Suricata Suricata - IDS on AsusWRT Merlin

[XIII]

Finally getting some alerts for actions I trigger! (and also immediately some from the outside world...)

Looks like instead of this part in the provided config file:

af-packet:
 - interface: eth0 ## set your wan interface
copy-mode: ips
copy-iface: br0
defrag: yes
use-mmap: yes

I actually need to use this?

af-packet:
 - interface: eth0
   copy-mode: ips
   copy-iface: br0
   defrag: yes
   use-mmap: yes
 - interface: br0
   copy-mode: ips
   copy-iface: eth0
   defrag: yes
   use-mmap: yes

Source: https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

Did I miss instructions somewhere?

And are there other parts in the YAML file that I need to change?

 

[ugandy]

Finally getting some alerts for actions I trigger! (and also immediately some from the outside world...)

Looks like instead of this part in the provided config file:

af-packet:
 - interface: eth0 ## set your wan interface
copy-mode: ips
copy-iface: br0
defrag: yes
use-mmap: yes

I actually need to use this?

af-packet:
 - interface: eth0
   copy-mode: ips
   copy-iface: br0
   defrag: yes
   use-mmap: yes
 - interface: br0
   copy-mode: ips
   copy-iface: eth0
   defrag: yes
   use-mmap: yes

Source: https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

Did I miss instructions somewhere?

And are there other parts in the YAML file that I need to change?

hopefully @rgnldo can clarify...

if i remember/understood correctly back then, one version is to set IDS mode and the other to set IPS mode(?)

i noticed that with the 2nd config option you mention, suricata cpu usage is very high.

 

[ttgapers]

Finally getting some alerts for actions I trigger! (and also immediately some from the outside world...)

Looks like instead of this part in the provided config file:

af-packet:
 - interface: eth0 ## set your wan interface
copy-mode: ips
copy-iface: br0
defrag: yes
use-mmap: yes

I actually need to use this?

af-packet:
 - interface: eth0
   copy-mode: ips
   copy-iface: br0
   defrag: yes
   use-mmap: yes
 - interface: br0
   copy-mode: ips
   copy-iface: eth0
   defrag: yes
   use-mmap: yes

Source: https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

Did I miss instructions somewhere?

And are there other parts in the YAML file that I need to change?

Seems sound but I am curious on others opinion about the eth0->br0 copy vs another dedicated port/interface. The CPU spike seems logical as well, but @rgnldo can hopefully chime in as well.

 

[vdemarco]

So i just got a new attempt today

07/04/2020-18:22:47.059476 [**] [1:2008453:7] ET SCAN Tomcat Auth Brute Force attempt (admin) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} XX.XX.XX.XX:55732 -> 192.168.100.1:8

So i am slowly gaining more confidence that this is all working.

There have been only two attach types the above one, and the nntp one.

06/15/2020-01:08:27.733347 [**] [1:2017918:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 14.18.245.237:12002 -> XX.XX.XX.XX:123

So the ip 192.168.100.1, is my netgear router. It does have a user name set to admin, maybe i should change it to something else.

 

[New2This]

stats.log are working, still nothing after 3 days on the fast.log

 

[ugandy]

So i just got a new attempt today

07/04/2020-18:22:47.059476 [**] [1:2008453:7] ET SCAN Tomcat Auth Brute Force attempt (admin) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} XX.XX.XX.XX:55732 -> 192.168.100.1:8

i get this one everytime i log into my comcast router... not sure why

 

[vdemarco]

i get this one everytime i log into my comcast router...

Oh, so its nothing. I just checked that tail -f fast.log on the router and i logged in on my computer and the log showed up.

Okay good to know it's nothing.

 

[ugandy]

i think that with diversion and skynet both installed, suricata won't catch much stuff coming in.
it's one of those things that doesn't do much until the day it does
I'm hoping that suricata is mostly of value, to catch worms, bots or trojans that might have infected clients in your network (does it?). if you tend to get that kind of stuff
i feel folks using AI protection (trend micro), have similar experiences?
it surely would have been satisfying to check the logs and found the world trying to get in

 

[mike37]

i think that with diversion and skynet both installed, suricata won't catch much stuff coming in.
it's one of those things that doesn't do much until the day it does

Yes, which suggests that in IDS mode suricata is stacked inline after the firewall which is statefully and quietly blocking unrequested net noise; and with the assistance of Skynet and Diversion deliberately blocking known-bad sites. (IIRC in other computers Snort was independent of the FW, which allowed detection of mischief directed at you even though quietly blocked by the FW).

But if this is true, then how is Suricata catching the NTP UDP packet? I see no allowance for NTP in iptables, yet it gets through and detected by suricata!? Perhaps Diversion or Skynet has an NTP whitelist allowance in ipset? I'm presently too busy to look into this - hopefully later.

"I'm hoping that suricata is mostly of value, to catch worms, bots or trojans that might have infected clients in your network (does it?)....

YES!!! And trend likely uses Suricata or Snort to provide its Ai protection analysis (at the cost of privacy). (Aiprotection will block bad addresses - I don't know about bad packet fingerprints which are looked for and should be blocked by suricata.)

My beef is that I've not gotten suricata IPS to work - to actually drop malevolent packets/communications. I want realtime blocking, not some indication the next morning that my IOT or Windows computer was hacked during the preceding night.

Back when I was testing it, Suricata "drop" rules would indeed set off an alert/log, but the action had been changed from "drop" to "alert" and packets got through.

 

[ugandy]

finally something new this morning

07/06/2020-08:14:07.621201 [**] [1:2027695:2] ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.50.244:24194 -> 104.16.249.249:443

 

[Smokey613]

My only real issue with Suricata is the IPS side of it. Is there a way to verify that actually works on the Asus router implementation? Notification is all well and good but I need assurance it will block also.

 

[ugandy]

one more question: why does suricata work with HW acceleration enabled? i'd imagine we'd have to turn it off? (similar to qos/cake)

BTW, when i try the suggested yaml config for IPS mode, suricata eventually crashes.

 

[mike37]

...
07/06/2020-08:14:07.621201 [**] [1:2027695:2] ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.50.244:24194 -> 104.16.249.249:443

Hard to know what the problem is here;

Was this an application doing its own encrypted DNS that is suspicious - avoiding a protected corporate DNS server; something a Trojan might do? (heh......Firefox can optionally do encrypted DNS avoiding the LAN). IF this is the logic, then you could deactivate this rule. Alternatively deactivate Firefox's encrypted DNS and force it through the router - you'd then want to know what application is doing "private" DNS.

Perhaps Suricata didn't like cloudflare contacted over 443?

Maybe someone could look at the specific rule and find out why this popped up.

 

[ugandy]

Hard to know what the problem is here;

Was this an application doing its own encrypted DNS that is suspicious - avoiding a protected corporate DNS server; something a Trojan might do? (heh......Firefox can optionally do encrypted DNS avoiding the LAN). IF this is the logic, then you could deactivate this rule.

Perhaps Suricata didn't like cloudflare contacted over 443?

Maybe someone could look at the specific rule and find out why this popped up.

sounds like some app on my PC is contacting cloudflare directly.
unfortunately when i checked the port, the process on my pc whatever is was, was gone

 

[rgnldo]

I removed the netmap. Not all network cards support it.
Mode legacy

# Linux high speed capture support
af-packet:
 - interface:  ## set your wan interface

# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

 

[ttgapers]

I removed the netmap. Not all network cards support it.
Mode legacy

# Linux high speed capture support
af-packet:
 - interface:  ## set your wan interface

# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

Going to test this now! Wonder if it may not throw errors on a FlexQoS implementation

 

[rgnldo]

I started from scratch (without the scribe changes):

This looks fine:

> suricata -c /opt/etc/suricata/suricata.yaml -T
3/7/2020 -- 21:43:47 - <Info> - Running suricata under test mode
3/7/2020 -- 21:43:47 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
3/7/2020 -- 21:43:47 - <Notice> - This is Suricata version 4.1.8 RELEASE
3/7/2020 -- 21:43:47 - <Info> - CPUs/cores online: 2
3/7/2020 -- 21:43:47 - <Info> - fast output device (regular) initialized: fast.log
3/7/2020 -- 21:43:47 - <Info> - stats output device (regular) initialized: stats.log
3/7/2020 -- 21:43:47 - <Info> - 18 rule files processed. 2335 rules successfully loaded, 0 rules failed
3/7/2020 -- 21:43:47 - <Info> - Threshold config parsed: 0 rule(s) found
3/7/2020 -- 21:43:47 - <Info> - 2335 signatures processed. 207 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only
3/7/2020 -- 21:43:49 - <Notice> - Configuration provided was successfully loaded. Exiting.
3/7/2020 -- 21:43:49 - <Info> - cleaning up signature grouping structure... complete

However, after adding these test.rules and ping-ing 192.168.1.1 I still get no alert...

alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

Try:
insert br0 interface

# Linux high speed capture support
af-packet:
 - interface:  ## set your wan interface
 - interface: br0
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

The test will work
LAN interface on this new FW Merlin works and is in promiscuous mode. Much more compatible with Suricata now.

Jul  6 19:29:04 kernel: device ppp0 entered promiscuous mode
Jul  6 19:29:05 kernel: device br0 entered promiscuous mode

 

[rgnldo]

Going to test this now! Wonder if it may not throw errors on a FlexQoS implementation

Insert:
interface: br0
Legacy mode is more compatible

# Linux high speed capture support
af-packet:
 - interface:  ## set your wan interface
 - interface: br0
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

 

[ttgapers]

Try:
insert br0 interface

# Linux high speed capture support
af-packet:
 - interface:  ## set your wan interface
 - interface: br0
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

The test will work
LAN interface on this new FW Merlin works and is in promiscuous mode. Much more compatible with Suricata now.

Jul  6 19:29:04 kernel: device ppp0 entered promiscuous mode
Jul  6 19:29:05 kernel: device br0 entered promiscuous mode

ok so no need to use eth0 again? defaults should be as above - just default to br0?

 

[rgnldo]

ok so no need to use eth0 again? defaults should be as above - just default to br0?

You can use inbound and outbound traffic. The problem was the incompatibility in previous versions of FW Merlin. Detected kernel error on LAN br0 interface. Now it works.