
Suricata Suricata - IDS on AsusWRT Merlin


Here are my updated settings... please confirm ok.

Code:
# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
 - interface: br0

# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled
 

# copy-mode: ips
# copy-iface: br0
# defrag: yes
# use-mmap: yes

# netmap:
# - interface: br0

Code:
# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
 - interface: eth0
 - interface: br0

# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled
Use both
 

Thanks, logs are much busier since adding br0 to the setup. Wondering why that traffic wouldn't be caught leaving eth0, @rgnldo? There are some that go internally (site-to-site VPN), so that's expected.....

Sample logs:

Code:
07/06/2020-18:47:28.334783  [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:11106 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:47:28.515450  [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:28486 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:52:28.888456  [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:11466 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:52:29.027591  [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:28846 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:53:31.576049  [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:38897 -> xxx.xxx.xxx.xxx:53
07/06/2020-18:56:13.474169  [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:55734 -> xxx.xxx.xxx.xxx:53
07/06/2020-18:58:18.516431  [**] [1:2012811:5] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:44734 -> xxx.xxx.xxx.xxx:53
07/06/2020-18:58:18.516567  [**] [1:2012811:5] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:44734 -> xxx.xxx.xxx.xxx:53
07/06/2020-19:07:41.441189  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.479364  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.624133  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.695945  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.815224  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:58198 -> 104.31.95.73:80
07/06/2020-19:07:42.019690  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:42.073266  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:42.115885  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:58198 -> 104.31.95.73:80
07/06/2020-19:09:01.683591  [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:35771 -> xxx.xxx.xxx.xxx:53
07/06/2020-19:09:38.636501  [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:36942 -> xxx.xxx.xxx.xxx:53
07/06/2020-19:09:55.247738  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.292492  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.347152  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.376757  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:40250 -> 91.189.95.83:80
07/06/2020-19:09:55.435468  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.562836  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:40xxx -> 91.189.95.83:80
07/06/2020-19:23:57xxx437  [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:30742 -> xxx.xxx.xxx.xxx:80
07/06/2020-19:23:57.370362  [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:50328 -> xxx.xxx.xxx.xxx:80
 
Me too. This stuff showed up now:

07/06/2020-17:10:08.520020 [**] [1:2012647:5] ET POLICY Dropbox.com Offsite File Backup in Use [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 162.125.35.135:443 -> 10.0.0.155:55512
07/06/2020-17:11:23.364419 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 37.49.230.252:58572 -> 10.0.0.155:22
07/06/2020-17:11:43.208354 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 222.186.30.76:57387 -> 10.0.0.155:22
07/06/2020-17:13:37.244464 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 37.49.230.252:60008 -> 10.0.0.155:22
07/06/2020-17:21:03.488885 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 222.186.30.218:61909 -> 10.0.0.155:22
07/06/2020-17:36:54.693995 [**] [1:2012647:5] ET POLICY Dropbox.com Offsite File Backup in Use [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 162.125.35.136:443 -> 10.0.0.155:55519
07/06/2020-17:40:03.879449 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 222.186.30.218:10422 -> 10.0.0.155:22

I have an SSH server set up and am using Dropbox, so way more stuff now.
 
I will stop posting all of this after this last one, but it all is working quite well now.

Just got this one too:
07/06/2020-18:18:51.181747 [**] [1:2403359:58313] ET CINS Active Threat Intelligence Poor Reputation IP group 60 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 65.49.20.90:39592 -> 10.0.0.155:22

This is an attempt to log into the SSH server. My SSH server only accepts keys; passwords will not work.
 
I have feelings of both love and hate watching threads like this evolve: I love seeing progress in making things work better, but I hate having to play catch-up to wrap my head around making it work on my system.

Can it be as simple as just running an update script that’s built in?


 
I'm new to this.
Is there an easier way to install Suricata? Like unbound_manager?
Does this work with Skynet?

Slowly but surely....just time is the killer right now....
 
Good to get the latest suricata.yaml file as I think it has changed a bit in the last couple of weeks. I have been following the thread but get confused when snippets of the yaml file are posted as I don't know if I need to remove stuff from it...
 
Take a backup of the existing one and re-pull, do a diff compare and swap. Most of @rgnldo's edits are at the top. My logging edits are a bit lower. Will eventually, hopefully, get to a place where the script and supporting files are in one spot....

@rgnldo I have the latest config (with my additional special edits for logging), running for eth0/br0 using the FlexQOS script without the errors about a buggy protocol that I previously had with FreshQoS. This is wicked if it is stable and performs as well!
 
It was not easy to adapt Suricata to FW Merlin. An ARM router has limitations. I don't have time to support this post. I am involved with my own system. I contribute here as much as possible. Organizing a user-friendly script takes incredible effort. If it is a script for Suricata, double the effort.

Whoever has ideas here can organize forks or even scripts. I help in any way possible.
I advance that it is gratifying.
 
Organize the steps, in detail.
 
Wonder what this does to pixelserv-tls since it also uses br0? Do you have pixelserv running on your router and if so does fast.log report anything on its IP (192.168.1.2)?
 
Take a look at IP Reputation. You could also create a custom.rules file and indicate the IP range to pass using your own rule. Take a look at creating rules if you want to go this route.

https://suricata.readthedocs.io/en/suricata-5.0.2/reputation/index.html

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

It would be really nice if there were an easy way to create an allow list. I have a chatty IoT device and it is not a security threat, but it fills the logs with:

User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:10024 -> 34.199.145.138:80
Jul 7 10:26:17 RT-AC86U suricata[31108]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:24265 -> 34.199.145.138:80
Jul 7 10:26:59 RT-AC86U suricata[31108]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:21566 -> 34.199.145.138:80
Jul 7 10:27:17 RT-AC86U suricata[31108]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:4273 -> 34.199.145.138:80
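An added example, not from this thread or from Suricata itself: a small Python helper that parses the alert lines in both formats posted here (fast.log and the syslog form just above), counts hits per rule and source host, and drafts threshold.config suppress entries for the informational ET POLICY rules that a single LAN host such as the chatty IoT device keeps tripping. It uses the suppress mechanism covered on the Ignoring Traffic page linked above rather than the pass rule in custom.rules that @rgnldo mentions; the sample lines are taken from this thread, and min_hits=3 and the "ET POLICY" prefix are arbitrary thresholds of my own.

```python
import ipaddress
import re
from collections import Counter

# Alert fields shared by fast.log and syslog output; search() skips either timestamp prefix.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s*(?:\[\*\*\]\s*)?"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s*\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)

# Sample input: three syslog-style lines (the IoT device) and one fast.log SSH scan line from this thread.
SAMPLE = """\
Jul 7 10:26:17 RT-AC86U suricata[31108]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:24265 -> 34.199.145.138:80
Jul 7 10:26:59 RT-AC86U suricata[31108]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:21566 -> 34.199.145.138:80
Jul 7 10:27:17 RT-AC86U suricata[31108]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:4273 -> 34.199.145.138:80
07/06/2020-17:11:23.364419 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 37.49.230.252:58572 -> 10.0.0.155:22
""".splitlines()

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per (sid, msg, src) so the noisiest rule/host pairs stand out."""
    counts = Counter()
    for a in filter(None, map(parse_alert, lines)):
        counts[(int(a["sid"]), a["msg"], a["src"])] += 1
    return counts

def is_lan(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:  # redacted addresses such as xxx.xxx.xxx.xxx
        return False

def suppress_candidates(counts, min_hits=3, prefix="ET POLICY"):
    """Draft threshold.config 'suppress' lines for informational ET POLICY rules that one
    LAN host trips at least min_hits times; SCAN/CINS/malware rules and external sources
    are never suggested. Review each entry before adding it to threshold.config."""
    out = []
    for (sid, msg, src), n in counts.most_common():
        if n >= min_hits and msg.startswith(prefix) and is_lan(src):
            out.append(f"# {n} hits: {msg}")
            out.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
    return out

if __name__ == "__main__":
    print("\n".join(suppress_candidates(summarize(SAMPLE))))
```

Run it against your own fast.log (or the syslog lines) instead of SAMPLE; the SSH scan line deliberately produces no suppress entry because its source is external and it is not a POLICY rule.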
 
Pixelserv, just have the TLS variant disabled. No issues....
 
Update: don't do it, it slows the router down to a halt. Had to remove Suricata on the RT-AC68U this morning :(

Gunning and running on the RT-AC86Us though! Perhaps time to upgrade the AC68U now.....get rid of any Trend Micro for GOOD!
 
