rgnldo
Very Senior Member
ppp0 is my WAN interface.eth0 again
ppp0 is my WAN interface.eth0 again
# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto
# Linux high speed capture support
af-packet:
- interface: br0
# IPS Mode Configuration
# PCAP
pcap:
- interface: auto
checksum-checks: auto
promisc: yes
legacy:
uricontent: enabled
here are my updated settings...please confirm ok.
Code:# If set to auto, the variable is internally switched to 'router' in IPS # mode and 'sniffer-only' in IDS mode. host-mode: auto # Linux high speed capture support af-packet: - interface: br0 # IPS Mode Configuration # PCAP pcap: - interface: auto checksum-checks: auto promisc: yes legacy: uricontent: enabled # copy-mode: ips # copy-iface: br0 # defrag: yes # use-mmap: yes # netmap: # - interface: br0
If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto
# Linux high speed capture support
af-packet:
- interface: eth0
- interface: br0
# IPS Mode Configuration
# PCAP
pcap:
- interface: auto
checksum-checks: auto
promisc: yes
legacy:
uricontent: enabled
Use bothCode:If set to auto, the variable is internally switched to 'router' in IPS # mode and 'sniffer-only' in IDS mode. host-mode: auto # Linux high speed capture support af-packet: - interface: eth0 - interface: br0 # IPS Mode Configuration # PCAP pcap: - interface: auto checksum-checks: auto promisc: yes legacy: uricontent: enabled
07/06/2020-18:47:28.334783 [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:11106 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:47:28.515450 [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:28486 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:52:28.888456 [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:11466 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:52:29.027591 [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:28846 -> xxx.xxx.xxx.xxx:80
07/06/2020-18:53:31.576049 [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:38897 -> xxx.xxx.xxx.xxx:53
07/06/2020-18:56:13.474169 [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:55734 -> xxx.xxx.xxx.xxx:53
07/06/2020-18:58:18.516431 [**] [1:2012811:5] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:44734 -> xxx.xxx.xxx.xxx:53
07/06/2020-18:58:18.516567 [**] [1:2012811:5] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:44734 -> xxx.xxx.xxx.xxx:53
07/06/2020-19:07:41.441189 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.479364 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.624133 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.695945 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:41.815224 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:58198 -> 104.31.95.73:80
07/06/2020-19:07:42.019690 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:42.073266 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:38186 -> 91.189.91.38:80
07/06/2020-19:07:42.115885 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:58198 -> 104.31.95.73:80
07/06/2020-19:09:01.683591 [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:35771 -> xxx.xxx.xxx.xxx:53
07/06/2020-19:09:38.636501 [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} xxx.xxx.xxx.243:36942 -> xxx.xxx.xxx.xxx:53
07/06/2020-19:09:55.247738 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.292492 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.347152 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.376757 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:40250 -> 91.189.95.83:80
07/06/2020-19:09:55.435468 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:42618 -> 91.189.91.38:80
07/06/2020-19:09:55.562836 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxxxxx:40xxx -> 91.189.95.83:80
07/06/2020-19:23:57xxx437 [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:30742 -> xxx.xxx.xxx.xxx:80
07/06/2020-19:23:57.370362 [**] [1:2016870:13] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxxxxx:50328 -> xxx.xxx.xxx.xxx:80
Potential Corporate Privacy Violation
Thats what the rule says.
I'm new to this.
Is there an easier way to install suricata? Like unbound_manager?
Does this work with skynet?
I have a feelings of both love and hate watching threads like this evolve: I love seeing progress in making things work better, but I hate having to play catch-up to wrap my head around making it work on my system.
Can it be as simple as just running an update script that’s built in?
Sent from my iPhone using Tapatalk
Slowly but surely....just time is the killer right now....
Good to get the latest suricata.yaml file as I think it has changed a bit in the last couple of weeks. I have been following the thread but get confused when snippets of the yaml file are posted as I don't know if I need to remove stuff from it...
Organizes the steps, detailed.Take a backup of existing and re-pull, do a diff compare and swap. Most of @rgnldo edits are at the top. My logging edits are a bit lower. Will eventually hopefully get to a place where script and supporting files are in one spot....
@rgnldo I have the latest config (with my additional special edits for logging), running for eth0/br0 using FlexQOS script without errors about buggy protocol that I previously had with FreshQoS. This is wicked if it is stable and performs as well!
Wonder what this does to pixelserv-tls since it also uses br0? Do you have pixelserv running on your router and if so does fast.log report anything on its IP (192.168.1.2)?here are my updated settings...please confirm ok.
Code:# If set to auto, the variable is internally switched to 'router' in IPS # mode and 'sniffer-only' in IDS mode. host-mode: auto # Linux high speed capture support af-packet: - interface: br0 # IPS Mode Configuration # PCAP pcap: - interface: auto checksum-checks: auto promisc: yes legacy: uricontent: enabled
Take a look at IP Reputation. You could also create a custom.rules file and indicates the IP range to pass using your own rule. Take a look at creating rule if you want to go this route.
https://suricata.readthedocs.io/en/suricata-5.0.2/reputation/index.html
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
Wonder what this does to pixelserv-tls since it also uses br0? Do you have pixelserv running on your router and if so does fast.log report anything on its IP (192.168.1.2)?
@rgnldo I have the latest config (with my additional special edits for logging), running for eth0/br0 using FlexQOS script without errors about buggy protocol that I previously had with FreshQoS. This is wicked if it is stable and performs as well!
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!