Suricata - IDS on AsusWRT Merlin


Can someone "decode" what is happening here? Is Suricata just alerting on my Govee sensor hub but not deeming it a real threat?

Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80


Hard to tell. From what I see:
The Attempted Information Leak rule deals with signatures from potentially damaging information gathering attempts. Information leaks or reconnaissance attacks that are classified as Attempted Information Leaks are not proof positive that an information gathering attempt has been successful. Rather, they are a signal that an attempt has been made—that if the right conditions exist, sensitive information that could aid the attacker in compromising a system has been released.



attempted-recon | Attempted Information Leak | medium


My gut is that the device is using curl in a way that looks suspicious. If the IP 18.233.186.252 is the service it should be talking to, then you can ignore this.
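A small triage helper for lines like the one above, added here as an example (it is not code from the thread or from Suricata): it parses the fast.log alert fields and labels the alert against a per-device allowlist of expected destinations. The allowlist and the ICMP sample line are constructed; HOME_NET 192.168.2.0/24 is the value the configs in this thread use.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Alert body as Suricata's fast.log output writes it (IPv4 only; ICMP alerts carry no
# ports). The "[**]" separators of the native file are optional: syslog relay drops them.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$")

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse_fast_log(line: str) -> Optional[Alert]:
    """Parse one fast.log (or syslog-relayed) line; None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Alert(int(g["gid"]), int(g["sid"]), int(g["rev"]), g["msg"], g["cls"],
                 int(g["prio"]), g["proto"], g["src"], int(g["sport"]) if g["sport"] else None,
                 g["dst"], int(g["dport"]) if g["dport"] else None)

def triage(alert: Alert, home_net: str, known_endpoints: dict) -> str:
    """'expected' if a HOME_NET device talks to a destination its owner vouched for,
    'unknown-destination' otherwise; 'review' for traffic that is not outbound."""
    net = ipaddress.ip_network(home_net)
    if ipaddress.ip_address(alert.src) not in net or ipaddress.ip_address(alert.dst) in net:
        return "review"
    if alert.dst in known_endpoints.get(alert.src, set()):
        return "expected"
    return "unknown-destination"

# Sample input: the syslog line from the thread, plus a constructed ICMP alert in native
# fast.log layout (sid 9000001 is a placeholder in the local-rule range).
SAMPLE_SYSLOG = ("Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl "
                 "User-Agent Outbound [Classification: Attempted Information Leak] "
                 "[Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80")
SAMPLE_NATIVE_ICMP = ("08/05/2020-08:52:45.000000  [**] [1:9000001:1] LOCAL constructed ICMP "
                      "alert [**] [Classification: Misc activity] [Priority: 3] {ICMP} "
                      "192.168.2.158 -> 18.233.186.252")
```

The allowlist is the part Suricata cannot know: the "expected" label only means the owner has confirmed which cloud endpoint the device is supposed to reach.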
 
@Smokey613 Can you share your (complete) config?
Code:
%YAML 1.1
---

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.2.0/24]" ## set your CID IP LAN
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[127.0.0.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"

# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
  - interface: eth0
    copy-mode: ips
    copy-iface: br0
    use-mmap: yes
    tpacket-v3: no
  - interface: br0
    copy-mode: ips
    copy-iface: eth0
    use-mmap: yes
    tpacket-v3: no
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

max-pending-packets: 1024

# The default logging directory.
default-log-dir: /opt/var/log/suricata

stats:
  enabled: no
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
  decoder-events-prefix: "decoder.event"

# Configure the type of alert (and other) logging.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no

  - http-log:
      enabled: no
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: yes
      filename: stats.log
      interval: 10
      append: no

  - syslog:
      enabled: yes
      identity: suricata
      facility: local1
      level: notice

  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  - file-store:
      enabled: no
      log-dir: files
      force-magic: no

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      #force-hash: [md5]

  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      filetype: regular

  - eve-log:
      enabled: no
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
            tagged-packets: yes
            app-layer: true
            flow: true
            rule: true
            metadata: true
            raw: false

        - drop:
            alerts: yes
            flows: all

        # - http
        # - dns
        # - tls

# Magic file. The extension .mgc is added to the value here.
magic-file: /opt/share/misc/magic

## Netfilter configuration
##

nflog:
    # netlink multicast group
    # (the same as the iptables --nflog-group param)
    # Group 0 is used by the kernel, so you can't use it
  - group: 2
    # netlink buffer size
    buffer-size: 18432
    # put default value here
  - group: default
    # set number of packet to queue inside kernel
    qthreshold: 1
    # set the delay before flushing packet in the queue inside kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000

# Specify a threshold config file
threshold-file: /opt/etc/suricata/threshold.config

detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000


# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5

# Defrag settings:
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Flow settings:
flow:
  memcap: 32mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

# This option controls the use of vlan ids in the flow (and defrag)
# hashing.
vlan:
  use-for-tracking: true

# Specific timeouts for flows.
flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 32mb
  checksum-validation: yes # reject wrong csums
  inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 64mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true

# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16554432

# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what it's doing, errors, etc.
logging:

  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info

  # Define your logging outputs.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /opt/var/log/suricata/suricata.log
  - syslog:
      enabled: yes
      facility: local1

legacy:
  uricontent: enabled

default-rule-path: /opt/var/lib/suricata/rules

rule-files:
  - botcc.rules
  - botcc.portgrouped.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-malware.rules
  - emerging-mobile_malware.rules
  - emerging-worm.rules
  - emerging-dos.rules
  - emerging-dns.rules
  - ciarmy.rules
  - emerging-misc.rules
  - emerging-scan.rules
  - emerging-icmp_info.rules
  - emerging-icmp.rules
  - emerging-user_agents.rules
  - emerging-policy.rules
  - emerging-attack_response.rules
  - emerging-ftp.rules
  - emerging-games.rules

classification-file: /opt/etc/suricata/classification.config
reference-config-file: /opt/etc/suricata/reference.config
threshold-file: /opt/etc/suricata/threshold.config

# action-order:
#   - pass
#   - drop
#   - reject
#   - alert

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    krb5:
      enabled: no # Requires rust
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: "[443,444,465,853,993,995]"

    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 16108864

      ###########################################################################
      # Configure libhtp.
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 2mb
          response-body-limit: 2mb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 32kb
          response-body-inspect-window: 4kb
          http-body-inline: auto
          double-decode-path: no
          double-decode-query: no
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes

coredump:
  max-dump: unlimited

# Suricata user pass through configuration
 
UPDATE: I had to remove suricata. In the IPS configuration it was causing an issue with my bridged ISP modem. It seems that it was passing my internal network devices on to the ISP router and that router was assigning IPv4 and IPv6 addresses to my internal devices. This was wreaking havoc. Running suricata in the standard IDS mode does not cause this issue. Since suricata in IDS mode is not providing what I need, I just uninstalled it completely. It was a good idea but alas, not useful for me. I may look at a dedicated IPS appliance but not really wanting to put more money into my network.
 
I did some more tests and it seems that cake and suricata do not play well together. If I run either program by itself my speedtest BW is 48/4.5 on my 50/5 service. If I run them together I get 40/2.6 for results. I even tried starting suricata first then cake and then starting cake first and then suricata. The results were the same.
speedtest? spdMerlin, @Jack Yaz's script? You should reference that/those to dslreports' speedtest with bufferbloat.
I would offer that performance "hits" are directly attributable to configuration of these scripts - now that you've optimized Suricata for your network, it might be time to turn some of your attention to cake-qos - it has variables that need configuration as well.
 
speedtest? spdMerlin, @Jack Yaz's script? You should reference that/those to dslreports' speedtest with bufferbloat.
I would offer that performance "hits" are directly attributable to configuration of these scripts - now that you've optimized Suricata for your network, it might be time to turn some of your attention to cake-qos - it has variables that need configuration as well.
I did some testing with Cake-QoS and Suricata. Here are my results and settings; I tested every option three times and this is the average result. This is on a Comcast business line with 100Mbps/25Mbps.
Cake and Suricata both running:
fast.com 73Mbps down and 8Mbps up
speedtest.com 101Mbps down and 10.9Mbps up

Cake running - Suricata off
fast.com 73Mbps down and 15Mbps up
speedtest.com 101.2Mbps down and 21.7Mbps up

Cake off - Suricata running
fast.com 81Mbps down and 16Mbps up
speedtest.com 101.2Mbps down and 27.9Mbps up

On my configuration it looks like the upload speeds are affected; they are basically cut in half when both are running. So definitely something to investigate. I'll play around with some of Suricata's settings. Right now my suricata.yaml looks like this:

Code:
%YAML 1.1
---

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.0.0/16]" ## set your CID IP LAN
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.1.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
   
  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "50022"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"  

# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
## set your wan interface
  - interface: eth0          
    copy-mode: ips      
    copy-iface: br0                
    use-mmap: yes          
    tpacket-v3: yes          
  - interface: br0          
    copy-mode: ips  
    copy-iface: eth0                                          
    use-mmap: yes    
    tpacket-v3: yes
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

max-pending-packets: 1024
 
Running suricata in the standard IDS mode does not cause this issue.
IPS works on the Merlin FW. The INLINE mode depends on the NIC drivers. It's functional. There is confusion between IDS and IPS.
Perhaps the option use-mmap: yes is giving problems.
I have been using Suricata for some time. I have version 5.0.3 and I am totally dependent.
 
On my configuration it looks like that the upload speeds are affected
Understand, all monitoring systems will require some bandwidth.
In my system I have Suricata, PF rules, squid, squidquard (block ads) and clamav.
 
I already found the problem, it does have to do with enabling IPS in suricata.yaml. When running as an IDS solution the uploads are back to what is expected:
Cake and Suricata both running:
fast.com 73Mbps down and 15Mbps up
speedtest.com 101Mbps down and 22.1Mbps up

And here is the suricata.yaml:

Code:
%YAML 1.1
---

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.0.0/16]" ## set your CID IP LAN
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.1.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    
  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "50022"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"   
 
# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
## set your wan interface
  - interface: eth0           

# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

max-pending-packets: 1024
 
Another interesting observation: when I have Juched's configuration running (IPS) then Suricata uses 772MB memory, with the standard rgnldo configuration (IDS) it uses 505MB.
 
Understand, all monitoring systems will require some bandwidth.
In my system I have Suricata, PF rules, squid, squidquard (block ads) and clamav.
I agree, better safe than sorry.
 
I recommend Cake-QOS because it is open source and has good efficiency. The point is, install and let the software do the job.
I am thinking of implementing Privoxy (block ads) in Merlin, since squid is not viable on ARM routers.
 
IPS works on the Merlin FW. The INLINE mode depends on the NIC drivers. It's functional. There is confusion between IDS and IPS.
Perhaps the option use-mmap: yes is giving problems.
I have been using Suricata for some time. I have version 5.0.3 and I am totally dependent.

To be clear, are you running the Merlin FW version of suricata on an Asus Merlin router?
 
I reinstalled suricata. In my config, I now have: use-mmap: no instead of use-mmap: yes

I am no longer having issues with my ISP router. I will do some speed tests and see what happens. I also have cake running.

af-packet:
## set your wan interface
  - interface: eth0
    copy-mode: ips
    copy-iface: br0
    use-mmap: no        # <<<<<<< NOTE
    tpacket-v3: yes
  - interface: br0
    copy-mode: ips
    copy-iface: eth0
    use-mmap: no        # <<<<<<<< NOTE
    tpacket-v3: yes
 
IPS works on the Merlin FW. The INLINE mode depends on the NIC drivers. It's functional. There is confusion between IDS and IPS.
Perhaps the option use-mmap: yes is giving problems.
I have been using Suricata for some time. I have version 5.0.3 and I am totally dependent.

As usual, you are right on point. I made changes to use-mmap: no and now suricata and cake play nice together!

Thanks @rgnldo !!
 
Latest config entry for IPS

af-packet:
  - interface: eth0
    cluster-id: 98
    copy-mode: ips
    copy-iface: br0
    use-mmap: no
    tpacket-v3: no
  - interface: br0
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
    use-mmap: no
    tpacket-v3: no
 
copy-mode: ips is dual layer
This setting is for IPS INLINE mode, layer 2. IPS inline mode is not always possible to configure. Therefore, it is necessary to configure netfilter with iptables and other configurations. The default configuration is sufficient for an IDS/IPS. It's functional.
 
Latest config entry for IPS

af-packet:
  - interface: eth0
    cluster-id: 98
    copy-mode: ips
    copy-iface: br0
    use-mmap: no
    tpacket-v3: no
  - interface: br0
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
    use-mmap: no
    tpacket-v3: no
Leave it as it is in the default file.
 
