Suricata - IDS on AsusWRT Merlin

I'm wondering what's the likelihood of Merlin's FW including the cakeqos module at some point... sounds like for proper support it would be a requirement?

Not at this time, as it requires kernel patching, something I try to avoid as much as possible to avoid unforeseen impacts on the rest of the proprietary modules. For example, enabling the kernel cipher for IPSEC support on the RT-AC68U was preventing some modules from loading properly due to kernel symbol changes. Even if it worked now, I don't want to have to deal with it if a few months later Asus/Broadcom/Trend Micro made any change that broke compatibility.
 
How can I check that when I use @faux123's configuration that packets are indeed being dropped? (IPS instead of IDS)

Or do I need her/his fork to have that work?
 
XIII said:
> How can I check that when I use @faux123's configuration that packets are indeed being dropped? (IPS instead of IDS)
>
> Or do I need her/his fork to have that work?
 
@mike37 That test still fails: the blocked IP can still be opened (browser, curl, wget); so no drops?

Additionally: is there any way I can split the log in inbound and outbound traffic (maybe using Scribe?)?

I'm way more interested in outbound than inbound (because I have only control over outbound traffic).
 
> @mike37 That test still fails: the blocked IP can still be opened (browser, curl, wget); so no drops?
>
> Additionally: is there any way I can split the log in inbound and outbound traffic (maybe using Scribe?)?
>
> I'm way more interested in outbound than inbound (because I have only control over outbound traffic).
Yep.... you need the fork.

Jchud's script/display seems to display inbound/outbound nicely. tail can also (probably) be tweaked with grep to print out only outbound.

But lacking IPS, ISTM you have equivalent, cumbersome control over inbound and outbound: Iptables blocklist manually effected through Diversion, Skynet, or some script/editor.

Clearly IPS is preferred (especially in inline mode).

ISTM faux123, rgnldo, et al. are making good progress - be thankful and watch the fun! :)
 
XIII said:
> How can I check that when I use @faux123's configuration that packets are indeed being dropped? (IPS instead of IDS)
>
> Or do I need her/his fork to have that work?

[attachment: Screenshot from 2020-08-14 07-11-09.png]


It's not like people are attacking all the time, as you can see from my own logs, it happens a few times a day esp if you have some services running.

tail -n 10000 /opt/var/log/suricata/fast.log | grep DROP in your ssh console to see the latest attack events.
 

Attachments

  • Screenshot from 2020-08-14 07-11-09.png
    Screenshot from 2020-08-14 07-11-09.png
    158.3 KB · Views: 87
> It's not like people are attacking all the time, as you can see from my own logs, it happens a few times a day esp if you have some services running.
I might be less lucky, as this is just the logging for the first 5 minutes that I tried your YAML file:
Code:
Aug 14 22:05:20 ac86u suricata[25367]: [1:2010937:3] ET SCAN Suspicious inbound to mySQL port <PORT> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:05:23 ac86u suricata[25367]: [1:2008578:4] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:05:23 ac86u suricata[25367]: [1:2011716:3] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:05:33 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:05:51 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:06:16 ac86u suricata[25367]: [1:2403389:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 90 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:06:37 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:06:37 ac86u suricata[25367]: [1:2403388:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 89 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:06:43 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:06:50 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:06:50 ac86u suricata[25367]: [1:2403325:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 26 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:07:37 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:07:37 ac86u suricata[25367]: [1:2403390:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 91 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:07:49 ac86u suricata[25367]: [1:2403390:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 91 [Classification: Misc Attack] [Priority: 2] {UDP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:08:06 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:08:44 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:08:44 ac86u suricata[25367]: [1:2403325:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 26 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:09:30 ac86u suricata[25367]: [1:2403374:59431] ET CINS Active Threat Intelligence Poor Reputation IP group 75 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:10:07 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:10:08 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
Aug 14 22:10:23 ac86u suricata[25367]: [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} <OTHER-IP>:<PORT> -> <MY-IP>:<PORT>
 
> I might be less lucky, as this is just the logging for the first 5 minutes that I tried your YAML file:
The question remains: are the REPORTED drops in fact being dropped?
 
> drops in fact being dropped?
How do you imagine? Suricata is doing the job.

In Suricata 5.0.3 the rules are tougher. My Alexa devices are blocked by Suricata. I still haven't been able to identify which rule is blocking. To use Amazon Alexa I added the device's IP to the allowed list. I don't like the idea of releasing IP. I prefer to find the rule.

Code:
08/10/2020-20:00:33.524388  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:38.525198  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:39.529793  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:41.533689  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:42.987444  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:45.542243  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:45.548117  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:00:53.547063  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:01:09.557927  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}  ->
08/10/2020-20:06:59.234411  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64.2>
08/10/2020-20:07:00.148204  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-20:16:50.340646  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-20:16:51.565750  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-20:31:28.824593  [Drop] [**] [1:2029753:2] ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1 [**] [Classification: Potentially Bad Traffic] [Priority: 2]>
08/10/2020-20:32:05.497780  [Drop] [**] [1:2029754:2] ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2 [**] [Classification: Potentially Bad Traffic] [Priority: 2]>
08/10/2020-20:32:08.243963  [Drop] [**] [1:2029754:2] ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2 [**] [Classification: Potentially Bad Traffic] [Priority: 2]>
08/10/2020-20:32:15.922188  [Drop] [**] [1:2029753:2] ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1 [**] [Classification: Potentially Bad Traffic] [Priority: 2]>
08/10/2020-20:36:37.856706  [Drop] [**] [1:2029753:2] ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1 [**] [Classification: Potentially Bad Traffic] [Priority: 2]>
08/10/2020-20:45:48.406294  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} -> 100.64>
08/10/2020-20:45:50.962482  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} -> 100.64>
08/10/2020-21:04:11.119112  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.30.16:5996>
08/10/2020-21:12:56.187318  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-21:12:59.010886  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-21:30:33.008153  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} >
08/10/2020-22:14:00.386864  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-22:14:02.535539  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}  -> 100.64>
08/10/2020-22:18:49.925682  [Drop] [**] [1:2025194:2] ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) [**] [Classification: Potentially Bad Traffic] [Prio>
08/10/2020-22:32:35.827070  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} >
08/10/2020-22:32:45.377145  [Drop] [**] [1:2025194:2] ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) [**] [Classification: Potentially Bad Traffic] [Prio>
08/11/2020-06:40:19.417377  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} >
08/11/2020-06:48:39.555903  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} >
08/11/2020-07:03:25.917483  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} >
08/11/2020-07:10:13.951773  [Drop] [**] [1:2002878:9] ET POLICY iTunes User Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
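An added example, not from any post in this thread: a Python parser for the two alert-line layouts quoted above (the syslog-forwarded form and the native fast.log form) that splits events into inbound and outbound relative to a LAN prefix, which XIII asked about, separates real [Drop] events from alert-only ones, and lists the rules that dropped a given LAN host's traffic, which is the "which rule is blocking my Alexa" question. The addresses and log lines are constructed; the SIDs and messages are the ones quoted in this thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One regex for both layouts quoted in this thread: the syslog-forwarded form
# ("... suricata[25367]: [1:sid:rev] msg [Classification: ...] ...") and the
# native fast.log form ("... [Drop] [**] [1:sid:rev] msg [**] [Classification: ...] ...").
LINE_RE = re.compile(
    r"(?P<drop>\[Drop\]\s+)?(?:\[\*\*\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[\*\*\]\s+)?\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)


def parse_fast_line(line):
    """Parse one alert line; return None for lines that are not alerts."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["drop"] = ev["drop"] is not None      # "[Drop]" is only written in IPS mode
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def is_lan(ip, lan_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in lan_nets)


def direction(src, dst, lan_nets):
    """inbound / outbound / internal / transit, relative to the LAN prefixes."""
    s, d = is_lan(src, lan_nets), is_lan(dst, lan_nets)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s and d else "transit"


def summarize(lines, lan_cidrs):
    """Count events per (direction, action) and collect dropped rules per LAN host."""
    lan_nets = [ipaddress.ip_network(c) for c in lan_cidrs]
    by_dir = Counter()
    drops_by_host = defaultdict(Counter)  # LAN host -> Counter of (sid, msg)
    for line in lines:
        ev = parse_fast_line(line)
        if ev is None:
            continue
        action = "drop" if ev["drop"] else "alert"
        by_dir[(direction(ev["src"], ev["dst"], lan_nets), action)] += 1
        if ev["drop"]:
            for host in (ev["src"], ev["dst"]):
                if is_lan(host, lan_nets):
                    drops_by_host[host][(ev["sid"], ev["msg"])] += 1
    return by_dir, drops_by_host


def blocking_rules(drops_by_host, host):
    """Which rules dropped traffic to or from one LAN host, most frequent first."""
    return [(sid, msg, n) for (sid, msg), n in drops_by_host[host].most_common()]


# Constructed sample: SIDs and messages as quoted in this thread, addresses made up
# (192.168.1.0/24 is the LAN; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = """\
08/10/2020-20:00:33.524388  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.23:49152 -> 203.0.113.53:53
08/10/2020-20:00:38.525198  [Drop] [**] [1:2027863:3] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.23:49153 -> 203.0.113.53:53
08/10/2020-20:06:59.234411  [Drop] [**] [1:2029340:2] ET INFO TLS Handshake Failure [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:443 -> 192.168.1.23:52010
08/10/2020-20:31:28.824593  [**] [1:2402000:5636] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:41000 -> 192.168.1.1:22
Aug 14 22:05:20 ac86u suricata[25367]: [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.12:55020 -> 192.168.1.1:3306
Aug 14 22:06:16 ac86u suricata[25367]: [1:2002878:9] ET POLICY iTunes User Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.40:50211 -> 198.51.100.80:80
"""

if __name__ == "__main__":
    by_dir, by_host = summarize(SAMPLE_LOG.splitlines(), ["192.168.1.0/24"])
    for (d, action), n in sorted(by_dir.items()):
        print(f"{d:9s} {action:5s} {n}")
    print("rules that dropped 192.168.1.23:", blocking_rules(by_host, "192.168.1.23"))
```

The Dshield line in the sample shows why this keys on the [Drop] tag rather than the word DROP: that rule's name contains DROP even when it only alerted.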
 
> Actually I just used "best effort" and adjusted the initial bandwidth of my up/down speeds based on my average speedtest speeds. So far default setting is serving me well as my family were doing tons of streaming (youtube, disney+) while I was using video conferencing apps for work. So far I haven't experienced any issues where I needed to tweak cake setting at all.. I'm super happy with the default setting of "best effort". I love cake, just set and forget.. now with Suricata, this is match made in heaven as I now have a complete GPL (open source) software solutions to serve all my needs (I'm willing to give up some bandwidth for IPS/IDS as this will protect my entire family's internet experience).
Thank you.
I hope it'll be ok if I crosspost this over on the cake thread for people with faster ISP speeds to reference. There's a bit of disagreement as to it working correctly (as designed) over 100Mbps speeds and/or how to configure.
 
> complete GPL (open source) software solutions. Just set and forget.

That's what I always mention.

This fork is what I recommend. But use it if you have intermediate knowledge in linux. I'm using it on my other router.

I will wait for @juched to check the status of the Suricata manager and stats.
 
I'm not sure I have the skills necessary. Perhaps this will catch @RMerlin's eye and he'll decide to try to incorporate what he needs to into his version, if he can or wants to.
 
> In Suricata 5.0.3 the rules are tougher. My Alexa devices are blocked by Suricata. I still haven't been able to identify which rule is blocking. To use Amazon Alexa I added the device's IP to the allowed list. I don't like the idea of releasing IP. I prefer to find the rule.
I don't have enough thumbs to "thumbs up" the statements that I like here... Clear rules are always better than broad generalizations, I agree.
 
With the IPS settings active I was able to catch a network trojan on one of the desktops. :mad:
08/14/2020-21:06:03.024220 [**] [1:2027151:2] ET ATTACK_RESPONSE LaZagne Artifact Outbound in FTP [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.1:445 -> 192.168.1.174:61479
 
> Clear rules are always better than broad generalizations, I agree.

The rules are clear. I use Talos rules, which are many and I need to adapt to my scenario. It turns out that the team that develops the rules understands that privacy violation should also be questioned. I have already found and disabled several rules, after verifying that they do not represent so much risk. There are some false positives.

> Perhaps this will catch @RMerlin's eye and he'll decide to try to incorporate what he needs to into his version, if he can or wants to.

> I'm not sure I have the skills necessary.

With the FW fork only, you will not use the features of TrendMicro, AiProtection, adaptive QoS and some adjustments.
The source code based on the TrendMicro engine prevents any implementation without breaking something in the FW. Difficult task.

> over 100Mbps speeds and/or how to configure.

My bandwidth is 200 full time. It works.
 

> It's not like people are attacking all the time, as you can see from my own logs, it happens a few times a day esp if you have some services running.
>
> tail -n 10000 /opt/var/log/suricata/fast.log | grep DROP in your ssh console to see the latest attack events.

Well yes - 99% of the WAN "attacks" are internet noise filtered out by IPtables. And once it is tuned for my router, suricata will be quiet almost all of the time. no news is good news.

For me the importance of suricata will not be telling me about inbound noise, but will be for monitoring/protecting my increasing number of IOT devices for outbound anomalies. I have them on protected subnets (thanks YazFi), but those things seem nonetheless generally vulnerable and if something does get in and they try to connect to places they shouldn't I want them stopped immediately - an extremely rare event I'd hope.

I suppose if there are attempts connecting to, say, a VPN server using some sort of "emerging" exploit technique, I also want that IP blocked instantly and for a while.
 
> How do you imagine?

Because I've seen it in earlier versions of suricata - nice logs saying stuff was dropped; in fact not dropped.

> Suricata is doing the job.

Well, maybe Suricata 5.0.3 is doing the job (IPS) on your new box, but not necessarily the earlier versions on Merlin. That simple test can help prove it for Merlin.

> In Suricata 5.0.3 the rules are tougher. My Alexa devices are blocked by Suricata. I still haven't been able to identify which rule is blocking. To use Amazon Alexa I added the device's IP to the allowed list. I don't like the idea of releasing IP. I prefer to find the rule.

Yep! Suricata/Snort is all about understanding and tuning the rules and your computer(s) - NOT about exempting IPs so that symptoms go away. :)
 
I am a novice but am very interested in continuing my use of Suricata however since I am new and this implementation is still in 'testing' I am looking for some good places that I can reference to help understand how to configure Suricata. Specifically my current question is how to exempt my DDNS URL. When I try to locally attempt to access any URL using my DDNS address Suricata blocks it with the below message. Anyway if anyone can help with my generic or specific request for information I would appreciate it. Also I would be willing to try the fork if there is one or someone could compile it for the AX88U. Thanks...


ET POLICY DNS Query to DynDNS Domain *.domainname.org
Classification: Potentially Bad TrafficPriority 2
 
I finally got Suricata to operate in IDS/IPS on af-packet mode (which is the ONLY mode available for our Entware build, I was trying to get a PF_RING build but was having some issues with libraries and other Entware dependencies). Below is the relevant yaml code from my own config. mmap (memory mapped ring buffers) must be enabled for IPS to work, without it, it's only running in IDS mode. I'm running this on my AC86U (with suricata, I kinda wish I have the newer AX88U not for its wifi but for its quad core CPU and 1 GB of real RAM). The configuration is a good compromise for my own build, the average load on my router is around 3.50 so your router will be hotter with it. Download speed is close to my native ISP speed (which is around 200 Mbps), upload speed is somewhat limited around 160 Mbps which is far below my normal ISP speed of 225 Mbps (this is due to AC86U's CPU capability). I'm running CakeQoS as well (I don't like the proprietary closed sourced solutions from TrendMicro as it causes some random kernel panics on my own fork with their modules which I can't fix, I much prefer the GPL alternative which is Suricata+CakeQoS). You will experience around 2.1% packet drops (again this is due to dual core and limited real RAM of AC86U). I can live with this small amount of packet drops as I didn't experience any real usage issues with such packet loss.

Thanks to all those who contributed so far, it took me a while to read through tons of source code from Suricata and their piss poor documentations/examples to finally crack this.

YAML:
# Linux high speed capture support
af-packet:
- interface: eth0 ## set your wan interface
   copy-mode: ips
   copy-iface: br0
   buffer-size: 3072
   cluster-id: 99
   cluster-type: cluster_flow
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v2: yes
   ring-size: 3072
- interface: br0
   copy-mode: ips
   copy-iface: eth0
   buffer-size: 3072
   cluster-id: 98
   cluster-type: cluster_flow
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v2: yes
   ring-size: 3072

EDIT: changed tpacket-v3 to tpacket-v2 for better latency

Thanks for sharing. I tried this, which was mainly the setting tpacket-v2:yes and the ringbuffer and buffer size changes. For me, devices on the guest network no longer have access to the internet. It seems to now work for some, but with a delay and flaky. Do you have any issues with this setup and guest wifi?
 
> Thanks for sharing. I tried this, which was mainly the setting tpacket-v2:yes and the ringbuffer and buffer size changes. For me, devices on the guest network no longer have access to the internet. It seems to now work for some, but with a delay and flaky. Do you have any issues with this setup and guest wifi?

This is where our router CPU/memory become the main bottleneck. The more I read about Suricata the more I realized it's geared for enterprise level IDS/IPS solutions running on multi-core Intel Xeons with TONS of memory (talking about 16GB+ of RAM). Its very threaded nature is both a blessing (these giant net appliances whose job is to do ONLY IDS/IPS) and a curse (small embedded devices with limited CPU and memory) for our usage. I have been seriously playing with Suricata for about 1 week now (both in terms of reading its source code, optimizing Linux kernels with my own builds, playing with various settings in its YAML etc), my conclusion at this moment is that at least with AC86U, it's woefully underpowered to run Suricata smoothly without hiccups (some of your experiences) in IPS mode. It can run in IDS mode okay with some tweaks. EDIT: this was caused by a setting:
YAML:
tpacket-v2: yes
Switching back to
YAML:
tpacket-v3: yes
and everything is good again!

My AC86U in IPS/IDS settings requires an external fan as it will VERY quickly heat up my poor AC86U (I've experienced 100 degrees C and got throttled badly by its thermal protection). The intermittent internet connectivity issues you experienced are probably related to CPU loading. Even with AF_PACKET and ring buffers (mmap), which is supposed to be the optimal setting for Suricata and depends on your network bandwidth (mine is around 200 mbps symmetrical), it struggles to inspect every packet in time without some sort of HW acceleration to keep up with the speed (network packet losses due to CPU not able to keep up with the speed of the NIC).
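An added checker, not faux123's code and not part of Suricata, for the af-packet section posted above and the tpacket-v2/tpacket-v3 edit that followed: it parses only that section's shape (a list of "- interface:" blocks with flat key: value lines and # comments, not YAML in general) and verifies that each interface is paired with one that copies back, that use-mmap is on for copy-mode ips, that cluster-ids are unique, and that nothing relies on the tpacket-v2 key, which is not an af-packet option. Both configs are constructed: one condensed from the posted one with tpacket-v3 restored, one deliberately broken.

```python
def parse_af_packet(yaml_text):
    """Return one dict per '- interface:' block under the top-level af-packet: key."""
    entries, in_section = [], False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments, keep indentation
        if not line.strip():
            continue
        if not line.startswith((" ", "-")):         # an unindented key starts a new section
            in_section = line.strip() == "af-packet:"
            continue
        if not in_section:
            continue
        if line.lstrip().startswith("- "):           # "- interface: eth0" opens a new block
            entries.append({})
            line = line.lstrip()[2:]
        key, _, val = line.strip().partition(":")
        entries[-1][key.strip()] = val.strip()
    return entries


def check_ips_pairs(entries):
    """Return a list of problems; empty means every interface is a consistent inline IPS peer."""
    problems = []
    by_iface = {e.get("interface"): e for e in entries}
    cluster_owner = {}
    for e in entries:
        name = e.get("interface", "?")
        if e.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode is {e.get('copy-mode', 'unset')}, so this runs as IDS only")
        if e.get("use-mmap", "no").lower() not in ("yes", "true"):
            problems.append(f"{name}: use-mmap must be yes for copy-mode ips")
        peer = e.get("copy-iface")
        if peer not in by_iface:
            problems.append(f"{name}: copy-iface {peer!r} is not itself an af-packet interface")
        elif by_iface[peer].get("copy-iface") != name:
            problems.append(f"{name}: {peer} does not copy back to {name}, so traffic arriving on {peer} is never forwarded")
        cid = e.get("cluster-id")
        if cid in cluster_owner:
            problems.append(f"{name}: cluster-id {cid} already used by {cluster_owner[cid]}")
        cluster_owner[cid] = name
        if "tpacket-v2" in e:   # Suricata only knows tpacket-v3; v2 is what you get when it is absent or no
            problems.append(f"{name}: tpacket-v2 is not an af-packet option, set tpacket-v3 yes/no instead")
    return problems


# Constructed: condensed from the af-packet section posted above, tpacket-v3 restored.
AF_PACKET_GOOD = """\
af-packet:
- interface: eth0 ## set your wan interface
   copy-mode: ips
   copy-iface: br0
   cluster-id: 99
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v3: yes
- interface: br0
   copy-mode: ips
   copy-iface: eth0
   cluster-id: 98
   use-mmap: yes
   tpacket-v3: yes
"""

# Constructed misconfiguration: br0 copies to a missing interface with mmap off,
# cluster-id 99 is reused, and eth0 uses the non-existent tpacket-v2 key.
AF_PACKET_BAD = """\
af-packet:
- interface: eth0
   copy-mode: ips
   copy-iface: br0
   cluster-id: 99
   use-mmap: yes
   tpacket-v2: yes
- interface: br0
   copy-mode: ips
   copy-iface: eth1
   cluster-id: 99
   use-mmap: no
"""

if __name__ == "__main__":
    for label, cfg in (("good", AF_PACKET_GOOD), ("bad", AF_PACKET_BAD)):
        print(label, check_ips_pairs(parse_af_packet(cfg)) or "OK")
```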
 
> This is where our router CPU/memory become the main bottleneck. The more I read about Suricata the more I realized it's geared for enterprise level IDS/IPS solutions running on multi-core Intel Xeons with TONS of memory (talking about 16GB+ of RAM). Its very threaded nature is both a blessing (these giant net appliances whose job is to do ONLY IDS/IPS) and a curse (small embedded devices with limited CPU and memory) for our usage. I have been seriously playing with Suricata for about 1 week now (both in terms of reading its source code, optimizing Linux kernels with my own builds, playing with various settings in its YAML etc), my conclusion at this moment is that at least with AC86U, it's woefully underpowered to run Suricata smoothly without hiccups (some of your experiences) in IPS mode. It can run in IDS mode okay with some tweaks.
>
> My AC86U in IPS/IDS settings requires an external fan as it will VERY quickly heat up my poor AC86U (I've experienced 100 degrees C and got throttled badly by its thermal protection). The intermittent internet connectivity issues you experienced are probably related to CPU loading. Even with AF_PACKET and ring buffers (mmap), which is supposed to be the optimal setting for Suricata and depends on your network bandwidth (mine is around 200 mbps symmetrical), it struggles to inspect every packet in time without some sort of HW acceleration to keep up with the speed (network packet losses due to CPU not able to keep up with the speed of the NIC).

On my AX88U the CPU isn't heavily loaded. Even during Speedtest which gives full speed the CPU is pretty low. With 4 threads per copy interface so 8 in total.

The main network connection works fine with no real latency. Just the guest wifi which doesn’t work properly. Believe this is because all the packets from eth0 are being copied to br0.
 