Suricata Suricata - IDS on AsusWRT Merlin

[faux123]

On the subject of DNS: what value(s) should be use for "DNS_SERVERS"?

Only your local (router) IP address? Or a list that also includes the IP addresses of the external DNS servers you use? (like those of NextDNS)

There are, unfortunately, no 1 correct answer for this. It all depends on your setup. For example, I have unbound acting as a local recursive server, so it will reach out to root servers and other DNS servers if the address is not already in its local cache (also depending on the TTL of each request, it will need to periodically update based on TTL rules). Then you have variations on DOT or DOH with different servers, services, getting the right "rules" and setting for Suricata will need ton of time to investigate the complex interaction with the rules and setup...

At this moment, it's way beyond my current DNS knowledge and the time I want to sink into this, so I simply don't want to deal with it thus my recommendation of commenting out the rules check for DNS altogether.

 

[rgnldo]

I can log into the ssh from by mobile phone app JuiceSSH and turn off suricata. After it's turned off, I can get back into the router from my desktop.
I update the router on Friday and it worked since. Earlier today I tried to open a SSH session and was denied. Here are the only two log lines mentioning my IP address:

If Suricata is enabled, it “intercepts” any traffic on the interfaces for which it has been configured. These are informational IPS instances because something queried a domain, which can be suspicious depending on your environment. In particular, UDP traffic on port 53 is less secure, subject to interception. No problem. Suricata sniffing

 

[rgnldo]

getting the right "rules" and setting for Suricata will need ton of time to investigate the complex interaction with the rules and setup...

I agree. The advantage of being open source, the rules are also open. It is clear what will be intercepted.
Along the Talos list, there is a lot of contribution.

 

[rgnldo]

Only your local (router) IP address? Or a list that also includes the IP addresses of the external DNS servers

Your local DNS IP, which is likely to be the router's IP.

 

[juched]

Couple of observations with new install script...
> With original manger install script could run 'suricata_manager' from any directory now must be in .../addons/suricata to run manager './suricata_manager.sh'

> After running 'suricata_manager test' nothing shows up in UI addons suricata tab however it does show an entry in the fast.log

I also appreciate all the hard work that all the volunteers are providing and understand that any issue resolution is done on a 'when time allows' bases. I only list this observations as potential help.

It takes up to an hour to show up in the stats currently. If you see it in the fast.log, then you tested it. Logs are scraped hourly at 13minutes past.

 

[heysoundude]

Thank you for the GUI, @juched


I have a need for assistance sorting what a Threat might mean:

.51 is a laptop, .105 is a printer/scanner. User wasn't trying to do either. "worm" and "linksys.router" are what alarmed me.

Help?

 

[XIII]

Today 2419 log lines where a rule is hit and it's only 20:40...

How many log lines do you people see per day?

 

[juched]

Today 2419 log lines where a rule is hit and it's only 20:40...

How many log lines do you people see per day?

I see 26 or so.

I am only doing br0 (LAN) to eth0(WAN) and so I do not see anything external. What interfaces are you using?

 

[XIII]

I'm also only using br0 and eth0.

I did run some command line tools on the log; there seem to be 496 unique IP's involved in those logs...

 

[juched]

I have a need for assistance sorting what a Threat might mean:
View attachment 25546

.51 is a laptop, .105 is a printer/scanner. User wasn't trying to do either. "worm" and "linksys.router" are what alarmed me.

Help?

Interesting... my gut tells me this is likely a false positive for something that looks like the attack.

ET WORM TheMoon.linksys.router 1 - Knowledgebase - Brookwin Technology Solutions Private Limited

The rule definition is here:

2018131 < Main < EmergingThreats

doc.emergingthreats.net

alert http any any -> $HOME_NET 8080
(msg:"ET WORM TheMoon?.linksys.router 1";
flow:established;
urilen:7;
content:"GET";
http_method;
content:"/HNAP1/";
http_uri; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W";
reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630;
classtype:trojan-activity;
sid:2018131;
rev:5;
metadata:created_at 2014_02_13,
updated_at 2014_02_13;)

So, at a high level from what I see:

1. HTTP connection is made
2. Using GET verb
3. to content including type /HNAP1/
4. URI requested seems to be IP based

Seems a little too generic perhaps? I think your printer uses HNAP protocol. Is it an old one? Seems like an old protocol now.

Router Security HNAP Updates

Router Security HNAP

www.routersecurity.org

 

[XIII]

I ran a reverse lookup on the IP addresses. For most I don't get a hostname, but some of them seem to be valid sites (so blindly blocking all those IP's is not a smart thing it seems?):

• *.compute.amazonaws.com
• *.github.com
• *.googleusercontent.com

Oh, shodan.io is also scanning my network...

 

[MoonPie2000]

Thanks Juched you are correct - Patients is a virtue and I now have reporting. Again thanks for all your hard work on this I am really excited to use this and look forward to future improvements/updates.

 

[heysoundude]

Interesting... my gut tells me this is likely a false positive for something that looks like the attack.

ET WORM TheMoon.linksys.router 1 - Knowledgebase - Brookwin Technology Solutions Private Limited

The rule definition is here:

2018131 < Main < EmergingThreats

doc.emergingthreats.net

alert http any any -> $HOME_NET 8080
(msg:"ET WORM TheMoon?.linksys.router 1";
flow:established;
urilen:7;
content:"GET";
http_method;
content:"/HNAP1/";
http_uri; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W";
reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630;
classtype:trojan-activity;
sid:2018131;
rev:5;
metadata:created_at 2014_02_13,
updated_at 2014_02_13;)

So, at a high level from what I see:

1. HTTP connection is made
2. Using GET verb
3. to content including type /HNAP1/
4. URI requested seems to be IP based

Seems a little too generic perhaps? I think your printer uses HNAP protocol. Is it an old one? Seems like an old protocol now.

Router Security HNAP Updates

Router Security HNAP

www.routersecurity.org

It's an HP Printer-scanner. maybe 5 yrs old...which puts it in the timeframe of the linked articles.
You've pointed me in a good direction, I think. Thanks! I'm going to dig deeper here

 

[Mutzli]

Can't figure out what is going on with my desktop getting dropped by Suricata. I had to switch back to IDS only to avoid getting locked out. Disabling DNS rules didn't help either. The last entry in fast.log related to this system are three entries observing a potential corporate privacy violation on some ports to the DNS at 1.1.1.1:

08/18/2020-16:08:18.415970  [**] [1:2027695:2] ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.166:50114 -> 1.1.1.1:443
08/18/2020-17:03:30.391798  [**] [1:2027695:2] ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.166:51236 -> 1.1.1.1:443
08/18/2020-18:03:35.819082  [**] [1:2027695:2] ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.166:52332 -> 1.1.1.1:443

First I tried to disable DNS rules as suggested by faux123, than I tried to switch the assigned IP address on this system to .166 from .134, that worked for about 3-4 hours before I got locked out again. I wish Suricata would have more adjustments on what it's doing when blocking certain ports and IP's. Corporate Privacy Violations should not trigger a lockout of this workstation to access certain ports locally. I'm happy to try other suggestions, but for now I'm content with IDS mode. I'll just manually add any flagged IP's into Skynet.

 

[rgnldo]

but for now I'm content with IDS mode. I'll just manually add any flagged IP's into Skynet.

I would rely more on Suricata alerts. Something is wrong.
If you trust traffic, edit and comment on rule emerging-policy.rules:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"cloudflare-dns.com"; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 600; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:policy-violation; sid:2027695; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_09_28;)

 

[heysoundude]

Wow - suricata has dropped 16 attempts to spam my HTPC today as of right now.
I need to dig MUCH deeper into this.
Thanks devs...keep up your spectacular work! (I'm looking forward to picking up the AX68u for its quad processors and 1GB RAM...once @RMerlin has firmware for it...in the hopes that suricata is IPS & IDS capable on it. Maybe for my birthday in November)

 

[XIII]

To all the people reporting drops: are you all using the special fork?

Reason for asking: the failure of the simple test that should block a URL, when using the regular Asuswrt-Merlin firmware.

 

[Mutzli]

To all the people reporting drops: are you all using the special fork?

Reason for asking: the failure of the simple test that should block a URL, when using the regular Asuswrt-Merlin firmware.

I'm using the latest juched's script from the first page with a custom suricata.yaml.

 

[glehel]

#action-order:
# - pass
# - drop
# - reject
# - alert

why are these lines commented out?
Does the discard rule work without it?

 

[Milan]

i am back to IDS mode as for me after 1 day in IPS it started dropping near any communication - DNS problems, even the router page was blocked. SSH was actively blocked too for some time:
f.e. it connects but then after one min it dropped connection actively and don't allow connect again, but after some retries, it connects for some time

using juched script + YAML with enabled IPS from faux123.