Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

remove some valid rules

Let's define which ones to leave by default

confusion

I agree.

 

[faux123]

ok - doesn't the swap most of us install help? I'd have to check, but I seem to recall I've got 2GB set up for that that I've only seen get gently caressed when I've looked - does IPS look for more than that?

The problem is lack of enough real RAM on AC86U. Whenever you swap, even with SSD, it's NOT fast enough to do "inline" IPS where the packet is intercepted as it come in and inspected against various rule then "copy" back out. If the system needs to rely on "swapping", the effects of this slowness will manifest as packet loss or "lag" in the connection. You want to do all these copy in ->inspect->copy out all in RAM where it's faster than you can notice and not drop packets.

So with 512MB on AC86U (and more than 1/2 of that is reserved for other critical system services), the constant swapping in/out to disk (SSD or HDD) will lead to packet loss and lag. So virtual memory via SWAP isn't ideal or option for Suricata (fun fact, if you disabled swap, Suricata won't even start and will tell you that you lack memory run it).


ON TOPIC: My internal beta testing of my settings from yesterday was inconsistent...on some instances, it would work flawlessly for almost 18 hours then experience large number of TCP_Fragment and packet loss, and on some instances the packet loss were immediate after a couple of minutes all without touching anything. I monitored the memory usage throughout and didn't notice the memory growth issues between 18 hours and 2 mins runs. I'm at a loss as to why it is NOT consistently reproducible. There's a running thread on Suricata's own issue tracker and that issue has been opened for more than 1 year and people are still reporting inconsistencies.

So for those of you experienced "drops", it's not a real "drop" based on rules, but it's a "failure to establish TCP connection" with the remote hosts. Based on my debugging with wireshark, it's NOT due to DNS failures of any sort (in fact you will see the DNS request made and the right responses come back). The issue is TCP Syn requests are NOT being established with remote hosts, then followed by bunch of TCP SYN resets (this tells the remote hosts to close the previous attempts and restart over), but those TCP Syn resets had no effect and therefore you experienced "drops". There's something NOT quite right with our setup at this moment, I'm looking deeper into the kernel sources to see if I can see something there. There's 1 unfortunate part is the ethernet driver from Broadcom is "closed" source.. so if the problem exists at that driver, then we are hosed.

 

[rgnldo]

The problem is lack of enough real RAM on AC86U. Whenever you swap, even with SSD, it's NOT fast enough to do "inline" IPS where the packet is intercepted as it come in and inspected against various rule then "copy" back out. If the system needs to rely on "swapping", the effects of this slowness will manifest as packet loss or "lag" in the connection. You want to do all these copy in ->inspect->copy out all in RAM where it's faster than you can notice and not drop packets.

So with 512MB on AC86U (and more than 1/2 of that is reserved for other critical system services), the constant swapping in/out to disk (SSD or HDD) will lead to packet loss and lag. So virtual memory via SWAP isn't ideal or option for Suricata (fun fact, if you disabled swap, Suricata won't even start and will tell you that you lack memory run it).


ON TOPIC: My internal beta testing of my settings from yesterday was inconsistent...on some instances, it would work flawlessly for almost 18 hours then experience large number of TCP_Fragment and packet loss, and on some instances the packet loss were immediate after a couple of minutes all without touching anything. I monitored the memory usage throughout and didn't notice the memory growth issues between 18 hours and 2 mins runs. I'm at a loss as to why it is NOT consistently reproducible. There's a running thread on Suricata's own issue tracker and that issue has been opened for more than 1 year and people are still reporting inconsistencies.

So for those of you experienced "drops", it's not a real "drop" based on rules, but it's a "failure to establish TCP connection" with the remote hosts. Based on my debugging with wireshark, it's NOT due to DNS failures of any sort (in fact you will see the DNS request made and the right responses come back). The issue is TCP Syn requests are NOT being established with remote hosts, then followed by bunch of TCP SYN resets (this tells the remote hosts to close the previous attempts and restart over), but those TCP Syn resets had no effect and therefore you experienced "drops". There's something NOT quite right with our setup at this moment, I'm looking deeper into the kernel sources to see if I can see something there. There's 1 unfortunate part is the ethernet driver from Broadcom is "closed" source.. so if the problem exists at that driver, then we are hosed.

That's what you mention, the lack of memory on the ARM routers makes any solution action along the lines of INLINE IPS unviable or in dual layer IPS mode
As I understand it, the HND router's a reserved memory cache. In IDS mode, just adding all the rules, we will have memory problems. Try to add all the rules in IDS mode.
It is probably a dedicated feature or module for VPN or Trend Micro.

 

[Mutzli]

That's what you mention, the lack of memory on the ARM routers makes any solution action along the lines of INLINE IPS unviable or in dual layer IPS mode
As I understand it, the HND router's a reserved memory cache. In IDS mode, just adding all the rules, we will have memory problems. Try to add all the rules in IDS mode.
It is probably a dedicated feature or module for VPN or Trend Micro.

I think the AX88U should have enough memory to handle Suricata as an IPS solution. With IPS on, my router shows 206MB free with Suricata using 521MB and unbound 106MB the rest is all small. A configuration script should probably recognize what router is being configured and set it to IDS or IPS depending on how much memory is available.

 

[rgnldo]

I think the AX88U should have enough memory

It tends to add all the rules.
@KW. How is the memory consumption on NETGEAR devices? Observe enabling all rules.

 

[KW.]

Right now I use the first Yaml you posted here some time ago. Do you want me to test another configuration?

I am happy to do that, just so I understand what you want to test

It tends to add all the rules.
@KW. How is the memory consumption on NETGEAR devices? Observe enabling all rules.

EDIT: Is it this you are interested in?

Mem: 886300K used, 144288K free, 0K shrd, 4924K buff, 26132K cached
Load average: 2.29 1.54 1.17
  PID USER     STATUS   NI   RSS  PPID %CPU %MEM COMMAND
18267 root     S        0  80664     1  1.1  7.8 Suricata-Main
 1430 root     S        0  84308     1  1.0  8.1 Suricata-Main
22539 root     S        0  65720     1  1.0  6.3 Suricata-Main
14895 root     S        0  58856     1  1.0  5.7 Suricata-Main
17732 root     S        0  84272     1  0.9  8.1 Suricata-Main
 4882 root     S        0   5340 28744  0.2  0.5 Plex DLNA Serve

 

[rgnldo]

Is it this you are interested in?

Your Suricata has four PID?

 

[heysoundude]

Your Suricata has four PID?

Look again - there are 5, totalling about 35% of memory! Something is definitely not right there...

 

[heysoundude]

The problem is lack of enough real RAM on AC86U. Whenever you swap, even with SSD, it's NOT fast enough to do "inline" IPS where the packet is intercepted as it come in and inspected against various rule then "copy" back out. If the system needs to rely on "swapping", the effects of this slowness will manifest as packet loss or "lag" in the connection. You want to do all these copy in ->inspect->copy out all in RAM where it's faster than you can notice and not drop packets.

So with 512MB on AC86U (and more than 1/2 of that is reserved for other critical system services), the constant swapping in/out to disk (SSD or HDD) will lead to packet loss and lag. So virtual memory via SWAP isn't ideal or option for Suricata (fun fact, if you disabled swap, Suricata won't even start and will tell you that you lack memory run it).

Real RAM (and enough of it) that is fast enough...ok, that makes sense. Thank you.

 

[KW.]

I am sorry but I don't have the knowledge to know what is "normal" about PID:s. I had to google it to even know what it means.

MY theory before was that the many PIDs was because suricata uses four cores. (But now I also notice it is five PIDS) But maybe I have installed many suricatas and need to clean the system? As I said I am using your Yaml, and I am happy how it works. I see it as a IDS and I like it very much. Thanks for the Yaml and instructions how to install that you shared!

EDIT: This morning I have six Suricata PIDS:

Mem: 837644K used, 192944K free, 0K shrd, 4224K buff, 28280K cached
Load average: 0.49 0.71 0.82
  PID USER     STATUS   NI   RSS  PPID %CPU %MEM COMMAND
22539 root     S        0  47412     1  0.5  4.5 Suricata-Main
14895 root     S        0  34140     1  0.5  3.3 Suricata-Main
29001 root     S        0  34080     1  0.5  3.3 Suricata-Main
17732 root     S        0  33724     1  0.5  3.2 Suricata-Main
18267 root     S        0  34044     1  0.5  3.2 Suricata-Main
 1430 root     S        0  33704     1  0.5  3.2 Suricata-Main

/opt/bin/suricata -T
24/8/2020 -- 08:44:56 - <Info> - Running suricata under test mode
24/8/2020 -- 08:44:56 - <Info> - Configuration node 'legacy' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
24/8/2020 -- 08:44:56 - <Notice> - This is Suricata version 4.1.8 RELEASE
24/8/2020 -- 08:44:56 - <Info> - CPUs/cores online: 4
24/8/2020 -- 08:44:57 - <Info> - fast output device (regular) initialized: fast.log
24/8/2020 -- 08:44:57 - <Info> - stats output device (regular) initialized: stats.log
24/8/2020 -- 08:44:57 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
24/8/2020 -- 08:44:57 - <Info> - Threshold config parsed: 0 rule(s) found
24/8/2020 -- 08:44:57 - <Info> - 3117 signatures processed. 214 are IP-only rules, 567 are inspecting packet payload, 2475 inspect application layer, 0 are decoder event only
24/8/2020 -- 08:44:58 - <Notice> - Configuration provided was successfully loaded. Exiting.
24/8/2020 -- 08:44:58 - <Info> - cleaning up signature grouping structure... complete

Your Suricata has four PID?

 

[Milan]

I am sorry but I don't have the knowledge to know what is "normal" about PID:s. I had to google it to even know what it means.

MY theory before was that the many PIDs was because suricata uses four cores. (But now I also notice it is five PIDS) But maybe I have installed many suricatas and need to clean the system? As I said I am using your Yaml, and I am happy how it works. I see it as a IDS and I like it very much. Thanks for the Yaml and instructions how to install that you shared!

EDIT: This morning I have six Suricata PIDS:

Mem: 837644K used, 192944K free, 0K shrd, 4224K buff, 28280K cached
Load average: 0.49 0.71 0.82
  PID USER     STATUS   NI   RSS  PPID %CPU %MEM COMMAND
22539 root     S        0  47412     1  0.5  4.5 Suricata-Main
14895 root     S        0  34140     1  0.5  3.3 Suricata-Main
29001 root     S        0  34080     1  0.5  3.3 Suricata-Main
17732 root     S        0  33724     1  0.5  3.2 Suricata-Main
18267 root     S        0  34044     1  0.5  3.2 Suricata-Main
1430 root     S        0  33704     1  0.5  3.2 Suricata-Main

/opt/bin/suricata -T
24/8/2020 -- 08:44:56 - <Info> - Running suricata under test mode
24/8/2020 -- 08:44:56 - <Info> - Configuration node 'legacy' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
24/8/2020 -- 08:44:56 - <Notice> - This is Suricata version 4.1.8 RELEASE
24/8/2020 -- 08:44:56 - <Info> - CPUs/cores online: 4
24/8/2020 -- 08:44:57 - <Info> - fast output device (regular) initialized: fast.log
24/8/2020 -- 08:44:57 - <Info> - stats output device (regular) initialized: stats.log
24/8/2020 -- 08:44:57 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
24/8/2020 -- 08:44:57 - <Info> - Threshold config parsed: 0 rule(s) found
24/8/2020 -- 08:44:57 - <Info> - 3117 signatures processed. 214 are IP-only rules, 567 are inspecting packet payload, 2475 inspect application layer, 0 are decoder event only
24/8/2020 -- 08:44:58 - <Notice> - Configuration provided was successfully loaded. Exiting.
24/8/2020 -- 08:44:58 - <Info> - cleaning up signature grouping structure... complete

PID means process ID. as you have possibly set a ratio threads per cpu to 1.5 in YAML config it means it will execute 1.5x CPU_COUNT processes + some administrative processes.
in my case, it is executing 8 threads ...

 

[vdemarco]

I believe that IPS mode via af_packet on FW is not possible.
via pcap, yes. No errors.
I think it has to do with the NIC driver´s compatibility
Viable and lightweight IPS mode is via NFQ netfilter, with iptables, in linux.
I removed rules that will give problems for less experienced users.

for tests:
run and verify. After return, ctrl +C.

suricata -c /opt/etc/suricata/suricata.yaml --af-packet --simulate-ips

%YAML 1.1
---

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "any"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"

# Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "29100"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"

# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
  - interface: -> WAN
#    threads: auto
#    defrag: no
#    cluster-type: cluster_flow
#    cluster-id: 98
#    copy-mode: ips
#    copy-iface: br0
#    tpacket-v3: no
#    ring-size: 2048
#    use-mmap: yes
  - interface: br0
#    threads: auto
#    defrag: no
#    cluster-type: cluster_flow
#    cluster-id: 97
#    copy-mode: ips
#    copy-iface: ppp0
#    tpacket-v3: no
#    ring-size: 2048
#    use-mmap: yes

# - interface: wl0.2

# IPS Mode Configuration
# PCAP
pcap:
- interface: auto
   checksum-checks: auto
   promisc: yes
   copy-mode: ips
   copy-iface: br0

- interface: br0
   checksum-checks: auto
   promisc: yes
   copy-mode: ips
   copy-iface: ppp0
# - interface: wl0.2
#   checksum-checks: auto
#   promisc: yes

pid-file: /opt/var/run/suricata.pid

#legacy:
#  uricontent: enabled

# default-packet-size: 1480
# max-pending-packets: 1024

# The default logging directory.
default-log-dir: /opt/var/log/suricata

stats:
  enabled: no
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
  decoder-events-prefix: "decoder.event"

# Configure the type of alert (and other) logging.
outputs:

# a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no

  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: yes
      filename: stats.log
      interval: 10
      append: no

  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice

  - drop:
      enabled: yes
      filename: drop.log
      append: yes
      filetype: regular

  - file-store:
      enabled: no
      log-dir: files
      force-magic: no

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      #force-hash: [md5]

  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      filetype: regular

  - eve-log:
      enabled: no
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
          tagged-packets: yes
          app-layer: true
          flow: true
          rule: true
          metadata: true
          raw: false

        - drop:
          alerts: yes
          flows: all

        # - http
        # - dns
        # - tls

# Magic file. The extension .mgc is added to the value here.
magic-file: /opt/share/misc/magic

detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000


# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.0

# Defrag settings:
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Flow settings:
flow:
  memcap: 32mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

# This option controls the use of vlan ids in the flow (and defrag)
# hashing.
vlan:
  use-for-tracking: true

# Specific timeouts for flows.
flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 64mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true

# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16554432

# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Logging configuration.  This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
logging:

  # This value is overriden by the SC_LOG_LEVEL env var.
  default-log-level: info

  # Define your logging outputs.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: no
      filename: /opt/var/log/suricata/suricata.log
  - syslog:
      enabled: no
      facility: off
  
default-rule-path: /opt/var/lib/suricata/rules

rule-files:
   - botcc.rules
   - botcc.portgrouped.rules
   - compromised.rules
   - drop.rules
   - dshield.rules
   - emerging-malware.rules
   - emerging-mobile_malware.rules
   - emerging-worm.rules
   - ciarmy.rules
   - emerging-attack_response.rules

classification-file: /opt/etc/suricata/classification.config
reference-config-file: /opt/etc/suricata/reference.config
threshold-file: /opt/etc/suricata/threshold.config

# action-order:
#   - pass
#   - drop
#   - reject
#   - alert

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    krb5:
      enabled: no # Requires rust
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
      dp: "[443,444,465,853,993,995]"

    dcerpc:
      enabled: yes
    ftp:
      enabled: no
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
          dp: 139, 445
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      request-flood: 500

      tcp:
       enabled: yes
       detection-ports:
          dp: 53
      udp:
       enabled: yes
       detection-ports:
         dp: 53
    http:
       enabled: yes
       memcap: 16108864

###########################################################################
# Configure libhtp.
libhtp:
    default-config:
      personality: IDS
      request-body-limit: 2mb
      response-body-limit: 2mb
      request-body-minimal-inspect-size: 32kb
      request-body-inspect-window: 4kb
      response-body-minimal-inspect-size: 32kb
      response-body-inspect-window: 4kb
      http-body-inline: auto
      double-decode-path: no
      double-decode-query: no
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes

coredump:
    max-dump: unlimited

# Suricata user pass through configuration

So i tried the above, got it to pass the test, but it loads up once, and will then never load up again.

Do i need a different version of suricata? i have 4.1.8, is there a newer version available?

 

[rgnldo]

Do i need a different version of suricata? i have 4.1.8, is there a newer version available?

for testing. Use the script installation.

 

[rgnldo]

@faux123 don't forget, i'm following your commits. Great job.

 

[faux123]

completely off-topic:

I got snort running in IPS mode using af_packet... testing right now... seems to be working okay so far without sudden drop in connections.. gonna let it brew for a while. The biggest drawback using snort is its single threaded (but from a packet inspection perspective, it's a lot simpler to do so than with multithreaded Suricata).

If snort in af_packet mode is working, then the issue must be with Suricata's af_packet implementation.. this is the one of the way to validate if the base Linux kernel af_packet is at fault or the application itself.

 

[Olivier L]

Hello, trying to get suricata working on my AX88U.
1- at router reboot, suricata is not launched. How to make it auto-start ?
2- Am I wrong if I say, with default conf Suricata is not blocking suspicious traffic, it only logs things ?
I am reading the doc, but this is huge. Do you know where I could find a suricata for dummies to learn things smoothly ?

 

[Mutzli]

I believe that IPS mode via af_packet on FW is not possible.
via pcap, yes. No errors.
I think it has to do with the NIC driver´s compatibility
Viable and lightweight IPS mode is via NFQ netfilter, with iptables, in linux.
I removed rules that will give problems for less experienced users.

Thank you @rgnldo for this configuration with IPS through pcap. This configuration is running now on my router that had problems with af-packet and IPS. It's running in pcap/IPS mode since Monday without any issues. I did make a couple of changes to get it to work. First one I had to add back the DNS_SERVERS: "[192.168.1.1]" under address-groups. It didn't load without that definition and second, under pcap: - interface and copy-iface should match your WAN interface. So here is the important first 1/3 of my suricata.yaml if anyone else want to try it out:

%YAML 1.1
---

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.1.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
  
# Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22" # your SSH port
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143" 

# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
  - interface: eth0  # your ->WAN
#    threads: 2
#    defrag: no
#    cluster-type: cluster_flow
#    cluster-id: 99
#    copy-mode: ips
#    copy-iface: br0
#    buffer-size: 3072
#    use-mmap: yes
#    tpacket-v3: yes
#    ring-size: 3072
  - interface: br0
#    threads: 2
#   cluster-id: 98
#   defrag: no
#   cluster-type: cluster_flow
#   copy-mode: ips
#   copy-iface: eth0
#   buffer-size: 3072
#   use-mmap: yes
#   tpacket-v3: yes
#   ring-size: 3072
#  - interface: wl0.2

# IPS Mode Configuration
# PCAP
pcap:
  - interface: eth0  # your ->WAN
    checksum-checks: auto
    promisc: yes
    copy-mode: ips
    copy-iface: br0
  - interface: br0
    checksum-checks: auto
    promisc: yes
    copy-mode: ips
    copy-iface: eth0  # your ->WAN

pid-file: /opt/var/run/suricata.pid
#legacy:
# uricontent: enabled

# max-pending-packets: 1024

I didn't remove any of the rules and left the rest of the file as is.

 

[Mutzli]

Hello, trying to get suricata working on my AX88U.
1- at router reboot, suricata is not launched. How to make it auto-start ?
2- Am I wrong if I say, with default conf Suricata is not blocking suspicious traffic, it only logs things ?
I am reading the doc, but this is huge. Do you know where I could find a suricata for dummies to learn things smoothly ?

1. Did you use the install script from page one?
2. Depends on how you configure Suricata. If you run it in IPS mode (see my post above) it will drop suspicious packets automatically. You can track this in fast.log and if you activate drop.log you'll see what packets have been dropped.

 

[Olivier L]

1. It worked and started automatically after the installation. But after reboot, no suricata thread in htop.

Also I am surprised to see lot of "ET POLICY External IP Lookup - checkip.dyndns.org". I use checkip.dyndns.org service to evaluate WAN IP (in the context of controlling VPN).

 

[Olivier L]

If I relaunch /jffs/addons/suricata/suricata_manager.sh install, I have :

26/8/2020 -- 18:17:51 - <Info> - Running suricata under test mode
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
26/8/2020 -- 18:17:51 - <Notice> - This is Suricata version 4.1.8 RELEASE
26/8/2020 -- 18:17:51 - <Info> - CPUs/cores online: 4
26/8/2020 -- 18:17:51 - <Info> - fast output device (regular) initialized: fast.log
26/8/2020 -- 18:17:57 - <Info> - stats output device (regular) initialized: stats.log
26/8/2020 -- 18:17:57 - <Info> - 20 rule files processed. 3119 rules successfully loaded, 0 rules failed
26/8/2020 -- 18:17:57 - <Info> - Threshold config parsed: 0 rule(s) found
26/8/2020 -- 18:17:57 - <Info> - 3119 signatures processed. 216 are IP-only rules, 567 are inspecting packet payload, 2475 inspect application layer, 0 are decoder event only
26/8/2020 -- 18:18:01 - <Notice> - Configuration provided was successfully loaded. Exiting.
26/8/2020 -- 18:18:01 - <Info> - cleaning up signature grouping structure... complete
 Starting suricata...              failed.