rgnldo
Very Senior Member
Let's define which ones to leave by default
remove some valid rules
I agree.
confusion
The problem is lack of enough real RAM on the AC86U. Whenever you swap, even with an SSD, it's NOT fast enough to do "inline" IPS, where the packet is intercepted as it comes in, inspected against various rules, then "copied" back out. If the system needs to rely on "swapping", the effects of this slowness will manifest as packet loss or "lag" in the connection. You want to do all of this copy in -> inspect -> copy out in RAM, where it's faster than you can notice and doesn't drop packets.
ok - doesn't the swap most of us install help? I'd have to check, but I seem to recall I've got 2GB set up for that that I've only seen get gently caressed when I've looked - does IPS look for more than that?
That's what you mention: the lack of memory on the ARM routers makes any solution along the lines of INLINE IPS unviable, or in dual-layer IPS mode.
So with 512MB on the AC86U (and more than 1/2 of that is reserved for other critical system services), the constant swapping in/out to disk (SSD or HDD) will lead to packet loss and lag. So virtual memory via SWAP isn't ideal or an option for Suricata (fun fact, if you disable swap, Suricata won't even start and will tell you that you lack the memory to run it).
ON TOPIC: My internal beta testing of my settings from yesterday was inconsistent... on some instances it would work flawlessly for almost 18 hours, then experience a large number of TCP_Fragment and packet loss, and on some instances the packet loss was immediate after a couple of minutes, all without touching anything. I monitored the memory usage throughout and didn't notice the memory growth issues between the 18-hour and 2-minute runs. I'm at a loss as to why it is NOT consistently reproducible. There's a running thread on Suricata's own issue tracker; that issue has been open for more than 1 year and people are still reporting inconsistencies.
So for those of you who experienced "drops", it's not a real "drop" based on rules, but a "failure to establish a TCP connection" with the remote hosts. Based on my debugging with Wireshark, it's NOT due to DNS failures of any sort (in fact you will see the DNS request made and the right responses come back). The issue is that TCP SYN requests are NOT being established with remote hosts, followed by a bunch of TCP SYN resets (this tells the remote hosts to close the previous attempts and start over), but those TCP SYN resets had no effect and therefore you experienced "drops". There's something NOT quite right with our setup at this moment; I'm looking deeper into the kernel sources to see if I can see something there. The one unfortunate part is that the ethernet driver from Broadcom is "closed" source, so if the problem exists in that driver, then we are hosed.
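The symptom described above (SYNs that never get a SYN-ACK, followed by resets) can be confirmed from a packet summary exported from Wireshark or tshark. The following is an added example, not code from the thread; the packet rows are constructed, with 203.0.113.5 standing in for a remote host.

```python
# Classify TCP connection attempts as completed or failed handshakes.
# Rows have the shape (time_s, src, sport, dst, dport, tcp_flags), the
# columns one would export from tshark; the sample below is constructed.
SAMPLE = [
    (0.000, "192.168.1.10", 51000, "203.0.113.5", 443, "S"),
    (1.002, "192.168.1.10", 51000, "203.0.113.5", 443, "S"),   # SYN retransmit
    (2.010, "192.168.1.10", 51000, "203.0.113.5", 443, "R"),   # client gives up
    (2.050, "192.168.1.10", 51001, "203.0.113.5", 443, "S"),
    (2.080, "203.0.113.5", 443, "192.168.1.10", 51001, "SA"),  # server answers
    (2.081, "192.168.1.10", 51001, "203.0.113.5", 443, "A"),
]


def classify_handshakes(rows):
    """Group packets by connection and decide whether each handshake completed.

    Key: (client, client_port, server, server_port), taken from the first SYN.
    Value: dict with 'syn_count', 'synack', 'rst' and a derived 'state'.
    """
    conns = {}
    for _t, src, sport, dst, dport, flags in rows:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == "S":                      # bare SYN: client initiates
            rec = conns.setdefault(fwd, {"syn_count": 0, "synack": False, "rst": False})
            rec["syn_count"] += 1
        elif flags == "SA" and rev in conns:  # server's SYN-ACK for a known attempt
            conns[rev]["synack"] = True
        elif "R" in flags:                    # reset from either side
            key = fwd if fwd in conns else rev
            if key in conns:
                conns[key]["rst"] = True
    for rec in conns.values():
        if rec["synack"]:
            rec["state"] = "established"
        elif rec["rst"]:
            rec["state"] = "reset_without_synack"   # the pattern the post describes
        else:
            rec["state"] = "unanswered"
    return conns


def handshake_failure_ratio(rows):
    """Fraction of connection attempts whose SYN was never answered."""
    conns = classify_handshakes(rows)
    if not conns:
        return 0.0
    failed = sum(1 for r in conns.values() if r["state"] != "established")
    return failed / len(conns)
```

A high ratio while DNS answers still arrive points at the inline packet path rather than at name resolution, which is the distinction the post draws.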
I think the AX88U should have enough memory to handle Suricata as an IPS solution. With IPS on, my router shows 206MB free, with Suricata using 521MB and unbound 106MB; the rest is all small. A configuration script should probably recognize which router is being configured and set it to IDS or IPS depending on how much memory is available.
As I understand it, the HND router has a reserved memory cache. In IDS mode, just adding all the rules, we will have memory problems. Try to add all the rules in IDS mode.
It is probably a dedicated feature or module for VPN or Trend Micro.
It tends to add all the rules.
@KW. How is the memory consumption on NETGEAR devices? Observe enabling all rules.
Mem: 886300K used, 144288K free, 0K shrd, 4924K buff, 26132K cached
Load average: 2.29 1.54 1.17
PID USER STATUS NI RSS PPID %CPU %MEM COMMAND
18267 root S 0 80664 1 1.1 7.8 Suricata-Main
1430 root S 0 84308 1 1.0 8.1 Suricata-Main
22539 root S 0 65720 1 1.0 6.3 Suricata-Main
14895 root S 0 58856 1 1.0 5.7 Suricata-Main
17732 root S 0 84272 1 0.9 8.1 Suricata-Main
4882 root S 0 5340 28744 0.2 0.5 Plex DLNA Serve
Your Suricata has four PIDs?
Is it this you are interested in?
Look again - there are 5, totalling about 35% of memory! Something is definitely not right there...
Your Suricata has four PIDs?
Mem: 837644K used, 192944K free, 0K shrd, 4224K buff, 28280K cached
Load average: 0.49 0.71 0.82
PID USER STATUS NI RSS PPID %CPU %MEM COMMAND
22539 root S 0 47412 1 0.5 4.5 Suricata-Main
14895 root S 0 34140 1 0.5 3.3 Suricata-Main
29001 root S 0 34080 1 0.5 3.3 Suricata-Main
17732 root S 0 33724 1 0.5 3.2 Suricata-Main
18267 root S 0 34044 1 0.5 3.2 Suricata-Main
1430 root S 0 33704 1 0.5 3.2 Suricata-Main
/opt/bin/suricata -T
24/8/2020 -- 08:44:56 - <Info> - Running suricata under test mode
24/8/2020 -- 08:44:56 - <Info> - Configuration node 'legacy' redefined.
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
24/8/2020 -- 08:44:56 - <Notice> - This is Suricata version 4.1.8 RELEASE
24/8/2020 -- 08:44:56 - <Info> - CPUs/cores online: 4
24/8/2020 -- 08:44:57 - <Info> - fast output device (regular) initialized: fast.log
24/8/2020 -- 08:44:57 - <Info> - stats output device (regular) initialized: stats.log
24/8/2020 -- 08:44:57 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
24/8/2020 -- 08:44:57 - <Info> - Threshold config parsed: 0 rule(s) found
24/8/2020 -- 08:44:57 - <Info> - 3117 signatures processed. 214 are IP-only rules, 567 are inspecting packet payload, 2475 inspect application layer, 0 are decoder event only
24/8/2020 -- 08:44:58 - <Notice> - Configuration provided was successfully loaded. Exiting.
24/8/2020 -- 08:44:58 - <Info> - cleaning up signature grouping structure... complete
Your Suricata has four PIDs?
PID means process ID. As you have possibly set a ratio of threads per CPU to 1.5 in the YAML config, it means it will execute 1.5x CPU_COUNT processes + some administrative processes.
I am sorry but I don't have the knowledge to know what is "normal" about PIDs. I had to google it to even know what it means.
My theory before was that the many PIDs were because Suricata uses four cores. (But now I also notice it is five PIDs.) But maybe I have installed many Suricatas and need to clean the system? As I said, I am using your YAML, and I am happy with how it works. I see it as an IDS and I like it very much. Thanks for the YAML and the instructions on how to install it that you shared!
EDIT: This morning I have six Suricata PIDs:
I believe that IPS mode via af_packet on FW is not possible.
via pcap, yes. No errors.
I think it has to do with the NIC driver's compatibility.
Viable and lightweight IPS mode is via NFQ netfilter, with iptables, in linux.
I removed rules that will give problems for less experienced users.
for tests:
run and verify. After it returns, Ctrl+C.
Bash:
suricata -c /opt/etc/suricata/suricata.yaml --af-packet --simulate-ips
YAML:
%YAML 1.1
---
# Holds variables that would be used by the engine.
vars:
  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "any"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "29100"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"
# Runmode the engine should use.
runmode: workers
# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto
# Linux high speed capture support
af-packet:
  - interface: -> WAN
  # threads: auto
  # defrag: no
  # cluster-type: cluster_flow
  # cluster-id: 98
  # copy-mode: ips
  # copy-iface: br0
  # tpacket-v3: no
  # ring-size: 2048
  # use-mmap: yes
  - interface: br0
  # threads: auto
  # defrag: no
  # cluster-type: cluster_flow
  # cluster-id: 97
  # copy-mode: ips
  # copy-iface: ppp0
  # tpacket-v3: no
  # ring-size: 2048
  # use-mmap: yes
  # - interface: wl0.2
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes
    copy-mode: ips
    copy-iface: br0
  - interface: br0
    checksum-checks: auto
    promisc: yes
    copy-mode: ips
    copy-iface: ppp0
  # - interface: wl0.2
  #   checksum-checks: auto
  #   promisc: yes
pid-file: /opt/var/run/suricata.pid
#legacy:
#  uricontent: enabled
# default-packet-size: 1480
# max-pending-packets: 1024
# The default logging directory.
default-log-dir: /opt/var/log/suricata
stats:
  enabled: no
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
  decoder-events-prefix: "decoder.event"
# Configure the type of alert (and other) logging.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      filetype: regular
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal
  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes
  - tls-store:
      enabled: no
      certs-log-dir: certs
  - stats:
      enabled: yes
      filename: stats.log
      interval: 10
      append: no
  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice
  - drop:
      enabled: yes
      filename: drop.log
      append: yes
      filetype: regular
  - file-store:
      enabled: no
      log-dir: files
      force-magic: no
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      #force-hash: [md5]
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      filetype: regular
  - eve-log:
      enabled: no
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json
      types:
        - alert:
            tagged-packets: yes
            app-layer: true
            flow: true
            rule: true
            metadata: true
            raw: false
        - drop:
            alerts: yes
            flows: all
        # - http
        # - dns
        # - tls
# Magic file. The extension .mgc is added to the value here.
magic-file: /opt/share/misc/magic
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.0
# Defrag settings:
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60
# Flow settings:
flow:
  memcap: 32mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5
# This option controls the use of vlan ids in the flow (and defrag)
# hashing.
vlan:
  use-for-tracking: true
# Specific timeouts for flows.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 64mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true
# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16554432
# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
logging:
  # This value is overriden by the SC_LOG_LEVEL env var.
  default-log-level: info
  # Define your logging outputs.
  outputs:
    - console:
        enabled: no
    - file:
        enabled: no
        filename: /opt/var/log/suricata/suricata.log
    - syslog:
        enabled: no
        facility: off
default-rule-path: /opt/var/lib/suricata/rules
rule-files:
  - botcc.rules
  - botcc.portgrouped.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-malware.rules
  - emerging-mobile_malware.rules
  - emerging-worm.rules
  - ciarmy.rules
  - emerging-attack_response.rules
classification-file: /opt/etc/suricata/classification.config
reference-config-file: /opt/etc/suricata/reference.config
threshold-file: /opt/etc/suricata/threshold.config
# action-order:
#   - pass
#   - drop
#   - reject
#   - alert
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    krb5:
      enabled: no # Requires rust
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: "[443,444,465,853,993,995]"
    dcerpc:
      enabled: yes
    ftp:
      enabled: no
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 16108864
      ###########################################################################
      # Configure libhtp.
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 2mb
          response-body-limit: 2mb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 32kb
          response-body-inspect-window: 4kb
          http-body-inline: auto
          double-decode-path: no
          double-decode-query: no
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes
coredump:
  max-dump: unlimited
# Suricata user pass through configuration
for testing. Use the script installation.
Do I need a different version of Suricata? I have 4.1.8; is there a newer version available?
Thank you @rgnldo for this configuration with IPS through pcap. This configuration is running now on my router that had problems with af-packet and IPS. It's been running in pcap/IPS mode since Monday without any issues. I did make a couple of changes to get it to work. First, I had to add back the DNS_SERVERS: "[192.168.1.1]" under address-groups. It didn't load without that definition, and second, under pcap: - interface and copy-iface should match your WAN interface. So here is the important first 1/3 of my suricata.yaml if anyone else wants to try it out:
I believe that IPS mode via af_packet on FW is not possible.
%YAML 1.1
---
# Holds variables that would be used by the engine.
vars:
  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.1.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22" # your SSH port
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"
# Runmode the engine should use.
runmode: workers
# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto
# Linux high speed capture support
af-packet:
  - interface: eth0 # your ->WAN
  # threads: 2
  # defrag: no
  # cluster-type: cluster_flow
  # cluster-id: 99
  # copy-mode: ips
  # copy-iface: br0
  # buffer-size: 3072
  # use-mmap: yes
  # tpacket-v3: yes
  # ring-size: 3072
  - interface: br0
  # threads: 2
  # cluster-id: 98
  # defrag: no
  # cluster-type: cluster_flow
  # copy-mode: ips
  # copy-iface: eth0
  # buffer-size: 3072
  # use-mmap: yes
  # tpacket-v3: yes
  # ring-size: 3072
  # - interface: wl0.2
# IPS Mode Configuration
# PCAP
pcap:
  - interface: eth0 # your ->WAN
    checksum-checks: auto
    promisc: yes
    copy-mode: ips
    copy-iface: br0
  - interface: br0
    checksum-checks: auto
    promisc: yes
    copy-mode: ips
    copy-iface: eth0 # your ->WAN
pid-file: /opt/var/run/suricata.pid
#legacy:
#  uricontent: enabled
# max-pending-packets: 1024
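Both YAML files in this thread (rgnldo's pcap/IPS configuration and the adapted copy above) hinge on two details the poster had to fix by hand: every variable a rule references must exist under vars, and the two pcap entries must mirror each other (WAN <-> br0). The following checker is an added example, not code from the thread or from Suricata; it assumes the YAML has already been loaded into a dict (e.g. with PyYAML's safe_load), and uses a reduced copy of the values above plus constructed rule lines.

```python
import re

# Reduced, constructed copy of the configuration above (only the keys the
# checks need). SMTP_SERVERS is deliberately left out to show the check firing.
CONFIG = {
    "vars": {
        "address-groups": {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "any",
                           "DNS_SERVERS": "[192.168.1.1]", "HTTP_SERVERS": "$HOME_NET"},
        "port-groups": {"HTTP_PORTS": "80", "SSH_PORTS": "22"},
    },
    "pcap": [
        {"interface": "eth0", "copy-mode": "ips", "copy-iface": "br0"},
        {"interface": "br0", "copy-mode": "ips", "copy-iface": "eth0"},
    ],
}

# Constructed rule lines in Suricata syntax; a rule file that references an
# undefined variable makes the whole configuration fail to load.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"sample"; sid:1;)',
    'alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"sample dns"; sid:2;)',
    'alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"sample smtp"; sid:3;)',
]

VAR_RE = re.compile(r"\$([A-Z0-9_]+)")


def undefined_rule_vars(config, rules):
    """Return, sorted, every $VARIABLE the rules use that vars: does not define."""
    groups = config["vars"]
    defined = set(groups.get("address-groups", {})) | set(groups.get("port-groups", {}))
    used = {name for line in rules for name in VAR_RE.findall(line)}
    return sorted(used - defined)


def pcap_ips_problems(config):
    """Check the inline pcap pairing: each entry must run in copy-mode ips, its
    copy-iface must itself be a captured interface, and the peer must copy back."""
    problems = []
    entries = config.get("pcap", [])
    by_iface = {e["interface"]: e for e in entries}
    for e in entries:
        if e.get("copy-mode") != "ips":
            problems.append(f"{e['interface']}: copy-mode is not 'ips'")
            continue
        peer = by_iface.get(e.get("copy-iface"))
        if peer is None:
            problems.append(f"{e['interface']}: copy-iface {e.get('copy-iface')!r} is not captured")
        elif peer.get("copy-iface") != e["interface"]:
            problems.append(f"{e['interface']} -> {peer['interface']} is not mirrored back")
    return problems
```

Running both checks before `suricata -T` turns the "didn't load without that definition" surprise into a named variable and a named interface.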
1. Did you use the install script from page one?
Hello, trying to get Suricata working on my AX88U.
1- at router reboot, suricata is not launched. How to make it auto-start ?
2- Am I wrong if I say, with default conf Suricata is not blocking suspicious traffic, it only logs things ?
I am reading the doc, but this is huge. Do you know where I could find a suricata for dummies to learn things smoothly ?
26/8/2020 -- 18:17:51 - <Info> - Running suricata under test mode
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
26/8/2020 -- 18:17:51 - <Notice> - This is Suricata version 4.1.8 RELEASE
26/8/2020 -- 18:17:51 - <Info> - CPUs/cores online: 4
26/8/2020 -- 18:17:51 - <Info> - fast output device (regular) initialized: fast.log
26/8/2020 -- 18:17:57 - <Info> - stats output device (regular) initialized: stats.log
26/8/2020 -- 18:17:57 - <Info> - 20 rule files processed. 3119 rules successfully loaded, 0 rules failed
26/8/2020 -- 18:17:57 - <Info> - Threshold config parsed: 0 rule(s) found
26/8/2020 -- 18:17:57 - <Info> - 3119 signatures processed. 216 are IP-only rules, 567 are inspecting packet payload, 2475 inspect application layer, 0 are decoder event only
26/8/2020 -- 18:18:01 - <Notice> - Configuration provided was successfully loaded. Exiting.
26/8/2020 -- 18:18:01 - <Info> - cleaning up signature grouping structure... complete
Starting suricata... failed.