Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

This was my primary concern, it would be asking too much of a small processor to provide real time reactionary data to a complex Aanval type interface.

For professional and infrastructure monitoring, it is essential. There are already cloud services.

When I was a child in the 60s and 70s, I judged how cool a car was not by the body or engine, but by the dash and how much data it reported to the driver. Some things never change

Liked it

 

[joe scian]

For professional and infrastructure monitoring, it is essential. There are already cloud services.

Liked it

I have seen 6 of these in last week targeting Port 123 NTP Server. I have the emerging-dos.rules files enabled. Has anyone else seen these in fast.log? Perhaps we could all share examples of hits with the various rules files you have enabled. It would make for an interesting list of what these rules files are good at capturing.

01/01/1970-11:00:00.761397  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 51.254.124.181:50723 -> 000.000.00.000:123

 

[rgnldo]

I have seen 6 of these in last week targeting Port 123 NTP Server. I have the emerging-dos.rules files enabled

Great. I found an attempted trojan in an application installed here on my Mac. I identified and uninstalled it. Note, adding rules increases memory consumption. The emerging-dos.rules rule does not consume as much memory.

 

[mike37]

..... Perhaps we could all share examples of hits with the various rules files you have enabled....

YES...good idea! (I expect to get going with suricata this weekend and will be doing some comparisons with AiProtections).

It would make for an interesting list of what these rules files are good at capturing.

01/01/1970-11:00:00.761397  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 51.254.124.181:50723 -> 000.000.00.000:123

My guess is that an old Trojan is again active. It's UDP so the probe can't really be blocked. It would become concerning if your box actually started responding to this probe - an event that is likely detected by another rule (which I don't have time to look for now).

https://isc.sans.edu/diary/NTP+reflection+attack/17300

https://securityaffairs.co/wordpres...ime-protocol-ntp-reflection-ddos-attacks.html

 

[vdemarco]

I tried to turn on emerging-dos.rules rules and suricata crashed right away. I am pretty sure its running out of memory.

So i have time machine running and i have a 2GB swap file configured.

Should i increase the swap to 4GB?? not really sure.

 

[rgnldo]

I tried to turn on emerging-dos.rules rules and suricata crashed right away

Is it organized in order? If it is not in order, it will give error.

rule-files:
   - botcc.rules
   - botcc.portgrouped.rules
   - emerging-worm.rules
   - compromised.rules
   - drop.rules
   - dshield.rules
   - emerging-malware.rules
   - emerging-misc.rules
   - emerging-dos.rules
   - emerging-dns.rules

I updated suricata.yaml

 

[mike37]

I tried to turn on emerging-dos.rules rules and suricata crashed right away. I am pretty sure its running out of memory.

So i have time machine running and i have a 2GB swap file configured.

Should i increase the swap to 4GB?? not really sure.

Understanding that I am a newbie around here and just beginning to exercise suricata:

1. The log directory accumulates a lot of stuff fast (especially suricata.log and eve.json) and appears to keep them 'til you purge. So I regularly/frequently remove all files in /tmp/mnt/sda1/entware/var/log/suricata - keeping the 2 directories in there.

(FWIW, I'm guessing that I'll eventually lose all of those files and use a log reader to display new additions to a warning/alert log - once I figure out which rules to use and log(s) to monitor)

2. swap file!? Don't recall setting it for suricata. Don't know where that is; please advise.
If that is some unbounded file on the USB, FWIW I'm using the fastest 32G USB I could find a year+ ago. Today they're bigger, cheaper, and faster.

 

[mike37]

Great. I found an attempted trojan in an application installed here on my Mac. I identified and uninstalled it. .....

How did you identify the Mac application?

1. e.g. did securicata start popping up warnings immediately after you installed it? Or perhaps whenever you used it? Perhaps a signature update to an AV/AT?

2. Which suricata rule file and rule found it?

TIA

 

[vdemarco]

Understanding that I am a newbie around here and just beginning to exercise suricata:

1. The log directory accumulates a lot of stuff fast (especially suricata.log and eve.json) and appears to keep them 'til you purge. So I regularly/frequently remove all files in /tmp/mnt/sda1/entware/var/log/suricata - keeping the 2 directories in there.

(FWIW, I'm guessing that I'll eventually lose all of those files and use a log reader to display new additions to a warning/alert log - once I figure out which rules to use and log(s) to monitor)

2. swap file!? Don't recall setting it for suricata. Don't know where that is; please advise.
If that is some unbounded file on the USB, FWIW I'm using the fastest 32G USB I could find a year+ ago. Today they're bigger, cheaper, and faster.

I set it up when i was using skynet, i set up a 2GB swapfile with amtm (installed on the firmware)

 

[vdemarco]

Is it organized in order? If it is not in order, it will give error.

rule-files:
   - botcc.rules
   - botcc.portgrouped.rules
   - emerging-worm.rules
   - compromised.rules
   - drop.rules
   - dshield.rules
   - emerging-malware.rules
   - emerging-misc.rules
   - emerging-dos.rules
   - emerging-dns.rules

I updated suricata.yaml

THanks that fixed it.

Vince

 

[rgnldo]

Which suricata rule file and rule found it?

04/26/2020-10:48:59.208024  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>
04/26/2020-18:50:29.049005  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>

At the end of the lines is my Mac IP.

suricata.log do not find it useful.
http.log is a little useful to check the operation.
In particular, I recommend fast.log and stats.log enabled.

 

[rgnldo]

It promises much the next versions of Suricata. Version 5 already has different rules. I believe that the much dreamed of adblock solution by the Suricata engine is coming.

I've been experimenting with version 5 of Suricata in another environment.

 

[joe scian]

04/26/2020-10:48:59.208024  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>
04/26/2020-18:50:29.049005  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>

At the end of the lines is my Mac IP.

suricata.log do not find it useful.
http.log is a little useful to check the operation.
In particular, I recommend fast.log and stats.log enabled.

Rgnldo - you have still not mentioned the rules file - Can we assume it was "emerging-trojan.rules"? Also you need to update your 1st post

from step 1
nano /opt/var/lib/suricata/rules/upd_rules_suricata.sh

to
step 1
nano /opt/var/lib/suricata/rules/updates_rules_suricata.sh

 

[joe scian]

When choosing certain rules - eg emerging-trojan.rules and emerging-attack_response.rules I get the following warning messages
Is this anything to be concerned over?

7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 2 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 15 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2018103 and 6 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2017670 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2018428 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.eduphish' is checked but not set. Checked in 2025114 and 0 other sigs

 

[rgnldo]

"emerging-trojan.rules"

emerging-trojan.rules consumes a lot of memory. emerging-malware.rules does the necessary service.
The rules that listed by default are enough for home router use.
See: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules

I get the following warning messages

See: https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html

nano /opt/var/lib/suricata/rules/updates_rules_suricata.sh

Fixed.

I appreciate the cooperation.

 

[glehel]

Hello!

I want to try Suricata!
What are the basic settings recommendations?
I have an AC86 router, openvpn client, skynet, unbound.
Should skynet and AI protection be disabled?
There are clients who connect to the internet through the wan interface and there are those who connect to the internet through the vpn interface.
Does suricata work in this form as well?

 

[Zonkd]

How did you identify the Mac application?

1. e.g. did securicata start popping up warnings immediately after you installed it? Or perhaps whenever you used it? Perhaps a signature update to an AV/AT?

2. Which suricata rule file and rule found it?
TIA

@mike37 that was going to be my question

@rgnldo what is name of the infected Mac app? That’s a big deal because most Mac users don’t use anti-virus or analyze their network activity. Hopefully Apple is aware of it.

 

[XIII]

What is name of the infected Mac app? That’s a big deal because most Mac users don’t use anti-virus or analyze their network activity. Hopefully Apple is aware of it.

Wouldn't the OS built-in GateKeeper block it if they already knew?

https://support.apple.com/en-us/HT202491

 

[ugandy]

i also get:
May 7 09:24:28 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 7 09:23:27 RT-AX88U-8158 kernel: htb: htb qdisc 13: is non-work-conserving?
May 7 09:23:27 RT-AX88U-8158 kernel: htb: too many events!

 

[glehel]

ifconfig gives:
what could this be bcmsw? if i set this it doesn't give an error but i can't work it?

bcmsw Link encap:Ethernet HWaddr 0x:xx:9x:xx:6x:x0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:285610 errors:0 dropped:0 overruns:0 frame:0
TX packets:142268 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:115225126 (109.8 MiB) TX bytes:481394973 (459.0 MiB)
Base address:0xffff

br0 Link encap:Ethernet HWaddr 0x:xx:9x:xx:6x:x0
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:49201 errors:0 dropped:34 overruns:0 frame:0
TX packets:87882 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6274447 (5.9 MiB) TX bytes:360403519 (343.7 MiB)

eth0 Link encap:Ethernet HWaddr 0x:xx:9x:xx:6x:x0
inet addr:8x.2xx.x8.1xx Bcast:8x.xx2.xx.2x5 Mask:255.255.254.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:184285 errors:0 dropped:0 overruns:0 frame:0
TX packets:24116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:100230287 (95.5 MiB) TX bytes:4552371 (4.3 MiB)