Suricata Suricata - IDS on AsusWRT Merlin

Sounds interesting and like a severe security upgrade for the Asus routers. Speaking for myself: I think you need to communicate a little bit better, for the people to understand. Thanks for the work so far.
You're right. I don't usually post something that I can't support. There were requests to organize the posting. I count on the Linux knowledge of others.
 
I recommend installing on a HND router.

The rules that I have enabled are enough to obtain good functioning.

Yes, tested.

(Apologize in advance, rgnldo - I'm a newbie) -

1. I'm guessing an HND router is "Home Network Defender" <http://store.trendmicro.com/store/trendoem/en_US/pd/ThemeID.1268200/productID.109041900> !?

If this is true, ISTM asuswrt-merlin routers can provide the other components of HND except for a sophisticated anti-virus? And if you got it working on an Asus, you got 99% of the battle :)

So does your HND recommendation remain compelling???

(IIRC, Snort has optional virus/trojan signatures (likely not as good as a dedicated Trend AV/AT), which makes me wonder if suricata has them as well? I'm guessing suricata uses Snort signatures!?)

2. For testing and contrasting suricata with AiProtect, I was hoping that you or Milan had activated suricata and deactivated AiProtect; gone to https://nmap.online/ and/or https://nikto.online/ and launched an attack against himself, noting the response from Suricata.

Then repeat those attacks but with AiProtect active and suricata deactivated, noting the AiProtect response and comparing it with suricata.

Perhaps you have done this type of test on an Asus router??

(I'm guessing that AiProtect is a networked Snort processor.)

Again, TIA
 
Right now I have Suricata and Skynet. Seems redundant, should I just turn Skynet off? I think I will and see what happens.
 
I use only the drop snort and suricata rules
 
What are the drop snort rules? I followed your first post and set up all of the Suricata rules.
That's enough. But you can add snort rules. As you have an AX88U, it pays to add some of the snort. Get to know the Suricata first.
 
How about the router server with Slackware Linux in a mini box? My AC86U will only be wireless antennas.
 

IIUC:

1. Skynet blocks access to known evil addresses, and uses standard, built-in iptables tests to block bad inbound packets.
2. Suricata analyzes the internal structure of packets to a greater degree; looks for packet timing tricks; suspicious packet signatures; and other things I've long forgotten. These are "flagged" unless you're using a "drop" feature which will additionally drop the connection and optionally block connection to that address for a configurable period of time.

So they are not mutually exclusive (though Suricata may optionally have a set of rules that lists known evil sites, but likely not to the degree of Skynet.)

But please do run the test and let us know :)
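As an added illustration of the flagged-versus-dropped distinction in point 2 (example code, not from the thread): a small triage of Suricata's EVE JSON log, assuming the usual eve.json output where each alert carries alert.action of "allowed" (rule only flagged the packet) or "blocked" (a drop rule fired). The log lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed eve.json lines in Suricata's EVE JSON shape (not from the
# thread); addresses, sid and signature text are made up.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.155","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"LOCAL constructed SSH scan","severity":2}}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.155","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"signature":"LOCAL constructed SSH scan","severity":2}}
{"event_type":"flow","src_ip":"10.0.0.20","dest_ip":"10.0.0.1","proto":"UDP"}
not json at all
"""

def summarize_alerts(eve_text):
    """Count EVE alert events per signature, split by action.

    'allowed' means the rule only flagged the packet (alert/IDS mode);
    'blocked' means a drop rule fired (IPS mode). Non-alert events
    (flow, dns, ...) and malformed lines are skipped and counted.
    """
    per_sig = defaultdict(Counter)
    sources = Counter()
    skipped = 0
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        if ev.get('event_type') != 'alert':
            continue
        a = ev['alert']
        per_sig[a['signature']][a.get('action', 'allowed')] += 1
        sources[ev['src_ip']] += 1
    return {'by_signature': {s: dict(c) for s, c in per_sig.items()},
            'top_sources': sources.most_common(5),
            'skipped_lines': skipped}

if __name__ == '__main__':
    # Point this at the real eve.json path of your install to triage it.
    print(json.dumps(summarize_alerts(SAMPLE_EVE), indent=2))
```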
 
I ran that test but didn't see anything in any of the logs. I am happy to test out anything. Those tests really check for open ports. The only ports I really have open are ssh.
 
Has your throughput suffered?

I currently run Skynet and Diversion and really, I mean really like what they're providing. I was running a custom mini ITX i7m with Suricata with really good success, but the family always had some special website they wanted to go to and couldn't get there. So I was constantly white-listing. I found the Skynet/Diversion combination to be a really good solution. Now that Suricata looks like it can run on Asus hardware, I'm going to take another look at it.

Thank you for your efforts on this, @rgnldo.

edit, I should have said really appreciate your efforts. I don't think I got enough 'really's' in there!
 
.... I found the Skynet/Diversion combination to be a really good solution. Now that Suricata looks like it can run on Asus hardware, I'm going to take another look at it....

Ditto here; I really like the Skynet/Diversion combination.

But IF I were to connect to a hostile site Suricata might well intervene. And given the Suricata manual seems very-well written, it's worth experimenting with.
 
... the only ports i really have open are ssh...

Not my business, but IMHO open ports are an invitation for mischief. Consider "Port Knocking" to keep them stealth 'til you want access, or alternatively have them disappear for an hour after three unsuccessful log in attempts.

These defenses would be in addition to Skynet/Suricata.
 
My ssh port is normally open, but now after doing a port scan, I can't ssh into the network. (I know it's an invitation, I am okay with that.)

So the question is, does Suricata block ssh by default?
 
Excellent description. Very technical
 
Did you set up your WAN?
on:
af-packet:
  - interface: -> your WAN interface
 
I think I have it correct, here are some pieces of the yaml file:

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[10.0.0.0/16]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[10.0.0.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "[10.0.0.155]"

# Linux high speed capture support
af-packet:
  - interface: eth0
    defrag: yes
    use-mmap: yes
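A sanity check of the points this exchange is about (is af-packet bound to the WAN interface, is HOME_NET defined, does SSH_SERVERS fall inside it), as an added Python example that is not from the thread. It reads the yaml fragment with a small regex rather than a YAML library, and assumes the caller supplies the WAN interface name (on Asuswrt-Merlin, `nvram get wan0_ifname` is the usual source); the sample config is constructed in the shape of the one posted above.

```python
import re
import ipaddress
# Constructed sample in the shape of the suricata.yaml fragment posted above
# (indentation restored); it is not the poster's full file.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/16]"
    EXTERNAL_NET: "any"
    SSH_SERVERS: "[10.0.0.155]"
af-packet:
  - interface: eth0
    defrag: yes
    use-mmap: yes
"""

def scalar(text, key):
    """First 'key: value' scalar for key in text, quotes stripped, else None."""
    m = re.search(r'^\s*-?\s*' + re.escape(key) + r':\s*"?([^"\n]*?)"?\s*$',
                  text, re.M)
    return m.group(1).strip() if m else None

def networks(group):
    """'[10.0.0.0/16, 10.1.0.0/24]' -> ip_network list; 'any' or None -> []."""
    if group is None or group.strip('[] ') == 'any':
        return []
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in group.strip('[] ').split(',') if p.strip()]

def check_config(yaml_text, wan_ifname):
    """Return the problems a reviewer would flag; an empty list means OK."""
    problems = []
    iface = scalar(yaml_text, 'interface')
    if iface != wan_ifname:
        problems.append(f'af-packet interface is {iface!r}, WAN is {wan_ifname!r}')
    home = networks(scalar(yaml_text, 'HOME_NET'))
    if not home:
        problems.append('HOME_NET is "any": rules cannot tell inside from outside')
    ssh = scalar(yaml_text, 'SSH_SERVERS')
    if ssh and ssh.strip('[] ') != '$HOME_NET':
        for n in networks(ssh):
            if not any(n.subnet_of(h) for h in home if n.version == h.version):
                problems.append(f'SSH_SERVERS entry {n} is outside HOME_NET')
    return problems

if __name__ == '__main__':
    # Assumption: WAN name as printed by `nvram get wan0_ifname`; 'eth0' is constructed.
    for p in check_config(SAMPLE_YAML, 'eth0'):
        print('WARN:', p)
```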
 
