Suricata - IDS on AsusWRT Merlin

I also get:
May 7 09:24:28 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 7 09:23:27 RT-AX88U-8158 kernel: htb: htb qdisc 13: is non-work-conserving?
May 7 09:23:27 RT-AX88U-8158 kernel: htb: too many events!
Same error message on eth0.
 
I was getting this too. If you google for "kernel: htb: too many events!" you find a workaround.
 
Found the thread but couldn't figure out the workaround (something about kernel version? jumbo frames?). Can you share what the workaround is?
 
I can't find it now, but you basically have to echo a variable into /proc/* device to increase the event limit size.
 
What is the name of the infected Mac app? That's a big deal because most Mac users don't use anti-virus or analyze their network activity. Hopefully Apple is aware of it.
A fork of the Chromium browser, one of those projects that remove the codecs, sync, etc. In fact, it behaved like a trojan. But I believe it must be a compilation thing. As this was strange behavior, I uninstalled it.
I don't use antivirus either.
 
Hello!

I want to try Suricata!
What are the basic settings recommendations?
I have an AC86 router, openvpn client, skynet, unbound.
Should skynet and AI protection be disabled?
There are clients who connect to the internet through the wan interface and there are those who connect to the internet through the vpn interface.
Does suricata work in this form as well?
AI protection must be disabled.
Install and check.
 
I've installed Suricata, per the instructions in post #1.
Other than the "kernel: protocol 0800 is buggy" syslog message I don't see any errors.
Having used the install instructions/config in post #1, if Suricata detects something bad, what happens? Are packets/connections dropped automatically, or simply reported in fast.log?
 
Same error message on AC86U, Merlin 384.17.
 
Have you identified the WAN interface?
What services are installed on your router?
ntpmerlin
unbound
skynet (disabled, same error message)
2x openvpn client
It may work; the size of the swap file used will increase and the processor will work better. Because I enabled the HTTP log, when I looked at an HTTP page I saw the request in the log. However, if the OpenVPN client looked at the HTTP page it did not show in the log. Does the OpenVPN TUN interface bypass Suricata?! I read that it can handle multiple interfaces, but how?
 
Try commenting out this option, just to check:
Code:
# host-mode: auto
 
I set up a VPN. Works well.
Code:
May  8 08:44:43 dnsmasq-dhcp[20054]: DHCP, IP range 10.0.30.10 -- 10.0.30.50, lease time 1d
May  8 08:44:43 dnsmasq-dhcp[20054]: DHCPv6 stateless on br0
May  8 08:44:43 dnsmasq-dhcp[20054]: router advertisement on br0
May  8 08:44:43 dnsmasq-dhcp[20054]: DHCPv6 stateless on 2804:4474:201:bf::, constructed for br0
May  8 08:44:43 dnsmasq-dhcp[20054]: router advertisement on 2804:4474:201:bf::, constructed for br0
May  8 08:44:43 dnsmasq-dhcp[20054]: IPv6 router advertisement enabled
May  8 08:44:45 ovpn-client2[19753]: /sbin/route add -net 91.132.136.5 netmask 255.255.255.255 gw 45.71.172.2
May  8 08:44:45 ovpn-client2[19753]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
May  8 08:44:45 ovpn-client2[19753]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
May  8 08:44:45 ovpn-client2[19753]: Initialization Sequence Completed
May  8 08:45:19 wlceventd: WLCEVENTD wlceventd_proc_event(386): eth6: Deauth_ind 3C:BD:3E:57:D5:50, status: 0, reason: Disassociated due to inactivity (4)
May  8 08:45:19 wlceventd: WLCEVENTD wlceventd_proc_event(401): eth6: Disassoc 3C:BD:3E:57:D5:50, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72: SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:73: SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:79: SRC=0.0.0.0 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=181 MARK=0x8000000
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=190 MARK=0x8000000
May  8 08:45:51 S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
May  8 08:45:52 kernel: device ppp0 entered promiscuous mode
May  8 08:45:52 rgnldo: Started suricata from .
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72:SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:73: SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:79: SRC=0.0.0.0 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=181 MARK=0x8000000
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72: SRC=0.0.0.0 DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=190 MARK=0x8000000
 
Try configuring it in this mode:
Code:
# Runmode the engine should use.
runmode: autofp
autofp-scheduler: active-packets

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
  - interface: br0
    defrag: yes
    # use-mmap: yes

# netmap:
#   - interface: br0

The 'protocol is buggy' message still appears.
By the way, is af-packet:interface supposed to be eth0 or br0?
 
af-packet:interface supposed to be eth0 or br0
You must identify the listening interface for Suricata.
'protocol is buggy'
As I checked, this error is generated by malformed packets.
As my access is through ppp0, that is the interface used in Suricata.
 
Adaptive QoS off and the error message is gone! Trend Micro problem!
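For the questions earlier in the thread about which interface af-packet should listen on and whether the OpenVPN TUN interface bypasses Suricata, here is an added af-packet section (not from this thread or the installer in post #1) that listens on both the WAN and the OpenVPN client interfaces. The names ppp0, tun11 and tun12 are assumptions for a Merlin router with a PPPoE WAN and two OpenVPN clients; confirm them with `ip link` and `nvram get wan0_ifname` before use.

```yaml
# Added example, not the thread author's config. One af-packet entry per
# interface that carries traffic you want inspected. Each entry needs its
# own cluster-id; cluster_flow keeps both directions of a flow on one thread.
af-packet:
  - interface: ppp0        # assumed WAN interface for a PPPoE connection
    cluster-id: 99         # use eth0 (or wan0_ifname) for a DHCP/static WAN
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    threads: 1             # keep low on a router CPU
  - interface: tun11       # assumed OpenVPN client 1 interface
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    threads: 1
  - interface: tun12       # assumed OpenVPN client 2 interface
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    threads: 1
```

Without `copy-mode` an af-packet entry is a passive tap: matching rules produce alerts in fast.log and nothing is dropped, which answers the earlier IDS-versus-IPS question for the post #1 configuration.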
 