Suricata Suricata - IDS on AsusWRT Merlin

[ttgapers]

is there a recommended viewer type for this json log, other than regular text editor?

For now using text editor...

Got one hit:

05/09/2020-16:42:00.633825  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 213.202.208.198:39459 -> xxx.xxx.xxx.xxx:123

 

[joe scian]

I have 10 of those DDOS NTP Port 123 attacks in last 2 weeks. All but 1 of those IP Addresses were already blocked by SKYNET. I banned that 1 remaining IP using SKYNET Ban IP.

 

[rgnldo]

The Suricata is doing its job. There is no need for other procedures. It will be dropped by Suricata. Engine is powerful and smart.

 

[mike37]

For now using text editor...

Got one hit:

05/09/2020-16:42:00.633825  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 213.202.208.198:39459 -> xxx.xxx.xxx.xxx:123

Which log and/or json did you find this in?

 

[mike37]

I have 10 of those DDOS NTP Port 123 attacks in last 2 weeks. All but 1 of those IP Addresses were already blocked by SKYNET. I banned that 1 remaining IP using SKYNET Ban IP.

Joe, Which log and/or json did you find this in?

 

[ttgapers]

Which log and/or json did you find this in?

fast and eve...

 

[mike37]

The Suricata is doing its job. There is no need for other procedures. It will be dropped by Suricata. Engine is powerful and smart.

rgnldo, does this mean that the originating address is now on some sort of "blacklist"? If so, where is the blacklist and for how long is it on it?

 

[joe scian]

Which log and/or json did you find this in?

Joe, Which log and/or json did you find this in?

fast.log

 

[vdemarco]

Hey i got the same thing

05/09/2020-10:49:27.386401 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.228.91.107:37993 -> XX.XX.XX.XX:123

Sweet its all working now.

 

[rgnldo]

some sort of "blacklist"?

Detection rules and engines. Suricata is working IPV4/IPV6. There is no need for another procedure.

 

[Ozymandias]

What is the best way to whitelist sites?

 

[rgnldo]

What is the best way to whitelist sites?

The rules of Suricata are signed. There are some rules with compiling domains that are proven to be suspicious. Most of the rules correspond to the analysis of behaviors that characterize intrusion.

 

[Ozymandias]

Yes, but how do I override Suricata to enable access to a site even if deemed suspicious by Suricata?

 

[rgnldo]

Yes, but how do I override Suricata to enable access to a site even if deemed suspicious by Suricata?

I believe you did not understand the logic of Suricata. The actions are to prevent intrusion, some dangerous action to the network's customers.

 

[netware5]

I believe you did not understand the logic of Suricata. The actions are to prevent intrusion, some dangerous action to the network's customers.

In any case a good IDS/IPS shall have an option to whitelist.

 

[mike37]

Hey i got the same thing

05/09/2020-10:49:27.386401 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.228.91.107:37993 -> XX.XX.XX.XX:123

Sweet its all working now.

Ditto; I got one (.json and fast.log) last night:

{"timestamp":"1969-12-31T19:00:00.002026-0500","flow_id":1630532794320874,"in_iface":"eth0","event_type":"alert","src_ip":"193.228.91.106","src_port":42708,"dest_ip":"xx.xxx.xx.xx","dest_port":123,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2,"metadata":{"updated_at":["2014_01_02"],"created_at":["2014_01_02"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":234,"bytes_toclient":0,"start":"1969-12-31T19:00:00.002026-0500"}}

The recent, multiple sources of this thing seem consistent with earlier speculation about an old Trojan: https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-5#post-580324

IIUC, this probe was NOT blocked
("action":"allowed") https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html

To block it would require the rule to use "drop" action and Suricata to be configured in the IPS mode.

Nifty Stuff!

 

[coxhaus]

I am impressed. This is the first thing that would make me recommend an ASUS router to a friend.

 

[mike37]

I am impressed. This is the first thing that would make me recommend an ASUS router to a friend.

Heh....ISTM Rgnldo is the impressive component with suricata (and he has other routers under "development").

But it is the whole Merlin-ASUS infrastructure/contributions from others here that is most profoundly impressive and makes supported ASUS modems the first choice IMHO

 

[rgnldo]

ISTM

IMHO

Sorry, I don't know those words.

 

[rgnldo]

In any case a good IDS/IPS shall have an option to whitelist.

It took some work to adapt for FW Merlin. I have been using Suricata for some time. I trust so much that I don’t even look at the logs.