What's new

Suricata Suricata - IDS on AsusWRT Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hi,

Are this number of threads, with the default suricata.yaml, expected?

cromo@RT-AX88U-8158:/tmp/home/root# ps T|grep suri
19668 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19675 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19676 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19677 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19678 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19679 cromo 733m S {W#01} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19680 cromo 733m S {W#02} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19681 cromo 733m S {W#03} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19682 cromo 733m S {W#04} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19683 cromo 733m S {W#05} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19684 cromo 733m S {W#06} suricata -c /opt/etc/suricata/suricata.yaml --af-packet

Check my post #141
 
So you restart the script often? Thanks....I appreciate that this is less a Skynet kind of thing....:)

Yes, so as to catch the latest rule updates (Suricata folks seem to be aggressively keeping up with/correcting the changing landscape :) ). Rules are changing/improving every few days - it's rather like Kaspersky keeping up with 0-days.

Note that restarting will update rules and will clear out temporary work spaces, etc. - but unless you modify the script, it will not delete logs.
 
Last edited:
For logs limit, insert option limit:
Code:
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
 
firewall

IDS/IPS

These are applications for different purposes.

As I understand it, Suricata does not block websites, but the action of the website, application or any attempted intrusion....

Agreed - IMHO that is how an IDS/IPS should work. But there are current/maintained Suricata rules (e.g. "drop.rules", "compromised.rules" ) that are simply website blocking lists. Perhaps they are intended as an option for users who do not have a Skynet type of address blocker (In that situation blocking an address outright would be good).

And they seem to use some of the same sources as Skynet - though not nearly as many - so I'm suggesting it is best to NOT use Suricata for simple address blocking; to use Skynet/ipset for that function; and to use Suricata for packet analysis.
 
That sounds reasonable. I remember back when I was running Untangle behind my Cisco router some relatives came over to spend the night and their laptop had malware on it spewing out stuff which Untangle caught. They complained their laptop was not working. I had to disinfect it for it to pass Untangle.

Heh....ROTFLMAO! You're a full-service hotel and host. :)
 
Once my workday is over, I will test installing to provide feedback; I do have Traditional QoS enabled, though looking through this thread, believe that the limitation is Adaptive QoS... only one way to find out for sure ;).

Will also need to determine recovery/uninstall method should things go awry. I've become good at undo/revert with multiple joyous occurrences of breaking things to make them better.
I was able to load, though needed to browse to the created directory and execute with the install configuration. So far, so good. Thanks and I'll continue testing over the next several days.
 
My af-packet config 1 WAN 1 TUN (vpn) interface (tun11=vpn1)
all 2 interface working on suricata
test who has a vpn connection and ask for feedback on how it works

af-packet:
- interface: eth0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: tun11
buffer-size: 64535
use-mmap: yes
- interface: tun11
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes
 
[✖] ***ERROR QoS ENABLED
is it a real problem to have it enabled together wit Suricata ? it is running on mine for 3 weeks together and no issues ...
suricata_manager is not continuing due this.
 
is it a real problem to have it enabled together wit Suricata ? it is running on mine for 3 weeks together and no issues ...
suricata_manager is not continuing due this.

should be fine - on my RT-Ac5300 i dont get any of those protocol errors that HND routers are getting and I have adaptive QOS running with FreshJr QOS script. I might add Im running 20 Suricata rules without any stability issues on the Router and I have memory to spare.
 
protocol errors that HND routers are getting and I have adaptive QOS running with FreshJr QOS scrip
Good to know. We need feedbacks like yours to work out a pre-reqs pattern.
 
I would be interested in how to monitor the 2 interfaces? Maybe I should run 2 Suricata/ 2 interface at a time?
What I set up works but uses a lot of CPU power, which slows down the net.
The ids test works for both the vpn client and the wan client, the log is displayed. It works nicely, but something isn't good.
I have currently disabled all Trend Micro stuff. There is no error in the log. Really the qos don't even need 200 Mbit net. I will replace the rest with other programs. Trend Micro communicates a lot outside, it might be better to disable it forever.
 
af-packet:
- interface: eth0
- interface: tun11
defrag: yes
use-mmap: yes

netmap:
- interface: br0

is this the single change needed to monitor the vpn traffic too? (adding the "-interface:tun11" line)
thx
 
Last edited:
My af-packet config 1 WAN 1 TUN (vpn) interface (tun11=vpn1)
all 2 interface working on suricata
test who has a vpn connection and ask for feedback on how it works

af-packet:
- interface: eth0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: tun11
buffer-size: 64535
use-mmap: yes
- interface: tun11
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes
Is there a benefit to supporting a VPN interface in this method compared to adding just -interface: tun11 following eth0? It appears that you are separately defining settings per interface in this manner, perhaps for more clear logging purposes or is this for other value?

How has your testing gone with these configurations? I only added tun11 this evening and will monitor logs and continue to monitor performance.

Thanks for all the support everyone!
 
So i added
- emerging-web_client.rules
- emerging-current_events.rules
to the rule-files

Is there some reason that those are not in the yaml file?
 
@Martineau; the install script is working great so far. I have found that when running with the log command, suricata stops once you break out of it; issuing with a start command does the trick and there aren't any logs showing why it stops, so thinking there would need to be a restart issued once breaking from logs.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top