Menu
What's new
By:
Filters Better Search

Suricata Suricata - IDS on AsusWRT Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ugandy said:
Hi,

Are this number of threads, with the default suricata.yaml, expected?

cromo@RT-AX88U-8158:/tmp/home/root# ps T|grep suri
19668 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19675 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19676 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19677 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19678 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19679 cromo 733m S {W#01} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19680 cromo 733m S {W#02} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19681 cromo 733m S {W#03} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19682 cromo 733m S {W#04} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19683 cromo 733m S {W#05} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19684 cromo 733m S {W#06} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
Click to expand...

Check my post #141
 
SuperDuke said:
So you restart the script often? Thanks....I appreciate that this is less a Skynet kind of thing....:)
Click to expand...

Yes, so as to catch the latest rule updates (Suricata folks seem to be aggressively keeping up with/correcting the changing landscape :) ). Rules are changing/improving every few days - it's rather like Kaspersky keeping up with 0-days.

Note that restarting will update rules and will clear out temporary work spaces, etc. - but unless you modify the script, it will not delete logs.
 
Last edited:
For logs limit, insert option limit:
Code: 
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
 
rgnldo said:
firewall

IDS/IPS

These are applications for different purposes.

As I understand it, Suricata does not block websites, but the action of the website, application or any attempted intrusion....
Click to expand...

Agreed - IMHO that is how an IDS/IPS should work. But there are current/maintained Suricata rules (e.g. "drop.rules", "compromised.rules" ) that are simply website blocking lists. Perhaps they are intended as an option for users who do not have a Skynet type of address blocker (In that situation blocking an address outright would be good).

And they seem to use some of the same sources as Skynet - though not nearly as many - so I'm suggesting it is best to NOT use Suricata for simple address blocking; to use Skynet/ipset for that function; and to use Suricata for packet analysis.
 
coxhaus said:
That sounds reasonable. I remember back when I was running Untangle behind my Cisco router some relatives came over to spend the night and their laptop had malware on it spewing out stuff which Untangle caught. They complained their laptop was not working. I had to disinfect it for it to pass Untangle.
Click to expand...

Heh....ROTFLMAO! You're a full-service hotel and host. :)
 
penguin22 said:
Once my workday is over, I will test installing to provide feedback; I do have Traditional QoS enabled, though looking through this thread, believe that the limitation is Adaptive QoS... only one way to find out for sure ;).

Will also need to determine recovery/uninstall method should things go awry. I've become good at undo/revert with multiple joyous occurrences of breaking things to make them better.
Click to expand...
I was able to load, though needed to browse to the created directory and execute with the install configuration. So far, so good. Thanks and I'll continue testing over the next several days.
 
My af-packet config 1 WAN 1 TUN (vpn) interface (tun11=vpn1)
all 2 interface working on suricata
test who has a vpn connection and ask for feedback on how it works

af-packet:
- interface: eth0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: tun11
buffer-size: 64535
use-mmap: yes
- interface: tun11
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes
 
[✖] ***ERROR QoS ENABLED
Click to expand...
is it a real problem to have it enabled together wit Suricata ? it is running on mine for 3 weeks together and no issues ...
suricata_manager is not continuing due this.
 
Milan said:
is it a real problem to have it enabled together wit Suricata ? it is running on mine for 3 weeks together and no issues ...
suricata_manager is not continuing due this.
Click to expand...

should be fine - on my RT-Ac5300 i dont get any of those protocol errors that HND routers are getting and I have adaptive QOS running with FreshJr QOS script. I might add Im running 20 Suricata rules without any stability issues on the Router and I have memory to spare.
 
joe scian said:
protocol errors that HND routers are getting and I have adaptive QOS running with FreshJr QOS scrip
Click to expand...
Good to know. We need feedbacks like yours to work out a pre-reqs pattern.
 
I would be interested in how to monitor the 2 interfaces? Maybe I should run 2 Suricata/ 2 interface at a time?
What I set up works but uses a lot of CPU power, which slows down the net.
The ids test works for both the vpn client and the wan client, the log is displayed. It works nicely, but something isn't good.
I have currently disabled all Trend Micro stuff. There is no error in the log. Really the qos don't even need 200 Mbit net. I will replace the rest with other programs. Trend Micro communicates a lot outside, it might be better to disable it forever.
 
glehel said:
af-packet:
- interface: eth0
- interface: tun11
defrag: yes
use-mmap: yes

netmap:
- interface: br0
Click to expand...

is this the single change needed to monitor the vpn traffic too? (adding the "-interface:tun11" line)
thx
 
Last edited:
glehel said:
My af-packet config 1 WAN 1 TUN (vpn) interface (tun11=vpn1)
all 2 interface working on suricata
test who has a vpn connection and ask for feedback on how it works

af-packet:
- interface: eth0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: tun11
buffer-size: 64535
use-mmap: yes
- interface: tun11
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes
Click to expand...
Is there a benefit to supporting a VPN interface in this method compared to adding just -interface: tun11 following eth0? It appears that you are separately defining settings per interface in this manner, perhaps for more clear logging purposes or is this for other value?

How has your testing gone with these configurations? I only added tun11 this evening and will monitor logs and continue to monitor performance.

Thanks for all the support everyone!
 
So i added
- emerging-web_client.rules
- emerging-current_events.rules
to the rule-files

Is there some reason that those are not in the yaml file?
 
@Martineau; the install script is working great so far. I have found that when running with the log command, suricata stops once you break out of it; issuing with a start command does the trick and there aren't any logs showing why it stops, so thinking there would need to be a restart issued once breaking from logs.
 
You must log in or register to reply here.

Similar threads

RMerlin
  • Locked
Beta Asuswrt-Merlin 3006.102.1 Beta is now available for WIfi 7 devices
3 4 5
Replies
97
Views
14K
RMerlin
RMerlin
HELLO_wORLD
One mirroring solution for IDS (my approach and solution)
Replies
5
Views
1K
HELLO_wORLD
HELLO_wORLD
garycnew
Entware [SOLUTION] Cross-Compile xxHash Entware Package via Debian Live DVD
Replies
0
Views
2K
garycnew
garycnew
garycnew
Entware [SOLUTION] Cross-Compile ProxyChains-NG Entware Package via Debian Live DVD
2
Replies
22
Views
3K
sfx2000
sfx2000
garycnew
Entware [SOLUTION] Cross-Compile Nyx (Tor Command-Line Monitor) Entware Package via Debian Live DVD
Replies
0
Views
2K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
thelonelycoder amtm amtm 5.0 - the Asuswrt-Merlin Terminal Menu, November 17, 2024 Asuswrt-Merlin AddOns 61
J Entware Possible to install jdownloader on asuswrt-merlin router with entware?? Asuswrt-Merlin AddOns 9
W Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14 Asuswrt-Merlin AddOns 10
thelonelycoder scMerlin scMerlin 2.5.8 - Service and script control menu for Asuswrt-Merlin, October 20, 2024 Asuswrt-Merlin AddOns 85
JGrana uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers Asuswrt-Merlin AddOns 29
JGrana Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian Asuswrt-Merlin AddOns 1
8 ASUS RT-AX58U (F/W Ver.:V3.0.0.4.384.8601) with Asuswrt-Merlin 3004.388.5 - Transmission: "Could not connect to the server. You may need to reload" Asuswrt-Merlin AddOns 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 923 (members: 29, guests: 894)
Top