Suricata - IDS on AsusWRT Merlin


Also, can you confirm we can continue to use QoS as long as we disable the AiProtection?
 
I found my answer from a previous post:
I use FreshJR QoS due to my limited bandwidth so hopefully someone will find a solution. I promise not to clutter up this thread anymore, but I will continue to follow it.


ugandy said:
due to the nature of these features, and we must choose to use one or the other?
rgnldo said:
For now, it seems to be incompatible. You need to know the firmware environment well. Maybe someone here on the forum with FW Merlin knowledge and using Suricata will help. It's waiting.
 
AiProtection
AiProtection is an IDS / IPS solution. You must choose.

If you use optical fiber, QoS only gets in the way. Honestly, they also observed that FW Merlin does a good and native package handling. For you to understand, I use torrent, streaming simultaneously and check for congestion.

Do we just need to use this setting for IPS?
It is already standard in the suricata.yaml file.

I use the FW Merlin in a simple way, with almost no resources.
Maybe it's not interesting for you. I only use FW Merlin with only Samba enabled. Optionally, AMTM has only entware and disk check. I only use unbound, Suricata and Clamav.
 
For my network, due to limited bandwidth (50/5) I need QoS. We use FuboTV for our TV viewing and I use VoIP settings on our cell phones due to very weak cell service at our home. So running the FreshJR QoS is essential for us. I had thought about setting up a separate IDS/IPS server but I need to keep the network as simple as possible. Thanks again for the work on adapting Suricata to Merlin!
 
A small managed switch resolves this more efficiently.

Experiment with the guest network feature with reserved bandwidth allocation. Add VoIP to one guest SSID and FuboTV to another guest SSID.

Observe if it improves.
 

I had thought about doing the guest thing with BW limits but was trying to keep it very simple on the client side. I may look into it further at some point. Thanks for your suggestions!
 
Nope got to disable QoS as well.

I'm trying to get CAKE going to see if that works with Suricata...

I can confirm on supported CAKE routers that Suricata as built here runs error free assuming you do not use any QoS, AiProtection or other features that require Trend. On both my routers in question I have gone to Administration->Privacy->Withdraw to ensure there aren't any remnants.

@rgnldo hope that helps get this awesome addon some more love :) I am regularly seeing the NTP DDOS attacks for example!
 
Would like to try this combo after WWDC.

I have been following this thread for a few weeks, but found it hard to truly understand how to set up Suricata.

What would be the best way to start when I give this a try?
 
addon some more love :) I am regularly seeing the NTP DDOS attacks for example!

In this post, they report that they are blocking NTP DDOS. Suricata is a guard dog. Working well. See the new GitHub archive.
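As an added example (not code from this thread or from rgnldo's Suricata build), the following Python script reads Suricata's EVE JSON log and summarises what has been alerting, which sources are involved, and whether alerts were actually blocked or only logged. The log lines embedded in it are constructed samples; the signature IDs and names are placeholders, not real ruleset entries, and the eve.json path in the usage note is an assumption about an Entware-style install.

```python
import json
import sys
from collections import Counter

# Constructed sample of Suricata's EVE JSON output (one JSON object per line).
# Signature IDs, signature names and IP addresses are placeholders, not real ruleset entries.
SAMPLE_EVE = r'''
{"timestamp":"2020-06-21T09:12:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":40123,"dest_ip":"192.0.2.10","dest_port":123,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED NTP amplification request","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2020-06-21T09:12:05.000000+0000","event_type":"flow","src_ip":"192.0.2.20","src_port":51000,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP"}
{"timestamp":"2020-06-21T09:13:07.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":40124,"dest_ip":"192.0.2.10","dest_port":123,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED NTP amplification request","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2020-06-21T09:15:30.000000+0000","event_type":"alert","src_ip":"192.0.2.20","src_port":51001,"dest_ip":"198.51.100.6","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED suspicious user-agent","category":"Potentially Bad Traffic","severity":3}}
not valid json at all
'''


def parse_eve(text):
    """Parse EVE JSON text (one object per line); blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line during log rotation is normal; don't abort on it
    return events


def summarize_alerts(events):
    """Count alert events by (sid, signature), by action (allowed/blocked) and by source IP."""
    by_signature, by_action, by_source = Counter(), Counter(), Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http, stats ... records are not alerts
        alert = ev.get("alert", {})
        by_signature[(alert.get("signature_id"), alert.get("signature"))] += 1
        by_action[alert.get("action", "unknown")] += 1
        by_source[ev.get("src_ip", "?")] += 1
    return {"by_signature": by_signature, "by_action": by_action, "by_source": by_source}


def severe_alerts(events, max_severity=2):
    """Alerts with severity <= max_severity (Suricata uses 1 for the most severe)."""
    return [ev for ev in events
            if ev.get("event_type") == "alert"
            and ev.get("alert", {}).get("severity", 99) <= max_severity]


def inferred_mode(summary):
    """'blocked' actions only appear when Suricata runs inline (IPS) with drop rules;
    a log with nothing but 'allowed' means alerts are logged, not enforced (IDS)."""
    return "IPS" if summary["by_action"].get("blocked", 0) > 0 else "IDS"


if __name__ == "__main__":
    # Assumed path for an Entware install; pass a different one as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/var/log/suricata/eve.json"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_EVE  # fall back to the constructed sample so the script runs anywhere
    events = parse_eve(text)
    summary = summarize_alerts(events)
    print("mode:", inferred_mode(summary))
    for (sid, name), n in summary["by_signature"].most_common():
        print(f"{n:4d}  sid={sid}  {name}")
    print("top sources:")
    for ip, n in summary["by_source"].most_common(5):
        print(f"{n:4d}  {ip}")
    print("severe alerts:", len(severe_alerts(events)))
```

The action field is the quickest way to answer the "is this IDS or IPS?" question that comes up in this thread: if every alert says `allowed`, Suricata is only watching, regardless of what the rules are named.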
 
Finally decided to make the switch from TrendMicro's AiProtection to Suricata. Actually Cake prompted me to make the switch since I can turn off all TrendMicro stuff now that we have an excellent QoS and IDS/IPS solution available. Everything seems to work as expected and many thanks to @rgnldo for his hard work to make this happen. Looking forward to v5.03 of Suricata to make it to our routers.
 
One more thing, since I opted out of all TrendMicro stuff and switched to Cake and Suricata my router's free memory went from 320MB to 435MB. And that's with all scripts running as per my signature.
 

I've noticed and reported the same... CPU usage is also between 8-10% lower on average as well.
 

What about CPU temps, do (have) they drop similarly?

(I wonder where else in our lives getting rid of "the man" will result in improvements between 8 and 20-something percent?)
 
 
After installing Suricata I noticed that my connection dropped from about 235Mbps average to about 185Mbps? Not sure yet if this is a coincidence with a slowdown on my Comcast service or if it's related to Suricata. I do suspect that this is related since I installed Suricata around 9am this morning.


Does anyone else see the same effect?
 
It has only been ~40 mins for me, but yes, measured instantaneous speeds with the same tool show slower results/lower numbers for the DL. UL is unchanged.
I'm reserving judgement until later, when everyone is glued to their various screens streaming things - my supposition is that if there are no complaints, the number is irrelevant: it's the end-user experience that matters, after all. To that: check your ping, jitter and connection results in connmon if you're running that - my ping has gotten less extreme, my jitter has settled similarly, and so far I have shown no dropped packets in the quality chart. You might be able to go fast, but if it's not smooth, your passengers aren't happy, right?
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top