Suricata - IDS on AsusWRT Merlin


Finally decided to make the switch from TrendMirco's AiProtection to Suricata. Actually Cake prompted me to make the switch since I can turn off all TrendMicro stuff now that we have an excellent QoS and IDS/IPS solution available. Everything seems to work as expected and many thanks to @rgnldo for his hard work to make this happen. Looking forward to v5.03 of Suricata to make it to our routers.
 
Did you install Suricata as defined in the first post(s) or did you tweak? I've been intrigued to make the switch myself but hesitant as my skillset isn't exactly strong... :)
No special settings, all as per instructions on the first page. The only thing I noticed is a throughput reduction, see my earlier post. It doesn't affect anything, streaming and VoIP works still as expected.
 

I'd also like to give this a go, along with Cake, to replace my current use of the built-in Adaptive QoS + FreshJR/AIProtect ...

Do I gather from your Signature there is no need to uninstall SkyNet? I've seen some references/speculation earlier in the thread as to whether they are compatible?

Anyone that can clarify? Would appreciate it!
 
Running Suricata with Cake, Skynet, Unbound, Diversion (Large list + YT) & Scribe as far as heavy workloads go along with other reporting addons (uiDivStats, connmon)
 
There is no reason why they would be incompatible. Suricata is an IPS/IDS engine whereas Skynet is a blacklist based solution.
 
Is any integration possible?
 
I put the http.log and fast.log files in the syslog-ng conf file to check easily. For now, these two are in one but can be separated if needed. I configured the suricata config myself to delete the contents of http.log when it restarts because it already exists in another location. fast.log may remain as it has few events.

Code:
- http-log:
      enabled: yes
      filename: http.log
      custom: yes # enable the custom logging format (defined by custom format)
      customformat: "%{%Y-%m-%d-%H:%M:%S}t %h[**]%{X-Forwarded-For}i[**]%{User-agent}i[**]%H[**]%m[**]%u[**]%s[**]%B byte[**]%a:%p -> %A:%P"
      append: no
      extended: no
      filetype: regular
This changed the date format to suit me.

syslog-ng.conf
Code:
source src {
    unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
    file("/proc/kmsg" program_override("kernel") flags(kernel));
    internal();
    file("/opt/var/log/suricata/http.log" follow-freq(60));
    file("/opt/var/log/suricata/fast.log" follow-freq(60));
};

syslog-ng.d

Code:
# put messages with 'Suricata IDS/IPS' into /opt/var/log/suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
    message("->");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

logrotate.d

Code:
/opt/var/log/suricata.log {
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}
A good idea. Please organize it into files and installation steps.
 
What did you have in mind?
Just something that the firewall recognizes the access ports and the process of running Suricata. Skynet recognizes the SURICATA service (PID) and applies service permission/priority. I did this on the OpenBSD firewall. It has been some time. I'm out of date.
 
I'd also like to give this a go, along with Cake, to replace my current use of the built-in Adaptive QoS + FreshJR/AIProtect ...

Do I gather from your Signature there is no need to uninstall SkyNet? I've seen some references/speculation earlier in the thread as to whether they are compatible?

Anyone that can clarify? Would appreciate it!
It works and you probably saw that Adamm and rgnldo are discussing a way to make it aware of each other.
 
Or to merge them into one, making your LAN an impenetrable Fortress to unwelcome intrusions, possibly?

 
What did you have in mind?

Perhaps custom/auto bans based on the Suricata detection engine. E.g. IP xxx.yyy.zzz.aaa was detected in an NTP DDoS attack, then placed in a Suricata autoban list, possibly with functionality similar to AI Protection (which, tbh, I never used, as I had that service disabled).

If the integration develops, perhaps we can surface Suricata IPS/IDS status/logs in the same addon GUI page for example. Note I have no issue keeping them separate as well, with the integration at the functional level.

Awesome developments as we wean ourselves off of Trend bloatware.
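The two ideas in this thread, shipping fast.log and the custom-format http.log through syslog-ng, and feeding Suricata detections into a Skynet-style ban list, both hinge on parsing those two log formats. The script below is an added example (not code from the thread, from Suricata, or from Skynet) that parses the stock fast.log alert line and the `[**]`-separated customformat posted above, tallies alerts per non-LAN source address, and returns a review list of sources that tripped several high-priority rules. All log lines, signature ids and hostnames are constructed; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts, and the `min_high` threshold is an assumed tuning knob, not a Suricata or Skynet setting.

```python
"""Added example: parse Suricata fast.log and the thread's custom http.log
format, count events per external source, and list ban-review candidates."""
import ipaddress
import re
from collections import defaultdict

# Stock fast.log layout: time [**] [gid:sid:rev] msg [**] [Classification: c]
# [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\w.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.:]+):(?P<dport>\d+)\s*$"
)
# Field order of the posted customformat, after the leading %t timestamp.
HTTP_FIELDS = ("host", "xff", "ua", "version", "method", "uri", "status", "bytes", "flow")
# Addresses that must never land on a ban list (LAN, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def parse_fast_line(line):
    """Return a dict for one fast.log alert, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])  # priority 1 is the most severe
    return d


def parse_http_line(line):
    """Return a dict for one line in the '[**]'-separated http.log format."""
    ts, sep, rest = line.strip().partition(" ")  # only the timestamp is space-terminated
    fields = rest.split("[**]")
    if not sep or len(fields) != len(HTTP_FIELDS):
        return None
    d = dict(zip(HTTP_FIELDS, fields))
    d["ts"] = ts
    flow = re.match(r"^([\w.:]+):(\d+) -> ([\w.:]+):(\d+)$", d["flow"])
    if not flow:
        return None
    d["src"], d["sport"], d["dst"], d["dport"] = flow.groups()
    d["bytes"] = int(d["bytes"].split()[0])  # "%B byte" -> number only
    return d


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def tally_sources(fast_lines, http_lines):
    """Count alerts (and priority-1/2 alerts) plus HTTP requests per non-local source."""
    stats = defaultdict(lambda: {"alerts": 0, "high": 0, "sids": set(), "http": 0})
    for line in fast_lines:
        a = parse_fast_line(line)
        if a and not is_local(a["src"]):
            s = stats[a["src"]]
            s["alerts"] += 1
            s["sids"].add(a["sid"])
            if a["prio"] <= 2:
                s["high"] += 1
    for line in http_lines:
        h = parse_http_line(line)
        if h and not is_local(h["src"]):
            stats[h["src"]]["http"] += 1
    return dict(stats)


def block_candidates(stats, min_high=2):
    """Sources with at least min_high priority-1/2 alerts, worst first.
    This is a review list; a human or Skynet still decides on the ban."""
    hits = [(ip, s) for ip, s in stats.items() if s["high"] >= min_high]
    return [ip for ip, s in sorted(hits, key=lambda kv: (-kv[1]["high"], kv[0]))]


# Constructed sample lines; sids use the 9000000 local range, not real rule ids.
FAST_SAMPLE = [
    "06/22/2020-12:30:14.123456  [**] [1:9000001:1] LOCAL constructed SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:54321 -> 192.168.1.1:22",
    "06/22/2020-12:30:15.000001  [**] [1:9000001:1] LOCAL constructed SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:54322 -> 192.168.1.1:22",
    "06/22/2020-12:30:16.500000  [**] [1:9000002:1] LOCAL constructed NTP monlist request [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:123 -> 192.168.1.1:123",
    "06/22/2020-12:30:17.250000  [**] [1:9000003:1] LOCAL constructed noisy LAN chatter [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:40000 -> 192.168.1.10:445",
]
HTTP_SAMPLE = [
    "2020-06-22-12:30:18 router.lan[**]<unknown>[**]curl/7.68.0[**]HTTP/1.1[**]GET[**]/admin[**]404[**]512 byte[**]203.0.113.5:54323 -> 192.168.1.10:80",
    "2020-06-22-12:30:19 router.lan[**]<unknown>[**]Mozilla/5.0[**]HTTP/1.1[**]GET[**]/index.html[**]200[**]2048 byte[**]192.168.1.20:40001 -> 192.168.1.10:80",
]

if __name__ == "__main__":
    stats = tally_sources(FAST_SAMPLE, HTTP_SAMPLE)
    for ip in block_candidates(stats):
        s = stats[ip]
        print(f"{ip}: {s['high']} high-priority alerts, sids {sorted(s['sids'])}, {s['http']} HTTP requests")
```

On the router the two sample lists would be replaced by reading /opt/var/log/suricata/fast.log and http.log (or the merged /opt/var/log/suricata.log that the syslog-ng filter above produces, since its `message("->")` filter keeps exactly the lines carrying a `src -> dst` flow). The LAN exclusion is deliberate: a single mis-typed threshold must not be able to ban your own devices, and the script only proposes addresses for review rather than writing iptables rules.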
 
Hello, thanks for this. On my AX88U, I'm trying to install this, but when trying to create the directory for rules, I'm unable to do that; it just says "No such file or directory". Before that everything is fine, just that part.

Anyone know?
 
instead of:
mkdir /opt/var/lib/suricata/rules

do:
mkdir -p /opt/var/lib/suricata/rules
 
This needs an installer, a GUI, and inclusion with amtm. :)
 
One more thing, since I opted out of all TrendMicro stuff and switched to Cake and Suricata, my router's free memory went from 320MB to 435MB. And that's with all scripts running as per my Signature:
A quick update on the memory usage. After 24h it dropped down to 324MB. It seems to be stable now at this level.
 
This needs an installer, a GUI, and inclusion with amtm. :)
It's a great idea. Many desire ease. The problem is to maintain. My suggestion is to integrate Skynet, as an addon or even a Skynet+Suricata merger, fully maintained by Adamm. I don't want to interfere with the script. I help where possible, testing and suggesting. I am an admirer of the works of @Adamm. My influence.
 