Suricata - IDS on AsusWRT Merlin


Wondering how to check the status, to see if it's running?
 
It's a great idea. Many desire ease. The problem is to maintain. My suggestion is to integrate Skynet, as an addon or even a Skynet+Suricata merger, fully maintained by Adamm. I don't want to interfere with the script. I help where possible, testing and suggesting. I am an admirer of the works of @Adamm. My influence.
Agreed, an integration with Skynet would be awesome. I have a question in regards to maintaining Suricata and keeping up with their latest release. Did you do any testing with version 5.03?
 
Wondering how to check the status, to see if it's running?
Check the stats.log file; it's updated every 8 sec: /var/log/suricata/stats.log
If the values increase, it is working. Here is a link to the user's guide:
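The check described above (the counters in stats.log must keep climbing) can be scripted. The following is an added example, not code from the thread or from the Suricata project. It assumes the Suricata 4.x stats.log table layout (`Counter | TM Name | Value`) and a file that is appended to every interval (`append: yes` in suricata.yaml), so the last block in the file is the newest; the sample log it reads is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: liveness and drop-rate check built on
# Suricata's stats.log. Assumes the 4.x "Counter | TM Name | Value" layout and
# that stats.log is appended to each interval (append: yes), newest block last.

STATS_LOG="${STATS_LOG:-/var/log/suricata/stats.log}"

# Print the newest value of one counter (e.g. capture.kernel_packets) from file $1.
# Unknown counters yield 0 so arithmetic on the result never breaks.
last_counter() {
    awk -F'|' -v name="$2" '
        NF == 3 { c = $1; v = $3; gsub(/ /, "", c); gsub(/ /, "", v)
                  if (c == name) last = v }
        END { print last + 0 }' "$1"
}

# Integer drop percentage from the newest kernel_packets / kernel_drops pair in $1.
drop_percent() {
    pkts=$(last_counter "$1" capture.kernel_packets)
    drops=$(last_counter "$1" capture.kernel_drops)
    [ "$pkts" -gt 0 ] || { echo 0; return; }
    echo $(( drops * 100 / pkts ))
}

# True (exit 0) only when the second reading is strictly larger than the first.
counter_increased() {
    [ "$2" -gt "$1" ]
}

# Sample the packet counter twice, a little more than one stats interval apart
# (the thread quotes 8-10 s). Exit 0 means Suricata is alive and seeing traffic.
suricata_alive() {
    before=$(last_counter "$STATS_LOG" capture.kernel_packets)
    sleep "${1:-12}"
    after=$(last_counter "$STATS_LOG" capture.kernel_packets)
    counter_increased "$before" "$after"
}

# Constructed sample stats.log covering two intervals, for trying the functions offline.
SAMPLE_STATS="${TMPDIR:-/tmp}/suricata_stats_sample.log"
cat > "$SAMPLE_STATS" <<'EOF'
------------------------------------------------------------------------------------
Date: 6/22/2020 -- 18:13:38 (uptime: 0d, 00h 01m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 18250
capture.kernel_drops                       | Total                     | 0
------------------------------------------------------------------------------------
Date: 6/22/2020 -- 18:13:48 (uptime: 0d, 00h 01m 10s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 41926
capture.kernel_drops                       | Total                     | 4193
EOF

printf 'newest kernel_packets: %s, drop%%: %s\n' \
    "$(last_counter "$SAMPLE_STATS" capture.kernel_packets)" \
    "$(drop_percent "$SAMPLE_STATS")"
```

On the router, `suricata_alive 12` is the call to put in a cron job or a watchdog; a rising `drop_percent` is the other thing worth alerting on, since a dropping sensor is still "running" by the `ps w` test but is no longer seeing all the traffic.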
 
Also just do a

Code:
ps w

and you should see this somewhere:

Code:
16315 admin 784m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
 
@rgnldo is there proper rotation of the stats.log file?
I was wondering the same thing. The manual says to create a rotation file with these parameters:
Code:
/var/log/suricata/stats.log /var/log/suricata/statslog.json
{
    rotate 3
    missingok
    nocompress
    create
    sharedscripts
    postrotate
            /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
 

Nice to be done after work!
 
Yes. Excellent. New rules. Liked it.
Did you decide on how to run future updates and who will maintain them? Will you keep updating this, @ttgapers or someone else?
 
We depend on entware packages. It is safer. The rest is easy. Any of you can help.
 
For the logging/loggers out there, here's what I have in my yaml file.

Code:
  - stats:
      enabled: no
      filename: stats.log
      interval: 10
      append: no

  - syslog:
      enabled: yes
      identity: suricata
      facility: local1
      level: notice

I want to know about errors and what it's doing and care less about stats every x mins, so I changed this to send to syslog instead.

Code:
# Logging configuration.  This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
logging:

  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info

  # Define your logging outputs.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: no
      filename: /opt/var/log/suricata/suricata.log
  - syslog:
      enabled: yes
      facility: off

For those using scribe/logrotate, I've added the two files to @cmkelley's gamma master branch, so they are available in your respective *.share folder if you are running the latest versions.
It gives me a nice pipe and shows....

Code:
Jun 19 08:38:12 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 20 14:05:56 myrouter suricata[2780]: [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.15.169:47346 -> aaa.zzz.yyy.xxx:123
Jun 22 12:35:07 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 17:57:59 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 17:58:12 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 18:03:52 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 18:12:22 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 18:12:34 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 18:12:36 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Notice> - This is Suricata version 4.1.8 RELEASE
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Info> - CPUs/cores online: 2
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Info> - Found an MTU of 1500 for 'eth0'
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Info> - Found an MTU of 1500 for 'eth0'
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Info> - fast output device (regular) initialized: fast.log
Jun 22 18:12:38 myrouter suricata: 22/6/2020 -- 18:12:38 - <Info> - stats output device (regular) initialized: stats.log
Jun 22 18:12:38 myrouter suricata[8631]: 22/6/2020 -- 18:12:38 - <Info> - Syslog output initialized
Jun 22 18:12:38 myrouter suricata[8631]: 22/6/2020 -- 18:12:38 - <Info> - 17 rule files processed. 2323 rules successfully loaded, 0 rules failed
Jun 22 18:12:38 myrouter suricata[8631]: 22/6/2020 -- 18:12:38 - <Info> - Threshold config parsed: 0 rule(s) found
Jun 22 18:12:38 myrouter suricata[8631]: 22/6/2020 -- 18:12:38 - <Info> - 2323 signatures processed. 208 are IP-only rules, 440 are inspecting packet payload, 1751 inspect application layer, 0 are decoder event only
Jun 22 18:12:41 myrouter suricata[8631]: 22/6/2020 -- 18:12:41 - <Info> - Going to use 2 thread(s)
Jun 22 18:12:41 myrouter suricata[8631]: 22/6/2020 -- 18:12:41 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
Jun 22 18:12:42 myrouter suricata[8631]: 22/6/2020 -- 18:12:42 - <Info> - All AFP capture threads are running.
Jun 22 18:15:02 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 22 18:15:02 myrouter suricata[8631]: 22/6/2020 -- 18:15:02 - <Notice> - Signal Received.  Stopping engine.
Jun 22 18:15:02 myrouter suricata[8631]: 22/6/2020 -- 18:15:02 - <Info> - time elapsed 140.501s
Jun 22 18:15:04 myrouter suricata[8631]: 22/6/2020 -- 18:15:04 - <Info> - Alerts: 0
Jun 22 18:15:04 myrouter suricata[8631]: 22/6/2020 -- 18:15:04 - <Info> - cleaning up signature grouping structure... complete
Jun 22 18:15:04 myrouter suricata[8631]: 22/6/2020 -- 18:15:04 - <Notice> - Stats for 'eth0':  pkts: 41926, drop: 0 (0.00%), invalid chksum: 0

@rgnldo - so with that I get alerts (from fast.log) as well as core Suricata system info in syslog. Hope others find it helpful. This also will address the log rotation questions....

Also @Adamm, here is a sample Suricata detection that I was thinking could be read/parsed to block the offending IP, if only temporarily until the next router reboot (for example).

Code:
Jun 20 14:05:56 myrouter suricata[2780]: [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.15.169:47346 -> aaa.zzz.yyy.xxx:123
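The read/parse step suggested above, as an added example that is not code from the thread, from Skynet or from Suricata: it pulls SID, priority, protocol and endpoints out of the syslog'd alert line, keeps only alerts at or above a chosen priority, drops private (LAN) sources, and prints the unique external source addresses that a temporary block would apply to. It assumes the fast-log style line shown in the post and IPv4 addresses; the sample log is constructed inline around the thread's own alert line.

```shell
#!/bin/sh
# Added example, not from the thread: turn syslog'd Suricata alerts into a
# de-duplicated list of external source IPs that a temporary block would target.
# Assumes the fast-log style line shown in the post and IPv4 addresses only.

# Print "sid priority proto src sport dst dport" for one alert line;
# prints nothing for non-alert lines (e.g. the S82suricata start messages).
alert_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*\[\([0-9]*:[0-9]*:[0-9]*\)\] .*\[Priority: \([0-9]*\)\] {\([A-Z]*\)} \([^ ]*\):\([0-9]*\) -> \([^ ]*\):\([0-9]*\).*$/\1 \2 \3 \4 \5 \6 \7/p'
}

# RFC 1918, loopback and link-local sources are never block candidates:
# blocking your own LAN on a false positive is worse than the alert.
is_private() {
    case "$1" in
        10.*|127.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Unique external sources of alerts with priority <= $2 in syslog file $1
# (Suricata priority 1 is the most severe, so 2 means "priority 1 and 2").
block_candidates() {
    file=$1; maxprio=$2
    while IFS= read -r line; do
        set -- $(alert_fields "$line")
        [ $# -eq 7 ] || continue            # not an alert line
        [ "$2" -le "$maxprio" ] || continue   # too low a priority to act on
        is_private "$4" && continue         # source is on our side of the router
        printf '%s\n' "$4"
    done < "$file" | sort -u
}

# The thread's real alert line, kept verbatim (destination is masked in the post).
SAMPLE_ALERT='Jun 20 14:05:56 myrouter suricata[2780]: [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.15.169:47346 -> aaa.zzz.yyy.xxx:123'

# Constructed sample log: a start message, the real alert, a second hit from the
# same source under a made-up SID, and made-up low-priority LAN noise.
SAMPLE_LOG="${TMPDIR:-/tmp}/suricata_alert_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jun 22 18:12:36 myrouter S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jun 20 14:05:56 myrouter suricata[2780]: [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.15.169:47346 -> aaa.zzz.yyy.xxx:123
Jun 20 14:06:01 myrouter suricata[2780]: [1:9000001:1] CONSTRUCTED second hit from the same source [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.15.169:47350 -> aaa.zzz.yyy.xxx:123
Jun 20 14:07:30 myrouter suricata[2780]: [1:9000002:1] CONSTRUCTED low-priority LAN noise [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51234 -> 192.168.1.1:53
EOF

echo "parsed fields: $(alert_fields "$SAMPLE_ALERT")"
echo "block candidates (priority <= 2):"
block_candidates "$SAMPLE_LOG" 2
```

The list this prints is what you would hand to an ipset entry with a timeout to get the "temporary until reboot" behaviour the post asks for; the later reply in the thread notes that Skynet already has most of these addresses blocked, which is the check to make before adding a second blocklist.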
 
I have found that 99% of the DDoS attempted denial of service IP addresses detected by Suricata have already been blocked by Skynet. A good percentage of these are RIPE Database service addresses.
 
We depend on entware packages. It is safer. The rest is easy. Any of you can help.

FWIW, I put in an enhancement request to the Entware Git and was told V5.0 Suricata is dependent on Rust and will not be considered for future updates.

Seems like we're out of luck on the entware front that way.....
 
Also just do a

Code:
ps w

and you should see this somewhere:

Code:
16315 admin 784m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet

Yes, I see that line also.... Means it's running.

Code:
9246 admin 562m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
 
