
Suricata - IDS on AsusWRT Merlin


dependent on Rust and will not be considered for future updates.
The current version of Suricata will still be very useful. By then, entware packages will have evolved. Still the possibility of the Docker container and the Git installation.:):)
 
How often do you guys update the rules?
 
Wondering if someone could take a look at this, Test Mode??


Code:
ASUSWRT-Merlin RT-AX88U 384.18_beta1 Fri Jun 19 16:39:24 UTC 2020
admin@RT-AX88U-E960:/tmp/home/root# suricata -c /opt/etc/suricata/suricata.yaml -T
23/6/2020 -- 10:28:50 - <Info> - Running suricata under test mode
23/6/2020 -- 10:28:50 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
23/6/2020 -- 10:28:50 - <Notice> - This is Suricata version 4.1.8 RELEASE
23/6/2020 -- 10:28:50 - <Info> - CPUs/cores online: 4
23/6/2020 -- 10:28:50 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
23/6/2020 -- 10:28:50 - <Info> - fast output device (regular) initialized: fast.log
23/6/2020 -- 10:28:50 - <Info> - stats output device (regular) initialized: stats.log
23/6/2020 -- 10:28:50 - <Info> - 17 rule files processed. 2326 rules successfully loaded, 0 rules failed
23/6/2020 -- 10:28:50 - <Info> - Threshold config parsed: 0 rule(s) found
23/6/2020 -- 10:28:50 - <Info> - 2326 signatures processed. 207 are IP-only rules, 440 are inspecting packet payload, 1755 inspect application layer, 0 are decoder event only
23/6/2020 -- 10:28:52 - <Notice> - Configuration provided was successfully loaded. Exiting.
23/6/2020 -- 10:28:52 - <Info> - cleaning up signature grouping structure... complete
admin@RT-AX88U-E960:/tmp/home/root#
 
Here is my result:
Code:
23/6/2020 -- 10:35:35 - <Info> - Running suricata under test mode
23/6/2020 -- 10:35:35 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
23/6/2020 -- 10:35:35 - <Notice> - This is Suricata version 4.1.8 RELEASE
23/6/2020 -- 10:35:35 - <Info> - CPUs/cores online: 4
23/6/2020 -- 10:35:35 - <Info> - fast output device (regular) initialized: fast.log
23/6/2020 -- 10:35:35 - <Info> - stats output device (regular) initialized: stats.log
23/6/2020 -- 10:35:35 - <Info> - Syslog output initialized
23/6/2020 -- 10:35:36 - <Info> - 17 rule files processed. 2326 rules successfully loaded, 0 rules failed
23/6/2020 -- 10:35:36 - <Info> - Threshold config parsed: 0 rule(s) found
23/6/2020 -- 10:35:36 - <Info> - 2326 signatures processed. 207 are IP-only rules, 440 are inspecting packet payload, 1755 inspect application layer, 0 are decoder event only
23/6/2020 -- 10:35:38 - <Notice> - Configuration provided was successfully loaded. Exiting.
23/6/2020 -- 10:35:38 - <Info> - cleaning up signature grouping structure... complete

I turned off stats.log in suricata.yaml:
Code:
stats:
  enabled: no
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8

I'm sending it to syslog as per this post
 
Run
Code:
suricata -c /opt/etc/suricata/suricata.yaml —af-packet
Long dash doesn't work in my console, I have to use double dash --
Code:
suricata -c /opt/etc/suricata/suricata.yaml --af-packet
 
I'm trying to port Oinkmaster, which handles this update management. See if they find a form similar to Oinkmaster.
 
So if I understand that correctly, Oinkmaster would keep the Snort rules current by running it on a scheduler? Would that be running on the router or as a separate browser-based script?
 
Schedule and compare if the update is needed.
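Two things in this thread go together in practice: the test-mode run posted earlier (17 rule files, 2326 rules loaded, 0 failed, "Configuration provided was successfully loaded") and the idea of an Oinkmaster-style scheduled job that only installs rules when they actually changed. The script below is an added example, not code from the thread or from the Suricata project: it fetches the ET Open tarball, compares its hash with the last installed one, validates the new set with suricata -T in a staging directory, and only then copies it into place and asks the running engine to reload. The entware paths, the ET Open URL for the 4.1 rule format, the tarball unpacking into rules/*.rules, and the pid-file location are assumptions; adjust them for your box.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven ET Open rule updater for an
# entware Suricata 4.1 install. Assumptions: paths under /opt, ET Open URL for
# the 4.1 rule format, tarball unpacks into rules/*.rules, suricata started
# with --pidfile so a live reload can be signalled.
set -u

SURICATA_YAML="${SURICATA_YAML:-/opt/etc/suricata/suricata.yaml}"
RULES_DIR="${RULES_DIR:-/opt/etc/suricata/rules}"
STATE_DIR="${STATE_DIR:-/opt/var/lib/suricata-rules}"
PIDFILE="${PIDFILE:-/opt/var/run/suricata.pid}"
RULES_URL="${RULES_URL:-https://rules.emergingthreats.net/open/suricata-4.1/emerging.rules.tar.gz}"

# sha256 of a file; sha256sum exists in both busybox and coreutils.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# rules_changed TARBALL HASHFILE: succeed (0) when TARBALL's hash differs from
# the hash recorded in HASHFILE, or when nothing has been recorded yet.
rules_changed() {
    new_hash=$(sha256_of "$1")
    old_hash=$(cat "$2" 2>/dev/null || true)
    [ "$new_hash" != "$old_hash" ]
}

# test_output_ok: read `suricata -T` output on stdin and succeed only if the
# config loaded AND the rule summary reports 0 failed rules. Test mode exits 0
# even when individual rules fail to parse (unless --init-errors-fatal is
# given), so the exit status alone is not a sufficient check.
test_output_ok() {
    awk '
        /rules successfully loaded, [0-9]+ rules failed/ {
            for (i = 2; i <= NF; i++)
                if ($i == "rules" && $(i + 1) == "failed") failed = $(i - 1)
            seen_summary = 1
        }
        /Configuration provided was successfully loaded/ { loaded = 1 }
        END { exit !(loaded && seen_summary && failed == 0) }
    '
}

# validate_staged DIR: run test mode against a staging rule directory instead
# of the live one (--set overrides a yaml key from the command line).
validate_staged() {
    suricata -c "$SURICATA_YAML" --set default-rule-path="$1" -T 2>&1 | test_output_ok
}

update_rules() {
    tmp=$(mktemp -d) || return 1
    if ! curl -fsSL -o "$tmp/rules.tar.gz" "$RULES_URL"; then
        echo "download failed" >&2; rm -rf "$tmp"; return 1
    fi
    if ! rules_changed "$tmp/rules.tar.gz" "$STATE_DIR/last.sha256"; then
        echo "rules unchanged, nothing to do"; rm -rf "$tmp"; return 0
    fi
    mkdir -p "$tmp/stage"
    if ! tar -xzf "$tmp/rules.tar.gz" -C "$tmp/stage"; then
        echo "bad tarball" >&2; rm -rf "$tmp"; return 1
    fi
    if ! validate_staged "$tmp/stage/rules"; then
        echo "new rules failed suricata -T, keeping the current set" >&2
        rm -rf "$tmp"; return 1
    fi
    mkdir -p "$STATE_DIR"
    cp "$tmp/stage/rules/"*.rules "$RULES_DIR"/ || { rm -rf "$tmp"; return 1; }
    sha256_of "$tmp/rules.tar.gz" > "$STATE_DIR/last.sha256"
    rm -rf "$tmp"
    # SIGUSR2 asks a running Suricata to reload its rule set without a restart.
    [ -r "$PIDFILE" ] && kill -USR2 "$(cat "$PIDFILE")"
    return 0
}

# `sh update-rules.sh update` does the work; sourcing the file only defines functions.
case "${1:-}" in
    update) update_rules ;;
esac
```

On Merlin the job can be scheduled with the firmware's cru helper, e.g. cru a suricata-rules "15 4 * * * /opt/bin/update-rules.sh update". The staging step matters because the rule-files list in suricata.yaml must match what the tarball unpacks; if a file is missing, the failed-rule count or a missing "successfully loaded" line makes the script keep the old set rather than leaving the router with a half-installed rule directory.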
 
Run
Code:
suricata -c /opt/etc/suricata/suricata.yaml - -af-packet

Same here, I had to use the double dash. What's with that warning I'm getting in that line??
Code:
admin@RT-AX88U-E960:/tmp/home/root# suricata -c /opt/etc/suricata/suricata.yaml --af-packet
23/6/2020 -- 11:58:04 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
23/6/2020 -- 11:58:04 - <Notice> - This is Suricata version 4.1.8 RELEASE
23/6/2020 -- 11:58:04 - <Info> - CPUs/cores online: 4
23/6/2020 -- 11:58:04 - <Info> - Found an MTU of 1492 for 'ppp0'
23/6/2020 -- 11:58:04 - <Info> - Found an MTU of 1492 for 'ppp0'
23/6/2020 -- 11:58:04 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
23/6/2020 -- 11:58:04 - <Info> - fast output device (regular) initialized: fast.log
23/6/2020 -- 11:58:04 - <Info> - stats output device (regular) initialized: stats.log
23/6/2020 -- 11:58:04 - <Info> - 17 rule files processed. 2326 rules successfully loaded, 0 rules failed
23/6/2020 -- 11:58:04 - <Info> - Threshold config parsed: 0 rule(s) found
23/6/2020 -- 11:58:04 - <Info> - 2326 signatures processed. 207 are IP-only rules, 440 are inspecting packet payload, 1755 inspect application layer, 0 are decoder event only
23/6/2020 -- 11:58:06 - <Info> - Going to use 1 thread(s)
23/6/2020 -- 11:58:06 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
23/6/2020 -- 11:58:06 - <Info> - All AFP capture threads are running.
 
Set your WAN interface.
 
Check your WAN with
Code:
ifconfig
to make sure it is on eth0 and enter it in suricata.yaml.
Look for the port that shows your WAN IP under inet addr:
 
I read this as meaning that it will be a while before we can use v5 on Asus?
 
Version 4 is being maintained and will still be very useful for some time.
The problem is that ARM routers have limited architecture. See CakeQOS, limited to some modern routers with a current kernel. Little can be done.
I'm almost done with my mini ITX server. I will soon use the AC86U in bridge.
 

What does v5 bring to the table that is new compared to v4?
Thanks
 
Thanks! Sounds like an important upgrade.
V4 will be useful for a long time. Anyway it is possible to install via git, if someone keeps it.
 
Hi all...took the plunge and have the following output when checked....I have disabled logging so that error I'm not concerned with, but the other one I am....any suggestions? I did indeed change my af-packet to eth0 (or my WAN).

Code:
27/6/2020 -- 17:26:23 - <Notice> - This is Suricata version 4.1.8 RELEASE
27/6/2020 -- 17:26:23 - <Info> - CPUs/cores online: 2
27/6/2020 -- 17:26:23 - <Info> - Found an MTU of 1500 for 'eth0'
27/6/2020 -- 17:26:23 - <Info> - Found an MTU of 1500 for 'eth0'
27/6/2020 -- 17:26:24 - <Info> - Syslog output initialized
27/6/2020 -- 17:26:24 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
27/6/2020 -- 17:26:24 - <Info> - 17 rule files processed. 2329 rules successfully loaded, 0 rules failed
27/6/2020 -- 17:26:24 - <Info> - Threshold config parsed: 0 rule(s) found
27/6/2020 -- 17:26:24 - <Info> - 2329 signatures processed. 205 are IP-only rules, 442 are inspecting packet payload, 1760 inspect application layer, 0 are decoder event only
27/6/2020 -- 17:26:31 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Operation not supported (95)
27/6/2020 -- 17:26:31 - <Info> - Going to use 1 thread(s)
27/6/2020 -- 17:26:31 - <Notice> - all 1 packet processing threads, 2 management threads initialized, engine started.
27/6/2020 -- 17:26:32 - <Info> - All AFP capture threads are running.
^X
^C27/6/2020 -- 17:27:52 - <Notice> - Signal Received.  Stopping engine.
27/6/2020 -- 17:27:52 - <Info> - time elapsed 80.818s
27/6/2020 -- 17:27:53 - <Info> - Alerts: 0
27/6/2020 -- 17:27:53 - <Info> - cleaning up signature grouping structure... complete
27/6/2020 -- 17:27:53 - <Notice> - Stats for 'eth0':  pkts: 53655, drop: 0 (0.00%), invalid chksum: 0
27/6/2020 -- 17:27:53 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Operation not supported (95)
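For the "set your WAN interface" step above and for the SC_ERR_SYSCALL lines in this last output, here is the relevant part of suricata.yaml as an added example; it is not a file posted in the thread. The interface names come from the outputs above (eth0, and ppp0 with MTU 1492 on a PPPoE uplink); the remaining keys are ordinary Suricata 4.1 options, and the capture: key is worth checking against the comments in your own suricata.yaml before relying on it. The ioctl warning comes from Suricata trying to switch off NIC offloading through an ethtool ioctl at start-up and restoring it at exit, which is why it appears once at engine start and once at shutdown; a driver that does not implement the request answers errno 95 (EOPNOTSUPP, "Operation not supported"), and the engine carries on capturing, as the 53655 packets with 0 drops in the stats line show.

```yaml
# Added example (not from the thread): af-packet and capture settings in
# /opt/etc/suricata/suricata.yaml for a router whose WAN port is eth0.
af-packet:
  - interface: eth0          # the interface that shows your WAN IP under "inet addr:" in ifconfig
    threads: 1               # one capture thread is enough on a 2-4 core router; the outputs above show 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
  # Suricata logs "Found an MTU of ... for '<iface>'" for the interface it was told to
  # capture on, so the ppp0/1492 lines in one post above mean that config named ppp0,
  # which is where the WAN IP lives on a PPPoE link. Name that interface instead if
  # it is the one carrying your WAN address.
  #- interface: ppp0
  #  threads: 1
  #  cluster-id: 98
  #  cluster-type: cluster_flow
  #  defrag: yes

capture:
  # Suricata disables NIC offloading (GRO/LRO) via ethtool ioctl at start and restores it
  # at exit. A driver that refuses gives the SC_ERR_SYSCALL "Operation not supported (95)"
  # warning seen above; nothing was changed on the NIC, so it is harmless. Setting this
  # to false stops the attempt and silences the warning.
  disable-offloading: false
```

Leave the default (offloading disabled) in place on drivers that do support it: with GRO/LRO on, the NIC hands Suricata merged segments larger than the wire MTU, which is what the default is there to avoid. Only switch it off where, as here, the driver refuses the ioctl anyway.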
 
