Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

Failure when trying to set feature via ioctl for 'eth0': Operation not supported (95)

There are two possibilities, either your WAN is configured incorrectly or your device does not support it.

 

[rgnldo]

For integration with Skynet

 ### IPS (suricata) chains ###
    iptables -N IPS_INPUT
    iptables -N IPS_FORWARD
    iptables -N IPS_OUTPUT
    iptables -A INPUT -j IPS_INPUT
    iptables -A FORWARD -j IPS_FORWARD
    iptables -A OUTPUT -j IPS_OUTPUT

See:
https://suricata.readthedocs.io/en/suricata-4.1.4/setting-up-ipsinline-for-linux.html

 

[Wisiwyg]

For integration with Skynet

 ### IPS (suricata) chains ###
    iptables -N IPS_INPUT
    iptables -N IPS_FORWARD
    iptables -N IPS_OUTPUT
    iptables -A INPUT -j IPS_INPUT
    iptables -A FORWARD -j IPS_FORWARD
    iptables -A OUTPUT -j IPS_OUTPUT

See:
https://suricata.readthedocs.io/en/suricata-4.1.4/setting-up-ipsinline-for-linux.html

Please elaborate.... issuing these commands tighten the integration with Skynet?

 

[Smokey613]

Does Suricata support IPv6 ?

 

[Marin]

Does Suricata support IPv6 ?

https://suricata.readthedocs.io/en/suricata-4.1.4/setting-up-ipsinline-for-linux.html?highlight=ipv6


https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html?highlight=ipv6

Sent from my iPhone using Tapatalk

 

[Smokey613]

https://suricata.readthedocs.io/en/suricata-4.1.4/setting-up-ipsinline-for-linux.html?highlight=ipv6


https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html?highlight=ipv6

Sent from my iPhone using Tapatalk

I just re-read post #11 and saw it stated support for IPv6.

 

[Wisiwyg]

Following the readthedocs link:

No NFQ in the Suricata linked..

Please elaborate... will this build work without NFQ to interact with Skynet if using the commands for IPTables alone?

TIA

 

[Smokey613]

Following the readthedocs link:
View attachment 24330

No NFQ in the Suricata linked..

View attachment 24331

Please elaborate... will this build work without NFQ to interact with Skynet if using the commands for IPTables alone?

TIA

I wondered the same thing.......

 

[skeal]

Hi! I'm late to the show. Are there any prefered settings that are not default that i should be looking at? I'm a weekend warrior and don't have time to read through the 300 posts. Thanks.

Secondly will this run alongside skynet and diversion?

 

[ugandy]

Hi! I'm late to the show. Are there any prefered settings that are not default that i should be looking at? I'm a weekend warrior and don't have time to read through the 300 posts. Thanks.

Secondly will this run alongside skynet and diversion?

i'm running it with skynet/diversion/unbound/cake
BTW, on my 600Mbps connection, suricata reduced my top speed by 50Gbps. impact will depend on your line (probably smaller impact at lower speeds)

for install i just followed post #1 and made sure i got latest versions from github project page.

unfortunately there;s no script for install/update
it's easy to install, but a proper script would be nice. specially for updates. right now updates work by visiting github and checking if the yaml file was updated recently by @rgnldo and manually applying diffs.
also note that a lot of threats are already filtered by skynet (meaning i don't get a lot of threats detected by suricata). suricata is good if you want absolute peace of mind and were using or thinking of using AIProtect to begin with. suricata will allow you to get rid of the trend micro spyware, and it's better.
another thing, as this still feels like a work in progress, there's no clear path at the moment on how to eventually go from suricata v4 (current) to suricata v5.

 

[rgnldo]

i'm running it with skynet/diversion/unbound/cake
BTW, on my 600Mbps connection, suricata reduced my top speed by 50Gbps. impact will depend on your line (probably smaller impact at lower speeds)

for install i just followed post #1 and made sure i got latest versions from github project page.

unfortunately there;s no script for install/update
it's easy to install, but a proper script would be nice. specially for updates. right now updates work by visiting github and checking if the yaml file was updated recently by @rgnldo and manually applying diffs.
also note that a lot of threats are already filtered by skynet (meaning i don't get a lot of threats detected by suricata). suricata is good if you want absolute peace of mind and were using or thinking of using AIProtect to begin with. suricata will allow you to get rid of the trend micro spyware, and it's better.
another thing, as this still feels like a work in progress, there's no clear path at the moment on how to eventually go from suricata v4 (current) to suricata v5.

I think there were changes, yes, in Suricata. v 4.1.6, v 4.1.7 and now v 4.1.8

There is no problem with Skynet or another application. It just isn't integrated.

 

[skeal]

I don't see a link to the github page in post #1 did I miss something?

 

[ugandy]

I don't see a link to the github page in post #1 did I miss something?

there is no link but you can google "rgnldo suricata github" and find:
https://github.com/rgnldo/knot-resolver-suricata


in any case, if you follow install instructions of post #1 you'll get latest version

 

[skeal]

there is no link but you can google "rgnldo suricata github" and find:
https://github.com/rgnldo/knot-resolver-suricata


in any case, if you follow install instructions of post #1 you'll get latest version

Up and running the only strangeness was that the /opt/var/lib/suricata/rules/ directory and contents wasn't created so I did it manually and it updates the rules now. Seems nice no messages in the log and it checks itself in the middle of the night. Sweet!

 

[Martineau]

unfortunately there;s no script for install/update

Actually, I was pinged to contribute....so created a very basic install/Update manager script.

see this post#

 

[ugandy]

Up and running the only strangeness was that the /opt/var/lib/suricata/rules/ directory and contents wasn't created so I did it manually and it updates the rules now. Seems nice no messages in the log and it checks itself in the middle of the night. Sweet!

you can check for threats detected in /opt/var/log/suricata/fast.log

also if you read through the thread there are instructions on out to get the logs going with syslog/logrotate so you can see it on the router's webgui

 

[ugandy]

Actually, I was pinged to contribute....so created a very basic install/Update manager script.

see this post#

could that post get its own [release] thread?
and it makes it easier for us to send you a barrage of requests and other user banter! ;-)
thank you

 

[ugandy]

Following the readthedocs link:
View attachment 24330

No NFQ in the Suricata linked..

View attachment 24331

Please elaborate... will this build work without NFQ to interact with Skynet if using the commands for IPTables alone?

TIA

does this mean that skynet integration is a no go?

 

[QuikSilver]

Thanks to @Martineau I tried to install Suricata, but it seems that since I use trendmicro and flexqos that its not possible. I know that Skynet is being discussed but what about those of us who don't use cakeqos.

 

[ugandy]

Thanks to @Martineau I tried to install Suricata, but it seems that since I use trendmicro and flexqos that its not possible. I know that Skynet is being discussed but what about those of us who don't use cakeqos.
View attachment 24348

suricata is not compatible with adaptiveqos/flexqos. it is compatible with cake/skynet.

i use: skynet/diversion/cake/unbound/suricata.
are you positively sure that you need flexqos and that cake is not enough?
i can stream 4k/webex/upload/download/zoom with cake without issues.
i do miss the visual reports on traffic distribution from flexqos, but flexqos wasn't able to control my latency during saturation of UL line, for my setup at least