Suricata Suricata - IDS on AsusWRT Merlin

Suricata is not compatible with AdaptiveQoS/FlexQoS. It is compatible with Cake/Skynet.

I use: Skynet/Diversion/Cake/Unbound/Suricata.
Are you positively sure that you need FlexQoS and that Cake is not enough?
I can stream 4K/WebEx/upload/download/Zoom with Cake without issues.
I'm sure I could get by with CakeQoS but I feel like FlexQoS gives me more flexibility and insight into my network.
 
There are two possibilities, either your WAN is configured incorrectly or your device does not support it.

Quite bizarre, as I'm on an AC3100, which I would think is supported. And given that I am able to access the internet, I can only presume my WAN is configured just fine... I did enter eth0 in the .yaml file line as directed. That's too bad!
 
I have an unusual situation... I have a Raspberry Pi with an attached GPS board and I use this as a high precision (Stratum 1) NTP server. Being a good Open Source citizen, my Pi is part of the ntp.pool.org (I port forward UDP port 123).
As a result, my fast.log gets loaded with this message:

ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2]

This is a widely known issue - but harmless.

So my question is, is there a way to filter this message?
 
You can check for threats detected in /opt/var/log/suricata/fast.log.

Also, if you read through the thread there are instructions on how to get the logs going with syslog/logrotate so you can see them in the router's web GUI.
Hi - I am trying to follow the post/info in this thread to get the logs integrated with syslog and scribe but I'm struggling. Can you repost the instructions in a simplistic way please?
 
I have had Suricata running for 24hrs with cake, diversion and Skynet - everything seems to be working but I have no entries in fast.log.

The stats.log and http.log are both updating so I think it is all working but no threats detected as I think skynet is picking them up first. Is this a reasonable assumption?

I will temporarily disable Skynet to test my theory...
 
So my question is, is there a way to filter this message?
It is not being blocked. It is a suspected activity. It's like a flip. It is recommended to leave it. Suricata is doing its job.
You can configure Suricata for DROP fins only.
 
I have had Suricata running for 24hrs with cake, diversion and Skynet - everything seems to be working but I have no entries in fast.log.

The stats.log and http.log are both updating so I think it is all working but no threats detected as I think skynet is picking them up first. Is this a reasonable assumption?

I will temporarily disable Skynet to test my theory...
There is no need to do any procedure. There is no detection to display in fast.log. Suricata is working well.
 
I ran FreshJR then FlexQoS, both do a good job. IMHO, if you can live without the colorful graphs, Cake is the way to go. I dumped all the TM stuff and now run the scripts listed in my signature. I could not be more satisfied with the results.
 
I have had Suricata running for 24hrs with cake, diversion and Skynet - everything seems to be working but I have no entries in fast.log.

The stats.log and http.log are both updating so I think it is all working but no threats detected as I think skynet is picking them up first. Is this a reasonable assumption?

I will temporarily disable Skynet to test my theory...

Skynet/Diversion catch a lot of stuff.
 
Skynet/Diversion catch a lot of stuff.
Thanks. Looks like it is all working well, so thanks to everybody contributing - much appreciated.

My last setup/config task is to include suricata log entries in the webUI / scribe...
 
Code:
# Create the add-on directory, fetch the manager script, make it executable,
# normalise its line endings, then run it.
# Note: curl -k disables TLS certificate verification for the pastebin download.
mkdir /jffs/addons 2>/dev/null
mkdir /jffs/addons/suricata 2>/dev/null
curl -kL https://pastebin.com/raw.php?i=XhNumLMU -o /jffs/addons/suricata/suricata_manager.sh \
  && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" \
  && dos2unix /jffs/addons/suricata/suricata_manager.sh
/jffs/addons/suricata/suricata_manager.sh

After install run this command to see your options.

suricata_manager -h
 
@Martineau already did a basic one. Check the thread.
Code:
# Create the add-on directory, fetch the manager script, make it executable,
# normalise its line endings, then run it.
# Note: curl -k disables TLS certificate verification for the pastebin download.
mkdir /jffs/addons 2>/dev/null
mkdir /jffs/addons/suricata 2>/dev/null
curl -kL https://pastebin.com/raw.php?i=XhNumLMU -o /jffs/addons/suricata/suricata_manager.sh \
  && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" \
  && dos2unix /jffs/addons/suricata/suricata_manager.sh
/jffs/addons/suricata/suricata_manager.sh

After install run this command to see your options.

suricata_manager -h

Catching up...still had my manual install instructions!
 
It is not being blocked. It is a suspected activity. It's like a flip. It is recommended to leave it. Suricata is doing its job.
You can configure Suricata for DROP fins only.
Thanks @rgnldo I will write a sed script to filter them periodically...
If only people would move to chrony ;-)
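Rather than stripping the MON_LIST alerts out of fast.log afterwards, the usual way to tame a known-noisy signature in Suricata is an entry in its threshold file, which keeps the alert in the log but rate-limits it. The script below is an added example, not code from this thread or from suricata_manager. It assumes the NTP server is 192.168.1.50, that fast.log is in Suricata's default fast format, and that the signature to tame is whichever one fires most often against that host; the sample log lines and their sids are constructed for illustration, so take the real sid from the [gid:sid:rev] field in your own /opt/var/log/suricata/fast.log.

```shell
#!/bin/sh
# Added example, not from the thread: derive a Suricata threshold.config
# entry from fast.log so the noisy NTP MON_LIST signature is rate-limited
# per source instead of being cleaned out of the log with sed.
#
# Assumptions (not stated in the thread): the NTP server is 192.168.1.50,
# fast.log uses Suricata's default "fast" format, and the signature to
# tame is the one that fires most often against that host. The sids in the
# sample below are illustrative; take the real one from the [gid:sid:rev]
# field in your own /opt/var/log/suricata/fast.log.

# Constructed sample of fast.log lines (two noisy NTP hits, one unrelated alert).
SAMPLE_FASTLOG='06/30/2020-10:54:22.000001  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 203.0.113.5:44123 -> 192.168.1.50:123
06/30/2020-10:54:23.000002  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:50000 -> 192.168.1.50:123
06/30/2020-10:55:01.000003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:51000'

# Count alerts per signature whose destination host is $1.
# Reads fast.log on stdin; prints "<count> <sid> <rev>", busiest first.
count_sids_for_dst() {
  awk -v dst="$1" '
    match($0, /\[1:[0-9]+:[0-9]+\]/) {
      id = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "1:2017919:2"
      split(id, p, ":")
      n = split($0, tok, " ")                    # last token is "dst:port"
      d = tok[n]; sub(/:[0-9]+$/, "", d)
      if (d == dst) c[p[2] " " p[3]]++
    }
    END { for (k in c) print c[k], k }' | sort -rn
}

# Print the sid of the signature that fires most often against host $1.
top_noisy_sid() {
  count_sids_for_dst "$1" | head -n 1 | awk '{ print $2 }'
}

# Emit a threshold.config stanza for sid $1 against host $2.
# "type limit" still logs the first alert per source per hour, so a real
# amplification attempt from a new source is not hidden; the fully silent
# "suppress" variant is left commented out as the alternative.
threshold_entry() {
  printf 'threshold gen_id 1, sig_id %s, type limit, track by_src, count 1, seconds 3600\n' "$1"
  printf '# suppress gen_id 1, sig_id %s, track by_dst, ip %s\n' "$1" "$2"
}

# Full pipeline: fast.log on stdin, host in $1. Fails if nothing matched,
# so an empty stanza is never appended to threshold.config by accident.
generate_threshold_config() {
  sid=$(top_noisy_sid "$1")
  [ -n "$sid" ] || { echo "no alerts seen for $1" >&2; return 1; }
  threshold_entry "$sid" "$1"
}

# Stand-alone run against the constructed sample. On the router, replace the
# printf with: cat /opt/var/log/suricata/fast.log
printf '%s\n' "$SAMPLE_FASTLOG" | generate_threshold_config 192.168.1.50
```

Append the emitted stanza to the file named by `threshold-file:` in suricata.yaml and restart Suricata; its startup log reports how many threshold rules it parsed, so a count of 0 after the change means the file was not picked up. The `limit` form is preferred over `suppress` because the whole point of exposing an NTP server to the pool is that it will attract exactly this probing, and one alert per source per hour is enough to notice a new, sustained source without flooding fast.log.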
 
I have set my WAN to ppp0 (do I need to put in any numbers, or just ppp0?). It's still not able to start. Any ideas?

Code:
admin@RT-AX88U-E960:/tmp/home/root# suricata_manager check

v1.03 Suricata IDS/IPS Manager.....

30/6/2020 -- 10:54:22 - <Info> - Running suricata under test mode
30/6/2020 -- 10:54:22 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
30/6/2020 -- 10:54:22 - <Notice> - This is Suricata version 4.1.8 RELEASE
30/6/2020 -- 10:54:22 - <Info> - CPUs/cores online: 4
30/6/2020 -- 10:54:22 - <Warning> - [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
30/6/2020 -- 10:54:22 - <Info> - fast output device (regular) initialized: fast.log
30/6/2020 -- 10:54:22 - <Info> - stats output device (regular) initialized: stats.log
30/6/2020 -- 10:54:22 - <Info> - Syslog output initialized
30/6/2020 -- 10:54:22 - <Info> - 17 rule files processed. 2329 rules successfully loaded, 0 rules failed
30/6/2020 -- 10:54:22 - <Info> - Threshold config parsed: 0 rule(s) found
30/6/2020 -- 10:54:22 - <Info> - 2329 signatures processed. 204 are IP-only rules, 443 are inspecting packet payload, 1761 inspect application layer, 0 are decoder event only
30/6/2020 -- 10:54:24 - <Notice> - Configuration provided was successfully loaded. Exiting.
30/6/2020 -- 10:54:24 - <Info> - cleaning up signature grouping structure... complete



admin@RT-AX88U-E960:/tmp/home/root# suricata_manager start

v1.03 Suricata IDS/IPS Manager.....

Starting suricata... already running.
 
Same here, once I get the time, assuming @Martineau is game on "where" we host it, I can get it going on GitHub. Seems like Cake-QoS is on its own path now!
I did a manual install, so I've not tested @Martineau's script yet. Does it handle setup of syslog/logrotate, etc.?
 
I did a manual install, so I've not tested @Martineau's script yet. Does it handle setup of syslog/logrotate, etc.?

Not sure. I also install manually for the reasons said above, as I've been playing with Suricata since @rgnldo started posting about it. So real early adopter here... so lots more customizations under the hood, like the syslog/logrotate files that I posted here...

Cheers!
 