Suricata - IDS on AsusWRT Merlin

...os lots more customizations under the hood like syslog/logrotate files that I posted here...

Cheers!
I need you to organize the steps. I will post on the home page.
 
Same here, once I get the time assuming @Martineau is game on "where" we host it, I can get it going on Github. Seems like Cake-QOS is on its own path now!
Feel free. Organize Suricata as you wish.
 
for the folks running suricata, what entries have you found on fast.log, after running it for a while?
thanks
 
only the following entries after 3 days. I have skynet running at the same time so i think that has something to do with the small number of events.


06/29/2020-23:39:41.557270 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 45.148.121.84:42364 -> my.wan.ip:>
06/30/2020-08:53:09.174981 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 185.81.157.124:5238 -> my.wan.ip:>
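Once fast.log has a few weeks of entries, a tally per signature and per source IP is the quickest way to see whether anything other than the NTP MON_LIST noise is showing up. What follows is an added example, not code from this thread or from Suricata: two awk-based functions that run with the sh, awk and sort present on an Entware router. The default path /opt/var/log/suricata/fast.log is an assumption. The sample lines are constructed from the format quoted above (the two NTP alerts with my.wan.ip replaced by the documentation address 203.0.113.5, plus two invented hits on the Dshield rule sid 2402000 that appears later in the thread); they are not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: tally Suricata fast.log by signature and
# by source IP using only sh, awk and sort (what an Entware router has).
# FASTLOG is an assumption about where the yaml posted in the thread logs to.

FASTLOG="${FASTLOG:-/opt/var/log/suricata/fast.log}"

# fast.log record layout (one per line):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# Splitting on the literal "[**]" gives part[1] = timestamp, part[2] = id + msg,
# part[3] = classification, priority, protocol and addresses.

# Alerts per signature: "count<TAB>sid<TAB>msg", most frequent first.
fastlog_by_sid() {
    awk '
        {
            if (split($0, part, /\[\*\*\]/) < 3) next     # not an alert record
            s = part[2]
            sub(/^ *\[/, "", s)                            # -> "1:2017919:2] ET DOS ..."
            p = index(s, "] ")
            split(substr(s, 1, p - 1), gsr, ":")           # gsr[1]=gid gsr[2]=sid gsr[3]=rev
            msg = substr(s, p + 2)
            sub(/ +$/, "", msg)
            n[gsr[2] "\t" msg]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$1" | sort -rn
}

# Alerts per source IPv4: "count<TAB>ip", most frequent first. The port is
# dropped so repeated probes from one host on ephemeral ports add up.
fastlog_by_src() {
    awk '
        {
            if (split($0, part, /\[\*\*\]/) < 3) next
            if (!match(part[3], /[}] [^ ]+ ->/)) next
            src = substr(part[3], RSTART + 2, RLENGTH - 5)  # "45.148.121.84:42364"
            sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$1" | sort -rn
}

# Constructed sample in fast.log format (not a real capture): the two NTP
# alerts quoted in the thread with the WAN IP replaced by 203.0.113.5, plus
# two invented hits on ET sid 2402000 from one Dshield-listed /24.
make_sample_fastlog() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
06/29/2020-23:39:41.557270  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 45.148.121.84:42364 -> 203.0.113.5:123
06/30/2020-08:53:09.174981  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 185.81.157.124:5238 -> 203.0.113.5:123
07/01/2020-02:10:00.000000  [**] [1:2402000:5592] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 185.156.73.10:51234 -> 203.0.113.5:22
07/01/2020-02:10:07.000000  [**] [1:2402000:5592] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 185.156.73.10:51240 -> 203.0.113.5:443
EOF
    printf '%s\n' "$f"
}

# Report on the real log if present, otherwise on the constructed sample.
if [ -r "$FASTLOG" ]; then
    log="$FASTLOG"
else
    log=$(make_sample_fastlog)
    echo "($FASTLOG not readable, reporting on the constructed sample)"
fi
echo "alerts per signature:"; fastlog_by_sid "$log"
echo; echo "alerts per source IP:"; fastlog_by_src "$log"
```

Run it as-is on the router to summarise the live fast.log; the per-source view is the one to compare against Skynet's block list, since a source that shows up there is traffic Skynet let through.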
 
Good to see the steps to enable syslog and log rotate. I haven't managed to work out how to do this yet. I am using scribe so good if the instruction could include how to use with scribe.
 
Check the link I provided, should be pretty straightforward.
 
only the following entries after 3 days. I have skynet running at the same time so i think that has something to do with the small number of events.


06/29/2020-23:39:41.557270 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 45.148.121.84:42364 -> my.wan.ip:>
06/30/2020-08:53:09.174981 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 185.81.157.124:5238 -> my.wan.ip:>

Same here after several weeks. Curious if anyone got anything other than this NTP DDoS...
 
Thanks - i have tried to follow the post but I get stuck at the second step. However I have noticed that the fast.log entries do end up in the syslog so that is a good start!

Can you help a little more? - Sorry if i'm a pain. I'm keen to learn. Below is where I am stuck.

step 1 - update yaml file to turn off stats logging and turn on syslog [done]

step 2 - Where does this code go? Also in the yaml file?

Code:
# Logging configuration.  This is not about logging IDS alerts, but
# IDS output about what it's doing, errors, etc.
logging:

  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info

  # Define your logging outputs.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: no
      filename: /opt/var/log/suricata/suricata.log
  - syslog:
      enabled: yes
      # facility must be a syslog facility name (local0..local7, daemon, user, ...);
      # "off" is not one: Suricata logs a warning and falls back to its default facility.
      facility: local5

step 3 - do something with scribe setup but i don't know what/how.
 
It is unclear where it will be added to the scribe.

as well as for possible integration, which I see might be moving.
There is no need for Skynet at this point. Suricata has a list of IPs that are blacklisted. Possible integration with Skynet is at the level of processes and priorities.
 
There is no need for Skynet at this point. Suricata has a list of IPs that are blacklisted.

This is quite a confident statement, and judging from what I know of the other work this forum member has done, it seems it’s time to wrap my head around Suricata for my home network.


 
Keep in mind that, unlike Skynet, Suricata has a throughput tax (because it is CPU bound). On my 550Mbps connection, on the AX88, it reduced download speed by 50Mbps, down to 500Mbps. Not too bad, for what it gives you. I use it together with Skynet (Suricata also checks for other threats beyond blacklisted IPs).
 
This is quite a confident statement, and judging from what I know of the other work this forum member has done, it seems it’s time to wrap my head around Suricata for my home network.
example:

https://rules.emergingthreats.net/open/suricata/rules/dshield.rules

Code:
# $Id: emerging-dshield.rules $
# Emerging Threats Dshield rules.
# Rules to block Dshield identified Top Attackers (www.dshield.org)

alert ip [185.156.73.0/24,37.49.224.0/24,176.126.175.0/24,195.54.160.0/24,83.97.20.0/24,80.82.77.0/24,37.49.230.0/24,88.214.26.0/24,51.91.212.0/24,185.216.140.0/24,185.175.93.0/24,192.241.219.0/24,146.88.240.0/24,192.241.220.0/24,192.241.228.0/24,192.241.226.0/24,89.248.168.0/24,185.110.95.0/24,192.241.227.0/24,192.241.221.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5592; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2020_06_30;)
 
How busy is your CPU without it running?
(My DL is <1/10th of yours; a similar 10% reduction, while not insignificant, most likely won’t be as noticed on my network)
(I wonder if such an occurrence indicates that code can be streamlined or otherwise similarly improved...??)


 
It didn't change my speed.

I think the % reduction would depend on the top speed... that is, maybe a 200Mbps connection on an AX88 would be fine since the CPU can handle it with room to spare(?)
The 550->500 impact on my AX88 is real, as measured by spdMerlin on a quiet CPU/network.
I'll test again. Maybe I missed something.
I wonder if anyone here tried Suricata on a gigabit connection and can share their results.

You have a 50Mbps connection and see a 5Mbps drop? Which router? That's small enough that it can be just normal network variance. Check spdMerlin results over a 24hr period (that's what I did).
 
@rgnldo suggested you may be misconfigured with a CPU hit that large in routers built to handle gigabit connections. Now that I think about it, I'd bet he's right, otherwise why bother with this?


 
For security :)
Note that gigabit flows are only possible due to dedicated hardware acceleration. Traffic on the stock-configured AX88 (QoS disabled) does not use the main CPU; it uses fast dedicated hardware to allow fast gigabit connections.
But if you install Suricata, you will use the main CPUs for some of the work checking that data around. So a reduction is not a crazy thing to imagine, I think.
I'd be curious to see other reports on this. Maybe it is only significant above 500Mbps. Or maybe my test was somehow flawed (I keep seeing a 50Mbps difference on speedtest.net on my connection).
The added security is worth it anyway.
 
Step 2 - inside your suricata yaml file (/opt/etc/suricata/suricata.yaml).
Step 3 - refer to the syslog-ng instructions. Copy the respective suricata files from *.share for both logrotate and suricata to their respective /opt/etc/logrotate.d and syslog-ng.d directories. Make sure the perms are root R/W (0600). Reload Scribe (syslog-ng), which restarts logrotate.
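Step 3 above comes down to two small files landing in the right directories with root-only permissions. The script below is an added example (not from this thread, and not Scribe's or Suricata's own files) that writes both and verifies the mode, under a PREFIX that defaults to /opt on the router and can be pointed at a scratch directory for a dry run. It assumes Scribe's syslog-ng source is named `src`, that Suricata's syslog messages carry the program name `suricata`, and that Scribe reads filters from /opt/etc/syslog-ng.d and rotation rules from /opt/etc/logrotate.d as the step says; the file contents themselves (destination path, rotation size and count) are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the thread and not Scribe's or Suricata's own files:
# drop in the two files step 3 asks for (a syslog-ng filter and a logrotate
# rule for Suricata) with mode 0600, under PREFIX (default /opt on the router;
# set PREFIX to a scratch dir to dry-run). Assumptions: Scribe's syslog-ng
# source is named "src", Suricata's syslog ident is "suricata", and Scribe
# reads $PREFIX/etc/syslog-ng.d and $PREFIX/etc/logrotate.d.
set -u
PREFIX="${PREFIX:-/opt}"

# Write stdin to $1 as a fresh 0600 file; return 1 if the mode is not 0600.
install_conf_0600() {
    dst="$1"
    mkdir -p "$(dirname "$dst")" && rm -f "$dst" || return 1
    ( umask 077; cat >"$dst" )        # created as 0600, no chmod race window
    [ -n "$(find "$dst" -perm 600 2>/dev/null)" ] || { echo "bad mode on $dst" >&2; return 1; }
}

# syslog-ng filter: everything Suricata sends to syslog (its own log lines
# with the logging section shown earlier, plus alerts if the alert syslog
# output is enabled too) goes to its own file; flags(final) keeps those
# messages out of the general syslog.
install_suricata_syslog_filter() {
    install_conf_0600 "$PREFIX/etc/syslog-ng.d/suricata" <<EOF
destination d_suricata {
    file("$PREFIX/var/log/suricata.log");
};

filter f_suricata {
    program("suricata");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};
EOF
}

# logrotate rule: copytruncate keeps syslog-ng writing to the same inode, so
# no HUP or reload is needed after a rotation.
install_suricata_logrotate() {
    install_conf_0600 "$PREFIX/etc/logrotate.d/suricata" <<EOF
$PREFIX/var/log/suricata.log {
    size 1M
    rotate 4
    compress
    missingok
    notifempty
    copytruncate
}
EOF
}

# Verify both files exist with mode 0600; one line per file, non-zero if not.
check_suricata_scribe_files() {
    rc=0
    for f in "$PREFIX/etc/syslog-ng.d/suricata" "$PREFIX/etc/logrotate.d/suricata"; do
        if [ -f "$f" ] && [ -n "$(find "$f" -perm 600)" ]; then
            echo "ok   $f"
        else
            echo "BAD  $f (missing or not 0600)"
            rc=1
        fi
    done
    return $rc
}

install_suricata_scribe_files() {
    install_suricata_syslog_filter && install_suricata_logrotate && check_suricata_scribe_files
}

# Only touch the filesystem when asked: "PREFIX=/opt sh this.sh apply".
if [ "${1:-}" = "apply" ]; then
    install_suricata_scribe_files && echo "files in place; reload Scribe so syslog-ng re-reads its filters"
fi
```

Dry-run first with `PREFIX=$(mktemp -d) sh this.sh apply` and read the two generated files; then run with PREFIX=/opt as root and reload Scribe. If Suricata's lines still land in the main syslog afterwards, the program name in the filter is the thing to check against what actually arrives.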
 
I am using Suricata on gigabit. When running only Suricata, speed is around 500-550 Mbit. With QoS it is only 300 Mbit. Upload is 100 Mbit.
 
