Suricata Suricata - IDS on AsusWRT Merlin

[Milan]

Update, don't do it, it slows the router down to a halt. Had to remove Suricata on the RT-AC68U this morning

Gunning and running on the RT-AC86Us though! Perhaps time to upgrade the AC68U now.....get rid of any Trend Micro for GOOD!

here on ax88u it is working fine, but your logging i was not able to enable...

 

[Mutzli]

Update, don't do it, it slows the router down to a halt. Had to remove Suricata on the RT-AC68U this morning

Gunning and running on the RT-AC86Us though! Perhaps time to upgrade the AC68U now.....get rid of any Trend Micro for GOOD!

No issues here, I tried it for a couple of hours now and the CPU on any of the four cores (AX88U) never goes over 10%.

 

[rgnldo]

It would be real nice if there was an easy way to create an allow list. I have a chatty IoT device and it is not a security threat but it fills the logs with:

Include HOME_NET declaration from external IP.

address-list: 
include: /opt/etc/suricata/suricata-homenet.yaml
include: /opt/etc/suricata/suricata-dns-servers.yaml

HTTP_PORTS declaration from external file.

port-groups:
include: /opt/etc/suricata/suricata-http-ports.yaml

 

[vdemarco]

a question about the default config of suricita. So if it logs something in the fast.log say this one here

07/08/2020-08:17:31.145651 [**] [1:2010645:9] ET POLICY User-Agent (Launcher) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.213:53225 -> 142.44.226.189:80

So that means it blocked the outgoing packet.
that hits this rule

emerging-policy.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; content:"Launcher"; http_user_agent; nocase; content:!"EpicGamesLauncher"; http_user_agent; depth:17; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010645; classtypeolicy-violation; sid:2010645; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_04

then.
classification.config:config classification: policy-violation,Potential Corporate Privacy Violation,1

Has this packet been dropped or is it just logged?

 

[Kingp1n]

Well having been pinged.....

Use at your own risk...very basic

mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/suricata 2>/dev/null; curl -kL https://pastebin.com/raw.php?i=XhNumLMU -o /jffs/addons/suricata/suricata_manager.sh  && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" && dos2unix /jffs/addons/suricata/suricata_manager.sh;/jffs/addons/suricata/suricata_manager.sh

How to use

suricata_manager -h

#======================================================================================================= © 2020 Martineau, v1.01
#  Install 'suricata - Real-time Intrusion Detection System (IDS), Intrusion Prevention System (IPS) package from Entware on Asuswrt-Merlin firmware.
#
#  Pre-reqs:   4.x kernel e.g. HND-models RT-AC86U,RT-AX88U or RT-AX56U,RT-AX58U
#              QoS and AiProtection Trend Micro DISABLED
#              Skynet DISABLED
#
# Usage:    suricata_manager    ['help'|'-h'] | [ 'debug' ]
#                               [ 'install' | 'uninstall' | 'check' | 'stop' | 'start' | 'logs' | 'config[x]' | 'test' ]
#
#           suricata_manager    config
#                               View the suricata.yml file
#           suricata_manager    configx
#                               Edit the suricata.yml file
#           suricata_manager    check
#                               Syntax check the suricata.yml file
#           suricata_manager    test
#                               Generate a spoof HTTPS attack (To see it you will need to enable the http.log)
#
#                                       uid=0(root) gid=0(root) groups=0(root)
#           suricata_manager    logs
#                               View the default three logs for activity
#
#                                       ==> /opt/var/log/suricata/fast.log <==
#
#                                       ==> /opt/var/log/suricata/stats.log <==
#
#                                       ==> /opt/var/log/suricata/eve-2020-05-09-15:38.json <==

I'm new as well and would like to try suricata. Is the post by @Martineau still active / working for installing Suricata or alot has changed since?

 

[rgnldo]

a question about the default config of suricita. So if it logs something in the fast.log say this one here

All signatures have different properties. One of those is the Action property. This one determines what will happen when a signature matches.
There are four types of Action. A summary of what will happen when a signature matches and contains one of those Actions:

1) Pass
If a signature matches and contains pass, Suricata stops scanning the packet and skips to the end of all rules (only for the current packet).

2) Drop
This only concerns the IPS/inline mode.
If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further.
Drawback: The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.

3) Reject
This is an active rejection of the packet. Both receiver and sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped like with the 'drop' action.

4) Alert
If a signature matches and contains alert, the packet will be treated like any other non-threatening packet, except for this one an alert will be generated by Suricata. Only the system administrator can notice this alert.

Rules will be loaded in the order of which they appear in files. But they will be processed in a different order. Signatures have different priorities. The most important signatures will be scanned first. There is a possibility to change the order of priority. The default order is: pass, drop, reject, alert.

action-order:
 - pass
 - drop
 - reject
 - alert

This means a pass rule is considered before a drop rule, a drop rule before a reject rule and so on.

 

[Smokey613]

One question..... if the version of Suricata that we installed on our routers does not have NFQ support compiled into it, does that mean no real IPS functions are available? In short, it can NEVER actually block malicious traffic?

 

[rgnldo]

One question..... if the version of Suricata that we installed on our routers does have NFQ support compiled into it, does that mean no real IPS functions are available? In short, it can NEVER actually block malicious traffic?

There is almost no NFQ support. Suricata is widely used in BSD environments, in conjunction with PF. On my OpenBSD, I use Suricata 5. IDS/IPS support on Suricata/Merlin is active. Only INLINE mode is not active due to compatibility with network NIC drivers. But legacy mode is the default. Functional Suricata and working at Merlin. ​

 

[Smokey613]

There is almost no NFQ support. Suricata is widely used in BSD environments, in conjunction with PF. On my OpenBSD, I use Suricata 5. IDS/IPS support on Suricata/Merlin is active. Only INLINE mode is not active due to compatibility with network NIC drivers. But legacy mode is the default. Functional Suricata and working at Merlin. ​

So IPS is active and it will block malicious traffic? I am just trying to get some clarification on the IPS function. I am getting alerts, just not sure it is blocking anything.

 

[vdemarco]

So IPS is active and it will block malicious traffic? I am just trying to get some clarification on the IPS function. I am getting alerts, just not sure it is blocking anything.

I am trying to figure out the same thing. all of the rules that triggered for me are marked as "alerts" as far as i can tell.

 

[Smokey613]

I am trying to figure out the same thing. all of the rules that triggered for me are marked as "alerts" as far as i can tell.

If it has no functional IPS then it is of no value to me on my network. I really like the idea of not having to use AiProtection.

 

[Milan]

i know that it is sometimes hard to understand what @rgnldo is writing, but he clearly wrote that IPS is working in legacy mode.
if you are getting alerts only, then there was no incident that needs to be blocked probably ...

if you feel that some of incidents needs to be blocked, then u need to modify rules for it.

 

[rgnldo]

No difficulties. read the post above.
Would it be easier to use AiProtection? A real Pandora's box EULA.

for me are marked as "alerts"

For the reason that it is not so serious. Suricata is asking for analysis and process. Simple.

 

[Smokey613]

i know that it is sometimes hard to understand what @rgnldo is writing, but he clearly wrote that IPS is working in legacy mode.
if you are getting alerts only, then there was no incident that needs to be blocked probably ...

if you feel that some of incidents needs to be blocked, then u need to modify rules for it.

Can you decipher what these log entries are reporting? I am sure I am not fully understanding the information reported.

 

[Smokey613]

Just so I am clear, I really like Suricata, I am just trying to better understand how it operates. I really appreciate all the hard work of the contributors to this project. Many thanks to @rgnldo for his diligence and patience.

 

[rgnldo]

Just so I am clear, I really like Suricata, I am just trying to better understand how it operates. I really appreciate all the hard work of the contributors to this project. Many thanks to @rgnldo for his diligence and patience.

Let the Suricata do the job. Do not worry. If you have any connectivity problems with any service, check the Suricata logs and add the trusted IP.

 

[juched]

From my understand Suricata supports inline drivers to scan and drop packets as they are processed on the NIC. But since Asus drivers are not supported (likely since closed source) it is using legacy mode on these routers.

What this means as I have read is that a copy of the packet (via pcap ) is sent to Suricata for processing while the original packet moves along though the normal network path in the router (aka, firewall rules etc). If Suricata decides after it sees the copy of the packet that is it bad traffic (or in some cases it needs to see multiple packets before deciding) then it uses iptables (firewall rule) to block the offending site or device.


So this means that it is a Hybrid IPS, it sees and quickly blocks sites but some packets may get through before it does.

 

[JGrana]

Issue with legacy mode and/or FlexQoS?

I had been running Suricata and Cake-QoS for a few days (along with Unbound) on an AX88U running 384.19 Alpha 2. All ran well together.

This morning, I decided to give the latest FlexQoS a spin. I uninstalled Cake-QoS and installed FlexQoS 0.9.2.
I had to re-enable Adaptive QoS and for now have left the FlexQoS configuration as default.

In looking at syslog, I am getting thousands of these messages:

Jul 10 06:41:16 kernel: net_ratelimit: 1260 callbacks suppressed
Jul 10 06:41:16 kernel: protocol 0800 is buggy, dev br0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0800 is buggy, dev br0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0

Here is part of my suricata.yaml file:
# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
- interface: eth0
- interface: br0

pcap:
- interface: auto
checksum-checks: auto
promisc: yes

legacy:
uricontent: enabled

# copy-mode: ips
# copy-iface: br0
# defrag: yes
# use-mmap: yes

# netmap:
# - interface: br0

max-pending-packets: 1024

If I turn Suricata off, the messages go away. Is my configuration correct?

 

[ttgapers]

Issue with legacy mode and/or FlexQoS?

I had been running Suricata and Cake-QoS for a few days (along with Unbound) on an AX88U running 384.19 Alpha 2. All ran well together.

This morning, I decided to give the latest FlexQoS a spin. I uninstalled Cake-QoS and installed FlexQoS 0.9.2.
I had to re-enable Adaptive QoS and for now have left the FlexQoS configuration as default.

In looking at syslog, I am getting thousands of these messages:

Jul 10 06:41:16 kernel: net_ratelimit: 1260 callbacks suppressed
Jul 10 06:41:16 kernel: protocol 0800 is buggy, dev br0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0
Jul 10 06:41:16 kernel: protocol 0800 is buggy, dev br0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0

Here is part of my suricata.yaml file:
# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
- interface: eth0
- interface: br0

pcap:
- interface: auto
checksum-checks: auto
promisc: yes

legacy:
uricontent: enabled

# copy-mode: ips
# copy-iface: br0
# defrag: yes
# use-mmap: yes

# netmap:
# - interface: br0

max-pending-packets: 1024

If I turn Suricata off, the messages go away. Is my configuration correct?

Jul 10 06:41:16 kernel: protocol 0800 is buggy, dev br0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0

Known issue with Adaptive QoS and Suricata - especially if you use the Asus/Trend Micro setup - AI protection, Adaptive QoS and the like.

On my AC68U I run just FlexQoS ONLY (disabled/removed Suricata) - slowed my router to a halt. However I wasn't seeing your error. I only saw those using the old FreshQoS scripts...

 

[JaimeZX]

There have been about 22 new pages since the last time I read this thread. Wow!

My new implementation idea is to put Suricata on my surplus AC3100 and put it between the Internets and my regular router like:

       INTARWEBS
          | |
    AC3100 + Suricata
          | |
  AC3200 + Diversion/Skynet
       (routing)
         / ' \
          LAN

Would that be the best configuration? Or does it make more sense to block some traffic before Suricata? Like this:

        INTARWEBS
           | |
  AC3200 + Diversion/Skynet
           | |
    AC3100 + Suricata
       (routing)
         / ' \
          LAN

Or is there a third configuration that would make more sense?
Where would you run an OpenVPN server?
Where would you run DNSCrypt?
How would you configure the two devices from a NAT perspective, and how would you access the "outer" one?

Thanks in advance for your thoughts!