rgnldo
Very Senior Member
To avoid waste, I would do this:
Code:
INTARWEBS
| |
AC3200 + Diversion + Skynet + Suricata
| |
Aimesh
| |
AC3100Suricata Suricata - IDS on AsusWRT Merlin
- Thread starter rgnldo
- Start date
-
- Tags
- asuswrt merlin entware ids suricata
rgnldo
Very Senior Member
I have no idea. With Cake-QOS it works.
In the logs, the message is this:
Code:
Jul 6 19:29:04 kernel: device ppp0 entered promiscuous mode
Jul 6 19:29:05 kernel: device br0 entered promiscuous modeNetwork devices must be in promiscuous mode.
JGrana
Very Senior Member
Thanks, I was afraid of that....
I like Suricata so I will likely go back to Cake.
Thanks!
Two follow-ups:
1) I thought Suricata and Skynet were incompatible? Or was that worked out in the previous 20 pages somewhere?
2) What is the purpose of the 3100 if everything is running on the 3200? (Actually, I think it'd make more sense to run everything on the 3100, it has more power...) I was figuring Suricata has a lot of processing overhead, so it'd make more sense to run it separately.
So now I'm thinking:
Code:
INTARWEBS
| |
AC3200 + Diversion + Skynet
| |
AC3100+Suricata
(routing)
/ ' \
LANPutting Skynet outside Suricata will filter a lot of crap and give it less to process. Hopefully Suricata+routing isn't too much overhead...
Thanks again!
Some suggestions for installing suricata:
This does not work. I manually added this path with winscp.
I suggest this file instead:
nano /jffs/scripts/services-start
Edit:
How/Where can I see if suricata is working?
In syslog I saw it started, but what now?
In htop I don't see any suricata process: https://imgur.com/H94QIwr
Edit2:
When I restart my router, is suricata also automatically restarting?
Edit3:
Suricata stops after a few seconds.
Because, after a fews second, when I run "/opt/etc/init.d/S82suricata start", it says starting done, instead of "already running"...
Code:
mkdir /opt/var/lib/suricata/rulesI suggest this file instead:
nano /jffs/scripts/services-start
Edit:
How/Where can I see if suricata is working?
In syslog I saw it started, but what now?
In htop I don't see any suricata process: https://imgur.com/H94QIwr
Edit2:
When I restart my router, is suricata also automatically restarting?
Edit3:
Suricata stops after a few seconds.
Because, after a fews second, when I run "/opt/etc/init.d/S82suricata start", it says starting done, instead of "already running"...
Last edited:
Ok folks, long from an official release, I've ported over @Martineau rough script over to Github for more collaborative development for those interested. I had a look at it, and @rgnldo has added an issue, as I have also.
Suricata install is more complex than the Cake scripts, and I would need time to sort through it and more importantly support it. Therefore I am encouraging community development if want to see the pace pickup on this becoming a mainstream addon.
Personally, I'd like to see the script get to @Adamm standards/menu etc. which is what the alpha branch is being used for. In the short term, any testers and developers (can't stress the importance of devs) to tweak the existing @Martineau variant as it's ported over -- please come forward and link up on Github.
Repo: https://github.com/ttgapers/suricata-merlin
Note: This is not prime time ready IMO so please backup your existing configs etc prior to testing!
Thanks and feedback appreciated. I wanted to give this update as people have been asking.....
Cheers
Suricata install is more complex than the Cake scripts, and I would need time to sort through it and more importantly support it. Therefore I am encouraging community development if want to see the pace pickup on this becoming a mainstream addon.
Personally, I'd like to see the script get to @Adamm standards/menu etc. which is what the alpha branch is being used for. In the short term, any testers and developers (can't stress the importance of devs) to tweak the existing @Martineau variant as it's ported over -- please come forward and link up on Github.
Repo: https://github.com/ttgapers/suricata-merlin
Note: This is not prime time ready IMO so please backup your existing configs etc prior to testing!
Thanks and feedback appreciated. I wanted to give this update as people have been asking.....
Cheers
Last edited:
I appreciate this and hope to see it evolve. I did try using the basic script from Martineau but it would not allow me to install due to having Skynet installed. I didn't try the instructions from post 1 but I may try again later. I would rather use Suricata vs AIProtect. I had AIProtect enabled in the past and it seems the numbers always remain the same and nothing is being tracked.
I can look at disabling that, but the script as I went through should allow it as Skynet install is a "warning".
Confirmed:
Code:
# Check Skynet
[ -f /jffs/scripts/firewall ] && echo -e $cBRED"\a\t[✖] ***Warning Skynet installed"So seems it should - so I'll have to test as well. Did you try disabling Skynet completing the install and re-enabling? I know I do have Skynet running with Suricata and Cake with no issue, so it's one of the items I want to see if it's certain routers the combination poses issues.
I tried disabling Skynet and still gave me the error message!
The script version I used was v1.03 (https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-10#post-582858)
but I gave up after that. I'm sure I can follow the instructions from post 1 and it should work without issues.
Jack Yaz
Part of the Furniture
The code is testing for the existence of the skynet script on the router. Disabling it won't be enough with the code in its current state.
Yup caught that when investigating.
Updated the issue: https://github.com/ttgapers/suricata-merlin/issues/2
Note, I am not supporting the version 1.03 on pastebin, but the ported over version which is essentially the same (1.04).
Anyone wanna help out please do. Issue from @rgnldo updated to reflect the items before we can consider this stable.
Other item around shellcheck: https://github.com/ttgapers/suricata-merlin/issues/1
Thanks @Jack Yaz
Last edited:
rgnldo
Very Senior Member
I'm using version 5 of Suricata on my OpenBSD.
I made some adjustments for those who use the FW Merlin.
Deactivate the blocking lists for malware in your adblock. Suricata will do this job. I changed suricata.yaml on github.
With the attack_response rules, see on http://testmyids.com
This site should not load then, and the IPS should log GPL ATTACK_RESPONSE id. check returned root
I made some adjustments for those who use the FW Merlin.
Deactivate the blocking lists for malware in your adblock. Suricata will do this job. I changed suricata.yaml on github.
With the attack_response rules, see on http://testmyids.com
This site should not load then, and the IPS should log GPL ATTACK_RESPONSE id. check returned root
Code:
uid=0(root) gid=0(root) groups=0(root)
Last edited:
Smokey613
Very Senior Member
My errors in the log
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Meth/"; fast_pattern; http_header; metadata: former_category SCAN; classtype:attempted-admin; sid:2030375; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_06_22, updated_at 2020_06_22
"
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Meth/"; fast_pattern; http_header; metadata: former_category SCAN; classtype:attempted-admin; sid:2030375; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_06_22, updated_at 2020_06_22" from file /opt/var/lib/suricata/rules/emerging-scan.rules at line 703
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Masayki"; fast_pattern; http_header; classtype:attempted-admin; sid:2030470; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_07_06, updated_at 2020_07_06"
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Masayki"; fast_pattern; http_header; classtype:attempted-admin; sid:2030470; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_07_06, updated_at 2020_07_06" from file /opt/var/lib/suricata/rules/emerging-scan.rules at line 705
"Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Meth/"; fast_pattern; http_header; metadata: former_category SCAN; classtype:attempted-admin; sid:2030375; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_06_22, updated_at 2020_06_22
" from file /opt/var/lib/suricata/rules/emerging-scan.rules at line 703Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Masayki"; fast_pattern; http_header; classtype:attempted-admin; sid:2030470; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_07_06, updated_at 2020_07_06
"Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Masayki"; fast_pattern; http_header; classtype:attempted-admin; sid:2030470; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_07_06, updated_at 2020_07_06
" from file /opt/var/lib/suricata/rules/emerging-scan.rules at line 705
heysoundude
Part of the Furniture
Suricata was doing its job with that response, if I read the instructions correctly. That would mean it's working correctly I think.Updated the config file.
I now have many error codes in my log about invalid and duplicate signatures
Additionally that site does load, with exactly the code you showed:
Code:uid=0(root) gid=0(root) groups=0(root)
Reverted for now. Hope someone can help clarify.
heysoundude
Part of the Furniture
looking at your sig, are Skynet and Suricata playing nicely together?
rgnldo
Very Senior Member
rgnldo
Very Senior Member
Similar threads
- Locked
Similar threads
Similar threads
-
amtm amtm 4.9.2 - the Asuswrt-Merlin Terminal Menu, October 20, 2024- Started by thelonelycoder
- Replies: 54
-
Entware Possible to install jdownloader on asuswrt-merlin router with entware??
- Started by JeyJ
- Replies: 9
-
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
- Started by WRobertE
- Replies: 10
-
scMerlin scMerlin 2.5.8 - Service and script control menu for Asuswrt-Merlin, October 20, 2024
- Started by thelonelycoder
- Replies: 85
-
uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers- Started by JGrana
- Replies: 29
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian
- Started by JGrana
- Replies: 1
-
DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin late 2023 Releases- Started by SomeWhereOverTheRainBow
- Replies: 8