Suricata Suricata - IDS on AsusWRT Merlin

[mike37]

That brings up a good point. The dropping malicious communications part. Does suricata in it’s default asus configuration, do any dropping or does it simply alert?

.
I don't know its current status; I could never get the earlier version to actually drop test connections/content.

IMHO dropping mischief is essential - I don't want to look at a log the next morning and see that something untoward occured during the night.

 

[Mutzli]

I have a couple of quick question regarding the suricata.yaml configuration file. I saw that under port-groups: there is a SSH port defined; SSH_PORTS: "8222"
Should that port be configured to match my routers SSH port?

And in the section address-groups: DNS_SERVERS should that be configured to match my bcast IP in br0? So here is my ifconfig output for br0:

inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

and this is my suricata.yaml configuration:

 # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.1.1/16]" ## set your CID IP LAN
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.1.255]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
   
# Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "8222"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"

I update the suricata.yaml file today and can't get it to start after updating the file. I'm getting only the following info:

Checking suricata...              dead.

I can't figure out what I did wrong?

 

[crkpot]

I believe your DNS_SERVERS setting is the same thing you would use on any clients in your network, usually the router itself 192.168.1.1.

 

[Mutzli]

Tried

I believe your DNS_SERVERS setting is the same thing you would use on any clients in your network, usually the router itself 192.168.1.1.

Tried everything to get the new suricata,yaml to work, but to no avail. It simply refuses to load on my router. Does anyone still have the last version available? I didn't make a backup before loading the new version.

 

[Torson]

Tried

Tried everything to get the new suricata,yaml to work, but to no avail. It simply refuses to load on my router. Does anyone still have the last version available? I didn't make a backup before loading the new version.

Check the first page of the thread - it shows what needs to be changed in the suricata.yaml configuration. What errors do you get when starting suricata?
Another option is to try @Martineau's suricata_manager.sh install script which configures all those settings and highlights possible conflicting scripts or hardware issues. - http://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/post-601945

 

[XIII]

Does anyone still have the last version available?

It's on GitHub, so you should be able to find all versions using this link:

Commits · rgnldo/knot-resolver-suricata

Contribute to rgnldo/knot-resolver-suricata development by creating an account on GitHub.

github.com

 

[Mutzli]

It's on GitHub, so you should be able to find all versions using this link:

Commits · rgnldo/knot-resolver-suricata

Contribute to rgnldo/knot-resolver-suricata development by creating an account on GitHub.

github.com

Tried that as well, still a no go

S82suricata start
 Starting suricata...              failed.

No other error message, log is empty.

 

[Torson]

Tried that as well, still a no go

S82suricata start
Starting suricata...              failed.

No other error message, log is empty.

Make sure that the rules are in place - check for the directory /opt/var/lib/suricata/rules and its contents. I had an instance where it was not created. Run

 suricata -T

and you'll see all the red error messages complaining about missing rules or other indication why it's failing.

 

[heysoundude]

When I run

suricata -T

I get
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
Have I missed a config step? It still returns

Threshold config parsed: 0 rule(s) found 2333 signatures processed. 205 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only

 

[Wisiwyg]

Edit on
address-groups:
HOME_NET:
and
DNS_SERVERS:

af-packet:
- interface: -> your interface wan

example:

  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.1.1]"

    af-packet:
      - interface: eth0

From initial post... I didin't edit this and received a similar error message. Not sure if the output interface is identified as the af-packet interface, but you need to tell suricata where its coming from and where its going to.

 

[Torson]

When I run

suricata -T

I get
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
Have I missed a config step? It still returns

Threshold config parsed: 0 rule(s) found 2333 signatures processed. 205 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only

If that's the only one catching the eye, you're fine. If you don't want to see that, just edit the following line in suricata.yaml - change the 'no' to 'yes':

# Define your logging outputs.
  outputs:
  - console:
      enabled: no  -> yes (it defaults to it anyway)

and that warning is gone.

 

[Wisiwyg]

@rgnldo .....do you disable AiProtect as well with this setup?

Suricata reads like a very good solution....I would be interested in understanding what the thoughts are comparing it to say Skynet.

Also, is there any Unbound interfaces?

Yes, you *must* disable the AI protect stuff from TM for this to work. If you use the suricata_manager script it will check for the AI protect stuff and warn you. Its an either/or, not and.

 

[heysoundude]

If that's the only one catching the eye, you're fine. If you don't want to see that, just edit the following line in suricata.yaml - change the 'no' to 'yes':

# Define your logging outputs.
  outputs:
  - console:
      enabled: no  -> yes (it defaults to it anyway)

and that warning is gone.

It catches my eye because it IS the ONLY one. I'm all good then. Thanks!!

 

[Mutzli]

Make sure that the rules are in place - check for the directory /opt/var/lib/suricata/rules and its contents. I had an instance where it was not created. Run

 suricata -T

and you'll see all the red error messages complaining about missing rules or other indication why it's failing.

I had a little more time to check some things today, but I can't get it to work. It was running fine for the last 4 weeks, but once I updated to the latest suricata.yaml it stopped working. Even going back to the old suricata.yaml won't help. Something else must be screwed up. I should have some time later today to completely remove Suricata and do a fresh install.

 

[rgnldo]

but once I updated to the latest suricata.yaml

The problem is not with the suricata.yaml file.

 

[Smokey613]

Woohoo!! I finally got scribe and uiScribe working with suricata!

 

[Kingp1n]

Woohoo!! I finally got scribe and uiScribe working with suricata!View attachment 24941

Nice...care to share yiur steps or link on what you followed to setup? I still haven't installed suricata but its on my to do list. Thanks.

 

[Smokey613]

Nice...care to share yiur steps or link on what you followed to setup? I still haven't installed suricata but its on my to do list. Thanks.

I used these posts to set this up.

Scribe - scribe - syslog-ng and logrotate installer

I was only trying Suricata out because I was trying out Cake QOS. Turns out doesn't matter to me whether Trend Micro is running or Suricata. So I went with what I know. how you enabled suricata log on gui ?

www.snbforums.com

 

[Mutzli]

The problem is not with the suricata.yaml file.

I deleted Suricata completely to start over. But I can't install it anymore. Upon entering the opkg install comand I get the following error:

opkg install suricata
Collected errors:
* pkg_get_installed_files: Failed to open //opt/lib/opkg/info/suricata.list: No such file or directory.

Is there a problem now with the Entware repository?

 

[Mutzli]

I deleted Suricata completely to start over. But I can't install it anymore. Upon entering the opkg install comand I get the following error:

opkg install suricata
Collected errors:
* pkg_get_installed_files: Failed to open //opt/lib/opkg/info/suricata.list: No such file or directory.

Is there a problem now with the Entware repository?

I was finally able to fix the problem with a forced update. I used the following two commands:

opkg update --force-reinstall

opkg install suricata --force-reinstall