Suricata Suricata - IDS on AsusWRT Merlin

[XIII]

I did see a log that Suricata crashed (and restarted) around 3:00 though.

That was no crash; the rules update (and re-start Suricata) at 3:00...

 

[XIII]

As a further test I took an existing disabled rule, changed the destination IP address, and tested again (additionally I had to change the source from $HOME_NET to any to get a hit?):

drop ip any any -> [a.b.c.d] any (msg:"Test"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

I again get a log (with "Drop"):

Aug  9 13:40:58 ac86u suricata[4246]: [Drop] [1:2016993:3] Test [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} <my-ip>:<my-port> -> a.b.c.d:80

And with drop logging enabled also this in the drop.log file:

08/09/2020-14:31:41.651139: IN= OUT= SRC=<my-ip> DST=a.b.c.d LEN=60 TOS=0x00 TTL=64 ID=62963 PROTO=TCP SPT=46314 DPT=80 SEQ=1998555557 ACK=0 WINDOW=29200 SYN RES=0x00 URGP=0
08/09/2020-14:31:41.671299: IN= OUT= SRC=a.b.c.d DST=<my-ip> LEN=60 TOS=0x00 TTL=234 ID=0 PROTO=TCP SPT=80 DPT=46314 SEQ=2285492155 ACK=1998555558 WINDOW=26847 SYN ACK RES=0x00 URGP=0
08/09/2020-14:31:41.774798: IN= OUT= SRC=<my-ip> DST=a.b.c.d LEN=60 TOS=0x00 TTL=64 ID=46555 PROTO=TCP SPT=33613 DPT=443 SEQ=2219362744 ACK=0 WINDOW=29200 SYN RES=0x00 URGP=0
08/09/2020-14:31:41.793659: IN= OUT= SRC=a.b.c.d DST=<my-ip> LEN=60 TOS=0x00 TTL=237 ID=0 PROTO=TCP SPT=443 DPT=33613 SEQ=1989515720 ACK=2219362745 WINDOW=26847 SYN ACK RES=0x00 URGP=0

But curl a.b.c.d and wget a.b.c.d still show the contents of that website, so nothing gets dropped?

Also, no matter how many times I executes these commands, there will always be only a single log line.

 

[XIII]

additionally I had to change the source from $HOME_NET to any to get a hit?

Oh, looking better at the (redacted) IP address in the log: the rule is triggered on my external IP; not on anything in the 192.168.0.0/16 range!

Do you need to add your external IP to HOME_NET?

(So HOME_NET: "[192.168.0.0/16, <external-IP]"?

 

[mike37]

Suricata is a very good IPS/IDS but I do not think it is a good fit for our Asus routers. I have finally realized that I have spent way too much time on it, so I have removed it from my router. I wish the best for further endeavors on this project.

.
....SIGH.... Understandable; No time = No time.

But I hope you continue to monitor this thread anyway.

There are some smart participants here who are making good progress; perhaps someone will soon come up with an IPS configuration that "simply works", and the user need only tweak internal addresses and "adjust the rules" (i.e. "train the IPS") to quietly monitor his particular system configuration, and to block abnormalities.

Maybe someone will then recompile the merlin source code and suricata executable so as to allow proper inline mode!? ***

'Til then you'll likely use aiprotect which does have IPS functionality, but doubtless provides sigificantly less protection than what a well-tuned suricata would provide.

Paraphrasing rgnldo and The Terminator, "you'll be back"

*** IIUC, this new script allows a VM creation on a big honking desktop for the purpose of compiling Merlin stuff. I'd guess a tweaked compilation could be done without the VM on a small (old?) computer using an Ubuntu OS or possibly an Ubuntu live disc. https://www.snbforums.com/threads/release-amcfwm-asuswrt-merlin-custom-firmware-manager.63227/unread

,

 

[Smokey613]

I actually plan to do,what @rgnldo is doing. I want to eventually setup a dedicated IPS system for my network.

 

[heysoundude]

Little easier to read:
View attachment 25280

uhhh, may I have some of this ^ please?

 

[XIII]

I’m starting to doubt that IPS is possible with the executable we have...

Most articles I find on Suricata in IPS mode mention NFQueue support is required, but:

> suricata --build-info
...
NFQueue support:                         no

Additionally I saw a forum post by a Suricata team member that mentions you can’t combine AF_PACKET and NFQueue. He suggests to run two separate instances.

So we’ll only have IDS on our routers?

PS: They recently release 6.0 Beta 1 (we have 4.1.8)

 

[rgnldo]

I actually plan to do,what @rgnldo is doing. I want to eventually setup a dedicated IPS system for my network.

I don't have a dedicated IPS, I have a router system with more possibilities of resources. But FW Merlin has many good features.

You were conquered by the Suricata and returned

 

[ugandy]

Post #1 mentions that Suricata is not compatible with AiProtection
But the github site for the suricata script install, says that suricata is not compatible with Aiprotection AND also not compatible with Adaptive QOS.
is it really fact that Suricata does not work if Adaptive QoS is enabled?
I thought that Suricata could work with either Cake or AdaptiveQoS...
thanks

 

[rgnldo]

Post #1 mentions that Suricata is not compatible with AiProtection
But the github site for the suricata script install, says that suricata is not compatible with Aiprotection AND also not compatible with Adaptive QOS.
is it really fact that Suricata does not work if Adaptive QoS is enabled?
I thought that Suricata could work with either Cake or AdaptiveQoS...
thanks

A technical assessment is required.

 

[rgnldo]

Little easier to read:
View attachment 25280

2#issue

 

[mike37]

I actually plan to do,what @rgnldo is doing. I want to eventually setup a dedicated IPS system for my network.

.
Oh My! Exciting! Fun (..and a lot of work and time), though I confess that I don't know what an IPS appliance replacing suricata would entail. At the least:

1. Snort or Suricata to do packet and stream inspection/blocking?

2. VPN servers and clients to "decloak" encrypted streams/packets for inspection prior to handoff to/from AM (AsusMerlin)?

3. Multiple LAN access points to serve LAN and addressable AM subnets, allowing custom constraints for individual IOTs/guests?

4. Multiple servers and proxies to allow decryption and inspection of the connection protocols between the WAN and LAN (e.g. "unbound" on the appliance) ?

5. Building a "hardened" box to provide contact with and protection from the WAN ***

Very Interesting!

Except for the hardening, the above and more is potentially handled on an AM router by suricata alone.

Offloading this stuff and suricata to another box should certainly reduce the load on the AM router. (And likely there's a lot more stuff that could go)!

PLEASE keep us posted on your progress here, or perhaps on another Topic thread

*** https://wiki.gentoo.org/wiki/Hardened_Gentoo (IMHO, a very GOOD candidate for building your appliance. Haven't used OBSD, but OBSD would also be excellent for standing up to nasty WANs).

.

 

[Smokey613]

Just to give more info, I am the guy who used to run online gaming servers for Tribes, RTCW and CounterStrike on a FreeBSD server.

 

[mike37]

Just to give more info, I am the guy who used to run online gaming servers for Tribes, RTCW and CounterStrike on a FreeBSD server.

.
HEH ...OH MY .... 'BSD it is!!

Please do keep us updated on your progress and what you end up with - hardware and software wise; what you put on the IPS box, and what (if anything) you keep on the AM!

 

[juched]

uhhh, may I have some of this ^ please?

i am away for a week and didn’t have time to post more.

can try by grabbing three files from here:
Github

you want to place the files suricata_log.sh, suricata_stats.sh and suricatastats_www.asp in a folder /jffs/addons/suricata.

then chmod +x the two scripts and run

/jffs/addons/suricata/suricata_stats.sh install

when I have time I was thinking of adding this to the suricata_manager.sh script.

 

[juched]

2#issue

Good suggestions. I removed the skynet check already.

 

[heysoundude]

i am away for a week and didn’t have time to post more.

can try by grabbing three files from here:
Github

you want to place the files suricata_log.sh, suricata_stats.sh and suricatastats_www.asp in a folder /jffs/addons/suricata.

then chmod +x the two scripts and run

/jffs/addons/suricata/suricata_stats.sh install

when I have time I was thinking of adding this to the suricata_manager.sh script.

I can wait. enjoy your vacation!

 

[Milan]

i am away for a week and didn’t have time to post more.

can try by grabbing three files from here:
Github

you want to place the files suricata_log.sh, suricata_stats.sh and suricatastats_www.asp in a folder /jffs/addons/suricata.

then chmod +x the two scripts and run

/jffs/addons/suricata/suricata_stats.sh install

when I have time I was thinking of adding this to the suricata_manager.sh script.

done, looks good. thanks for your hard work.

 

[faux123]

I finally got Suricata to operate in IDS/IPS on af-packet mode (which is the ONLY mode available for our Entware build, I was trying to get a PF_RING build but was having some issues with libraries and other Entware dependencies). Below is the relevant yaml code from my own config. mmap (memory mapped ring buffers) must be enabled for IPS to work, without it, it's only running in IDS mode. I'm running this on my AC86U (with suricata, I kinda wish I have the newer AX88U not for its wifi but for its quad core CPU and 1 GB of real RAM). The configuration is a good compromise for my own build, the average load on my router is around 3.50 so your router will be hotter with it. Download speed is close to my native ISP speed (which is around 200 Mbps), upload speed is somewhat limited around 160 Mbps which is far below my normal ISP speed of 225 Mbps (this is due to AC86U's CPU capability). I'm running CakeQoS as well (I don't like the proprietary closed sourced solutions from TrendMicro as it causes some random kernel panics on my own fork with their modules which I can't fix, I much prefer the GPL alternative which is Suricata+CakeQoS). You will experience around 2.1% packet drops (again this is due to dual core and limited real RAM of AC86U). I can live with this small amount of packet drops as I didn't experience any real usage issues with such packet loss.

Thanks to all those who contributed so far, it took me a while to read through tons of source code from Suricata and their piss poor documentations/examples to finally crack this.

# Linux high speed capture support
af-packet:
- interface: eth0 ## set your wan interface
   copy-mode: ips
   copy-iface: br0
   buffer-size: 3072
   cluster-id: 99
   cluster-type: cluster_flow
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v3: yes
   ring-size: 3072
- interface: br0
   copy-mode: ips
   copy-iface: eth0
   buffer-size: 3072
   cluster-id: 98
   cluster-type: cluster_flow
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v3: yes
   ring-size: 3072

EDIT: changed tpacket-v3 to tpacket-v2 for better latency

2nd EDIT: tpacket-v3 is much more stable than v2. Switching my recommendation back to v3 as default. I have issues with V2 but you are open to experiment.

 

[rgnldo]

I finally got Suricata to operate in IDS/IPS on af-packet mode (which is the ONLY mode available for our Entware build, I was trying to get a PF_RING build but was having some issues with libraries and other Entware dependencies). Below is the relevant yaml code from my own config. mmap (memory mapped ring buffers) must be enabled for IPS to work, without it, it's only running in IDS mode. I'm running this on my AC86U (with suricata, I kinda wish I have the newer AX88U not for its wifi but for its quad core CPU and 1 GB of real RAM). The configuration is a good compromise for my own build, the average load on my router is around 3.50 so your router will be hotter with it. Download speed is close to my native ISP speed (which is around 200 Mbps), upload speed is somewhat limited around 160 Mbps which is far below my normal ISP speed of 225 Mbps (this is due to AC86U's CPU capability). I'm running CakeQoS as well (I don't like the proprietary closed sourced solutions from TrendMicro as it causes some random kernel panics on my own fork with their modules which I can't fix, I much prefer the GPL alternative which is Suricata+CakeQoS). You will experience around 2.1% packet drops (again this is due to dual core and limited real RAM of AC86U). I can live with this small amount of packet drops as I didn't experience any real usage issues with such packet loss.

Thanks to all those who contributed so far, it took me a while to read through tons of source code from Suricata and their piss poor documentations/examples to finally crack this.

# Linux high speed capture support
af-packet:
- interface: eth0 ## set your wan interface
   copy-mode: ips
   copy-iface: br0
   buffer-size: 3072
   cluster-id: 99
   cluster-type: cluster_flow
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v3: yes
   ring-size: 3072
- interface: br0
   copy-mode: ips
   copy-iface: eth0
   buffer-size: 3072
   cluster-id: 98
   cluster-type: cluster_flow
   use-mmap: yes
#   mmap-locked: yes
   tpacket-v3: yes
   ring-size: 3072

Excellent technical explanation. Liked it. Finally, we have a contribution based on knowledge about FW AsusWRT. This has always been my aim, open source solutions. Good to know of availability. With the knowledge of @faux123 and @juched we will have promising advances with Suricata.
See Github and contribute as possible.
I notice in your commits that your boldness has reached Wireguard and native Cake-QOS support. Nice!

Is it possible to try your fork?

Faux123 Kernel I know your works from the times of cyanogemmod.