Suricata - IDS on AsusWRT Merlin


On my AX88U the CPU isn't heavily loaded. Even during a Speedtest that gives full speed the CPU is pretty low. With 4 threads per copy interface, so 8 in total.

The main network connection works fine with no real latency. Just the guest wifi doesn't work properly. I believe this is because all the packets from eth0 are being copied to br0.
Wow, with your statements, I wish I had an AX88U now :cool:, good to know that the quad-core CPU can handle Suricata well... things to look forward to!

Sorry, this is a bit out of my bounds in terms of routing policies, hopefully other network experts here with good routing knowledge can help.
 
Suricata is scalable. Operates in small environments and large infrastructures. On my OpenBSD, Suricata 5.0.3, it runs smoothly. The squid consumes a little more resources.

eth0 are being copied to br0.
it may be an unnecessary burden.

When I adapted Suricata for the AC86U I found problems with low memory. But this problem is also recurrent with Diversion, Skynet, Entware running on connected USB devices.

In another moment I installed Suricata on FreshTomato. To my surprise, it runs smoothly and consumes few resources.

I may be wrong, but the firmware with less proprietary code, Asuswrt-Merlin 374.43 LTS or FreshTomato, behaves better. The problem is the supported models.
 
Suricata is scalable.

How much of that scalability would you guess is effected (and affected) through runtime parameters, and how much at compile time?

When I adapted Suricata for the AC86U I found problems with low memory. But this problem is also recurrent with Diversion, Skynet, Entware running on connected USB devices.

So, under some loads and configurations investing in a big, VERY FAST USB device may help address a bottleneck on a little box?

In another moment I installed Suricata on FreshTomato. To my surprise, it runs smoothly and consumes few resources.

I may be wrong, but the firmware with less proprietary code, Asuswrt-Merlin 374.43 LTS or FreshTomato, behaves better. The problem is the supported models.

So perhaps users need to prioritize what kind of and how much "stuff" they add to their little routers - perhaps based upon overall use?

(FWIW, as I am now adding typically vulnerable IOT devices to my little AC-68 the need for an IPS increases greatly - immediately after Diversion and Skynet - and more important than, e.g., hosting VPN servers, QOS, etc. Based on recent posts here, if I "really need" more stuff I'll look into a bigger router (sigh.....or a dedicated IPS front-end box - which I really want to avoid!))
 
I haven't fully given up yet. I just bought a USB fan to help cool my AC86U, now it's running around 65 degrees C fully loaded. @juched stated that his AX88U is running smoothly with IPS mode, I will investigate more on the kernel side as AX88U has more recent patches than the AC86U and see if any of the later patches make any difference in the overall experience. I have 40+ devices running at home all the time, so having a full time IPS is useful at the gateway.

The IPS mode needs the "copy" because that's how Suricata is designed. It copies and inspects the packet; if good, the copy is let through, if bad, then it gets "dropped" and logged as such to prevent the malformed packet from going any further.
 
the IPS mode needs the "copy"

I just installed your FW FORK. Great. As for Suricata, I adapted the settings here.

I like challenges. I disabled my OpenBSD appliance to test your FW Fork.

YAML:
# Runmode the engine should use.
runmode: workers

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
  - interface: eth0
    threads: auto
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: br0
    buffer-size: 64535
    use-mmap: yes
    tpacket-v2: yes
  - interface: br0
    threads: auto
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
    tpacket-v2: yes
 
Interested to hear results on your test. Following this thread since day 1, want to put it to use, but not Linux savvy enough to test, troubleshoot and tweak as you guys are.
 
I forked and updated the suricata_manager.sh script. I added my default config, the log processing and stats generation, and some other items to clean up.

You can try it if you dare :) the command is:
Code:
mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/suricata 2>/dev/null; curl --retry 3 "https://raw.githubusercontent.com/juched78/suricata-merlin/master/suricata_manager.sh" -o "/jffs/addons/suricata/suricata_manager.sh" && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" && /jffs/addons/suricata/suricata_manager.sh install

You can use:
Code:
/jffs/addons/suricata/suricata_manager.sh uninstall

to completely remove it. You may need to edit the /opt/etc/suricata/suricata.yaml file to specify different eth0 and br0 interfaces if your router is different. Running on my RT-AX88U.

Running in IDS mode with minimal logging to disk. Fast.log will be purged on the hour, so using the stats UI page is the place to see it. Pretty risk free actually. Uninstall command cleans everything up.
 
Thanks! Saw the message about Adaptive QoS during install. Is it then confirmed that while Suricata works with cake, Adaptive QoS is a no go?
Thx
 
Nice! I will update the thread.

@faux123 please update your fork to release 384.19
 
I just ran this install fresh and getting errors below on RT-AX58U.
Code:
tar: can't change directory to '/opt/var/lib/suricata/': No such file or directory
                                                                                                                                   0.6%curl: (23) Failed writing body (0 != 16384)

################################################################################################################################ 100.0%
################################################################################################################################ 100.0%
################################################################################################################################ 100.0%
################################################################################################################################ 100.0%

##
##Suricata Stats
## by @juched - Generate Stats for GUI tab - v1.0
## with credit to @JackYaz for his shared scripts

Mounting Suricata_Stats.sh WebUI page as user5.asp
Saving MD5 of installed file /jffs/addons/suricata/suricatastats_www.asp to /jffs/addons/suricata/www-installed.md5
/jffs/addons/suricata/suricata_log.sh: line 1: 404:: not found
Calculating Threats data...
Error: unable to open database "/opt/var/lib/suricata/suricata_log.db": unable to open database file
Outputting Threats ...
Error: unable to open database "/opt/var/lib/suricata/suricata_log.db": unable to open database file
16/8/2020 -- 14:14:30 - <Info> - Running suricata under test mode
16/8/2020 -- 14:14:30 - <Info> - Configuration node 'legacy' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
16/8/2020 -- 14:14:30 - <Notice> - This is Suricata version 4.1.8 RELEASE
16/8/2020 -- 14:14:30 - <Info> - CPUs/cores online: 3
16/8/2020 -- 14:14:30 - <Info> - fast output device (regular) initialized: fast.log
16/8/2020 -- 14:14:30 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
16/8/2020 -- 14:14:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/var/lib/suricata/rules/botcc.rules
Starting suricata...              failed.
 
Please continue to investigate, hopefully we can find a good compromise with our devices while having an awesome IPS system.
Done. Updated the thread with credits.
Just as you contributed, others will contribute. Patience.
Just like unbound, you can't imagine the work that went into adapting the installation. Choosing rules, slimming down the configuration file on FW Merlin.
I currently use an appliance because I need more resources.
 
I am also getting the same errors as crkpot when I try to load the script.
 
I would like to inform you that all members who help in this thread are volunteers. Therefore, some problems may take a day or more to be answered. Wait patiently.
 
Pushed a change. I think my /opt/var/lib directory existed because I run unbound already. I added a command to make the folder. Hope that fixes it for you.
 
Code:
17/8/2020 -- 10:34:53 - <Notice> - This is Suricata version 4.1.8 RELEASE
17/8/2020 -- 10:34:53 - <Info> - CPUs/cores online: 2
17/8/2020 -- 10:34:53 - <Info> - Found an MTU of 1464 for 'ppp0'
17/8/2020 -- 10:34:53 - <Info> - Found an MTU of 1464 for 'ppp0'
17/8/2020 -- 10:34:53 - <Info> - Found an MTU of 1500 for 'br0'
17/8/2020 -- 10:34:53 - <Info> - Found an MTU of 1500 for 'br0'
17/8/2020 -- 10:34:53 - <Info> - AF_PACKET: Setting IPS mode
17/8/2020 -- 10:34:53 - <Info> - fast output device (regular) initialized: fast.log
17/8/2020 -- 10:34:53 - <Info> - stats output device (regular) initialized: stats.log
17/8/2020 -- 10:34:53 - <Info> - Syslog output initialized
17/8/2020 -- 10:34:53 - <Info> - drop output device (regular) initialized: drop.log
17/8/2020 -- 10:34:54 - <Info> - 18 rule files processed. 3108 rules successfully loaded, 0 rules failed
17/8/2020 -- 10:34:54 - <Info> - Threshold config parsed: 0 rule(s) found
17/8/2020 -- 10:34:54 - <Info> - 3108 signatures processed. 225 are IP-only rules, 553 are inspecting packet payload, 2469 inspect application layer, 0 are decoder event only
17/8/2020 -- 10:34:57 - <Info> - AF_PACKET IPS mode activated ppp0->br0
17/8/2020 -- 10:34:57 - <Info> - Going to use 1 thread(s)
17/8/2020 -- 10:34:57 - <Info> - AF_PACKET IPS mode activated br0->ppp0
17/8/2020 -- 10:34:57 - <Info> - Going to use 1 thread(s)
17/8/2020 -- 10:34:57 - <Info> - Found an MTU of 1500 for 'br0'
17/8/2020 -- 10:34:57 - <Info> - Found an MTU of 1464 for 'ppp0'
17/8/2020 -- 10:34:57 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - MTU on br0 (1500) and ppp0 (1464) are not equal, transmission of packets bigger than 1464 will fail.
17/8/2020 -- 10:34:57 - <Notice> - all 2 packet processing threads, 2 management threads initialized, engine started.
17/8/2020 -- 10:34:57 - <Info> - All AFP capture threads are running.
17/8/2020 -- 10:34:57 - <Warning> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Should have an Ethernet header
17/8/2020 -- 10:34:57 - <Warning> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Should have an Ethernet header
 
Any idea how to change the MTU of br0 to 1464?
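The af-packet IPS pairing posted earlier in the thread (eth0 and br0 each set as the other's copy-iface) and the SC_ERR_AFP_CREATE MTU mismatch in the log above both come down to conditions that can be checked before the engine is started. The script below is an added example written for this page; it is not code from suricata_manager.sh, from Suricata, or from any poster. It reads the af-packet section with a minimal parser (the sample YAML and the fallback MTU values are constructed), confirms that every copy-iface points back to its partner, flags a reused cluster-id, and compares the MTUs of each pair, taking them from /sys/class/net when run on a live router.

```python
"""Pre-flight check for an af-packet IPS pairing in suricata.yaml.

Added example for this thread; it is not part of suricata_manager.sh or
Suricata. A minimal line parser is used so the script runs with the
stock Python on the router, without PyYAML.
"""
import os
import re

# Constructed sample in the shape of the af-packet section posted in the
# thread (eth0 and br0 copying to each other); not anyone's real file.
SAMPLE_YAML = """\
runmode: workers
host-mode: auto

# Linux high speed capture support
af-packet:
  - interface: eth0
    threads: auto
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: br0
  - interface: br0
    threads: auto
    cluster-id: 97
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
"""

KEY_VALUE = re.compile(r"^\s*(-\s*)?([\w-]+):\s*(.*?)\s*$")


def parse_af_packet(text):
    """Return one dict per '- interface:' entry under the af-packet: key.

    Only the flat 'key: value' shape used by af-packet entries is handled;
    comments are stripped and the section ends at the next top-level key.
    """
    entries, inside = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not inside:
            inside = line.strip() == "af-packet:"
            continue
        if not line.startswith(" "):
            break  # back at indentation 0: the af-packet section is over
        m = KEY_VALUE.match(line)
        if not m:
            continue
        dash, key, value = m.groups()
        if dash:
            entries.append({})  # '- interface: ...' starts a new entry
        if entries:
            entries[-1][key] = value
    return entries


def read_mtu(iface, sysfs="/sys/class/net"):
    """MTU of a live interface from sysfs; None if it does not exist here."""
    try:
        with open(os.path.join(sysfs, iface, "mtu")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def check_ips_pairs(entries, mtus):
    """Return a list of problems with the IPS pairing (empty when consistent).

    'mtus' maps interface name -> MTU, from read_mtu() on the router or a
    constructed dict when testing off the box.
    """
    problems = []
    by_name = {e.get("interface"): e for e in entries}
    cluster_owner = {}
    for e in entries:
        name, cid = e.get("interface"), e.get("cluster-id")
        if cid is not None and cid in cluster_owner:
            problems.append(f"{name}: cluster-id {cid} already used by {cluster_owner[cid]}")
        cluster_owner.setdefault(cid, name)
        if e.get("copy-mode") != "ips":
            continue
        peer = e.get("copy-iface")
        if not peer:
            problems.append(f"{name}: copy-mode ips without a copy-iface")
            continue
        if by_name.get(peer, {}).get("copy-iface") != name:
            problems.append(f"{name}->{peer}: {peer} has no matching copy-iface back to {name}")
        a, b = mtus.get(name), mtus.get(peer)
        if a is not None and b is not None and a != b:
            # Same condition Suricata reports as SC_ERR_AFP_CREATE at start-up.
            problems.append(f"MTU on {name} ({a}) and {peer} ({b}) are not equal; "
                            f"frames bigger than {min(a, b)} will fail")
    return problems


if __name__ == "__main__":
    entries = parse_af_packet(SAMPLE_YAML)
    live = {e["interface"]: read_mtu(e["interface"]) for e in entries}
    # Off the router sysfs is missing, so fall back to constructed MTUs.
    mtus = {k: v for k, v in live.items() if v is not None} or {"eth0": 1500, "br0": 1500}
    for line in check_ips_pairs(entries, mtus) or ["af-packet IPS pairing is consistent"]:
        print(line)
```

The script changes nothing on the box; it only reports which pair Suricata would refuse to forward oversized frames on, so the interface MTUs can be reconciled (or the pairing fixed) before IPS mode is enabled. On the router, point it at the real file with `parse_af_packet(open("/opt/etc/suricata/suricata.yaml").read())`.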
 
Pushed a change. I think my /opt/var/lib directory existed because I run unbound already. I added a command to make the folder. Hope that fixes it for you.

It went better this time, but a new error. suricata_log.sh didn't load properly; it just has "404:: not found" on line 1. Thanks for your help!

Code:
##
##
##Suricata Stats
## by @juched - Generate Stats for GUI tab - v1.0
## with credit to @JackYaz for his shared scripts

Mounting Suricata_Stats.sh WebUI page as user5.asp
Saving MD5 of installed file /jffs/addons/suricata/suricatastats_www.asp to /jffs/addons/suricata/www-installed.md5
/jffs/addons/suricata/suricata_log.sh: line 1: 404:: not found
Calculating Threats data...
Error: near line 3: no such table: threat_log
Outputting Threats ...
Error: near line 3: no such table: threat_log
16/8/2020 -- 17:42:08 - <Info> - Running suricata under test mode
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
16/8/2020 -- 17:42:08 - <Notice> - This is Suricata version 4.1.8 RELEASE
16/8/2020 -- 17:42:08 - <Info> - CPUs/cores online: 3
16/8/2020 -- 17:42:08 - <Info> - fast output device (regular) initialized: fast.log
16/8/2020 -- 17:42:08 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
16/8/2020 -- 17:42:09 - <Info> - 20 rule files processed. 3122 rules successfully loaded, 0 rules failed
16/8/2020 -- 17:42:09 - <Info> - Threshold config parsed: 0 rule(s) found
16/8/2020 -- 17:42:09 - <Info> - 3122 signatures processed. 225 are IP-only rules, 567 are inspecting packet payload, 2469 inspect application layer, 0 are decoder event only
16/8/2020 -- 17:42:13 - <Notice> - Configuration provided was successfully loaded. Exiting.
16/8/2020 -- 17:42:13 - <Info> - cleaning up signature grouping structure... complete
 Starting suricata...              failed.
-sh: getcwd: No such file or directory
 
Found it, missing a character. Please try again.
 