Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

INHO, Suricata is configured as a good, efficient IDS. Together with Skynet, they form great tools for an ARM router.
Open source always.

 

[faux123]

Leave TSO enabled for Linux AF_PACKET runmode

suricata -c /opt/etc/suricata/suricata.yaml -i eth0 --set capture.disable-offloading=false

Could you update the release version with your changes?

Another update to my forked firmware:

Release 384.19 release 2 (GPL only) · faux123/asuswrt-merlin.ng

Added enhancements to Linux memory management and zswap subsystems to minimize kernel memory fragmentation for embedded systems (systems with low memory)

github.com

BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?

 

[rgnldo]

Another update to my forked firmware:

Release 384.19 release 2 (GPL only) · faux123/asuswrt-merlin.ng

Added enhancements to Linux memory management and zswap subsystems to minimize kernel memory fragmentation for embedded systems (systems with low memory)

github.com

BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?

Yes I agree. But I believe that it is necessary to open another topic. In this topic it is already certain that the IDS for Suricata is adequate and stable. It will leave the condition of experimental.

With snort you can reduce the rules and some adjustments.

 

[steelskinz]

Another update to my forked firmware:

Release 384.19 release 2 (GPL only) · faux123/asuswrt-merlin.ng

Added enhancements to Linux memory management and zswap subsystems to minimize kernel memory fragmentation for embedded systems (systems with low memory)

github.com

BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?

Everybody don't have the chance to cap the hardware limit of the router as we don't all have fiber at home. I'm still on adsl with 16Mbps and prefer local security over bandwidth. We need profil like yours to give enhancements to the community. I want to thanks also rgnldo for his contributions to the subject. It is great to see such buddies in our community.. Thanks guys !

(sorry for all i forgot to mention !)

 

[Mutzli]

BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?

I'm very interested to see of it works on my AX88U, yes please.

 

[heysoundude]

@faux123 what was the consensus here about using suricata as IPS only? too much for ac86?
can also confirm IDS doesn't work with IPv6...does that change for IPS/Native IPv6? anyone???

 

[faux123]

@faux123 what was the consensus here about using suricata as IPS only? too much for ac86?
can also confirm IDS doesn't work with IPv6...does that change for IPS/Native IPv6? anyone???

The issues I had with IPV6 was related to the af_packet implementation of Suricata in IPS mode, I didn't look any further once I realized the bug in IPS mode. So I believe IDS mode is working fine esp with in pcap mode (which is the default if you followed the guided instructions).

 

[heysoundude]

The issues I had with IPV6 was related to the af_packet implementation of Suricata in IPS mode, I didn't look any further once I realized the bug in IPS mode. So I believe IDS mode is working fine esp with in pcap mode (which is the default if you followed the guided instructions).

I did, but I'm not seeing any "action" on the graph/chart in the GUI.
I changed my WAN setup slightly, however; perhaps I just need to re-run the install.

 

[heysoundude]

um, how does one make suricata_manager executable? I've issued it and all I get is
-sh: suricata_manager: not found
even though I've checked that it IS in the /jffs/addons/suricata folder

(could this be why my GUI graph isn't populating?)

 

[JJohnson1988]

um, how does one make suricata_manager executable? I've issued it and all I get is
-sh: suricata_manager: not found
even though I've checked that it IS in the /jffs/addons/suricata folder

(could this be why my GUI graph isn't populating?)

Yeah you currently have to run it directly from /jffs/addons/suricata.

Just do "sh suricata_manager.sh <argument>" from the above directory.

 

[abracadabra11]

Has something changed? Is Suricata IDS suitable for an RT-AC68U? I thought I recall an earlier version of thread indicated only 86U and above.

 

[rgnldo]

suitable for an RT-AC68U

It works. In IDS mode it is smooth and stable. Skynet + Suricata IDS, a good partnership.

 

[heysoundude]

Yeah you currently have to run it directly from /jffs/addons/suricata.

Just do "sh suricata_manager.sh <argument>" from the above directory.

I had to uninstall and reinstall, and it's all working again, even the chart in the GUI. so disregard my earlier support of the claim that suricata doesn't work under native IPv6

 

[archiel]

@faux123 @rgnldo As I understand it, with an AX88U I have the choice of running suricata or snort as IDS/IPS, I am already running skynet. What I do not understand is which combination is 'better' - what are the advantages / disadvantages of each.

 

[rgnldo]

@faux123 @rgnldo As I understand it, with an AX88U I have the choice of running suricata or snort as IDS/IPS, I am already running skynet. What I do not understand is which combination is 'better' - what are the advantages / disadvantages of each.

Suricata by Entware, only IDS.
Snort3 work IDS/IPS on AX88U and AC86U

 

[abracadabra11]

It works. In IDS mode it is smooth and stable. Skynet + Suricata IDS, a good partnership.

Thanks!

Is it possible to run QoS with Suricata active? I saw that Adaptive Qos is not compatible (and currently using FlexQoS), but is it possible to use traditional QoS? Perhaps I should also ask if there's any advantage to running traditional QoS?

There are certain applications where QoS is very useful for my network, so trying to balance possibly using Suricata with some form of QoS.

As noted above, using RT-AC68U so CakeQoS is not an option.

 

[juched]

After running Suricata for a while now, I have today decided to disable some of the "noise" false positives. I disabled:

# - emerging-dns.rules
# - emerging-icmp_info.rules
# - emerging-user_agents.rules
# - emerging-policy.rules
# - emerging-games.rules

Policy items, tracking pings on the network, DNS lookups to more rarely used top level domains and interesting user agents, does seem to be worth the effort to filter through.

Added this change to the default yaml file and also updated the stats to group by day, making it easier to see items by day.

 

[heysoundude]

After running Suricata for a while now, I have today decided to disable some of the "noise" false positives. I disabled:

# - emerging-dns.rules
# - emerging-icmp_info.rules
# - emerging-user_agents.rules
# - emerging-policy.rules
# - emerging-games.rules

Policy items, tracking pings on the network, DNS lookups to more rarely used top level domains and interesting user agents, does seem to be worth the effort to filter through.

Added this change to the default yaml file and also updated the stats to group by day, making it easier to see items by day.

wonderful, thank you.
now can you work on making it so I can issue suricata_manager update please?

 

[ugandy]

on the webui suricata report, the column for "Date" is not wide enough (on firefox at least); "Destination IP" column title is misspelled.

 

[ugandy]

maybe a silly question, but curious. Suricata has to set the eth0/br0 interface to promiscuous mode to sniff packets. Are there any security considerations to using this mode on an interface?
thx