Suricata Suricata - IDS on AsusWRT Merlin

[Smokey613]

I finally got Suricata up and running in IDS/IPS mode.

I got this off Amazon

https://www.amazon.com/gp/product/B072C4YQQH/?tag=snbforums-20

and installed OPNsense on it. I then put my main RT-AC86U in AP mode with my second RT-AC86U as AiMesh node. My setup is running real good.

 

[XIII]

I finally got Suricata up and running in IDS/IPS mode.

My setup is running real good.

How did you do that on a 86u?

 

[Milan]

I finally got Suricata up and running in IDS/IPS mode.

I got this off Amazon

https://www.amazon.com/gp/product/B072C4YQQH/?tag=snbforums-20

and installed OPNsense on it. I then put my main RT-AC86U in AP mode with my second RT-AC86U as AiMesh node. My setup is running real good.

How did you do that on a 86u?

i think he makes running Suricata on this box, not on the router ...

 

[Smokey613]

i think he makes running Suricata on this box, not on the router ...

That is correct. I am running OPNsense on the Qotom mini pc and Suricata is the IDS/IPS I am using with OPNsense. I like Suricata but trying to use it to it’s full potential on an Asus wifi router is futile. Now my mini pc handles all networking duties such as QoS, DHCP, DNS, firewall, etc. Not an economical or simple solution, but for me it is worth it.

 

[rgnldo]

I finally got Suricata up and running in IDS/IPS mode.

I got this off Amazon

https://www.amazon.com/gp/product/B072C4YQQH/?tag=snbforums-20

and installed OPNsense on it. I then put my main RT-AC86U in AP mode with my second RT-AC86U as AiMesh node. My setup is running real good.

Very good!
Except for vulnerability issues on older intel processors, it looks great. I believe that the OPNSense team has sent the patches that mitigate the problems.
I recommend blocking all LAN traffic and manually adding the access ports you need
Intel Celeron J1900 does not support AES-NI. For starters, excellent acquisition

 

[Smokey613]

Very good!
Except for vulnerability issues on older intel processors, it looks great. I believe that the OPNSense team has sent the patches that mitigate the problems.
I recommend blocking all LAN traffic and manually adding the access ports you need
Intel Celeron J1900 does not support AES-NI. For starters, excellent acquisition

The lack of AES-NI is not a deal breaker for me since I do not use any type of VPN and my budget was limited. Considering my limited bandwidth ( 50m/5m ) this should handle my needs.

 

[steelskinz]

I asked myself on going to a real dedicated box to do router/pppoe/switch and all the security stuff. I'm going to OPNsense too and will use Sensei (need huge CPU) with Surricata and i'm waiting it from my postal service..

 

[Galeriusinmood]

I mirror all the traffic from my asus router to a machine on the network and i am running suricata on it . Overhead to my RT-AC1900U - AC68U was creating some performance problems

Good project anyway rgnldo

 

[rgnldo]

IDS vs IPS

 

[Smokey613]

I made just the switch from OPNsense to PFsense on my little mini pc box. Maybe my years of running PFsense in the past is the reason, but I just could not warm up to OPNsense. I like PFsense much better.

 

[Wisiwyg]

I made just the switch from OPNsense to PFsense on my little mini pc box. Maybe my years of running PFsense in the past is the reason, but I just could not warm up to OPNsense. I like PFsense much better.

Gotta ask, what sort of firewall rules are you running on the PF box? What's a good, safe setup for a home network?

 

[Smokey613]

Gotta ask, what sort of firewall rules are you running on the PF box? What's a good, safe setup for a home network?

I run Suricata default setup, plus a Snort Home subscription and ETOpen free edition rule sets. The biggest surprise is my IPV6 hand off from my ISP now works great. I was never able to get it working properly using just the RT-AC86U even though my ISP modem is in bridge mode. I am very happy about this.

 

[steelskinz]

I made just the switch from OPNsense to PFsense on my little mini pc box. Maybe my years of running PFsense in the past is the reason, but I just could not warm up to OPNsense. I like PFsense much better.

Could you give us some feedbacks on why you didn't warm on opnsense ? I never test pfsense to be honest.

 

[Smokey613]

OPNsense had more packages available and a prettier webui, but the platform seemed to be in more of a “beta” state. It seemed to require more work to get the packages working as expected. I never did get IPV6 working properly so that my clients received valid IPV6 addresses. On PFsense, there are fewer available packages but when you install them, they just work. I got IPV6 setup and working properly in just a few minutes. PFsense is a more mature stable platform with more support resources.

 

[rgnldo]

Privacy and security is everything. I have Suricata 5.0.3 in INLINE mode on the wan and lan. Do not use adblock or logs via DNS, it generates problems with DNSSEC. I have the squid proxy with squidguard via wpad. My firewall policy is blocking. I manually add the ports. I recommend.

 

[Wisiwyg]

Privacy and security is everything. I have Suricata 5.0.3 in INLINE mode on the wan and lan. Do not use adblock or logs via DNS, it generates problems with DNSSEC. I have the squid proxy with squidguard via wpad. My firewall policy is blocking. I manually add the ports. I recommend.

Can you recommend a firewall policy rule set for home use, with no external access, no externally accessible ports? I've never setup firewall rules, wouldn't know where to start. TIA

 

[Smokey613]

Privacy and security is everything. I have Suricata 5.0.3 in INLINE mode on the wan and lan. Do not use adblock or logs via DNS, it generates problems with DNSSEC. I have the squid proxy with squidguard via wpad. My firewall policy is blocking. I manually add the ports. I recommend.

What hardware are you using? I was reading about INLINE mode and that NFQ support is required as well as a supported network interface.

 

[KW.]

I have a problem with disabling suricata. I thought I killed to process but "suricata-main" is still running even if I get the output.

"root@R9000:~$ /opt/etc/init.d/S82suricata check
Checking suricata... dead."

how do I uninstall the software?

EDIT: Thank you for the answer @rgnldo. I also want to make clear that Suricata have worked very good. Just want to try some stuff. So I do not uninstall because of any problems. As a network monitor it have been working great. I will install it again

 

[rgnldo]

I have a problem with disabling suricata. I thought I killed to process but "suricata-main" is still running even if I get the output.

"root@R9000:~$ /opt/etc/init.d/S82suricata check
Checking suricata... dead."

how do I uninstall the software?

opkg remove suricata

 

[JGrana]

opkg remove suricata

And after the remove, reboot ;-)