Recent content by mike37

  1. securing internal network traffic against rogue apps / devices

    You might be interested in: https://www.snbforums.com/threads/suricata-ids-on-asuswrt-merlin.63280/ and https://www.snbforums.com/threads/experimental-snort3-ids-ips-on-asusmerlin-ac86-ax88-routers-only.66123/ These come with rules that'll flag many of the actions you listed. In IDS mode you'll...
  2. Suricata - IDS on AsusWRT Merlin

    Try: suricata -c /opt/etc/suricata/suricata.yaml -T
  3. Suricata - IDS on AsusWRT Merlin

    err....... nah! I'm old and over the hill. Something like this should be spearheaded by an energetic, young guy - preferably from Brazil - with a powerful, developer's computer. :-)
  4. Suricata - IDS on AsusWRT Merlin

    So here are the alerts - outgoing and incoming...
  5. Suricata - IDS on AsusWRT Merlin

    For me, the answer is Yes. In order to get it to function as IPS, rgnldo suggested the following https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-12#post-585513 I applied those changes to my week-old yaml and found that the IDS performance was improved, but IPS...
  6. Suricata - IDS on AsusWRT Merlin

    And for this we are VERY grateful!! Rgnldo, I have an observation and suggestion(s): There are a number of suggested tweaks to the yaml floating about - it is hard for us (and you) to know "which" yaml file is being discussed. May I STRONGLY suggest/request that you: 1. update your current...
  7. Suricata - IDS on AsusWRT Merlin

    Were we talking about going from v4.1.7-1 to v4.1.8 that might make sense - of course coordinating with rgnldo. Going from v4.1.7-1 to v5.0.3 will quite likely include configuration changes, changed compilation dependencies, perhaps new rule formats, etc. (I even noted af-packet specification...
  8. Suricata - IDS on AsusWRT Merlin

    Opkg indicates it (suricata_4.1.7-1armv7..) is the only package available; no later v4 or v5 beta listed. Package maintainer is not indicated. ============================ Package: suricata Version: 4.1.7-1 Depends: libc, libssp, librt, libpthread, libyaml, jansson, libpcap, libpcre, file...
  9. Suricata - IDS on AsusWRT Merlin

    Different apps can add and define different interfaces; e.g. I don't have ethx, eth6 or eth7 on my up-to-date RT-AC68U which is used with both wired and wireless clients. I also don't have QOS, cloud functions, VPN servers or clients, etc. You might list your router model, firmware version...
  10. Suricata - IDS on AsusWRT Merlin

    Got a chance to play with IPS today and didn't get very far. The af-packet configuration, which is crucial for IPS, has evolved significantly since our version of suricata (4.7) was upgraded to 4.8 and now to 5.03. I considered upgrading to either 4.8 or 5.03 and starting there (sigh...
  11. Suricata - IDS on AsusWRT Merlin

    Yep! ....... FWICT it doesn't work as an af_packet IPS with the current settings. And it was compiled without NFQ support so it can't use the traditional method where IpTables/Netfilter are able to support it. If I get the time I'll play with it this weekend: reconfigure yaml, and add an address -...
  12. Suricata - IDS on AsusWRT Merlin

    Indeed - which makes Suricata so interesting. AiProtection seems to work, but to an unknown degree (rules).
  13. Suricata - IDS on AsusWRT Merlin

    https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
  14. Suricata - IDS on AsusWRT Merlin

    Heh....ROTFLMAO! You're a full-service hotel and host. :)
  15. Suricata - IDS on AsusWRT Merlin

    Agreed - IMHO that is how an IDS/IPS should work. But there are current/maintained Suricata rules (e.g. "drop.rules", "compromised.rules" ) that are simply website blocking lists. Perhaps they are intended as an option for users who do not have a Skynet type of address blocker (In that...