TheUntouchable
Regular Contributor
I used your kernels since the HTC Desire or Sensation till the M7, I cant remember anymore..
And I still own the Faux123 Kernel Enhancment Pro App But now back to topic Nice to see your work here again![Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]
- Thread starter faux123
- Start date
I used your kernels since the HTC Desire or Sensation till the M7, I cant remember anymore..
And I still own the Faux123 Kernel Enhancment Pro App But now back to topic Nice to see your work here again!
Mutzli
Very Senior Member
A question on the rules updates. I downloaded the latest rules and saw that they always come with an updated snort.lua file as well. @faux123 , How do you handle the update? Do you use the new snort config file or do you copy only the section about the updated rules into the existing snort file?
Edit: I tried the updated snort.lua with all the rules in section 6. and included community.rules and builtins.rules as well. Here is validation output:
with all the rules loaded my Snort is now taking up 685MB. This is up from 507MB with only the builtins.rules loaded. Here is the meminfo output:
Edit: I tried the updated snort.lua with all the rules in section 6. and included community.rules and builtins.rules as well. Here is validation output:
Code:
--------------------------------------------------
rule counts
total rules loaded: 14100
text rules: 13641
builtin rules: 459
option chains: 14100
chain headers: 473
--------------------------------------------------with all the rules loaded my Snort is now taking up 685MB. This is up from 507MB with only the builtins.rules loaded. Here is the meminfo output:
Code:
cat /proc/meminfo
MemTotal: 903572 kB
MemFree: 153664 kB
MemAvailable: 151284 kB
Buffers: 1384 kB
Cached: 42656 kB
SwapCached: 30500 kB
Active: 128404 kB
Inactive: 242756 kB
Active(anon): 102576 kB
Inactive(anon): 225184 kB
Active(file): 25828 kB
Inactive(file): 17572 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 2097148 kB
SwapFree: 1720076 kB
Dirty: 12 kB
Writeback: 12 kB
AnonPages: 314736 kB
Mapped: 19880 kB
Shmem: 648 kB
Slab: 319504 kB
SReclaimable: 3036 kB
SUnreclaim: 316468 kB
KernelStack: 2512 kB
PageTables: 3340 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 2548932 kB
Committed_AS: 871620 kB
VmallocTotal: 260046784 kB
VmallocUsed: 27988 kB
VmallocChunk: 259973300 kB
Last edited:
Thank you Faux123 all for putting this together. I really like Snort, appreciate your and others' work on this.
I loaded it up early this morning, before anyone got up. At around 4 pm my online gamer and my Netflix maven both asked if I had 'done something' to the internet, that it was running slow for both of them. I uninstalled snort, rebooted, asked how it was now after a reboot and they said it was fine now. I also noticed slower speeds with DSLReports speedtest, but wanted to see how that translated to real-world use. For me, without performing any optimization, it appears that it comes with a speed burden, which is understandable. But this may improve with better tuning for the environment.
Note this could have also been an artifact of updating all of the entware files at the same time, although I did run through a reboot after setup. I was having trouble like others with Skynet as noted in the support forum. I have a homemade appliance that I have been considering placing inline, mini-ITX quad i7 4-gb ports, just haven't taken the next step. May resurrect it now...
Hardware config if helpful: AX88U, Merlin 384.19, (see sig) - also running Link Agg through SB8200 (Comcast, 1GB svc) incoming (WAN & Port4) and LACP (Ports 1&2) to managed switch, with all hardwired coming through the switch. AX88U with 2x Mesh nodes handling all wi-fi, nodes connected through wired backhaul through Engenious managed switch.
I loaded it up early this morning, before anyone got up. At around 4 pm my online gamer and my Netflix maven both asked if I had 'done something' to the internet, that it was running slow for both of them. I uninstalled snort, rebooted, asked how it was now after a reboot and they said it was fine now. I also noticed slower speeds with DSLReports speedtest, but wanted to see how that translated to real-world use. For me, without performing any optimization, it appears that it comes with a speed burden, which is understandable. But this may improve with better tuning for the environment.
Note this could have also been an artifact of updating all of the entware files at the same time, although I did run through a reboot after setup. I was having trouble like others with Skynet as noted in the support forum. I have a homemade appliance that I have been considering placing inline, mini-ITX quad i7 4-gb ports, just haven't taken the next step. May resurrect it now...
Hardware config if helpful: AX88U, Merlin 384.19, (see sig) - also running Link Agg through SB8200 (Comcast, 1GB svc) incoming (WAN & Port4) and LACP (Ports 1&2) to managed switch, with all hardwired coming through the switch. AX88U with 2x Mesh nodes handling all wi-fi, nodes connected through wired backhaul through Engenious managed switch.
thecheapseats
Senior Member
snort is trick, but demands an appliance with some zoom - even with an x88, I wouldn't run it on there for other than experimental purposes...
personally, I'm saving my nickels and dimes for a freebsd hardware-compliant pfsense appliance (that has the 'juice' for snort as well) - as the pfsense freebsd rev is a few revs behind and sooo very finiky about fully qualified hardware... for any interested, it will bite you on the butt if that point is neglected/ignored... been there...
on paper, many of the current crop of sbc boards (or other hardware) look like they'd do a pfsense job on the network edge - but there can be hardware gotchas...
Last edited:
MoonPie2000
Regular Contributor
so i am still a little unclear does this configuration of Snort3 do both IDS/IPS on an AX88U? Is it a hardware limitiation for AX88U to do both? Thanks.
Mutzli
Very Senior Member
@faux123 I saw that Snort released an updated build for Version 3.0.0 from Sept. 23. Is it possible to merge the new files with your custom configured build? And if so, how would I go about it?
Btw. I have it running now for over a month on two locations and it works great. The only problem I encountered is when you stop and start Snort several times on the router it will eventually just quit until you do a router reboot.
Btw. I have it running now for over a month on two locations and it works great. The only problem I encountered is when you stop and start Snort several times on the router it will eventually just quit until you do a router reboot.
Aptxope
New Around Here
Hi there!
Fist of all, best wishes for 2021! Second, faux123, thanks alot for your research and work, really appreciated.
I know this topic is kinda old and not that active anymore, nevertheless I'm willing to ask you guys for help. I installed Snort just as faux123 had described and it is actually working. However, after a couple of minutes Snort stop working and I cant find out why. I am using my own config, but as far as I know it is only slightly different from the one faux123 is using. Or did faux123 enabled some performance settings in his config?
Here's a screenshot from the gui where you can see the CPU activity, and then drops:
Before and afterwards I'm checking the status and it states it's dead..
I cant find anything in the alert_fast log. I'm not aware of any other available logfiles though.
I'm using Merlin 384.19.
Beside Snort I do not have anything special running on my AX88U. I even wasn't aware of Entware before reading this thread And due some privacy concerns I'm not even using the built-in tools provided by Trend Micro.
I hope you guys can guide me to the answer. Thanks in advance!
Fist of all, best wishes for 2021! Second, faux123, thanks alot for your research and work, really appreciated.
I know this topic is kinda old and not that active anymore, nevertheless I'm willing to ask you guys for help. I installed Snort just as faux123 had described and it is actually working. However, after a couple of minutes Snort stop working and I cant find out why. I am using my own config, but as far as I know it is only slightly different from the one faux123 is using. Or did faux123 enabled some performance settings in his config?
Here's a screenshot from the gui where you can see the CPU activity, and then drops:
Before and afterwards I'm checking the status and it states it's dead..
I cant find anything in the alert_fast log. I'm not aware of any other available logfiles though.
I'm using Merlin 384.19.
Beside Snort I do not have anything special running on my AX88U. I even wasn't aware of Entware before reading this thread
And due some privacy concerns I'm not even using the built-in tools provided by Trend Micro.I hope you guys can guide me to the answer. Thanks in advance!
Mutzli
Very Senior Member
Hi there!
Fist of all, best wishes for 2021! Second, faux123, thanks alot for your research and work, really appreciated.
I know this topic is kinda old and not that active anymore, nevertheless I'm willing to ask you guys for help. I installed Snort just as faux123 had described and it is actually working. However, after a couple of minutes Snort stop working and I cant find out why. I am using my own config, but as far as I know it is only slightly different from the one faux123 is using. Or did faux123 enabled some performance settings in his config?
Here's a screenshot from the gui where you can see the CPU activity, and then drops:
View attachment 29040
Before and afterwards I'm checking the status and it states it's dead..
View attachment 29041
I cant find anything in the alert_fast log. I'm not aware of any other available logfiles though.
I'm using Merlin 384.19.
Beside Snort I do not have anything special running on my AX88U. I even wasn't aware of Entware before reading this thread
I hope you guys can guide me to the answer. Thanks in advance!
I had the same problem. But it only happened when I changed something on the configuration when it was already running. When I restarted the router and didn't touch Snort it would run for weeks without any issues. I simply checked with TOP to see if everything was working and of course the logs to see if it was doing its job. As mentioned above, Snort did release some updates during the last few months, but I don't have the time or expertise to takle an update to the existing files on git. Faux123's version is based on the last beta 4 before it was released, currently it's on version 3.0.3. I haven't heard from faux123 or anyone else that would be still using this experimental build or maintain it. A shame really, since it is a far superior solution to the Trend Micro built in solution and Suricata. So, after installing the latest beta 386.1-b3 and doing a factory reset i didn't reinstall Snort and went back to the included solution. I wish there was more community interest in a none Trend Micro solution like Snort since Trend comes with some questionable privacy terms.
Last edited:
Aptxope
New Around Here
Thanks for your reply.
I ran some tests and didnt touch Snort or any config either. It is strange, I tried to let it run a couple of times but still it got terminated. I monitored and it does after 13 minutes. I think it has something to do with memory short, but don't know how to find out. Any suggestions on that? Is there any particular log I can check?
Mutzli
Very Senior Member
Did you create a swap file of 2GB before installing Snort? You can do this through amtm or Skynet.
Track the memory usage with command top from the SSH console. Restart the router and open a SSH session and watch top (sorted by memory utilization, press m). Snort should load as the top memory hog. Watch your memory allocation drop when snort starts. Mine showed around 75 to 100MB free after Snort was loaded. Over time it would get better when the swap file was utilized, and memory freed up. It got up to 150MB available.
Track the memory usage with command top from the SSH console. Restart the router and open a SSH session and watch top (sorted by memory utilization, press m). Snort should load as the top memory hog. Watch your memory allocation drop when snort starts. Mine showed around 75 to 100MB free after Snort was loaded. Over time it would get better when the swap file was utilized, and memory freed up. It got up to 150MB available.
XIII
Very Senior Member
Snort 3 Becomes Generally Available
Cisco announces the official release and general availability of Snort 3, seven years after the alpha version was unveiled.
JGrana
Very Senior Member
Hopefully @faux123 saw this as well ;-)Snort 3 Becomes Generally Available
Cisco announces the official release and general availability of Snort 3, seven years after the alpha version was unveiled.www.securityweek.com
linuxbozo
New Around Here
For those still wanting an updated snort3, I put a little something together that may be of interest. Enjoy!
https://github.com/LinuxBozo/snort3-merlin
https://github.com/LinuxBozo/snort3-merlin
linuxbozo
New Around Here
Can you provide more details than "it breaks entware"? How does it break? What happens?
Assuming you changed the
This should allow you to keep using entware as-is, and install the updated 4.1 packages.
Assuming you changed the
opkg.conf as mentioned, it shouldn't break anything. It should now look like this:
Code:
src/gz entware https://bin.entware.net/aarch64-k3.10
dest root /
dest ram /opt/tmp
lists_dir ext /opt/var/opkg-lists
option tmp_dir /opt/tmp
arch all 100
arch aarch64-3.10 160
arch aarch64-4.1 200This should allow you to keep using entware as-is, and install the updated 4.1 packages.
linuxbozo
New Around Here
This is after installing my version of libopenssl I would guess? I did mention it would be better to install from entware if you can so you have the k-3.10 version. Also, it should go without saying that you should always opkg update && opkg upgrade before installing other packages.
EDIT: Actually, looks like this is coincidental: https://www.snbforums.com/threads/error-libssl-so-1-1-wrong-elf-class-elfclass32.84052/ and just something going on with Entware.
EDIT: Actually, looks like this is coincidental: https://www.snbforums.com/threads/error-libssl-so-1-1-wrong-elf-class-elfclass32.84052/ and just something going on with Entware.
Last edited:
Similar threads
Latest threads
-
-
-
-
Can't get 2gbps to my unraid server
- Started by zekesdad
- Replies: 2
-
changed AC68U to AX86U Pro, same guest network setting but all devices gone?
- Started by Heronimos
- Replies: 4
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!