What's new

[Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

faux123

Regular Contributor
What is Snort? It is an open source intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging.

Snort is an open source project under Gnu Public License (GPL) 2.0, it is an open source alternative to some of the proprietary IDS/IPS such as TrendMicro's AiProtect (which Asus has bundled with many Asus routers).

snort_logo.jpeg

Quick background: Snort classic (2.x series) is single threaded (means it could only use 1 core regardless of the CPU architecture), this was a great limiting factor for its IPS performance and so not as widely adopted as Suricata (which was multi-threaded to begin with). Snort 3 was a HUGE rewrite from the Snort team to bring multi-threading capability to snort, now with 3.0+, snort has the same performance benefits as Suricata allowing the Snort IPS to scale with more CPU cores. One COOL thing about snort3 is the integration of OpenAppID (allows you to track specific apps such as Facebook, Twitter etc etc).

The Challenge: Snort3 is quite resource intensive in terms of both CPU and RAM (a resource hog, pun intended ;) ). It was really designed for beefy computers or network appliances using Intel CPUs and with at least 2 Gigabytes of RAM. It needs the beefy CPUs in order to process many different rule sets and plenty of RAM to keep those rule sets in memory to perform Deep Packet Inspection (DPI) with minimal effect on overall network performance. By default, if you run snort3 on RT-AC86U with its laughable 512 MB of RAM, it would instantly crash with Out Of Memory (OOM) exception. To get it running on my setup, I had to read all its manuals and source code to understand how it uses the RAM and figure out what to enable and what to disable. After a few days of intensive reading, I have settled on a set of tweaks to allow snort 3 to run in IPS mode on the RT-AC86U.

WARNING (RT-AC86U): To run snort3, it is recommended to have ACTIVE COOLING solution as the demands of Snort3 will CAUSE the router to HEAT UP. An external USB Fan or equivalent solution IS RECOMMENDED! You have been WARNED! (RT-AX88U users have reported to be okay, just be careful)

Installation:

[prerequisite]:
1. You will need to have 2 GB of swap enabled and of course Entware installed already and functioning.
2. You want to disable TrendMicro's AiProtect and TrendMicro's Adaptive QoS (these options will interfere with Snort3 due to proprietary modules used bypass normal packet processing).

[Compatibility]:
1. Snort3 is compatible with Skynet
2. Snort3 is compatible with Unbound
3. Snort3 is compatible with YazFi
4. Snort3 is compatible with OpenVPN
5. Snort3 is compatible with CakeQoS (and highly recommended since disabling of AdaptiveQoS will need a replacement and CakeQoS just works)
6. Snort3 is compatible with Wireguard (alternative to OpenVPN)

Snort3 has many similar dependencies as Snort classic. At this moment, snort classic is available as part of Entware. So the best way to install snort3 is to install snort classic first, then delete snort classic and install my packages afterwards which are specific to snort3.

SSH into your router:
ssh your_username@your_router_ip

Bash:
opkg update
opkg install snort
after snort classic installation, remove it by:
Bash:
opkg remove snort
then download snort3 specific packages from my repo here:

Bash:
wget https://github.com/faux123/snort3/releases/download/3.0.0.0-beta4/libpciaccess_0.16-1_aarch64-3.10.ipk
wget https://github.com/faux123/snort3/releases/download/3.0.0.0-beta4/libhwloc_2.1.0-1_aarch64-3.10.ipk
wget https://github.com/faux123/snort3/releases/download/3.0.0.0-beta4/snort3_3.0.0-beta-4_aarch64-3.10.ipk

opkg install libpciaccess_0.16-1_aarch64-3.10.ipk
opkg install libhwloc_2.1.0-1_aarch64-3.10.ipk
opkg install snort3_3.0.0-beta-4_aarch64-3.10.ipk

At this moment, you should test your snort3 installation by typing the following command:

Bash:
snort -V
this validates your snort version (3.0.0) and you should see information about the build feature sets
then follow by below:

Next is to register with snort.org, so you can download the latest snort3 rule sets here:
(above can only be accessible to registered users)

Oh and grab their community rules here as well:
(I put my community rules under: /opt/lib/snort3/ folder but you can put it anywhere you want, just change the -R option in the init.d file).

Oh and definitely grab the OpenAppID here:
(I put my OpenAppID folder 'odp' under '/opt/lib/', but you can put it anywhere you want, just change snort.lua file with the right locations).

To unzip the archives:
tar -xzf your_filename.tar.gz

Then grab my init.d script from my repo here:
Bash:
wget https://raw.githubusercontent.com/faux123/snort3_config/master/init.d/S81Snort3
cp S81Snort3 /opt/etc/init.d/
chmod 755 /opt/etc/init.d/S81Snort3

To get started you want to first edit a couple of files:
open /opt/etc/snort/snort.lua and change:
from line 32 to line 35: add -- in front of all those lua path settings
Code:
lua_path = os.getenv('LUA_PATH')
if ( not lua_path ) then
    package.path = '/opt/include/snort/lua/?.lua;?;'
end
to
Code:
--lua_path = os.getenv('LUA_PATH')
--if ( not lua_path ) then
--    package.path = '/opt/include/snort/lua/?.lua;?;'
--end
line 55: from HOME_NET = 'any' to HOME_NET='192.168.1.1/24' (whatever your internal LAN address was assigned to)
line 123: from --app_detector_dir = 'directory to load appid detectors from' to app_detector_dir='/opt/lib', (this assumes you put your odp folder under /opt/lib/)
line 201: from --enable_builtin_rules = true, to enable_builtin_rules = true, (remove the -- in front of that line)
and finally change
line 261: from --alert_fast = { } to alert_fast = { file = true, }
then create the folder for the logs by:
Bash:
mkdir /opt/var/log/snort/

Final validation to ensure all the settings are correct!
Bash:
snort -T -z 1 --daq afpacket --daq-dir /opt/lib/daq --daq-var buffer_size_mb=32 -Q -i eth0:br0 -c /opt/etc/snort/snort.lua

Now to finally get it started:
Bash:
/opt/etc/init.d/S81Snort3 start
This will kick start snort3 in IPS mode (assuming all the settings are working, since snort is a very heavy process and resource intensive, it may take up to 45 seconds or more to have it up and fully running).

To stop it, simply do:
Bash:
/opt/etc/init.d/S81Snort3 stop
NOTE: Often time it would say 'failed', but that's not the case, it simply 'timed out' because the shutdown process is also VERY HEAVY (it doesn't die immediately as it needs to flush all its memory content, free up the swap usage etc etc), it may take up to 2 min or more for the process to finally shutdown (patience is required here).

To see the logs, they are located in /opt/var/log/snort/ folder and you should see alert_fast.txt file to log all activities.

I have captured my own configurations here as a reference:
(this is assuming you have community rules downloaded, the VRT rules downloaded for registered users, OpenAppID download and all of them placed in the folders based on my own settings).

With the above tweaks and settings, this will allow RT-AC86U (and RT-AX88U) to have a functioning IPS with Snort3. This is JUST the beginning, I hope this will get some users started to think about IPS for home and then develop rule sets which we can all benefit from and share with everyone else here as I have shared my work here.
One other note, I'm pretty busy normally, so I won't be "supporting" users here often, but I'm hoping the community members here to help each other out with issues, I will focus more on the code aspect!

Enjoy, have fun and keep the Open Source Spirit going!

Special shout out to @rgnldo with his Suricata thread to get me started and of course to @RMerlin for his Merlin magic.
 
Last edited:
reserved 1
 
test command is throwing :

Code:
admin@RT-AX88U-F810:/tmp/mnt/sda/entware/etc/init.d# snort -T -z 1 --daq afpacket --daq-dir /opt/lib/daq --daq-var buffer_size_mb=32 -Q -i eth0:br0 -c /opt/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /opt/etc/snort/snort.lua:
FATAL: can't init /opt/etc/snort/snort.lua: /opt/etc/snort/snort.lua:39: module 'snort_config' not found:
        no field package.preload['snort_config']
        no file '/opt/include/snort/lua/snort_config.lua'
        no file 'snort_config'
        no file './snort_config.so'
        no file '/opt/lib/lua/snort_config.so'
        no file '/opt/lib/lua/snort_config.so'
        no file '/opt/lib/lua/loadall.so'
Fatal Error, Quitting..
 
I guess it’s safe to run this for a couple of minutes without a fan?

I would like to test whether snort (unlike Suricata) does block traffic on my AC86u router for the simple test someone suggested in the Suricata topic.
 
test command is throwing :

Code:
admin@RT-AX88U-F810:/tmp/mnt/sda/entware/etc/init.d# snort -T -z 1 --daq afpacket --daq-dir /opt/lib/daq --daq-var buffer_size_mb=32 -Q -i eth0:br0 -c /opt/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /opt/etc/snort/snort.lua:
FATAL: can't init /opt/etc/snort/snort.lua: /opt/etc/snort/snort.lua:39: module 'snort_config' not found:
        no field package.preload['snort_config']
        no file '/opt/include/snort/lua/snort_config.lua'
        no file 'snort_config'
        no file './snort_config.so'
        no file '/opt/lib/lua/snort_config.so'
        no file '/opt/lib/lua/snort_config.so'
        no file '/opt/lib/lua/loadall.so'
Fatal Error, Quitting..
Try this, add -- from line 32 to line 35 (basically taking out the incorrect lua path setup)
 
I guess it’s safe to run this for a couple of minutes without a fan?

I would like to test whether snort (unlike Suricata) does block traffic on my AC86u router for the simple test someone suggested in the Suricata topic.
Just monitor your temperatures closely, as long as it's below 100 degrees C (before router decides to thermal protect itself) you should be fine.
 
test command is throwing :

Code:
admin@RT-AX88U-F810:/tmp/mnt/sda/entware/etc/init.d# snort -T -z 1 --daq afpacket --daq-dir /opt/lib/daq --daq-var buffer_size_mb=32 -Q -i eth0:br0 -c /opt/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /opt/etc/snort/snort.lua:
FATAL: can't init /opt/etc/snort/snort.lua: /opt/etc/snort/snort.lua:39: module 'snort_config' not found:
        no field package.preload['snort_config']
        no file '/opt/include/snort/lua/snort_config.lua'
        no file 'snort_config'
        no file './snort_config.so'
        no file '/opt/lib/lua/snort_config.so'
        no file '/opt/lib/lua/snort_config.so'
        no file '/opt/lib/lua/loadall.so'
Fatal Error, Quitting..
Same here, test is failing looking for snort_config in /opt/include/snort/lua
 
Now it's working, the CPU is working hard, but the temperatures on my AX88U are not too bad. I'll let it run for a while and see how they rise.
1598791140756.png



Temperatures 2.4 GHz: 49°C - 5 GHz: 49°C - CPU: 80°C
 

Attachments

  • 1598791259869.png
    1598791259869.png
    19.1 KB · Views: 239
What tools and logs do we have available to monitor what snort is doing?
 
Last edited:
What is Snort? It is an open source intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging.

Snort is an open source project under Gnu Public License (GPL) 2.0, it is an open source alternative to some of the proprietary IDS/IPS such as TrendMicro's AiProtect (which Asus has bundled with many Asus routers).


Quick background: Snort classic (2.x series) is single threaded (means it could only use 1 core regardless of the CPU architecture), this was a great limiting factor for its IPS performance and so not as widely adopted as Suricata (which was multi-threaded to begin with). Snort 3 was a HUGE rewrite from the Snort team to bring multi-threading capability to snort, now with 3.0+, snort has the same performance benefits as Suricata allowing the Snort IPS to scale with more CPU cores. One COOL thing about snort3 is the integration of OpenAppID (allows you to track specific apps such as Facebook, Twitter etc etc).

The Challenge: Snort3 is quite resource intensive in terms of both CPU and RAM (a resource hog, pun intended ;) ). It was really designed for beefy computers or network appliances using Intel CPUs and with at least 2 Gigabytes of RAM. It needs the beefy CPUs in order to process many different rule sets and plenty of RAM to keep those rule sets in memory to perform Deep Packet Inspection (DPI) with minimal effect on overall network performance. By default, if you run snort3 on RT-AC86U with its laughable 512 MB of RAM, it would instantly crash with Out Of Memory (OOM) exception. To get it running on my setup, I had to read all its manuals and source code to understand how it uses the RAM and figure out what to enable and what to disable. After a few days of intensive reading, I have settled on a set of tweaks to allow snort 3 to run in IPS mode on the RT-AC86U.

WARNING: To run snort3, it is recommended to have ACTIVE COOLING solution as the demands of Snort3 will CAUSE the router to HEAT UP. An external USB Fan or equivalent solution IS RECOMMENDED! You have been WARNED!

Installation:
[prerequisite]: You will need to have 2 GB of swap enabled and of course Entware installed already and functioning.
Snort3 has many similar dependencies as Snort classic. At this moment, snort classic is available as part of Entware. So the best way to install snort3 is to install snort classic first, then delete snort classic and install my packages afterwards which are specific to snort3.

SSH into your router:
ssh your_username@your_router_ip

Bash:
opkg update
opkg install snort
after snort classic installation, remove it by:
Bash:
opkg remove snort
then download snort3 specific packages from my repo here:

Bash:
wget https://github.com/faux123/snort3/releases/download/3.0.0.0-beta4/libpciaccess_0.16-1_aarch64-3.10.ipk
wget https://github.com/faux123/snort3/releases/download/3.0.0.0-beta4/libhwloc_2.1.0-1_aarch64-3.10.ipk
wget https://github.com/faux123/snort3/releases/download/3.0.0.0-beta4/snort3_3.0.0-beta-4_aarch64-3.10.ipk

opkg install libpciaccess_0.16-1_aarch64-3.10.ipk
opkg install libhwloc_2.1.0-1_aarch64-3.10.ipk
opkg install snort3_3.0.0-beta-4_aarch64-3.10.ipk

At this moment, you should test your snort3 installation by typing the following command:

Bash:
snort -V
this validates your snort version (3.0.0) and you should see information about the build feature sets
then follow by below:
Bash:
snort -T -z 1 --daq afpacket --daq-dir /opt/lib/daq --daq-var buffer_size_mb=32 -Q -i eth0:br0 -c /opt/etc/snort/snort.lua
this validates your initial setup with IPS mode using af_packet drivers from the Linux kernel.

Next is to register with snort.org, so you can download the latest snort3 rule sets here:
(above can only be accessible to registered users)

Oh and grab their community rules here as well:
(I put my community rules under: /opt/lib/snort3/ folder but you can put it anywhere you want, just change the -R option in the init.d file).

Oh and definitely grab the OpenAppID here:
(I put my OpenAppID folder 'odp' under '/opt/lib/', but you can put it anywhere you want, just change snort.lua file with the right locations).

To unzip the archives:
tar -xzf your_filename.tar.gz

Then grab my init.d script from my repo here:
Bash:
wget https://raw.githubusercontent.com/faux123/snort3_config/master/init.d/S81Snort3
cp S81Snort3 /opt/etc/init.d/
chmod 755 /opt/etc/init.d/S81Snort3

To get started you want to first edit a couple of files:
open /opt/etc/snort/snort.lua and change:
from line 32 to line 35: add -- in front of all those lua path settings
Code:
lua_path = os.getenv('LUA_PATH')
if ( not lua_path ) then
    package.path = '/opt/include/snort/lua/?.lua;?;'
end
to
Code:
--lua_path = os.getenv('LUA_PATH')
--if ( not lua_path ) then
--    package.path = '/opt/include/snort/lua/?.lua;?;'
--end
line 55: from HOME_NET = 'any' to HOME_NET='192.168.1.1/24' (whatever your internal LAN address was assigned to)
line 123: from --app_detector_dir = 'directory to load appid detectors from' to app_detector_dir='/opt/lib', (this assumes you put your odp folder under /opt/lib/)
line 201: from --enable_builtin_rules = true, to enable_builtin_rules = true, (remove the -- in front of that line)
and finally change
line 261: from --alert_fast = { } to alert_fast = { file = true, }
Bash:
snort -T -z 1 --daq afpacket --daq-dir /opt/lib/daq --daq-var buffer_size_mb=32 -Q -i eth0:br0 -c /opt/etc/snort/snort.lua
Final validation to ensure all the settings are correct!

Now to finally get it started:
Bash:
/opt/etc/init.d/S81Snort3 start
This will kick start snort3 in IPS mode (assuming all the settings are working, since snort is a very heavy process and resource intensive, it may take up to 45 seconds or more to have it up and running).

To stop it, simply do:
Bash:
/opt/etc/init.d/S81Snort3 stop
NOTE: Often time it would say 'failed', but that's not the case, it simply 'timed out' because the shutdown process is also VERY HEAVY (it doesn't die immediately as it needs to flush all its memory content, free up the swap usage etc etc), it may take up to 2 min or more for the process to finally shutdown (patience is required here).

To see the logs, they are located in /opt/var/log/snort/ folder and you should see alert_fast.txt file to log all activities.

I have captured my own configurations here as a reference:
(this is assuming you have community rules downloaded, the VRT rules downloaded for register users, OpenAppID download and all of them placed in the folders based on my own settings).

With the above tweaks and settings, this will allow RT-AC86U (and RT-AX88U) to have a functioning IPS with Snort3. This is JUST the beginning, I hope this will get some users started to think about IPS for home and then develop rule sets which we can all benefit from and share with everyone else here as I have shared my work here.
One other note, I'm pretty busy normally, so I won't be "supporting" users here often, but I'm hoping the community members here to help each other out with issues, I will focus more on the code aspect!

Enjoy, have fun and keep the Open Source Spirit going!

Special shout out to @rgnldo with his Suricata thread to get me started and of course to @RMerlin for his Merlin magic.

This may get missed in this guide but the assumption is that AiProtect must be disabled when installing Snort? Any thoughts on co-existence with Skynet?

Are there any other requirements to follow prior to installing?
 
Now it's working, the CPU is working hard, but the temperatures on my AX88U are not too bad. I'll let it run for a while and see how they rise.
View attachment 25871


Temperatures 2.4 GHz: 49°C - 5 GHz: 49°C - CPU: 80°C
working fine, with similar results for me on AX88U

question is why it is written in this way, that it is occupying the whole CPU. Suricata is working in a different way.
 
I checked the impart on my DOCSIS connection and there is no measurable difference between Suricata vs. Snort in download and upload speeds. Also the temperature is stable at around 80C, even with some stress tests. It looks like the AX88U can easily handle Snort.
 
This may get missed in this guide but the assumption is that AiProtect must be disabled when installing Snort? Any thoughts on co-existence with Skynet?

Are there any other requirements to follow prior to installing?
This is compatible with Skynet (almost everything is since Skynet is using iptables for blocking so does not interfere with snort3, though because of the preset blocking rules from skynet, it means snort3 won't be looking at all those malicious sites already blocked by skynet).
 
Last edited:
can people with RT-AX88U post your system stats for me to salivate over ;)

Bash:
cat /proc/meminfo
cat /proc/buddyinfo
uptime

Thanks!
 
can people with RT-AX88U post your system stats for me to salivate over ;)

Bash:
cat /proc/meminfo
cat /proc/buddyinfo
uptime

Thanks!
Code:
admin@RT-AX88U-F810:/tmp/home/root# cat /proc/meminfo
MemTotal:         903572 kB
MemFree:           27944 kB
MemAvailable:      42108 kB
Buffers:            1172 kB
Cached:            56272 kB
SwapCached:        28760 kB
Active:           172996 kB
Inactive:         227640 kB
Active(anon):     150928 kB
Inactive(anon):   192544 kB
Active(file):      22068 kB
Inactive(file):    35096 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:       2097148 kB
SwapFree:        1853216 kB
Dirty:              3856 kB
Writeback:          9640 kB
AnonPages:        336864 kB
Mapped:            22400 kB
Shmem:               408 kB
Slab:             346960 kB
SReclaimable:      16396 kB
SUnreclaim:       330564 kB
KernelStack:        3376 kB
PageTables:         4364 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     2548932 kB
Committed_AS:    1204876 kB
VmallocTotal:   260046784 kB
VmallocUsed:      124544 kB
VmallocChunk:   259794800 kB
Code:
admin@RT-AX88U-F810:/tmp/home/root# cat /proc/buddyinfo
Node 0, zone      DMA   1147   1527    306    147     10      4      4      2      0      1      0
Code:
admin@RT-AX88U-F810:/tmp/home/root# uptime
 15:31:16 up 8 days, 19:20,  load average: 3.86, 3.94, 3.88
 
Code:
ASUSWRT-Merlin RT-AX88U 384.19_0 Fri Aug 14 19:20:07 UTC 2020
admin@RT-AX88U:/tmp/home/root# cat /proc/meminfo
MemTotal: 903572 kB
MemFree: 120252 kB
MemAvailable: 150516 kB
Buffers: 1484 kB
Cached: 88000 kB
SwapCached: 860 kB
Active: 338188 kB
Inactive: 64296 kB
Active(anon): 271800 kB
Inactive(anon): 51364 kB
Active(file): 66388 kB
Inactive(file): 12932 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 2097148 kB
SwapFree: 2095216 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 312324 kB
Mapped: 28868 kB
Shmem: 10164 kB
Slab: 322528 kB
SReclaimable: 4288 kB
SUnreclaim: 318240 kB
KernelStack: 2544 kB
PageTables: 2688 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 2548932 kB

Code:
Node 0, zone      DMA    588    352    503    181    299    150     73     37     10      3      2

Code:
 09:40:01 up  1:50,  load average: 3.61, 3.71, 3.76

Temp is still stable at 80C
 
Definitely watching this thread.... good job!
 
in my case, temp is 85 C, but it is hot here in my city now...
and there is running transmission, skynet, unbound, enabled Flex QOS ...
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top