Suricata Some general questions

[Jeff-]

I changed the "test" URL for Suricata_manager.sh so it works now as indicated here. When I go to the router's UI it doesn't show up until the next day. I ran related cron jobs for logging and clicked Update Stats, and it seems to work. I just don't understand enough "under the hood" to feel comfortable navigating the CLI. Is there Merlin specific documentation available?
How do I verify new rules are downloaded by cron at 3am?
Also, in Github it doesn't show any activity for 3 years. Is it still supported?
Should I even be using it?
Is there a newer IDS/IPS solution being used by this community?
Any help and/or pointers would be greatly appreciated.

 

[Tech9]

Should I even be using it?

It was never designed to run on a severely limited RAM home router. Experimental dead end project.

 

[Jeff-]

It was never designed to run on a severely limited RAM home router. Experimental dead end project

Thanks Tech9, I was wondering. I do have a newer router but, your right. I used to run Snort on a Linux server years ago and was aware that was a mem hog, there were remarks that's how it got it's name. I'll pull Suricata. Any thoughts on Skynet? I know it's not IDS/IPS but seems like a good addition to default firewall?

 

[Tech9]

On-device IDS/IPS needs RAM and CPU. Home routers have a little of both. IDS/IPS is not very effective with encrypted traffic. It doesn't see most of the traffic. If you run SSL proxy - more RAM and CPU plus issues. Snort/Suricata - on x86 hardware. Skynet is an IP-blocker with community blocklists. The built-in firewall blocks all unsolicited connections by default, Skynet mostly takes the credit for matched IP addresses in blocklists. Many people get impressed how much work it does, freak out as a result and block more and more closing the gap between WAN and LAN really fast. I have studied the going downhill process some time ago. Skynet is a useful tool in the hands of who knows how it works and what to use it for. History of false positives in community blocklists blocking access to popular DNS servers, Google, Microsoft, GitHub. Use only if you know how to troubleshoot yourself.

 

[Jeff-]

Thank you again tech9. I just have it look at internet 'chatter', not acting on what I see. I've talked to folks that freak out when given the ability to see the random traffic that is normal internet activity. I'm just interested in the whole Merlin FW as I just bought a router that's supported. Well, I don't want to waist your time in a nonproductive chat here, so I'll stop short of a long conversation.

 

[Tech9]

I understand. Make a clean configuration, save your settings. Play with whatever you like, reset and restore the settings when you run into issues. It will save you time between the game sessions. I have one dedicated Asus router for this purpose alone. It was flashed and reset 100+ times already. I don't touch my main system though. Make sure you don't piss off other network users too much. The couch is waiting for you.

 

[Jeff-]

Absolutly, I really like my roommate and want her to receive the best customer service I can provide. Speaking of backups: If I use the web UI and do "Router Settings" and "JFFS" soes that cover it? I see NSRUM addon, should I use that as well?

 

[Tech9]

I see NSRUM addon, should I use that as well?

Don't use this add-on. Old and unsupported since 384 firmware series. Router settings and jffs is good enough. After you stop playing with add-ons use only the ones you need and remove the rest. Some add-ons will have negative impact on your Internet experience. If you are using USB stick for your swap/scripts your router is as reliable as the USB stick. They fail quite often with this type of use. They were never designed for constant read/write.

 

[Jeff-]

Got it. And I was playing actually. I'm using a spindle drive for USB as I partitioned it for sda1 and sda2 using part for media. I have searched for some guidelines like yours and welcome any other advice for someone new to Merlin. I'm an old IT guy, I saw this and just couldn't resist.