Sparrows Suricata - IDS on AsusWRT Merlin

Jack-Sparr0w

Senior Member
whitelisted firewall settings that reflect unbound config

I changed the values for whitelisting VPN etc. Does it look alright?

%YAML 1.1
---

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[192.168.50.0/16,10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,169.254.0.0/16]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[103.86.96.100,103.86.99.100]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    VPN_IP: "[use vpn public ip add hear!!!!!!! and erase message if used or not used]"

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "29100"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"
    VPN_PORTS: "53,443,1194"
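A quick way to answer "does it look alright" before handing the file to Suricata is to lint the vars block mechanically. The script below is an added example, not from the thread and not part of Suricata or the Merlin/Entware package: it uses a minimal line reader for the flat `vars:` layout above (so it does not need PyYAML), then checks every address-group token for valid CIDR syntax, host bits set in the prefix (the `192.168.50.0/16` entry above actually covers `192.168.0.0/16`), leftover placeholder text such as the `VPN_IP` line, and `$VAR` references that point at nothing, and every port-group token for Suricata's `port`, `a:b`, `:b`, `a:` and `!` forms. `SAMPLE_VARS` is a constructed excerpt of the posted config; the function names are this example's own.

```python
"""Lint the address-groups / port-groups vars of a suricata.yaml (added example)."""
import ipaddress
import re

# Constructed sample: a subset of the config posted above, placeholder kept verbatim.
SAMPLE_VARS = '''\
vars:
  address-groups:
    HOME_NET: "[192.168.50.0/16,10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,169.254.0.0/16]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[103.86.96.100,103.86.99.100]"
    HTTP_SERVERS: "$HOME_NET"
    VPN_IP: "[use vpn public ip add hear!!!!!!! and erase message if used or not used]"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"
    VPN_PORTS: "53,443,1194"
'''

# key: "quoted value"  |  key: bare  |  key:   (section header, empty value)
KV_RE = re.compile(r'^([A-Za-z0-9_-]+):\s*(?:"([^"]*)"|(\S*))$')
# Suricata port tokens: 80, 80:90, :1024, 1024:, each optionally negated with '!'
PORT_TOKEN_RE = re.compile(r'^!?(\d{1,5}|\d{1,5}:\d{1,5}|:\d{1,5}|\d{1,5}:)$')


def parse_vars(text):
    """Return {'address-groups': {...}, 'port-groups': {...}} from a flat vars block."""
    groups, current = {}, None
    for line in text.splitlines():
        stripped = line.split('#', 1)[0].strip()   # drop comments and blank lines
        m = KV_RE.match(stripped) if stripped else None
        if not m:
            continue
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if value == '':                             # 'vars:' / 'address-groups:' headers
            if key in ('address-groups', 'port-groups'):
                current = groups.setdefault(key, {})
            continue
        if current is not None:
            current[key] = value
    return groups


def split_list(value):
    """'[a,b]' or 'a,b' -> ['a', 'b'] (Suricata list syntax, one level)."""
    v = value.strip()
    if v.startswith('[') and v.endswith(']'):
        v = v[1:-1]
    return [t.strip() for t in v.split(',') if t.strip()]


def _check_reference(var, tok, groups, problems):
    """Handle 'any' and '$VAR' / '!$VAR' tokens; return True if tok was one of them."""
    if tok == 'any':
        return True
    if tok.lstrip('!').startswith('$'):
        if tok.lstrip('!$') not in groups:
            problems.append((var, tok, 'reference to undefined variable'))
        return True
    return False


def check_address_groups(groups):
    """Return (var, token, problem) for every suspicious address-group entry."""
    problems = []
    for var, value in groups.items():
        for tok in split_list(value):
            if _check_reference(var, tok, groups, problems):
                continue
            t = tok.lstrip('!')
            try:
                ipaddress.ip_network(t, strict=True)     # bare IP or clean CIDR
            except ValueError:
                try:
                    net = ipaddress.ip_network(t, strict=False)
                    problems.append((var, tok, f'host bits set; prefix actually covers {net}'))
                except ValueError:
                    problems.append((var, tok, 'not an IP address or CIDR'))
    return problems


def check_port_groups(groups):
    """Return (var, token, problem) for every malformed port-group entry."""
    problems = []
    for var, value in groups.items():
        for tok in split_list(value):
            if _check_reference(var, tok, groups, problems):
                continue
            if not PORT_TOKEN_RE.match(tok):
                problems.append((var, tok, 'not a port or port range'))
            elif any(int(n) > 65535 for n in re.findall(r'\d+', tok)):
                problems.append((var, tok, 'port above 65535'))
    return problems


def audit(text):
    """Parse a vars block and return (address_problems, port_problems)."""
    groups = parse_vars(text)
    return (check_address_groups(groups.get('address-groups', {})),
            check_port_groups(groups.get('port-groups', {})))


if __name__ == '__main__':
    addr, ports = audit(SAMPLE_VARS)
    for var, tok, why in addr + ports:
        print(f'{var}: {tok!r}: {why}')
```

Run it against the full file and it reports two findings for the posted config: `HOME_NET` has `192.168.50.0/16` with host bits set (the /16 covers all of 192.168.0.0/16, which is almost certainly wider than the 192.168.50.0/24 LAN the router uses), and `VPN_IP` still holds the placeholder text rather than an address. The port groups pass as written.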
 
It’s probably best to ask in the thread that indicates how to install suricata on your router… I remember someone got it working a number of years ago (pre covid?) on a prior generation of routers, but this would be better on the more capable ones now…

Your sig doesn’t indicate your hardware or current firmware etc…
 
I seemed to recall @rgnldo a number of years ago had a thread about suricata

 
I seemed to recall @rgnldo a number of years ago had a thread about suricata

Same guide I used, just changed the values so it works with all other programs.
 
I seemed to recall @rgnldo a number of years ago had a thread about suricata

That was it! Thanks for reminding us…
 
On an old router it takes to it fine; on a new Asus BE router with VPN I'm getting an issue: failed to start. Any tricks I could do to fix it? Maybe a sleep command just so the VPN can start first.
 
Just a friendly heads‑up from someone who’s spent a lot of time with Suricata.

Running Suricata directly on an Asus router might look like a clever way to add IDS/IPS, but it’s really not a great idea from a security or stability standpoint. These routers simply aren’t designed to run a full packet‑inspection engine at the OS level.

A few points worth considering:
  • Asuswrt isn’t a general‑purpose Linux distro. It’s a heavily customized embedded environment with limited resources, non‑standard kernel modules, and no guarantee that Suricata’s dependencies behave the way they do on a normal Linux system.
  • You’re placing trust in a security tool running on a platform that was never meant to support it. That means no hardened kernel, no guaranteed memory isolation, and no assurance that Suricata’s detection engine is actually inspecting traffic correctly under load.
  • Performance and reliability are unpredictable. Even high‑end BE‑series routers can choke when you bolt on a full IDS/IPS stack. Packet drops, false negatives, and random service failures are common because the hardware acceleration pipeline isn’t built for this.
  • The Suricata build used in this script is already outdated. It’s not really maintained by anyone, and nobody knows if or when it will ever be updated. That means no current rule‑set compatibility guarantees, no security patches, and no fixes if something breaks.
  • If something breaks, you’re on your own. Neither Asus nor the Merlin project supports Suricata. Any update—kernel, firmware, driver, or even a minor change in the networking stack—can silently break your IDS without you noticing.
If you want real IDS/IPS, you’ll get far better results running Suricata on a proper platform: a small x86 box, or anything with a standard Linux environment and enough CPU to handle deep packet inspection reliably. That’s exactly how I run it: an older AMD system with dual Ethernet ports sitting between the router and the modem. It gives you proper performance, current Suricata builds, and a security stack that behaves the way it’s supposed to.

Just wanted to point this out so you’re not relying on a security layer that might not actually be protecting you the way you expect.
 