Suricata Suricata 6 is available for testing

Kingp1n · Nov 30, 2021

heysoundude said:
Surprising (and disappointing, even), given the 8 Likes to your announcement post at the top of this thread. But maybe no news is good news?

What does Suricata do? I've been trying to see if I can use it with diversion, skynet and unbound.

Also can I use this on the GT-AX11000 and how simple is it to install?

heysoundude · Dec 1, 2021

Start here and follow the link on their page. It's probably not for everyone, but if you poke around for the original threads on here, you should find a good set of instructions.
I think your machine should be fine to run it if you decide to go that way. OP of this thread can probably offer further guidance - he's the person to ping

slidermike · Dec 1, 2021

Kingp1n said:
What does Suricata do?

Its an IPS similar to Snort.

rgnldo · Dec 4, 2021

Legal. Vou verificar se funciona a função IPS pela LAN. Depende muito dos Network Adapter drivers do roteador.

glehel · Mar 28, 2022

Thanks for the new version!

I installed suricata 6.0.4 currently in test mode af-packet copy back and forth between the br0-eth0 interface. I later saw that the extra version supports nfqueue mode, which creates a new opportunity to test and maybe activate the ips feature. Who can please help to compile a usable configuration, iptables rule, yaml optimization for AX88 router. The init.d file and the rule update script, and I took over the webui, from the old version 4, all work with a little modification.
So far it has found 2 dns incidents on your webui.
I think it's only IDS and not IPS mode.

the eve.json file size increases rapidly.

eve.json sample line

{"timestamp":"2022-03-28T07:10:44.582834+0200","flow_id":1226190670301487,"in_iface":"br0","event_type":"dns","src_ip":"192.168.1.111","src_port":16652,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":10382,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"www.youtube.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"www.youtube.com","rrtype":"CNAME","ttl":84600,"rdata":"youtube-ui.l.google.com"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.180.206"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.78"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"172.217.20.14"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"172.217.19.110"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.46"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.14"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.180.238"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.201.206"}],"grouped":{"A":["142.250.180.206","142.251.39.78","172.217.20.14","172.217.19.110","142.251.39.46","142.251.39.14","142.250.180.238","142.250.201.206"],"CNAME":["youtube-ui.l.google.com"]}}}

__________________________________________

27/3/2022 -- 21:47:59 - <Info> - Running in live mode, activating unix socket
27/3/2022 -- 21:47:59 - <Info> - Using unix socket file '/opt/var/run/suricata/suricata-command.socket'
27/3/2022 -- 21:47:59 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
27/3/2022 -- 21:47:59 - <Info> - All AFP capture threads are running.

BreakingDad · Mar 31, 2022

Would a pi 4 run this ? I'm looking for something to try on my spare one.

Don't worry, apparently it runs well on a rpi.

Well that's the weekend sorted, apart from the pizza.

Clark Griswald · Mar 31, 2022

@BreakingDad
Wow, you've got a spare Pi 4

BreakingDad · Mar 31, 2022

Clark Griswald said:
@BreakingDad
Wow, you've got a spare Pi 4

and a spare pi3, only 1 running right now. (yeah i heard their is a shortage of them right now)

glehel · Apr 2, 2022

Looks like IPS mode works in NFQUEUE mode.
The test rule was used to block a download file that I uploaded to a web server.

CPU Load Average (1, 5, 15 mins)	3.93, 3.62, 3.53

fast.log:

04/02/2022: 12: 54.223803 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.100:65108
04/02/2022-15: 13: 54.508244 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.106:42572

My iptables:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
629K 630M NFQUEUE all - * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
0 0 ACCEPT all - eth0 * 0.0.0.0/0 224.0.0.0/4
1 40 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED
0 0 other2wan all -! Br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1 105 NSFW all - * * 0.0.0.0/0 0.0.0.0/0
1 105 ACCEPT all - br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPN all - * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DNSFILTER_DOT tcp - br + * 0.0.0.0/0 0.0.0.0/0 tcp dpt: 853
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0

Milan · Apr 2, 2022

glehel said:
Looks like IPS mode works in NFQUEUE mode.
The test rule was used to block a download file that I uploaded to a web server.

CPU Load Average (1, 5, 15 mins) 3.93, 3.62, 3.53

fast.log:

04/02/2022: 12: 54.223803 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.100:65108
04/02/2022-15: 13: 54.508244 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.106:42572

My iptables:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
629K 630M NFQUEUE all - * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
0 0 ACCEPT all - eth0 * 0.0.0.0/0 224.0.0.0/4
1 40 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED
0 0 other2wan all -! Br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1 105 NSFW all - * * 0.0.0.0/0 0.0.0.0/0
1 105 ACCEPT all - br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPN all - * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DNSFILTER_DOT tcp - br + * 0.0.0.0/0 0.0.0.0/0 tcp dpt: 853
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0

Hi,

can you share what and how needs to be modified in v4 scripts to make it working, please?

glehel · Apr 2, 2022

Milan said:
Hi,

can you share what and how needs to be modified in v4 scripts to make it working, please?

there is no installation script, everything has to be installed one by one manually

Index of /aarch64-k3.10/test/suricata6/

suricata6-extra_6.0.4-1_aarch64-3.10.ipk

iptables -I FORWARD -j NFQUEUE

instead of this --runmode: workers-- You can try this --runmode: autofp--

Milan · Apr 2, 2022

glehel said:
there is no installation script, everything has to be installed one by one manually

Index of /aarch64-k3.10/test/suricata6/

suricata6-extra_6.0.4-1_aarch64-3.10.ipk

iptables -I FORWARD -j NFQUEUE

Thanks, working fine.

There was a GUI page for Suricata, but I can't find it now ...

heysoundude · Apr 2, 2022

Clark Griswald said:
@BreakingDad
Wow, you've got a spare Pi 4

do you need one? I've a 1GB Pi4 w PS sitting next to me I could probably part with

Clark Griswald · Apr 3, 2022

@heysoundude
Thank You for the offer! I am on the wait list for several Pi 4 8GBs.

heysoundude · Apr 3, 2022

Clark Griswald said:
@heysoundude
Thank You for the offer! I am on the wait list for several Pi 4 8GBs.

If you're pressed for time and need one, I figured I'd offer. hopefully the wait isn't too long for you

Milan · Apr 28, 2022

Just to mention - running on my router for some weeks now and no issue so far in IPS.
I am only missing some gui as was there for previous version :-(

skeal · Apr 28, 2022

I'm sure somehow this is great but there is such a small following. Why?

XIII · Apr 29, 2022

skeal said:
I'm sure somehow this is great but there is such a small following. Why?

Hardware requirements?

rgnldo · May 1, 2022

glehel said:
IPS mode works in NFQUEUE mode.

Nice! IPS NFQUEUE + selected rules + SSL fingerprint

XIII · May 21, 2022

XIII said:
Hardware requirements?

Does anyone know what they are?

I was able to purchase a Raspberry 4 with 8 GB (for a different project) and now I wonder whether this tiny computer can run Suricata?

Thread starter	Title	Forum	Replies	Date
	BACKUPMON BACKUPMON v1.7.2 -Apr 1, 2024- Backup/Restore your Router: JFFS + NVRAM + External USB Drive! CIFS/SMB/NFS! (Now available in AMTM!)	Asuswrt-Merlin AddOns	204	Mar 2, 2024
	MerlinAU MerlinAU v1.1.1 - The Ultimate Firmware Auto-Updater (Now available in AMTM)	Asuswrt-Merlin AddOns	322	Jan 21, 2024
	VPNMON VPNMON-R3 v1.3.3 -Apr 2, 2024- Monitor WAN/Dual-WAN/VPN Health & Reset Multiple OpenVPN Connections (Now available in AMTM!)	Asuswrt-Merlin AddOns	203	Nov 27, 2023
	AdGuard Home WebGui - "AdGuard Home is available at the following addresses"	Asuswrt-Merlin AddOns	7	Sep 18, 2023
W	Scribe Asuswrt-Merlin 388.2 is now available for select models	Asuswrt-Merlin AddOns	10	Jun 3, 2023

Suricata Suricata 6 is available for testing

Very Senior Member

Part of the Furniture

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Very Senior Member

Very Senior Member

Regular Contributor

Senior Member

Regular Contributor

Attachments

Senior Member

Part of the Furniture

Very Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Very Senior Member

Very Senior Member

Very Senior Member

Similar threads

Similar threads

Sign Up For SNBForums Daily Digest