Suricata Suricata - IDS on AsusWRT Merlin

[Smokey613]

Hi,

Are this number of threads, with the default suricata.yaml, expected?

cromo@RT-AX88U-8158:/tmp/home/root# ps T|grep suri
19668 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19675 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19676 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19677 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19678 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19679 cromo 733m S {W#01} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19680 cromo 733m S {W#02} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19681 cromo 733m S {W#03} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19682 cromo 733m S {W#04} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19683 cromo 733m S {W#05} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19684 cromo 733m S {W#06} suricata -c /opt/etc/suricata/suricata.yaml --af-packet

Check my post #141

 

[ugandy]

Check my post #141

i see. 1 single process, but multiple threads.
thx

 

[rgnldo]

Analyzing the Martineau script, in the pre-reqs conference, it was for me like AiProtection activated. It was not enabled. If this happens, organize these commands:

nvram set TM_EULA=0
nvram commit
service start_reboot

Source:
https://www.snbforums.com/threads/aiprotection-online-features.45285/#post-397729

 

[mike37]

So you restart the script often? Thanks....I appreciate that this is less a Skynet kind of thing....

Yes, so as to catch the latest rule updates (Suricata folks seem to be aggressively keeping up with/correcting the changing landscape ). Rules are changing/improving every few days - it's rather like Kaspersky keeping up with 0-days.

Note that restarting will update rules and will clear out temporary work spaces, etc. - but unless you modify the script, it will not delete logs.

 

[rgnldo]

For logs limit, insert option limit:

  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb

 

[mike37]

firewall

IDS/IPS

These are applications for different purposes.

As I understand it, Suricata does not block websites, but the action of the website, application or any attempted intrusion....

Agreed - IMHO that is how an IDS/IPS should work. But there are current/maintained Suricata rules (e.g. "drop.rules", "compromised.rules" ) that are simply website blocking lists. Perhaps they are intended as an option for users who do not have a Skynet type of address blocker (In that situation blocking an address outright would be good).

And they seem to use some of the same sources as Skynet - though not nearly as many - so I'm suggesting it is best to NOT use Suricata for simple address blocking; to use Skynet/ipset for that function; and to use Suricata for packet analysis.

 

[mike37]

That sounds reasonable. I remember back when I was running Untangle behind my Cisco router some relatives came over to spend the night and their laptop had malware on it spewing out stuff which Untangle caught. They complained their laptop was not working. I had to disinfect it for it to pass Untangle.

Heh....ROTFLMAO! You're a full-service hotel and host.

 

[penguin22]

Once my workday is over, I will test installing to provide feedback; I do have Traditional QoS enabled, though looking through this thread, believe that the limitation is Adaptive QoS... only one way to find out for sure .

Will also need to determine recovery/uninstall method should things go awry. I've become good at undo/revert with multiple joyous occurrences of breaking things to make them better.

I was able to load, though needed to browse to the created directory and execute with the install configuration. So far, so good. Thanks and I'll continue testing over the next several days.

 

[glehel]

My af-packet config 1 WAN 1 TUN (vpn) interface (tun11=vpn1)
all 2 interface working on suricata
test who has a vpn connection and ask for feedback on how it works

af-packet:
- interface: eth0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: tun11
buffer-size: 64535
use-mmap: yes
- interface: tun11
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes

 

[Milan]

[✖] ***ERROR QoS ENABLED

is it a real problem to have it enabled together wit Suricata ? it is running on mine for 3 weeks together and no issues ...
suricata_manager is not continuing due this.

 

[joe scian]

is it a real problem to have it enabled together wit Suricata ? it is running on mine for 3 weeks together and no issues ...
suricata_manager is not continuing due this.

should be fine - on my RT-Ac5300 i dont get any of those protocol errors that HND routers are getting and I have adaptive QOS running with FreshJr QOS script. I might add Im running 20 Suricata rules without any stability issues on the Router and I have memory to spare.

 

[rgnldo]

protocol errors that HND routers are getting and I have adaptive QOS running with FreshJr QOS scrip

Good to know. We need feedbacks like yours to work out a pre-reqs pattern.

 

[glehel]

I would be interested in how to monitor the 2 interfaces? Maybe I should run 2 Suricata/ 2 interface at a time?
What I set up works but uses a lot of CPU power, which slows down the net.
The ids test works for both the vpn client and the wan client, the log is displayed. It works nicely, but something isn't good.
I have currently disabled all Trend Micro stuff. There is no error in the log. Really the qos don't even need 200 Mbit net. I will replace the rest with other programs. Trend Micro communicates a lot outside, it might be better to disable it forever.

 

[glehel]

# Linux high speed capture support
af-packet:
- interface: eth0
- interface: tun11
defrag: yes
use-mmap: yes

netmap:
- interface: br0

testing, working!

 

[ugandy]

af-packet:
- interface: eth0
- interface: tun11
defrag: yes
use-mmap: yes

netmap:
- interface: br0

is this the single change needed to monitor the vpn traffic too? (adding the "-interface:tun11" line)
thx

 

[penguin22]

My af-packet config 1 WAN 1 TUN (vpn) interface (tun11=vpn1)
all 2 interface working on suricata
test who has a vpn connection and ask for feedback on how it works

af-packet:
- interface: eth0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: tun11
buffer-size: 64535
use-mmap: yes
- interface: tun11
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes

Is there a benefit to supporting a VPN interface in this method compared to adding just -interface: tun11 following eth0? It appears that you are separately defining settings per interface in this manner, perhaps for more clear logging purposes or is this for other value?

How has your testing gone with these configurations? I only added tun11 this evening and will monitor logs and continue to monitor performance.

Thanks for all the support everyone!

 

[vdemarco]

So i added
- emerging-web_client.rules
- emerging-current_events.rules
to the rule-files

Is there some reason that those are not in the yaml file?

 

[penguin22]

@Martineau; the install script is working great so far. I have found that when running with the log command, suricata stops once you break out of it; issuing with a start command does the trick and there aren't any logs showing why it stops, so thinking there would need to be a restart issued once breaking from logs.

 

[glehel]

I have a question: why is AF_PACKET IPS mode right for us? Why not the Iptables configuration?
https://suricata.readthedocs.io/en/...ine-for-linux.html#settings-up-ips-at-layer-2

 

[mike37]

I have a question: why is AF_PACKET IPS mode right for us? Why not the Iptables configuration?
https://suricata.readthedocs.io/en/...ine-for-linux.html#settings-up-ips-at-layer-2

https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

.