Suricata - IDS on AsusWRT Merlin


rgnldo

Very Senior Member
Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
Suricata’s fast paced community driven development focuses on security, usability and efficiency.


IDS vs IPS


Not compatible with AiProtection Trend Micro and QoS Adaptive

ABOUT: I would like to inform you that all members who help in this thread are volunteers. Therefore, some problems may take a day or more to be answered. Wait patiently.

Installation steps:
Create Swap file
We will need the Entware-NG repository.


Suricata script installer
This repo includes support files used by suricata_manager.sh maintained by @juched https://github.com/juched78/suricata-merlin

Includes scripts to support features like:
  • Install and Uninstall Suricata
  • Auto update rules nightly at 3AM
  • Collect Logs
  • Display stats on UI
Pre-requisites
  1. Currently only supports Asus routers running Merlin firmware
  2. Asus QoS and AiProtection Trend Micro DISABLED
  3. Entware
  4. USB Storage
  5. JFFS Custom Scripts Enabled
Install/Update Example
  1. Run the installer:
Bash:
mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/suricata 2>/dev/null; curl --retry 3 "https://raw.githubusercontent.com/juched78/suricata-merlin/master/suricata_manager.sh" -o "/jffs/addons/suricata/suricata_manager.sh" && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" && /jffs/addons/suricata/suricata_manager.sh install

Usage
Usage: suricata_manager ['help'|'-h'] | [ 'debug' ] [ 'install' | 'uninstall' | 'check' | 'stop' | 'start' | 'logs' | 'config[x]' | 'test' ]

suricata_manager config: View the suricata.yml file

suricata_manager configx: Edit the suricata.yml file

suricata_manager check: Syntax check the suricata.yml file

suricata_manager test: Generate a spoof HTTPS attack (To see it you will need to enable the http.log) uid=0(root) gid=0(root) groups=0(root)

suricata_manager logs: View the logs for activity

Bash:
/opt/var/log/suricata/fast.log
Bash:
/opt/var/log/suricata/stats.log
Optional:
Credits: @faux123
Fork FW Merlin adapted for Suricata.
WARNING: this is a GPL only release, meaning if you use this release with AdaptiveQoS or AiProtect (AiMesh is okay which I'm using myself).

Because Zswap is enabled by default, add the following line to your script located in /jffs/scripts/post-mount

echo 100 > /proc/sys/vm/swappiness

just before the swapon line. Zswap will use 25% of your RAM and uses z3fold memory compression (about 2.6x compression ratio) to expand your RAM further. So 25% of 512 MBytes is 128 MBytes; 128 MBytes * 2.6 compression ratio = 332 MByte total compressed memory; add back your remaining real RAM of 384 MBytes and you will have approximately 716 MBytes of RAM to play with, which helps the poor AC86U with just 512 MBytes of real RAM. This will help Suricata a bit, as Suricata is a memory hog.

For WireGuard, please follow the WireGuard post in the VPN forum; the only thing you need to change is the line in the WireGuard shell scripts (located at /opt/etc/wireguard/wg-up, wg-policy, wg-server) where you see:

Bash:
#insmod /opt/lib/modules/wireguard
insmod /lib/modules/4.1.27/kernel/net/wireguard/wireguard
so it uses the built-in kernel module rather than kernel module from Entware.

For CakeQoS, make the following change to the /jffs/addons/cake-qos/cake-qos script where:

Bash:
        #insmod /opt/lib/modules/sch_cake.ko 2>/dev/null
        insmod /lib/modules/4.1.27/kernel/net/sch_cake/sch_cake.ko 2>/dev/null
Get faux123_fork_fw_merlin
Download and use at your own risk.

Enjoy!

TonyK132

Senior Member
Maybe I'm brain dead today (always?), but please explain your statement:

I do not recommend installing with Skynet, as long as there is no firewall support.

intr0

Occasional Visitor
I saw Suricata IDS and :D. Awesome.

SomeWhereOverTheRainBow

Very Senior Member
Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
Suricata’s fast paced community driven development focuses on security, usability and efficiency.


The installation proposal is experimental. Installation is recommended for HND routers, with a 4.x kernel.
I do not recommend installing with Skynet, as long as there is no firewall support.

Installation steps:
Create Swap file
We will need the Entware-NG repository.

Code:
opkg update
opkg install suricata
Get suricata.yaml
Code:
curl -o /opt/etc/suricata/suricata.yaml https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/suricata.yaml
Edit on
address-groups:
HOME_NET:
and
DNS_SERVERS:

Get S82suricata
Code:
curl -o /opt/etc/init.d/S82suricata https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/S82suricata
Code:
chmod +x /opt/etc/init.d/S82suricata
Get rules and classification.config:
Code:
mkdir /opt/var/lib/suricata/rules
folder owner:
Code:
chown nobody /opt/var/lib/suricata/rules
Code:
curl -o /opt/etc/suricata/classification.config https://rules.emergingthreats.net/open/suricata-4.0/rules/classification.config
and
Code:
curl -SL https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -zxC /opt/var/lib/suricata/
run suricata:
Code:
/opt/etc/init.d/S82suricata start
Enjoy!


I appreciate that you got around to this. :)

XIII

Very Senior Member
You need firewall rules. If you managed to live with Skynet, that's fine.
I’m afraid I don’t understand this answer.

Can someone please explain to a newbie that wants to learn?

Does this replace SkyNet? Or is it (currently) incompatible?

(I might be confused by the “as long as” in the first post; to me that suggests something is currently missing and I should wait for that - but the confusion might also be caused by the fact that we both are not native speakers?)

coxhaus

Part of the Furniture
I like this. You will have a bright future as router CPUs are getting faster and faster with more RAM.

thelonelycoder

Part of the Furniture
I’m afraid I don’t understand this answer.

Can someone please explain to a newbie that wants to learn?

Does this replace SkyNet? Or is it (currently) incompatible?

(I might be confused by the “as long as” in the first post; to me that suggests something is currently missing and I should wait for that - but the confusion might also be caused by the fact that we both are not native speakers?)
The usual confusion.

rgnldo

Very Senior Member
I’m afraid I don’t understand this answer.

Can someone please explain to a newbie that wants to learn?

Does this replace SkyNet? Or is it (currently) incompatible?

(I might be confused by the “as long as” in the first post; to me that suggests something is currently missing and I should wait for that - but the confusion might also be caused by the fact that we both are not native speakers?)
There is no goal of replacing applications. For now, there is no support. Soon we will have support. But if you follow the rules of Suricata and the engine mode, you will see something ROBUST and completely compatible with IPV4/IPV6.

rgnldo

Very Senior Member
An application like trojans. Suricata acting.
Code:
04/26/2020-10:48:59.208024  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>
04/26/2020-18:50:29.049005  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>
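As an added example (not code from the forum post or from any of the scripts it links), here is a small Python parser for Suricata's fast.log that counts alerts like the two above per signature and per destination host. The sample lines are constructed, use RFC 5737 documentation addresses, and the last one is truncated the way the post shows it, so the parser treats the priority and flow tail as optional.

```python
import re
from collections import Counter

# Suricata fast.log layout. The "[Priority: N] {PROTO} src -> dst" tail is
# optional so that lines truncated by the terminal, as in the forum post,
# still yield the signature id and classification.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)

def parse_fast_line(line):
    """Return a dict for one fast.log alert line, or None if it is not one."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"]) if alert["prio"] else None
    return alert

def summarize(lines):
    """Count alerts per (sid, msg) and per destination host, port stripped."""
    by_sid, by_dst = Counter(), Counter()
    for a in filter(None, map(parse_fast_line, lines)):
        by_sid[(a["sid"], a["msg"])] += 1
        if a["dst"]:
            by_dst[a["dst"].rsplit(":", 1)[0]] += 1
    return by_sid, by_dst

# Constructed sample: two complete lines using RFC 5737 documentation addresses,
# plus one line truncated exactly as the forum post shows it.
SAMPLE_LOG = """\
04/26/2020-10:48:59.208024  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.23:51544 -> 203.0.113.7:443
04/26/2020-11:02:10.000001  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.23:51610 -> 203.0.113.7:443
04/26/2020-18:50:29.049005  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>
"""

if __name__ == "__main__":
    by_sid, by_dst = summarize(SAMPLE_LOG.splitlines())
    for (sid, msg), n in by_sid.most_common():
        print(f"{n:3d}  sid {sid}  {msg}")
    for host, n in by_dst.most_common():
        print(f"{n:3d}  -> {host}")
```

On the router the same functions can be fed the real file with `open("/opt/var/log/suricata/fast.log")` in place of SAMPLE_LOG.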

mike37

Regular Contributor
thanks, working like a charm.
Good to know; thank you for posting, Milan!!

And thank you Rgnldo for the OP!!

Some questions, please:

1. Which router? Which firmware?

2. What else are you running? Any conflicts or performance degradation?

3. How did you test it? e.g. NMAP? Metasploit? Possibly a testing site on the web (I used to know of an NMAP site, but lost it)? And what tests?

4. How frequently are the signatures updated? Is this a manual operation; or perhaps automatically weekly?

5. Could/would you compare/contrast it with the AiProtect, please.

Thank you very much In Advance!!!

Milan

Senior Member
get new suricata.yaml
edit on:
HOME_NET:
DNS_SERVERS:
and
af-packet:
- interface: -> your interface wan
the interface is br0 I think?

Good to know; thank you for posting, Milan!!

And thank you Rgnldo for the OP!!

Some questions, please:

1. Which router? Which firmware?

2. What else are you running? Any conflicts or performance degradation?

3. How did you test it? e.g. NMAP? Metasploit? Possibly a testing site on the web (I used to know of an NMAP site, but lost it)? And what tests?

4. How frequently are the signatures updated? Is this a manual operation; or perhaps automatically weekly?

5. Could/would you compare/contrast it with the AiProtect, please.

Thank you very much In Advance!!!
1. ax88u with the latest merlin
2. all other scripts from here - haven't seen any perf degradation.
3. haven't tested
4. no clue, haven't checked till now.
5. no clue how to compare.

http log is showing info, but stats are empty...

rgnldo

Very Senior Member
1. Which router? Which firmware?
I recommend installing on a HND router.
2. What else are you running? Any conflicts or performance degradation?
the rules that I have enabled are enough to obtain a good functioning.
3. How did you test it? e.g. NMAP? Metasploit? Possibly a testing site on the web (I used to know of an NMAP site, but lost it)? And what tests?
Yes, tested.

5. Could/would you compare/contrast it with the AiProtect, please.
open source, engine detect ipv4/ipv6, strong development community.
4. How frequently are the signatures updated? Is this a manual operation; or perhaps automatically weekly?
via cron, I will organize in the post.

SuperDuke

Regular Contributor
@rgnldo .....do you disable AiProtect as well with this setup?

Suricata reads like a very good solution....I would be interested in understanding what the thoughts are comparing it to say Skynet.

Also, are there any Unbound interfaces?

dffvb

Occasional Visitor
Sounds interesting and like a severe security upgrade for the Asus routers. Speaking for myself: I think you need to communicate a little bit better, for the people to understand. Thanks for the work so far.