Suricata - IDS on AsusWRT Merlin


err....... nah! I'm old and over the hill. Something like this should be spearheaded by an energetic, young guy - preferably from Brazil - with a powerful, developer's computer. :)
I'm a little Jedi, just like you. We will adapt Suricata as much as possible with the support of everyone. :)
 
edit for yes
Code:
  - file:
      enabled: no
      filename: /opt/var/log/suricata/suricata.log

when I want to test Suricata, I run
Code:
suricata -c /opt/etc/suricata/suricata.yaml --af-packet
Thanks - so I think it starts healthy, but surprisingly on 4 threads (?)
But then its termination appears to core dump... What am I missing?

Code:
26/5/2020 -- 21:35:30 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
26/5/2020 -- 21:35:30 - <Notice> - This is Suricata version 4.1.7 RELEASE
26/5/2020 -- 21:35:30 - <Info> - CPUs/cores online: 4
26/5/2020 -- 21:35:30 - <Info> - Found an MTU of 1492 for 'ppp0'
26/5/2020 -- 21:35:30 - <Info> - Found an MTU of 1492 for 'ppp0'
26/5/2020 -- 21:35:30 - <Info> - storing files in /opt/var/log/suricata
26/5/2020 -- 21:35:30 - <Info> - fast output device (regular) initialized: fast.log
26/5/2020 -- 21:35:30 - <Info> - http-log output device (regular) initialized: http.log
26/5/2020 -- 21:35:30 - <Info> - stats output device (regular) initialized: stats.log
26/5/2020 -- 21:35:30 - <Info> - eve-log output device (regular) initialized: eve-%Y-%m-%d-%H:%M.json
26/5/2020 -- 21:35:30 - <Info> - 17 rule files processed. 2315 rules successfully loaded, 0 rules failed
26/5/2020 -- 21:35:30 - <Info> - Threshold config parsed: 0 rule(s) found
26/5/2020 -- 21:35:30 - <Info> - 2315 signatures processed. 210 are IP-only rules, 439 are inspecting packet payload, 1741 inspect application layer, 0 are decoder event only
26/5/2020 -- 21:35:32 - <Info> - Going to use 4 thread(s)
26/5/2020 -- 21:35:32 - <Notice> - AFL mode starting
26/5/2020 -- 21:35:32 - <Notice> - AFL mode starting
26/5/2020 -- 21:35:32 - <Notice> - AFL mode starting
26/5/2020 -- 21:35:32 - <Notice> - AFL mode starting
26/5/2020 -- 21:35:32 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.
26/5/2020 -- 21:35:32 - <Info> - All AFP capture threads are running.
 
Got to the bottom of core dumps and I will need to change my version of S82suricata. Basically, killall from rc.func appears to be too aggressive for multithreaded suricata. Killing suricata's master pid gently allows it to stop threads gracefully. Multithreading appears to be its standard behaviour on AX88U, controlled by cpu affinity settings.
On a separate note (but maybe relevant), has anybody worked out how to use Suricata Socket Control?
/suricata.readthedocs.io/en/suricata-5.0.0/manpages/suricatasc.htm
I do not see it in the entware package (which is 4.1.7), perhaps it is only available from 5.0.

This would allow for much nicer management and stats capturing..

EDIT: There's also a yaml setting for core-dump size; setting it to zero instead of unlimited is a good idea. I am keeping my clean shutdown too.
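A gentler stop routine of the kind the post above describes, as an added example (not code from the thread or from the Entware S82suricata script): it signals only the master PID recorded in Suricata's pidfile with SIGTERM so the worker threads can wind down, and escalates to SIGKILL only after a timeout. The pidfile path is an assumption; Suricata writes it when started with --pidfile.

```shell
#!/bin/sh
# Stop a multithreaded Suricata by its master PID instead of killall.
# Assumed pidfile location (pass --pidfile with this path when starting).
PIDFILE="${PIDFILE:-/opt/var/run/suricata.pid}"

# graceful_stop PIDFILE [TIMEOUT_SECONDS]
# Returns 0 when the process is gone (or was never running),
# 1 when it ignored SIGTERM and had to be killed with SIGKILL.
graceful_stop() {
    pidfile="$1"
    limit="${2:-30}"
    [ -r "$pidfile" ] || return 0              # no pidfile: treat as already stopped
    pid=$(cat "$pidfile")
    if ! kill -0 "$pid" 2>/dev/null; then       # stale pidfile from an earlier crash
        rm -f "$pidfile"
        return 0
    fi
    kill -TERM "$pid"                          # master PID only; threads exit with it
    wait "$pid" 2>/dev/null || true            # reaps it if it is our child, no-op otherwise
    i=0
    while kill -0 "$pid" 2>/dev/null; do       # poll until the process table entry is gone
        i=$((i + 1))
        if [ "$i" -ge "$limit" ]; then
            kill -KILL "$pid" 2>/dev/null      # last resort, only after the timeout
            rm -f "$pidfile"
            return 1
        fi
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# Example usage in place of rc.func's killall:
#   graceful_stop "$PIDFILE" 30 || echo "suricata did not stop cleanly"
```

In an S82suricata built on rc.func this would replace the stop action; the start line needs `--pidfile "$PIDFILE"` added to ARGS so the file exists.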
 
there's an updated suricata.yaml on github...
 
there's an updated suricata.yaml on github...
I just installed it. Took a tiny bit to edit the file so it all works. No problem though.

Spoke too soon, just reverted the file, my 5GHz wifi stopped working.
 
I notice that with the last yaml file, the suricata process dies rather frequently. Would anything be recorded in the logs? I couldn't find any record of the crash.
 
I notice that with the last yaml file, the suricata process dies rather frequently. Would anything be recorded in the logs? I couldn't find any record of the crash.
Probably concurrent with simultaneous processes. There are incompatible processes. Suricata is still experimental. The fewer applications installed, the better. Working normally here.
Try and edit suricata.yaml
Code:
host-mode: auto
 
thanks. changing host-mode to 'auto' helped. I guess IPS mode is not working right.
 
Suricata, the relentless
only alerts
Code:
2020-06-05-10:50:16 -[**]-[**]-[**]-[**]-[**]/libhtp::request_uri_not_seen[**]204[**]0 byte[**]100.64.2.5:47914 -> 172.217.30.100:80
2020-06-05-10:52:09 -[**]-[**]-[**]-[**]-[**]/libhtp::request_uri_not_seen[**]200[**]2605 byte[**]100.64.2.5:59871 -> 187.45.234.5:80
2020-06-06-06:55:41 -[**]-[**]-[**]-[**]-[**]/libhtp::request_uri_not_seen[**]301[**]175 byte[**]100.64.2.5:64390 -> 65.111.254.7:80
2020-06-06-06:55:46 -[**]-[**]-[**]-[**]-[**]/libhtp::request_uri_not_seen[**]301[**]176 byte[**]100.64.2.5:64394 -> 65.111.254.7:80
2020-06-06-08:28:24 api.wolframalpha.com[**]-[**]curl/7.69.1[**]HTTP/1.1[**]GET[**]/v2/query?input=googlevideo.com&appid=$RL2&format=plaintext&p>
2020-06-06-08:57:26 api.wolframalpha.com[**]-[**]curl/7.69.1[**]HTTP/1.1[**]GET[**]/v2/query?input=googlevideo.com&appid=$RL2&format=plaintext&p>
2020-06-06-09:01:20 api.wolframalpha.com[**]-[**]curl/7.69.1[**]HTTP/1.1[**]GET[**]/v2/query?input=googlevideo.com&appid=$RL2Q8W-YJ47GKTEP4&format=plaintext&p>
2020-06-06-09:03:28 api.wolframalpha.com[**]-[**]curl/7.69.1[**]HTTP/1.1[**]GET[**]/v2/query?input=googlevideo.com&appid=$RL2&format=plaintext&p>
2020-06-06-09:26:01 api.wolframalpha.com[**]-[**]curl/7.69.1[**]HTTP/1.1[**]GET[**]/v2/query?input=googlevideo.com&appid=$RL2&format=plaintext&p>
2020-06-06-09:27:59 api.wolframalpha.com[**]-[**]curl/7.69.1[**]HTTP/1.1[**]GET[**]/v2/query?input=googlevideo.com&appid=$RL2&format=plaintext&p
2020-06-06-20:58:47 -[**]-[**]-[**]-[**]-[**]/libhtp::request_uri_not_seen[**]204[**]0 byte[**]100.64.2.5:57190 -> 172.217.30.100:80
 
I noticed that stats.log is empty even if enabled and suricata started correctly on my rt86u router. It should be showing some stats to confirm that packets are examined. Do you guys see anything in stats.log?
 
I noticed that stats.log is empty even if enabled and suricata started correctly on my rt86u router. It should be showing some stats to confirm that packets are examined. Do you guys see anything in stats.log?

As I have posted before, I really like the idea of Suricata on my router. But..... I need a way to verify its benefit and so far, this implementation fails to provide an easy method to do that. I really hope it continues to evolve into an IDS/IPS solution we can use on our routers.
 
I noticed that stats.log is empty even if enabled and suricata started correctly on my rt86u router. It should be showing some stats to confirm that packets are examined. Do you guys see anything in stats.log?
The dynamic logs are at http.log. The Default Configuration is configured for detection only. You can configure and see how it works.

edit and add
Code:
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

I recommend leaving it as detection only. Suricata does the service competently.
 
As I have posted before, I really like the idea of Suricata on my router. But..... I need a way to verify its benefit and so far, this implementation fails to provide an easy method to do that. I really hope it continues to evolve into an IDS/IPS solution we can use on our routers.
The ideal would be a graphical interface. Some asked for the method of installing Suricata. It's done.
 
The ideal would be a graphical interface. Some asked for the method of installing Suricata. It's done.

Being a longtime AIX, FreeBSD, Debian, etc. user, a gui is not needed for me, but maybe I need to get a better understanding of Suricata's functioning. I would really like to get it running to where I am comfortable with its functionality. If I cannot use it for IDS and IPS too, then for me it is of little value.
 
I did not mean to sound harsh in my previous post. Is there a reliable configuration that would provide the IPS along with the IDS functionality on a Merlin based router?
 
It works perfectly for me.

Is this provided using the provided default install routine or is there some customization required for the IPS function?
 