Suricata - IDS on AsusWRT Merlin


Suricata dies on my AC86 after some seconds:

admin@RT-AC86U-CAF0:/tmp/mnt/sda/entware/var/log/suricata# cat suricata.log
28/4/2020 -- 19:44:10 - <Notice> - This is Suricata version 4.1.7 RELEASE
28/4/2020 -- 19:44:10 - <Info> - CPUs/cores online: 2
28/4/2020 -- 19:44:10 - <Info> - Found an MTU of 1500 for 'eth0'
28/4/2020 -- 19:44:10 - <Info> - Found an MTU of 1500 for 'eth0'
28/4/2020 -- 19:44:10 - <Info> - fast output device (regular) initialized: fast.log
28/4/2020 -- 19:44:10 - <Info> - stats output device (regular) initialized: stats.log
28/4/2020 -- 19:44:10 - <Info> - 8 rule files processed. 746 rules successfully loaded, 0 rules failed
28/4/2020 -- 19:44:10 - <Info> - Threshold config parsed: 0 rule(s) found
28/4/2020 -- 19:44:10 - <Info> - 746 signatures processed. 115 are IP-only rules, 36 are inspecting packet payload, 584 inspect application layer, 0 are decoder event only
28/4/2020 -- 19:44:10 - <Info> - Going to use 2 thread(s)
28/4/2020 -- 19:44:10 - <Notice> - AFL mode starting
28/4/2020 -- 19:44:10 - <Notice> - AFL mode starting
28/4/2020 -- 19:44:10 - <Notice> - all 2 packet processing threads, 0 management threads initialized, engine started.
28/4/2020 -- 19:44:10 - <Info> - All AFP capture threads are running.
28/4/2020 -- 19:45:19 - <Notice> - Signal Received. Stopping engine.
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: type 0 name W#01-eth0 tmm_flags 0F flags 703 stream_pq 0x3a04d3d8
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: -> slot 0x3a04d1d0 id 0 tm_id 18 name ReceiveAFP
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: -> slot 0x3a04d320 id 1 tm_id 19 name DecodeAFP <==== stream_pq
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 9 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: -> slot 0x3a04d470 id 2 tm_id 0 name FlowWorker
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020: -> slot 0x3a04f460 id 3 tm_id 10 name RespondReject
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: type 0 name W#02-eth0 tmm_flags 0F flags 703 stream_pq 0x3a051908
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: -> slot 0x3a051700 id 0 tm_id 18 name ReceiveAFP
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: -> slot 0x3a051850 id 1 tm_id 19 name DecodeAFP <==== stream_pq
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 4 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 4 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 4 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 4 packet src stream (flow timeout)
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: -> slot 0x3a0519a0 id 2 tm_id 0 name FlowWorker
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0: -> slot 0x3a009660 id 3 tm_id 10 name RespondReject
28/4/2020 -- 19:45:20 - <Notice> - Thread 1, W#01-eth0 type 0, tv 0x3a04b020 in_use 1
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04b020 type 0 name W#01-eth0 tmm_flags 0F flags 703
28/4/2020 -- 19:45:20 - <Notice> - Thread 2, W#02-eth0 type 0, tv 0x3a04f6e0 in_use 1
28/4/2020 -- 19:45:20 - <Notice> - tv 0x3a04f6e0 type 0 name W#02-eth0 tmm_flags 0F flags 703
 
I think I have it correct; here are some pieces of the yaml file:


# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[10.0.0.0/16]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[10.0.0.1]"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "[10.0.0.155]"

# Linux high speed capture support
af-packet:
  - interface: eth0
    defrag: yes
    use-mmap: yes

All seems to be working now. I can ssh in etc. Now I just need to see if it's really doing anything at all.
 
Can Suricata handle requests made by browsers utilizing DoH?
 
All seems to be working now. I can ssh in etc. Now I just need to see if it's really doing anything at all.

Ahh.... good for you!!!

1. Understanding that I have NO experience with Suricata, IIRC you couldn't ssh in after a port scan. You might now try first a scan, then see if you can still ssh in from the same address. (The logic would be that a port scan precedes an attack and that subsequent connection attempts from that scanning address are malevolent and to be blocked; logic that may or may not make sense depending on whether this is a private access point (e.g. VPN) or public (e.g. HTTPS).)

If you want to allow port scans first, you can likely edit the rule and change the action from something like "drop" or "block" to "log" or "report" (or comment out the rule entirely).

2. If you're going to "see if it's really doing anything at all", how about comparing its response to an attack with the response of AiProtect to the same attack!?

Wish I had the time to jump into this - maybe next week! Good Luck!!
 
Ahh.... good for you!!!

1. Understanding that I have NO experience with Suricata, IIRC you couldn't ssh in after a port scan. You might now try first a scan, then see if you can still ssh in from the same address. (The logic would be that a port scan precedes an attack and that subsequent connection attempts from that scanning address are malevolent and to be blocked; logic that may or may not make sense depending on whether this is a private access point (e.g. VPN) or public (e.g. HTTPS).)

I tried that, and it still worked. The scan always shows just the 1 port open, which is exactly as expected.

I think I need to turn on all of the logging and watch it to see what's up. (Not 100% sure what I need to change in the yaml file to do this.)

I am expecting to see stuff in /opt/var/log/suricata/fast.log, but that one is empty.
/opt/var/log/suricata/suricata.log has stuff, but it's really only startup info.

Like this:

28/4/2020 -- 08:04:56 - <Notice> - This is Suricata version 4.1.7 RELEASE
28/4/2020 -- 08:04:56 - <Info> - CPUs/cores online: 4
28/4/2020 -- 08:04:56 - <Info> - Found an MTU of 1500 for 'eth0'
28/4/2020 -- 08:04:56 - <Info> - Found an MTU of 1500 for 'eth0'
28/4/2020 -- 08:04:56 - <Info> - fast output device (regular) initialized: fast.log
28/4/2020 -- 08:04:56 - <Info> - stats output device (regular) initialized: stats.log
28/4/2020 -- 08:04:56 - <Info> - storing files in /opt/var/log/suricata/files
28/4/2020 -- 08:04:56 - <Info> - 8 rule files processed. 746 rules successfully loaded, 0 rules failed
28/4/2020 -- 08:04:56 - <Info> - Threshold config parsed: 0 rule(s) found
28/4/2020 -- 08:04:56 - <Info> - 746 signatures processed. 115 are IP-only rules, 36 are inspecting packet payload, 584 inspect application layer, 0 are decoder event only
28/4/2020 -- 08:04:56 - <Info> - Going to use 4 thread(s)
28/4/2020 -- 08:04:56 - <Notice> - AFL mode starting
28/4/2020 -- 08:04:56 - <Notice> - AFL mode starting
28/4/2020 -- 08:04:56 - <Notice> - AFL mode starting
28/4/2020 -- 08:04:56 - <Notice> - AFL mode starting
28/4/2020 -- 08:04:56 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.
28/4/2020 -- 08:04:56 - <Info> - All AFP capture threads are running.

Which all seems correct.
 
Can Suricata handle requests made by browsers utilizing DoH?

(I'm a newbie; Rgnldo needs to confirm this)

The answer is yes: you can check the content of DNS records (e.g. looking for invalid fields, overflows, etc.).
https://suricata.readthedocs.io/en/suricata-5.0.2/rules/dns-keywords.html

Other rules can confirm current encryption standards, certs, etc.

If there is a wonderful new attack/zero-day, there'll likely be an "emerging threat" rule that'll look for it.
 
All seems to be working now. I can ssh in etc. Now I just need to see if it's really doing anything at all.
This page seems to describe a test:

https://suricata.readthedocs.io/en/latest/quickstart.html#installation

Apparently "the signature with ID 2100498 from the ET Open ruleset is written specific for such test cases" and you can trigger it by:

Code:
curl http://testmyids.com/

PS: I find this an interesting topic, but due to the Corona crisis I work from home and should not experiment too much with my router...
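One way to turn the testmyids check above and the "fast.log is empty" question into a repeatable test: an added example, not from the thread or from the Suricata project. It assumes POSIX sh with sed and grep (busybox on the router is enough), the /opt/var/log/suricata/fast.log path used in this thread, and uses constructed fast.log lines for the offline self-check.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project: verify that a
# Suricata install is really inspecting traffic by looking for the quickstart's
# test signature (sid 2100498, ET Open) in fast.log after the curl check.
# Assumptions: POSIX sh with sed/grep and the fast.log path used in the thread;
# FAST_LOG can be overridden from the environment.
FAST_LOG="${FAST_LOG:-/opt/var/log/suricata/fast.log}"
TEST_SID=2100498

# Print the sid of every alert line read on stdin. A fast.log line looks like
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ...
# so the sid is the middle number of the first [gid:sid:rev] triple.
extract_sids() {
    sed -n 's/^.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\].*$/\1/p'
}

# Count alert lines for sid $1 on stdin; always prints a number (0 if none).
count_sid() {
    extract_sids | grep -c "^$1\$" || true
}

# Succeeds when stdin contains at least one alert for sid $1.
has_alert() {
    n=$(count_sid "$1")
    [ "$n" -gt 0 ]
}

# Live check, mirroring the quickstart: fetch testmyids.com, give the engine a
# moment to flush the alert, then look for the test sid in fast.log.
run_live_check() {
    curl -s -o /dev/null http://testmyids.com/
    sleep 2
    if has_alert "$TEST_SID" < "$FAST_LOG"; then
        echo "OK: sid $TEST_SID fired, Suricata is seeing and matching traffic"
        return 0
    fi
    echo "no alert for sid $TEST_SID in $FAST_LOG:"
    echo "  - check that an ET Open rule file containing it is loaded in suricata.yaml"
    echo "  - check that af-packet is bound to the interface the test traffic crosses"
    return 1
}

# Constructed sample fast.log content (not captured from any router in the
# thread) so the parser can be exercised offline. Addresses are placeholders;
# 1000001 is a made-up local sid, 2100498 is the real ET Open test signature.
sample_fast_log() {
    cat <<'EOF'
04/29/2020-13:20:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.155:51234
04/29/2020-13:20:05.654321  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.0.0.155:41000 -> 10.0.0.1:53
04/29/2020-13:20:09.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.155:51240
EOF
}

# An empty fast.log, the situation described in the thread: no alerts at all.
empty_fast_log() {
    :
}

# Only touch the network when explicitly asked: `sh check_ids.sh live`.
if [ "${1:-}" = "live" ]; then
    run_live_check
fi
```

Run it with the `live` argument on the router after Suricata has started; without an argument it only defines the functions and makes no network requests.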
 
I think I have it correct; here are some pieces of the yaml file:


Is correct.
 
Suricata dies on my AC86 after some seconds:

Follow the installation correctly, as posted.
 
I tried that, and it still worked. The scan always shows just the 1 port open, which is exactly as expected.

Is correct. You followed the installation guidance correctly.
 
(I'm a newbie; Rgnldo needs to confirm this)
I'm such a newbie. I'm learning from all of you.
If there is a wonderful new attack/zero-day, there'll likely be an "emerging threat" rule that'll look for it.
There are Suricata rules for DNS UDP and TCP.
 
Can Suricata handle requests made by browsers utilizing DoH?
Suricata is not based on DNS traffic. It works by engine and signed rules.
 
Hi rgnldo

On starting Suricata I do not have an /opt/var/log/suricata/suricata.log; I only have stats.log and fast.log.
Is this normal? Both of those files are empty.


Resolved: enabled logging in the suricata.yaml file.

Code:
29/4/2020 -- 13:15:44 - <Notice> - This is Suricata version 4.1.7 RELEASE
29/4/2020 -- 13:15:44 - <Info> - CPUs/cores online: 2
29/4/2020 -- 13:15:44 - <Info> - Found an MTU of 1464 for 'ppp0'
29/4/2020 -- 13:15:44 - <Info> - Found an MTU of 1464 for 'ppp0'
29/4/2020 -- 13:15:45 - <Info> - fast output device (regular) initialized: fast.log
29/4/2020 -- 13:15:45 - <Info> - stats output device (regular) initialized: stats.log
29/4/2020 -- 13:15:45 - <Info> - 8 rule files processed. 746 rules successfully loaded, 0 rules failed
29/4/2020 -- 13:15:45 - <Info> - Threshold config parsed: 0 rule(s) found
29/4/2020 -- 13:15:45 - <Info> - 746 signatures processed. 115 are IP-only rules, 36 are inspecting packet payload, 584 inspect application layer, 0 are decoder event only
29/4/2020 -- 13:15:45 - <Info> - Going to use 1 thread(s)
29/4/2020 -- 13:15:45 - <Notice> - AFL mode starting
29/4/2020 -- 13:15:45 - <Notice> - all 1 packet processing threads, 0 management threads initialized, engine started.
29/4/2020 -- 13:15:45 - <Info> - All AFP capture threads are running.

BTW, is it worth enabling the other rules in the .yaml file?
Code:
  # - ciarmy.rules
  # - teste.rules
  # - emerging-worm.rules
  # - tor.rules
  # - emerging-attack_response.rules
  # - emerging-shellcode.rules
  # - emerging-dns.rules
  # - emerging-dos.rules
  # - emerging-exploit.rules
  # - emerging-trojan.rules
  # - emerging-web_client.rules
  # - emerging-web_server.rules
 
Suricata can also be configured to block outgoing packets, right? From simple reading, I can set it up to block DNS queries for facebook, etc. Very interesting. I am assuming that all works with this version too?
 
Suricata can also be configured to block outgoing packets, right? From simple reading, I can set it up to block DNS queries for facebook, etc. Very interesting. I am assuming that all works with this version too?
IDS/IPS.
Study the rules and the classification.config file.
 
Well now this makes me want to get a newer router. This and the fact that Merlin said my 3200 is on "life support..."
 
After installing and configuring Suricata, my syslog is flooded with the following:
Code:
Apr 29 00:16:32 RT-AX88U-xxxx kernel: device eth0 entered promiscuous mode
Apr 29 00:16:32 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:35 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:35 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:35 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:38 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:41 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:44 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:47 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:50 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:53 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:56 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:57 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:16:59 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:00 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:02 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:03 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:05 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:05 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:05 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:08 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
Apr 29 00:17:11 RT-AX88U-xxxx kernel: protocol 0800 is buggy, dev eth0
...

ifconfig shows:
Code:
eth0      Link encap:Ethernet  HWaddr {MAC-ADDRESS}
          inet addr:{WAN-IP}  Bcast:{WAN-BROADCAST} Mask:255.255.252.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:464713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229411 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:531012108 (506.4 MiB)  TX bytes:48786336 (46.5 MiB)

I configured /opt/etc/suricata/suricata.yaml as follows:
Code:
  address-groups:
    HOME_NET: "[192.168.222.0/24]"
    EXTERNAL_NET: "any"
    DNS_SERVERS: "[192.168.222.1]"

af-packet:
 - interface: eth0

In addition to primary network (192.168.222.0/24), I have OpenVPN and two VLANs configured with their own subnets. Any thoughts on what might be causing the syslog errors and how to resolve?
 
