Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

As can be seen, pcap isn't an IPS mode, so no better than af_packet, which seems to be a mode which can support IPS, so we should probably stick to that.

I trust your observations. I agree. Check if the br0 interface and the WAN generate kernel errors in the log. If not mistakes, perfect.

Changed the init.d script,

I'm using another system. If you want to be able to organize these innovations in your github. I cooperate as much as possible.
There is a script @ttgapers already in progress to help other members of the forum.

 

[XIII]

@juched Nice that you’re improving the Suricata setup! Where can we find/follow your config file?

 

[juched]

I trust your observations. I agree. Check if the br0 interface and the WAN generate kernel errors in the log. If not mistakes, perfect.

I'm using another system. If you want to be able to organize these innovations in your github. I cooperate as much as possible.
There is a script @ttgapers already in progress to help other members of the forum.

I will look to fork in github and share my findings. As I find time and it is summer, it may be slow, but I will share my learning. So far I can get it into IPS mode, and my main traffic works fine. But the guest networks do not.

 

[rgnldo]

I will look to fork in github and share my findings. As I find time and it is summer, it may be slow,

Your contribution will be of great importance. Feel free. Needing to change the post links to your fork github.

But the guest networks do not.

Is it a vlan?

 

[heysoundude]

There is a script @ttgapers already in progress to help other members of the forum.

That looks to me like it shares some commonalities with Cake-QoS...perhaps bringing them both closer to being available to amtm, and coherent and co-operative with each other...
If I'm right, that's just wow!

 

[heysoundude]

@juched Nice that you’re improving the Suricata setup! Where can we find/follow your config file?

right here! you're doing it!! You've got to jump in with terminal/nano or however you modify things and do it yourself for now.

 

[Mutzli]

From this link :


From this paper it seems to me that sticking with af-packet is better.




from the suricata docs it seems:



Finally, workers mode is considered the best performance according to the suricata docs.


And it seems that pcap mode needs to be in autofp mode. So, the configuration posted which defaults to worker, isn't the right mode for pcap mode.

I noticed you're reading in the Suricata docs v.5.0.3. Here is the link to Suricata 4.1.8 docs. Not sure if much has changed from version 4.1.8 to version 5.0.3?

 

[juched]

I noticed you're reading in the Suricata docs v.5.0.3. Here is the link to Suricata 4.1.8 docs. Not sure if much has changed from version 4.1.8 to version 5.0.3?

Thanks, I was reading the 4.1.8, but another tab and google search ended me back at 5.0.3 one.

The 4.1.8 still confirm the same findings

 

[Smokey613]

So, the one question I keep wanting an answer to is does this “Merlin” version of suricata actually have IPS functionality?

 

[mike37]

So, the one question I keep wanting an answer to is does this “Merlin” version of suricata actually have IPS functionality?

.
.

Yes!!

And how did you test/confirm it?

Presuming you had to create some custom rules, please share those rules (along with the config)

 

[Mutzli]

So, the one question I keep wanting an answer to is does this “Merlin” version of suricata actually have IPS functionality?

I think it's not a true IPS solution. It's more like an IDS/IPS Hybrid. See also this link: (posted earlier today by juched).

 

[juched]

So, the one question I keep wanting an answer to is does this “Merlin” version of suricata actually have IPS functionality?

based on the default config it is IDS not IPS. IPS can be accomplished by using the configuration I posted earlier with copy to parameters. You will see IPS mode in the logs if successful.
I believe I am having iptables issues with my guest network. So if not using a guest network or would be willing to test please do share what you find.

 

[Smokey613]

based on the default config it is IDS not IPS. IPS can be accomplished by using the configuration I posted earlier with copy to parameters. You will see IPS mode in the logs if successful.
I believe I am having iptables issues with my guest network. So if not using a guest network or would be willing to test please do share what you find.

I am testing your latest IPS "config" and I do have a desktop on a guest wifi network. I started a ping from that desktop to 8.8.8.8 and then restarted suricata with your settings. Here is the output of my suricata log. My desktop never lost the ping connection, but I do get an error in the log. The alert shown is my Govee unit that monitors temp/humidity in my outside music room.

Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - CPUs/cores online: 2
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - AF_PACKET: Setting IPS mode
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - fast output device (regular) initialized: fast.log
Aug 5 08:33:59 RT-AC86U suricata: 5/8/2020 -- 08:33:59 - <Info> - stats output device (regular) initialized: stats.log
Aug 5 08:33:59 RT-AC86U suricata[10202]: 5/8/2020 -- 08:33:59 - <Info> - Syslog output initialized
Aug 5 08:33:59 RT-AC86U suricata[10202]: 5/8/2020 -- 08:33:59 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 5 08:33:59 RT-AC86U suricata[10202]: 5/8/2020 -- 08:33:59 - <Info> - Threshold config parsed: 0 rule(s) found
Aug 5 08:33:59 RT-AC86U suricata[10202]: 5/8/2020 -- 08:33:59 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 5 08:34:03 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:03 - <Info> - Using 2 live device(s).
Aug 5 08:34:03 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:03 - <Info> - AF_PACKET IPS mode activated eth0->br0
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Info> - AF_PACKET IPS mode activated br0->eth0
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Notice> - all 7 packet processing threads, 2 management threads initialized, engine started.
Aug 5 08:34:04 RT-AC86U suricata[10202]: 5/8/2020 -- 08:34:04 - <Info> - All AFP capture threads are running.
Aug 5 08:34:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:16794 -> 18.233.186.252:80
Aug 5 08:35:00 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2591 -> 18.233.186.252:80
Aug 5 08:35:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:23452 -> 18.233.186.252:80
Aug 5 08:35:46 RT-AC86U suricata[10202]: 5/8/2020 -- 08:35:46 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 7: Message too long
Aug 5 08:35:46 RT-AC86U suricata[10202]: 5/8/2020 -- 08:35:46 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 7: Message too long
Aug 5 08:35:58 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2087 -> 18.233.186.252:80
Aug 5 08:36:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:14805 -> 18.233.186.252:80
Aug 5 08:36:56 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:14532 -> 18.233.186.252:80
Aug 5 08:37:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2591 -> 18.233.186.252:80
Aug 5 08:37:55 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:12015 -> 18.233.186.252:80
Aug 5 08:38:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:9270 -> 18.233.186.252:80
Aug 5 08:38:53 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:32175 -> 18.233.186.252:80
Aug 5 08:39:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:1405 -> 18.233.186.252:80
Aug 5 08:39:51 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2591 -> 18.233.186.252:80
Aug 5 08:40:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:27847 -> 18.233.186.252:80
Aug 5 08:40:50 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:26661 -> 18.233.186.252:80
Aug 5 08:41:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2002 -> 18.233.186.252:80
Aug 5 08:41:45 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.201:38259 -> 192.230.66.121:80
Aug 5 08:41:48 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:6530 -> 18.233.186.252:80
Aug 5 08:42:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2591 -> 18.233.186.252:80
Aug 5 08:42:46 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:28714 -> 18.233.186.252:80
Aug 5 08:43:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:30688 -> 18.233.186.252:80
Aug 5 08:43:45 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:1385 -> 18.233.186.252:80
Aug 5 08:44:41 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:32430 -> 18.233.186.252:80
Aug 5 08:44:43 RT-AC86U suricata[10202]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:2591 -> 18.233.186.252:80

 

[Smokey613]

I had a typo in my config. Here is my latest after a suricata restart. My desktop on the guest network has maintained the ping to 8.8.8.8

Aug 5 08:52:21 RT-AC86U S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Aug 5 08:52:21 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:21 - <Notice> - Signal Received. Stopping engine.
Aug 5 08:52:22 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:22 - <Info> - time elapsed 41.476s
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Info> - Alerts: 0
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Info> - cleaning up signature grouping structure... complete
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Notice> - Stats for 'eth0': pkts: 444, drop: 0 (0.00%), invalid chksum: 0
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Notice> - Stats for 'br0': pkts: 26638, drop: 3487 (13.09%), invalid chksum: 0
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - CPUs/cores online: 2
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - AF_PACKET: Setting IPS mode
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - fast output device (regular) initialized: fast.log
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - stats output device (regular) initialized: stats.log
Aug 5 08:52:24 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:24 - <Info> - Syslog output initialized
Aug 5 08:52:26 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:24 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 5 08:52:26 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:26 - <Info> - Threshold config parsed: 0 rule(s) found
Aug 5 08:52:26 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:26 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - AF_PACKET IPS mode activated eth0->br0
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Going to use 2 thread(s)
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - AF_PACKET IPS mode activated br0->eth0
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Going to use 2 thread(s)
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - All AFP capture threads are running.
Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80
Aug 5 08:53:26 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:5469 -> 18.233.186.252:80

 

[juched]

I had a typo in my config. Here is my latest after a suricata restart. My desktop on the guest network has maintained the ping to 8.8.8.8

Aug 5 08:52:21 RT-AC86U S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Aug 5 08:52:21 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:21 - <Notice> - Signal Received. Stopping engine.
Aug 5 08:52:22 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:22 - <Info> - time elapsed 41.476s
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Info> - Alerts: 0
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Info> - cleaning up signature grouping structure... complete
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Notice> - Stats for 'eth0': pkts: 444, drop: 0 (0.00%), invalid chksum: 0
Aug 5 08:52:23 RT-AC86U suricata[11909]: 5/8/2020 -- 08:52:23 - <Notice> - Stats for 'br0': pkts: 26638, drop: 3487 (13.09%), invalid chksum: 0
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Notice> - This is Suricata version 4.1.8 RELEASE
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - CPUs/cores online: 2
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - AF_PACKET: Setting IPS mode
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - fast output device (regular) initialized: fast.log
Aug 5 08:52:24 RT-AC86U suricata: 5/8/2020 -- 08:52:24 - <Info> - stats output device (regular) initialized: stats.log
Aug 5 08:52:24 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:24 - <Info> - Syslog output initialized
Aug 5 08:52:26 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:24 - <Info> - 20 rule files processed. 3117 rules successfully loaded, 0 rules failed
Aug 5 08:52:26 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:26 - <Info> - Threshold config parsed: 0 rule(s) found
Aug 5 08:52:26 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:26 - <Info> - 3117 signatures processed. 223 are IP-only rules, 567 are inspecting packet payload, 2466 inspect application layer, 0 are decoder event only
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - AF_PACKET IPS mode activated eth0->br0
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Going to use 2 thread(s)
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - AF_PACKET IPS mode activated br0->eth0
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Going to use 2 thread(s)
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'br0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - Found an MTU of 1500 for 'eth0'
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started.
Aug 5 08:52:30 RT-AC86U suricata[12058]: 5/8/2020 -- 08:52:30 - <Info> - All AFP capture threads are running.
Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80
Aug 5 08:53:26 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:5469 -> 18.233.186.252:80

Your guest network, are you using YazFi? or just regular guest wifi built into Asus? Do you allow "Intranet access"?

Thank you for trying this. Seems you have a functional IPS system now.

 

[Smokey613]

Your guest network, are you using YazFi? or just regular guest wifi built into Asus? Do you allow "Intranet access"?

Thank you for trying this. Seems you have a functional IPS system now.

Just the built in guest network and I do not allow intranet access. I did some more test and it seems that cake and suricata do not play well together. If I run either program by itself my speedtest BW is 48/4.5 on my 50/5 service. If I run them together I get 40 /2.6 for results. I even tried starting suricata first then cake and then starting cake first and then suricata. The results were the same.

 

[Smokey613]

BTW, here is the pertinent part from my config file:

# Linux high speed capture support
af-packet:
- interface: eth0
copy-mode: ips
copy-iface: br0
use-mmap: yes
tpacket-v3: no
- interface: br0
copy-mode: ips
copy-iface: eth0
use-mmap: yes
tpacket-v3: no
# IPS Mode Configuration
# PCAP
pcap:
- interface: auto
checksum-checks: auto
promisc: yes

 

[Smokey613]

Can someone "decode" what is happening here. Is suricata just alerting on my Govee sensor hub but not deeming it a real threat?

Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80

 

[Jack Yaz]

Your guest network, are you using YazFi? or just regular guest wifi built into Asus? Do you allow "Intranet access"?

Thank you for trying this. Seems you have a functional IPS system now.

I suspect it may be adequate to add a section for interfaces using wl0.1 and so on

 

[juched]

I suspect it may be adequate to add a section for interfaces using wl0.1 and so on

I thought that too, but for IPS mode you need pairs of interfaces for the copy-iface, so eth0->br0 (WAN to LAN) and br0->eth0 (LAN to WAN). As I recall if I added in eth->wl0.1 and wl0.1->eth0, it failed since eth0 is already being copied to br0.

wl0.1 is part of br0, so I think that is ok... the problem I believe is that iptables is blocking wl0.1 to br0... only wl0.1 to eth0 for guest networks.