joe scian
Very Senior Member
Are you sure that eth0 is your WAN interface and NOT ppp0 ? {WAN-IP} above should be your public IP Address and Bcast should be WAN Gateway address. Mine is actually ppp0 NOT eth0
Suricata Suricata - IDS on AsusWRT Merlin
- Thread starter rgnldo
- Start date
-
- Tags
- asuswrt merlin entware ids suricata
Are you sure that eth0 is your WAN interface and NOT ppp0 ? {WAN-IP} above should be your public IP Address and Bcast should be WAN Gateway address. Mine is actually ppp0 NOT eth0
visortgw
Very Senior Member
{WAN-IP} is my public address, and Broadcast is the WAN Gateway -- I removed both for privacy. I verified again via ifconfig, and I do not have a pppo.
joe scian
Very Senior Member
Disabling jumbo frames across router/switches/NICs got rid of this behavior & error message in some routers. Also try disabling AI Protection?
set system offload ipv4 vlan disable fixed this in others - the following link below has some info
https://community.ui.com/questions/...dev-eth0/232f8bbe-c95b-4561-ad9f-ebcace524cd5
Last edited:
joe scian
Very Senior Member
Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
Suricata’s fast paced community driven development focuses on security, usability and efficiency.
The installation proposal is experimental. Installation is recommended for HND routers, with a 4.x kernel.
I do not recommend installing with Skynet, as long as there is no firewall support.
Instalation step:
Create Swap file
We will need the Entware-NG repository.
Get suricata.yamlCode:opkg update opkg install suricata
Edit onCode:curl -o /opt/etc/suricata/suricata.yaml https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/suricata.yaml
address-groups:
HOME_NET:
and
DNS_SERVERS:
af-packet:
- interface: -> your interface wan
example:
Code:address-groups: HOME_NET: "[192.168.0.0/16]" EXTERNAL_NET: "any" DNS_SERVERS: "[192.168.1.1]" af-packet: - interface: eth0
Get S82suricata
Code:curl -o /opt/etc/init.d/S82suricata https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/S82suricataCode:chmod +x /opt/etc/init.d/S82suricata
Get rules and classification.config:
owner folder:Code:mkdir /opt/var/lib/suricata/rules
Code:chown nobody /opt/var/lib/suricata/rulesandCode:curl -o /opt/etc/suricata/classification.config https://rules.emergingthreats.net/open/suricata-4.0/rules/classification.config
run suricata:Code:curl -SL https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -zxC /opt/var/lib/suricata/
Code:/opt/etc/init.d/S82suricata start
Update rules:
step 1
nano /opt/var/lib/suricata/rules/upd_rules_suricata.sh
Code:#! /bin/sh curl -o /opt/etc/suricata/classification.config https://rules.emergingthreats.net/open/suricata-4.0/rules/classification.config curl -SL https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -zxC /opt/var/lib/suricata/ sleep 2s /opt/etc/init.d/S82suricata stop sleep 2s /opt/etc/init.d/S82suricata start
step 2
Enjoy!
Hi Rgnldo
Your step 2 on page 1 should read
Code:
cru a suricata_updte "0 3 * * * /opt/var/lib/suricata/rules/upd_rules_suricata.sh
rgnldo
Very Senior Member
yes
If you want to check Suricata logs, there are
- http-log:
enabled: yes
- eve-log:
enabled: yes
- file:
enabled: yes
filename: /opt/var/log/suricata/suricata.log
rgnldo
Very Senior Member
Sends the return of the ifconfig command
Guessing that a final quote (") got truncated somewhere along the line!?
Rgnldo, might be good to update page 1!?
rgnldo
Very Senior Member
That's right. I didn't notice it when I added it. But it was corrected.
So i can get it to run for a few minutes then it crashes here is the log output
29/4/2020 -- 09:38:32 - <Notice> - This is Suricata version 4.1.7 RELEASE
29/4/2020 -- 09:38:32 - <Info> - CPUs/cores online: 4
29/4/2020 -- 09:38:32 - <Info> - Found an MTU of 1500 for 'eth0'
29/4/2020 -- 09:38:32 - <Info> - Found an MTU of 1500 for 'eth0'
29/4/2020 -- 09:38:32 - <Info> - fast output device (regular) initialized: fast.log
29/4/2020 -- 09:38:32 - <Info> - stats output device (regular) initialized: stats.log
29/4/2020 -- 09:38:32 - <Info> - storing files in /opt/var/log/suricata/files
29/4/2020 -- 09:38:32 - <Info> - 8 rule files processed. 746 rules successfully loaded, 0 rules failed
29/4/2020 -- 09:38:32 - <Info> - Threshold config parsed: 0 rule(s) found
29/4/2020 -- 09:38:32 - <Info> - 746 signatures processed. 115 are IP-only rules, 36 are inspecting packet payload, 584 inspect application layer, 0 are decoder event only
29/4/2020 -- 09:38:33 - <Info> - Going to use 4 thread(s)
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.
29/4/2020 -- 09:38:33 - <Info> - All AFP capture threads are running.
29/4/2020 -- 09:40:05 - <Notice> - Signal Received. Stopping engine.
29/4/2020 -- 09:40:05 - <Info> - (W#01-eth0) Files extracted 0
29/4/2020 -- 09:40:05 - <Info> - (W#04-eth0) Files extracted 0
29/4/2020 -- 09:40:05 - <Info> - (W#03-eth0) Files extracted 0
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: type 0 name W#01-eth0 tmm_flags 0F flags 743 stream_pq (nil)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x218348b0 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x21834a00 id 1 tm_id 19 name DecodeAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x21834b50 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x21836d50 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: type 0 name W#02-eth0 tmm_flags 0F flags 703 stream_pq 0x21839418
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x21839210 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x21839360 id 1 tm_id 19 name DecodeAFP <==== stream_pq
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x218394b0 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x2183b6d0 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: type 0 name W#03-eth0 tmm_flags 0F flags 743 stream_pq (nil)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183db90 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183dce0 id 1 tm_id 19 name DecodeAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183de30 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183fe30 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: type 0 name W#04-eth0 tmm_flags 0F flags 743 stream_pq (nil)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f76f0 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f7840 id 1 tm_id 19 name DecodeAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f7990 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f80f0 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - Thread 1, W#01-eth0 type 0, tv 0x21832700 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700 type 0 name W#01-eth0 tmm_flags 0F flags 743
29/4/2020 -- 09:40:05 - <Notice> - Thread 2, W#02-eth0 type 0, tv 0x21836fd0 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0 type 0 name W#02-eth0 tmm_flags 0F flags 703
29/4/2020 -- 09:40:05 - <Notice> - Thread 3, W#03-eth0 type 0, tv 0x2183b950 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950 type 0 name W#03-eth0 tmm_flags 0F flags 743
29/4/2020 -- 09:40:05 - <Notice> - Thread 4, W#04-eth0 type 0, tv 0x218400b0 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0 type 0 name W#04-eth0 tmm_flags 0F flags 743
So i ran the update script again to fetch new rules and it all seems happy now. Maybe there were some bad rules that were causing the crash. I installed gdb on the router, so i'll look at the core file backtrace next time it happens.
29/4/2020 -- 09:38:32 - <Notice> - This is Suricata version 4.1.7 RELEASE
29/4/2020 -- 09:38:32 - <Info> - CPUs/cores online: 4
29/4/2020 -- 09:38:32 - <Info> - Found an MTU of 1500 for 'eth0'
29/4/2020 -- 09:38:32 - <Info> - Found an MTU of 1500 for 'eth0'
29/4/2020 -- 09:38:32 - <Info> - fast output device (regular) initialized: fast.log
29/4/2020 -- 09:38:32 - <Info> - stats output device (regular) initialized: stats.log
29/4/2020 -- 09:38:32 - <Info> - storing files in /opt/var/log/suricata/files
29/4/2020 -- 09:38:32 - <Info> - 8 rule files processed. 746 rules successfully loaded, 0 rules failed
29/4/2020 -- 09:38:32 - <Info> - Threshold config parsed: 0 rule(s) found
29/4/2020 -- 09:38:32 - <Info> - 746 signatures processed. 115 are IP-only rules, 36 are inspecting packet payload, 584 inspect application layer, 0 are decoder event only
29/4/2020 -- 09:38:33 - <Info> - Going to use 4 thread(s)
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - AFL mode starting
29/4/2020 -- 09:38:33 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.
29/4/2020 -- 09:38:33 - <Info> - All AFP capture threads are running.
29/4/2020 -- 09:40:05 - <Notice> - Signal Received. Stopping engine.
29/4/2020 -- 09:40:05 - <Info> - (W#01-eth0) Files extracted 0
29/4/2020 -- 09:40:05 - <Info> - (W#04-eth0) Files extracted 0
29/4/2020 -- 09:40:05 - <Info> - (W#03-eth0) Files extracted 0
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: type 0 name W#01-eth0 tmm_flags 0F flags 743 stream_pq (nil)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x218348b0 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x21834a00 id 1 tm_id 19 name DecodeAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x21834b50 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700: -> slot 0x21836d50 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: type 0 name W#02-eth0 tmm_flags 0F flags 703 stream_pq 0x21839418
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x21839210 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x21839360 id 1 tm_id 19 name DecodeAFP <==== stream_pq
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: ==> post_pq: slot id 1 slot tm_id 19 post_pq.len 12 packet src stream (flow timeout)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x218394b0 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0: -> slot 0x2183b6d0 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: type 0 name W#03-eth0 tmm_flags 0F flags 743 stream_pq (nil)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183db90 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183dce0 id 1 tm_id 19 name DecodeAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183de30 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950: -> slot 0x2183fe30 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: type 0 name W#04-eth0 tmm_flags 0F flags 743 stream_pq (nil)
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f76f0 id 0 tm_id 18 name ReceiveAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f7840 id 1 tm_id 19 name DecodeAFP
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f7990 id 2 tm_id 0 name FlowWorker
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0: -> slot 0x217f80f0 id 3 tm_id 10 name RespondReject
29/4/2020 -- 09:40:05 - <Notice> - Thread 1, W#01-eth0 type 0, tv 0x21832700 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21832700 type 0 name W#01-eth0 tmm_flags 0F flags 743
29/4/2020 -- 09:40:05 - <Notice> - Thread 2, W#02-eth0 type 0, tv 0x21836fd0 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x21836fd0 type 0 name W#02-eth0 tmm_flags 0F flags 703
29/4/2020 -- 09:40:05 - <Notice> - Thread 3, W#03-eth0 type 0, tv 0x2183b950 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x2183b950 type 0 name W#03-eth0 tmm_flags 0F flags 743
29/4/2020 -- 09:40:05 - <Notice> - Thread 4, W#04-eth0 type 0, tv 0x218400b0 in_use 1
29/4/2020 -- 09:40:05 - <Notice> - tv 0x218400b0 type 0 name W#04-eth0 tmm_flags 0F flags 743
So i ran the update script again to fetch new rules and it all seems happy now. Maybe there were some bad rules that were causing the crash. I installed gdb on the router, so i'll look at the core file backtrace next time it happens.
Last edited:
rgnldo
Very Senior Member
this is when the Suricata dies. Process terminated
Last edited:
visortgw
Very Senior Member
Here is the output of ifconfig with non-private IP and MAC addresses obscured:
Code:
# ifconfig
br0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
inet addr:192.168.222.1 Bcast:192.168.222.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:19135484 errors:0 dropped:256 overruns:0 frame:0
TX packets:20809050 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:16478911014 (15.3 GiB) TX bytes:29659125678 (27.6 GiB)
br0:pixelserv-t Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
inet addr:192.168.222.2 Bcast:192.168.222.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
inet addr:###.###.22.## Bcast:###.###.23.255 Mask:255.255.252.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:19549984 errors:0 dropped:0 overruns:0 frame:0
TX packets:9224784 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23939709317 (22.2 GiB) TX bytes:1819507452 (1.6 GiB)
eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:13731248 errors:0 dropped:4944 overruns:0 frame:0
TX packets:23229395 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6985493041 (6.5 GiB) TX bytes:28101698006 (26.1 GiB)
eth2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:17543 errors:0 dropped:6 overruns:0 frame:0
TX packets:365818 errors:0 dropped:4608 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1459150 (1.3 MiB) TX bytes:115155084 (109.8 MiB)
eth3 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:34819 errors:0 dropped:4 overruns:0 frame:0
TX packets:425179 errors:0 dropped:4047 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8240373 (7.8 MiB) TX bytes:211248516 (201.4 MiB)
eth4 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth5 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:355527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:121055469 (115.4 MiB)
eth6 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:31023 errors:0 dropped:18 overruns:0 frame:0
TX packets:307191 errors:0 dropped:40995 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6872092 (6.5 MiB) TX bytes:88801151 (84.6 MiB)
eth7 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:50
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:49442211 errors:0 dropped:15 overruns:0 frame:0
TX packets:24488083 errors:0 dropped:1468 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:54033841194 (50.3 GiB) TX bytes:18770696537 (17.4 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:397413 errors:0 dropped:0 overruns:0 frame:0
TX packets:397413 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:67036284 (63.9 MiB) TX bytes:67036284 (63.9 MiB)
lo:0 Link encap:Local Loopback
inet addr:127.0.1.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
spu_ds_dummy Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
spu_us_dummy Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tap22 Link encap:Ethernet HWaddr yy:yy:yy:yy:yy:yy
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:349520 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:117947176 (112.4 MiB)
tun21 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.222.1 P-t-P:10.8.222.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:118892 errors:0 dropped:0 overruns:0 frame:0
TX packets:78607 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10689286 (10.1 MiB) TX bytes:19884315 (18.9 MiB)
wl0.1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:51
inet addr:10.11.1.1 Bcast:10.11.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:74126 errors:0 dropped:0 overruns:0 frame:0
TX packets:337502 errors:0 dropped:90 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:29055010 (27.7 MiB) TX bytes:149169281 (142.2 MiB)
wl0.2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:52
inet addr:10.11.2.1 Bcast:10.11.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:233824 errors:0 dropped:0 overruns:0 frame:0
TX packets:345512 errors:0 dropped:40998 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15113669 (14.4 MiB) TX bytes:95309817 (90.8 MiB)rgnldo
Very Senior Member
Some configuration is making it difficult to function.
I was getting suricata to crash all of the time so i changed /opt/var/lib/suricata/rules/updates_rules_suricata.sh
to be like below.
also the instructions should be changed to update
to add this line
cru a suricata_updte "0 3 * * * /opt/var/lib/suricata/rules/updates_rules_suricata.sh"
to services-start instead of services.start
to be like below.
also the instructions should be changed to update
to add this line
cru a suricata_updte "0 3 * * * /opt/var/lib/suricata/rules/updates_rules_suricata.sh"
to services-start instead of services.start
Code:
#! /bin/sh
logger "Updating:suricata rules..."
/opt/etc/init.d/S82suricata stop
curl -o /opt/etc/suricata/classification.config https://rules.emergingthreats.net/open/suricata-4.0/rules/classification.config
curl -SL https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -zxC /opt/var/lib/suricata/
logger "Updating:suricata starting..."
sleep 10s
/opt/etc/init.d/S82suricata startrgnldo
Very Senior Member
Most likely it is the memory. Much to your suggestion. Let's wait a little longer to add in the installation post.
You might be right (running out of memory?) i do have a 2Gb swap file, so if its running out of memory that seems odd.
Its been fine now for a few days. so i am not sure what is happening.
rgnldo
Very Senior Member
I believe that is the reason. Suricata's engine system is powerful. The initial post resolves for me. It's been quiet here for a while. Try not to use logs only fast.log and stats.log. Avoid using log monitoring services.
rgnldo
Very Senior Member
The problem is generating waste of processing in Suricata in the generation of logs. The important logs in Suricata are fast.log and stats.log, which are for the detection log. Whatever the solution, registration is only for errors or detection. Arm routers are very limited.
distilled
Senior Member
This was my primary concern, it would be asking too much of a small processor to provide real time reactionary data to a complex Aanval type interface.
I think it is entirely unnecessary to create colorful charts and graphs of residential IDS data anyway, but if it was do able, of course we would.
When I was a child in the 60s and 70s, I judged how cool a car was not by the body or engine, but by the dash and how much data it reported to the driver. Some things never change.
Awesome package mate, I can't wait to play with it.
I think it is entirely unnecessary to create colorful charts and graphs of residential IDS data anyway, but if it was do able, of course we would.
When I was a child in the 60s and 70s, I judged how cool a car was not by the body or engine, but by the dash and how much data it reported to the driver. Some things never change.
Awesome package mate, I can't wait to play with it.
Similar threads
Similar threads
Similar threads
-
scMerlin scMerlin 2.5.2 - Service and script control menu for Asuswrt-Merlin, April 22, 2024- Started by thelonelycoder
- Replies: 44
-
uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers- Started by JGrana
- Replies: 29
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian
- Started by JGrana
- Replies: 1
-
DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin late 2023 Releases- Started by SomeWhereOverTheRainBow
- Replies: 8
-
AdGuardHome Help for beginner with AdGuardHome Asuswrt-Merlin- Started by fanasus
- Replies: 26
-
Scribe Asuswrt-Merlin 388.2 is now available for select models
- Started by Weblee2407
- Replies: 10
Latest threads
-
-
How to use the XT8 logs to troubleshoot?
- Started by rudedog71
- Replies: 0
-
-
-
ASUS AX-11000 Pro - 5GB Fiber
- Started by Tricky111
- Replies: 1
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!