Suricata - IDS on AsusWRT Merlin


rgnldo

Very Senior Member
IMHO, Suricata is configured as a good, efficient IDS. Together with Skynet, they form great tools for an ARM router.
Open source always.
 

faux123

Regular Contributor
Leave TSO enabled for Linux AF_PACKET runmode
Code:
suricata -c /opt/etc/suricata/suricata.yaml -i eth0 --set capture.disable-offloading=false

Could you update the release version with your changes?
Another update to my forked firmware:


BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?
 

rgnldo

Very Senior Member
Another update to my forked firmware:


BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?
Yes, I agree. But I believe that it is necessary to open another topic. In this topic it is already certain that Suricata as IDS is adequate and stable. It will leave its experimental status.

With snort you can reduce the rules and some adjustments.
 
Last edited:

steelskinz

Regular Contributor
Another update to my forked firmware:


BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?
Not everybody has the chance to cap the hardware limit of the router, as we don't all have fiber at home. I'm still on ADSL with 16Mbps and prefer local security over bandwidth. We need profiles like yours to give enhancements to the community. I also want to thank rgnldo for his contributions to the subject. It is great to see such buddies in our community. Thanks guys! :)

(sorry for all i forgot to mention !)
 

Mutzli

Very Senior Member
BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed by a bit)?
I'm very interested to see if it works on my AX88U, yes please.
 

heysoundude

Very Senior Member
@faux123 what was the consensus here about using Suricata as IPS only? Too much for the AC86?
Can also confirm IDS doesn't work with IPv6... does that change for IPS/native IPv6? Anyone???
 

faux123

Regular Contributor
@faux123 what was the consensus here about using Suricata as IPS only? Too much for the AC86?
Can also confirm IDS doesn't work with IPv6... does that change for IPS/native IPv6? Anyone???
The issues I had with IPv6 were related to the af_packet implementation of Suricata in IPS mode; I didn't look any further once I realized the bug was in IPS mode. So I believe IDS mode is working fine, especially in pcap mode (which is the default if you followed the guided instructions).
 

heysoundude

Very Senior Member
The issues I had with IPv6 were related to the af_packet implementation of Suricata in IPS mode; I didn't look any further once I realized the bug was in IPS mode. So I believe IDS mode is working fine, especially in pcap mode (which is the default if you followed the guided instructions).
I did, but I'm not seeing any "action" on the graph/chart in the GUI.
I changed my WAN setup slightly, however; perhaps I just need to re-run the install.
 

heysoundude

Very Senior Member
um, how does one make suricata_manager executable? I've issued it and all I get is
-sh: suricata_manager: not found
even though I've checked that it IS in the /jffs/addons/suricata folder

(could this be why my GUI graph isn't populating?)
 

JJohnson1988

Occasional Visitor
um, how does one make suricata_manager executable? I've issued it and all I get is
-sh: suricata_manager: not found
even though I've checked that it IS in the /jffs/addons/suricata folder

(could this be why my GUI graph isn't populating?)
Yeah you currently have to run it directly from /jffs/addons/suricata.

Just do "sh suricata_manager.sh <argument>" from the above directory.
 

abracadabra11

Regular Contributor
Has something changed? Is Suricata IDS suitable for an RT-AC68U? I thought I recalled an earlier version of the thread indicating only the 86U and above.
 

heysoundude

Very Senior Member
Yeah you currently have to run it directly from /jffs/addons/suricata.

Just do "sh suricata_manager.sh <argument>" from the above directory.
I had to uninstall and reinstall, and it's all working again, even the chart in the GUI. So disregard my earlier support of the claim that Suricata doesn't work under native IPv6.
 

archiel

Senior Member
@faux123 @rgnldo As I understand it, with an AX88U I have the choice of running suricata or snort as IDS/IPS, I am already running skynet. What I do not understand is which combination is 'better' - what are the advantages / disadvantages of each.
 

rgnldo

Very Senior Member
@faux123 @rgnldo As I understand it, with an AX88U I have the choice of running suricata or snort as IDS/IPS, I am already running skynet. What I do not understand is which combination is 'better' - what are the advantages / disadvantages of each.
Suricata by Entware, only IDS.
Snort3 works as IDS/IPS on the AX88U and AC86U.
 

abracadabra11

Regular Contributor
It works. In IDS mode it is smooth and stable. Skynet + Suricata IDS, a good partnership.
Thanks!

Is it possible to run QoS with Suricata active? I saw that Adaptive QoS is not compatible (and I am currently using FlexQoS), but is it possible to use traditional QoS? Perhaps I should also ask if there's any advantage to running traditional QoS?

There are certain applications where QoS is very useful for my network, so trying to balance possibly using Suricata with some form of QoS.

As noted above, using RT-AC68U so CakeQoS is not an option.
 

juched

Senior Member
After running Suricata for a while now, I have today decided to disable some of the "noise" false positives. I disabled:

# - emerging-dns.rules
# - emerging-icmp_info.rules
# - emerging-user_agents.rules
# - emerging-policy.rules
# - emerging-games.rules

Policy items, tracking pings on the network, DNS lookups to more rarely used top-level domains and interesting user agents do seem to be worth the effort to filter through.

Added this change to the default yaml file and also updated the stats to group by day, making it easier to see items by day.
 
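The two tuning steps in the post above, commenting rule files out of the suricata.yaml `rule-files` list and tallying alerts by day to see which categories are noisy, as an added example that is not part of the post or of any project's code. The YAML fragment, the eve.json lines and the signature names in it are constructed sample data, and the rule path is assumed:

```python
"""Added helpers for tuning Suricata rule noise (not from the thread).

1. disable_rule_files(): comment out chosen entries in the rule-files list of
   a suricata.yaml, producing exactly the "# - emerging-dns.rules" form.
2. alerts_by_day_and_rule(): count eve.json alert records per day and per
   signature so noisy categories can be identified before disabling them.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed fragment of a suricata.yaml rule-files list (assumed rule path)
SAMPLE_YAML = """\
default-rule-path: /opt/var/lib/suricata/rules
rule-files:
  - emerging-attack_response.rules
  - emerging-dns.rules
  - emerging-icmp_info.rules
  - emerging-malware.rules
  - emerging-policy.rules
"""

NOISY = ["emerging-dns.rules", "emerging-icmp_info.rules", "emerging-policy.rules"]


def disable_rule_files(yaml_text: str, names) -> str:
    """Return yaml_text with the named rule-files entries commented out.
    Only lines of the form '  - <name>' are touched; already-commented
    lines and unrelated keys are left untouched."""
    wanted = set(names)
    out = []
    for line in yaml_text.splitlines():
        m = re.match(r"^(\s*)- (\S+)\s*$", line)
        if m and m.group(2) in wanted:
            indent, name = m.groups()
            line = f"{indent}# - {name}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed eve.json lines (Suricata's JSON event log); IPs, timestamps and
# signature names are invented sample values
SAMPLE_EVE = """\
{"timestamp":"2021-02-03T08:01:10.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"10.0.0.1","alert":{"signature":"SAMPLE DNS Query to rare TLD","category":"Potentially Bad Traffic"}}
{"timestamp":"2021-02-03T09:15:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"10.0.0.1","alert":{"signature":"SAMPLE DNS Query to rare TLD","category":"Potentially Bad Traffic"}}
{"timestamp":"2021-02-03T09:16:00.000000+0000","event_type":"flow","src_ip":"192.168.1.21","dest_ip":"10.0.0.2"}
{"timestamp":"2021-02-04T01:00:00.000000+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"192.168.1.1","alert":{"signature":"SAMPLE ICMP PING","category":"Misc activity"}}
not valid json, should be skipped
"""


def alerts_by_day_and_rule(eve_text: str):
    """Return {day: Counter({signature: count})} for event_type == 'alert'.
    Malformed lines are skipped instead of aborting the whole report."""
    per_day = defaultdict(Counter)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        day = ev.get("timestamp", "")[:10]  # ISO date prefix YYYY-MM-DD
        sig = ev.get("alert", {}).get("signature", "<unknown>")
        per_day[day][sig] += 1
    return dict(per_day)


def top_rules(eve_text: str, n: int = 5):
    """Most frequent signatures overall: the candidates to review as noise."""
    total = Counter()
    for counts in alerts_by_day_and_rule(eve_text).values():
        total.update(counts)
    return total.most_common(n)


if __name__ == "__main__":
    print(disable_rule_files(SAMPLE_YAML, NOISY))
    for day, counts in sorted(alerts_by_day_and_rule(SAMPLE_EVE).items()):
        print(day)
        for sig, c in counts.most_common():
            print(f"  {c:4d}  {sig}")
```

On a router the eve.json path depends on the install; point `alerts_by_day_and_rule` at the file contents and review the top signatures before commenting a whole rule file out, since a file such as emerging-dns.rules mixes low-value lookups with rules you may still want.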

heysoundude

Very Senior Member
After running Suricata for a while now, I have today decided to disable some of the "noise" false positives. I disabled:

# - emerging-dns.rules
# - emerging-icmp_info.rules
# - emerging-user_agents.rules
# - emerging-policy.rules
# - emerging-games.rules

Policy items, tracking pings on the network, DNS lookups to more rarely used top-level domains and interesting user agents do seem to be worth the effort to filter through.

Added this change to the default yaml file and also updated the stats to group by day, making it easier to see items by day.
wonderful, thank you.
now can you work on making it so I can issue suricata_manager update please?
 

ugandy

Very Senior Member
on the webui suricata report, the column for "Date" is not wide enough (on firefox at least); "Destination IP" column title is misspelled.
 
Last edited:

ugandy

Very Senior Member
maybe a silly question, but curious. Suricata has to set the eth0/br0 interface to promiscuous mode to sniff packets. Are there any security considerations to using this mode on an interface?
thx
 
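The thread does not answer the question above, but one check a practitioner wants when an IDS puts an interface into promiscuous mode is that only the intended interfaces (eth0/br0 in the posts above) are in that mode. This is an added example, not code from the thread or from Suricata; the `ip -o link show` output is constructed, and the `IFF_PROMISC` bit value is the one Linux exposes in `/sys/class/net/<if>/flags`:

```python
"""Added audit helper (not from the thread): report which interfaces are in
promiscuous mode and flag any that were not expected to be."""
import re

# Linux IFF_PROMISC flag bit; /sys/class/net/<if>/flags shows the flags as hex
IFF_PROMISC = 0x100

# Constructed output of `ip -o link show`, one interface per line
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
"""


def promisc_from_ip_link(text: str):
    """Parse `ip -o link show` output and return interfaces flagged PROMISC."""
    found = []
    for line in text.splitlines():
        # "<index>: <name>[@peer]: <FLAG,FLAG,...> ..."
        m = re.match(r"^\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", line)
        if not m:
            continue
        name, flags = m.group(1), m.group(2).split(",")
        if "PROMISC" in flags:
            found.append(name)
    return found


def promisc_from_sysfs_flags(flags_hex: str) -> bool:
    """Decode the hex value read from /sys/class/net/<if>/flags."""
    return int(flags_hex, 16) & IFF_PROMISC != 0


def unexpected_promisc(found, expected):
    """Interfaces in promiscuous mode that are not on the expected list."""
    return sorted(set(found) - set(expected))


if __name__ == "__main__":
    promisc = promisc_from_ip_link(SAMPLE_IP_LINK)
    print("promiscuous:", promisc)
    # eth0 is the sniffing interface from the thread; eth1 is not expected
    print("unexpected:", unexpected_promisc(promisc, ["eth0", "br0"]))
```

On the router itself, feed the real output of `ip -o link show` to `promisc_from_ip_link`, or read `/sys/class/net/eth0/flags` and pass the value to `promisc_from_sysfs_flags`; anything reported by `unexpected_promisc` is an interface some other process put into promiscuous mode and deserves a look.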
