Suricata Suricata - IDS on AsusWRT Merlin

[glehel]

i also get:
May 7 09:24:28 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 7 09:23:27 RT-AX88U-8158 kernel: htb: htb qdisc 13: is non-work-conserving?
May 7 09:23:27 RT-AX88U-8158 kernel: htb: too many events!

same error message in eth0

 

[vdemarco]

I was getting this too. if you google for "kernel: htb: too many events!" you find a workaround.

 

[ugandy]

I was getting this too. if you google for "kernel: htb: too many events!" you find a workaround.

found the thread but couldn't figure out the workaround (something about kernel version? jumbo frames?), can you share what is the workaround?

 

[vdemarco]

found the thread but couldn't figure out the workaround (something about kernel version? jumbo frames?), can you share what is the workaround?

I can't find it now, but you basically have to echo a variable into /proc/* device to increase the event limit size.

 

[rgnldo]

what is name of the infected Mac app? That’s a big deal because most Mac users don’t use anti-virus or analyze their network activity. Hopefully Apple is aware of it.

A fork of the chromium browser, those projects that remove the codec, sync etc. In fact, he behaved like a trojan. But I believe it must be a compilation thing. As this was strange behavior, I uninstalled it.
I don't use antivirus either.

 

[rgnldo]

Hello!

I want to try Suricata!
What are the basic settings recommendations?
I have an AC86 router, openvpn client, skynet, unbound.
Should skynet and AI protection be disabled?
There are clients who connect to the internet through the wan interface and there are those who connect to the internet through the vpn interface.
Does suricata work in this form as well?

AI protection must is disabled
Install and check.

 

[ugandy]

i've installed Suricata, per instructions in post #1.
other than the "kernel: protocol 0800 is buggy" syslog msg i don't see any errors.
having used the install instructions/config in post #1, if Suricata detects something bad, what happens? are packets/connection dropped automatically, or simply reported in fast.log?

 

[glehel]

i've installed Suricata, per instructions in post #1.
other than the "kernel: protocol 0800 is buggy" syslog msg i don't see any errors.
having used the install instructions/config in post #1, if Suricata detects something bad, what happens? are packets/connection dropped automatically, or simply reported in fast.log?

same error message in AC86U Merlin 384.17

 

[rgnldo]

same error message in AC86U Merlin 384.17

identified the wan interface?
What services are installed on your router?

 

[glehel]

identified the wan interface?
What services are installed on your router?

ntpmerlin
unbound
skynet (disabled, same error message)
2x openvpn client
it may work, the size of the swap file used will increase and the processor will work better. because I enabled the http log and when I looked at an http page in the log I saw the request. However, if the openvpn client looked at the http page it did not show in the log. Does the openvpn TUN interface bypass suricata ?! I read that multiple interfaces can handle it but how?

 

[rgnldo]

try to comment on this option. Just to check

# host-mode: auto

 

[rgnldo]

TUN interface bypass suricata

we need to check

 

[rgnldo]

I set up a VPN. Works well.

May  8 08:44:43 dnsmasq-dhcp[20054]: DHCP, IP range 10.0.30.10 -- 10.0.30.50, lease time 1d
May  8 08:44:43 dnsmasq-dhcp[20054]: DHCPv6 stateless on br0
May  8 08:44:43 dnsmasq-dhcp[20054]: router advertisement on br0
May  8 08:44:43 dnsmasq-dhcp[20054]: DHCPv6 stateless on 2804:4474:201:bf::, constructed for br0
May  8 08:44:43 dnsmasq-dhcp[20054]: router advertisement on 2804:4474:201:bf::, constructed for br0
May  8 08:44:43 dnsmasq-dhcp[20054]: IPv6 router advertisement enabled
May  8 08:44:45 ovpn-client2[19753]: /sbin/route add -net 91.132.136.5 netmask 255.255.255.255 gw 45.71.172.2
May  8 08:44:45 ovpn-client2[19753]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
May  8 08:44:45 ovpn-client2[19753]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
May  8 08:44:45 ovpn-client2[19753]: Initialization Sequence Completed
May  8 08:45:19 wlceventd: WLCEVENTD wlceventd_proc_event(386): eth6: Deauth_ind 3C:BD:3E:57:D5:50, status: 0, reason: Disassociated due to inactivity (4)
May  8 08:45:19 wlceventd: WLCEVENTD wlceventd_proc_event(401): eth6: Disassoc 3C:BD:3E:57:D5:50, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72: SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:73: SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:79: SRC=0.0.0.0 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=181 MARK=0x8000000
May  8 08:45:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=190 MARK=0x8000000
May  8 08:45:51 S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
May  8 08:45:52 kernel: device ppp0 entered promiscuous mode
May  8 08:45:52 rgnldo: Started suricata from .
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72:SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:73: SRC=0.0.0.0 DST=255.255.255.255 LEN=199 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=179 MARK=0x8000000
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:79: SRC=0.0.0.0 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=181 MARK=0x8000000
May  8 08:46:37 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:0e:9a:72: SRC=0.0.0.0 DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=190 MARK=0x8000000

 

[ugandy]

try to configure in this mode.

# Runmode the engine should use.
runmode: autofp
autofp-scheduler: active-packets

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Linux high speed capture support
af-packet:
 - interface: br0
defrag: yes
# use-mmap: yes

# netmap:
# - interface: br0

'protocol is buggy' message still appears.
by the way, is af-packet:interface supposed to be eth0 or br0 ?

 

[rgnldo]

af-packet:interface supposed to be eth0 or br0

You must identify the listening interface for the Suricata.

'protocol is buggy'

as I checked, this error is generated by malformed packages.
As my access is through ppp0, it is the interface used in Suricata.

 

[glehel]

You must identify the listening interface for the Suricata.

as I checked, this error is generated by malformed packages.
As my access is through ppp0, it is the interface used in Suricata.

adaptive qos off and error message off! Trend micro problem!

 

[rgnldo]

adaptive qos off and error message off

With QoS enabled to generate the error, is that it?

 

[ugandy]

adaptive qos off and error message off! Trend micro problem!

i also have adaptive qos enabled

 

[glehel]

With QoS enabled to generate the error, is that it?

yes, only adaptive qos traditional ok!

 

[rgnldo]

i also have adaptive qos enabled

try disabling QoS.