Suricata - IDS on AsusWRT Merlin


Try disabling QoS.
Disabled QoS completely, but I still get:
May 8 08:47:11 RT-AX88U-8158 cromo: Started suricata from .
May 8 08:47:12 RT-AX88U-8158 kernel: device eth0 entered promiscuous mode
May 8 08:47:35 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0

May 8 08:55:05 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:55:35 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:56:06 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:56:36 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:57:06 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:57:36 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:58:06 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 08:58:36 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
May 8 09:02:53 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev br0
May 8 09:03:05 RT-AX88U-8158 kernel: net_ratelimit: 12 callbacks suppressed
May 8 09:03:05 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev eth0
 
Weird. Is Trend Micro disabled? With QoS disabled, reboot.

Get the new suricata.yaml from the repository.
 
Try disabling QoS.
Apparently, both adaptive QoS enabled and QoS disabled cause the issue; enabling traditional QoS suppresses the "buggy" messages. Trend Micro is still enabled.
 
Weird. Is Trend Micro disabled? With QoS disabled, reboot.

Get the new suricata.yaml from the repository.

After the reboot, I don't see the buggy protocol message anymore.
I turned QoS off and also turned the app analysis button off.

By the way, the new suricata.yaml file enabled dns.log and the unified log too. Do I want to keep that?
Are these logs limited in size, or can they fill the disk space to 100%?
 
I spoke too soon.
Suricata died, and upon restart I get:

May 8 09:17:11 RT-AX88U-8158 S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
May 8 09:17:11 RT-AX88U-8158 cromo: Started suricata from .
May 8 09:17:12 RT-AX88U-8158 kernel: device eth0 entered promiscuous mode
May 8 09:23:05 RT-AX88U-8158 kernel: device eth0 left promiscuous mode
May 8 09:29:05 RT-AX88U-8158 S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
May 8 09:29:05 RT-AX88U-8158 cromo: Started suricata from .
May 8 09:29:06 RT-AX88U-8158 kernel: device eth0 entered promiscuous mode
May 8 09:29:06 RT-AX88U-8158 kernel: protocol 0800 is buggy, dev br0


This is with QoS off, after a reboot.

In any case, the rate of buggy protocol messages is lower. Only 1 so far.
 
@rgnldo, can I ask: using the configuration and set of rules you provided us, is Suricata detecting/reporting only, or is it also dropping bad packets?
 
I can confirm with Adaptive QoS disabled that the buggy errors are gone.

My setup also includes 2x OpenVPN site-to-site spokes to my hub (which is running Suricata). It's mapped to eth0 and no issues finally. I am also running Diversion, Skynet, and Unbound with dnsmasq.

My question is around the testing of functionality. I have used the tests included in this thread to http://testmyids.com/ as well as http://testmyids.ca/ and I get no hits and the browser shows the results.

Any ideas? This is some GREAT work here bro! Good morning!
 
The rules are read by the Suricata engine, guided by the classification.config file.
I read the file classification.config and recognize a list of event types, but I can't tell what will happen for each one of them. Just report, or also block? Looks like it is just reporting?
Is it configured for IDS only, or does it do IPS too?
Thanks
 
My question is around the testing of functionality. I have used the tests included in this thread to http://testmyids.com/ as well as http://testmyids.ca/ and I get no hits and the browser shows the results.
The tests I performed were those recommended by the community. See the first posts.
You can check the operation by enabling http.log.
 
The rule that would be triggered by this is turned off. Once again, I can't remember which rule it was.
 
I read the file classification.config and recognize a list of event types, but I can't tell what will happen for each one of them. Just report, or also block? Looks like it is just reporting?
classification.config and suricata.yaml
Configured for IDS only, or does it do IPS too?
Both.
 
Must be something in my setup. I still get multiple "protocol buggy" messages with QoS disabled (after reboot).
 
Must be something in my setup. I still get multiple "protocol buggy" messages with QoS disabled (after reboot).

Disabled "traffic analyzer" too, and now the message is gone. I guess these QoS features are not compatible with Suricata. That's unfortunate.
 
Just create a rule that simulates an intrusion.
I understand, but to be honest I just wanted to know it's working, so I turned on the event JSON log file, could see it filling up, so it's definitely looking at stuff. I then turned the log back to the way it was. I am satisfied that it's all working, to be honest.
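The "report only, or also block?" question above can be answered from the same eve.json (event JSON) log the previous poster switched on: every alert record carries an alert.action of "allowed" (rule only alerted) or "blocked" (a drop/reject rule fired in inline mode). The script below is an added example, not part of the thread or of rgnldo's package; the eve.json lines are constructed samples (the log path is an assumption, pass your own as the first argument).

```python
import json
import sys
from collections import Counter

# Constructed sample eve.json records (one JSON object per line, as Suricata writes them).
# The last line is deliberately truncated, as happens when the file is read mid-write.
SAMPLE_EVE = """\
{"timestamp":"2020-05-08T09:30:01.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2020-05-08T09:30:02.000000+0000","event_type":"http","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","http":{"hostname":"testmyids.com","url":"/"}}
{"timestamp":"2020-05-08T09:31:05.000000+0000","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"203.0.113.11","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL test drop rule","category":"Misc Attack","severity":3}}
{"timestamp":"2020-05-08T09:32:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2020-05-08T09:33:00.000000+0000","event_type":"alert","src_ip":"192.16
"""


def summarize_alerts(eve_text):
    """Count eve.json alert events by action and by (sid, signature).

    Non-alert records (http, dns, flow, stats, ...) are ignored, and lines that
    are not complete JSON (partial writes) are counted in 'skipped' instead of
    aborting the whole run.
    """
    by_action = Counter()
    by_signature = Counter()
    skipped = 0
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        by_action[alert.get("action", "unknown")] += 1
        by_signature[(alert.get("signature_id"), alert.get("signature"))] += 1
    return {"by_action": dict(by_action), "by_signature": dict(by_signature), "skipped": skipped}


def mode_from_actions(by_action):
    """Translate the action counts into the IDS/IPS answer the thread is asking for."""
    if by_action.get("blocked", 0) > 0:
        return "IPS: some alerts were blocked"
    if by_action.get("allowed", 0) > 0:
        return "IDS: alerts only, nothing blocked"
    return "no alerts seen"


if __name__ == "__main__":
    # Assumed default path; Entware installs commonly log under /opt/var/log/suricata/.
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/var/log/suricata/eve.json"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_EVE  # fall back to the constructed sample so the script runs offline
    summary = summarize_alerts(text)
    print(mode_from_actions(summary["by_action"]), summary)
```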
 
I know that it is not easy to use an IDS system without a graphical interface. But understand that Suricata will do the service.
 
I could not resist. I disabled all the TM stuff, no QoS, no AiProtect... nothing. Still running Skynet though. Decided to jump on this suricata thing and so far it is up and running. I guess time will tell if it's working properly.
 