Suricata - IDS on AsusWRT Merlin


Does this look normal for Suricata as far as processes, memory and cpu usage?

 
Do these errors indicate a misconfiguration?

 
I formatted the generation of eve.log.
There will only be alerts and drops. This avoids wasting resources.
Code:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
            tagged-packets: yes
            app-layer: true
            flow: true
            rule: true
            metadata: true
            raw: false

        - drop:
            alerts: yes
            flows: all
 
Does this look normal for Suricata as far as processes, memory and cpu usage?
Use the essentials in router + Suricata.
It's working well here.
 
Use the essentials in router + Suricata.
It's working well here.

Just to clarify, my RT-AC86U is not having any problems, I was just wondering if multiple processes is normal for Suricata? Also, do I need to keep the dns.log enabled? It is currently at 8m and growing.
 
I formatted the generation of eve.log.
There will only be alerts and drops. This avoids wasting resources.
Code:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
            tagged-packets: yes
            app-layer: true
            flow: true
            rule: true
            metadata: true
            raw: false

        - drop:
            alerts: yes
            flows: all

Do I need to edit this section in my suricata.yaml file?

Here is that section in my current suricata.yaml

 
Get the new suricata.yaml. After that, stop and start Suricata.

I just updated to your latest suricata.yaml and restarted Suricata. No more errors on the log. I will reboot as soon as my wife is off her iPad. :)
 
Here is my syslog

 
Closer screenshot showing Suricata info. Notice the entry about all 5 packet processing threads.

I will reboot as soon as I am able.

 
Do I need to make any changes in this section?


# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5
 
Is Suricata's incompatibility with QoS something that can be fixed, or is this something that can't be addressed, due to the nature of these features, and we must choose to use one or the other?
thanks
 
due to the nature of these features, and we must choose to use one or the other?
For now, it seems to be incompatible. You need to know the firmware environment well. Maybe someone here on the forum with FW Merlin knowledge and using Suricata will help. It's waiting.
 

Will advise if I see hits. Getting used to Suricata!
 

is there a recommended viewer type for this json log, other than regular text editor?
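A small viewer for the eve.json that the alert/drop configuration above produces, as an added example that is not from this thread or from Suricata: it counts alert and drop events per signature and per source IP and skips a last line that is still being written. The sample records are constructed; the field names follow Suricata's EVE JSON format.

```python
import json
from collections import Counter

# Constructed eve.json sample with only the alert and drop types enabled
# (Suricata EVE field names; events and addresses made up; the last line
# mimics a record that is still being written).
SAMPLE_EVE = """\
{"timestamp":"2020-05-09T04:22:58.266843+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51063,"dest_ip":"192.0.2.1","dest_port":123,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2020-05-09T12:22:19.157834+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":33601,"dest_ip":"192.0.2.1","dest_port":123,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2020-05-09T12:30:00.000000+0000","event_type":"drop","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","drop":{"len":60,"ttl":53,"syn":true,"ack":false},"alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED example drop rule","category":"Misc Attack","severity":3}}
{"timestamp":"2020-05-09T12:31:00.0
"""

def summarize(text):
    """Count alert/drop events per signature and per source IP."""
    by_sig, by_src, names = Counter(), Counter(), {}
    drops = skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt line, e.g. a partial write
            continue
        if rec.get("event_type") not in ("alert", "drop"):
            continue
        alert = rec.get("alert", {})  # set on drop events when 'alerts: yes'
        sid = alert.get("signature_id")
        by_sig[sid] += 1
        names[sid] = alert.get("signature", "<no signature>")
        by_src[rec.get("src_ip")] += 1
        if rec["event_type"] == "drop" or alert.get("action") == "blocked":
            drops += 1
    return {"by_signature": by_sig, "by_source": by_src, "names": names,
            "drops": drops, "skipped": skipped}

def render(summary, top=10):
    """Plain-text view: most frequent signatures and sources first."""
    out = ["%-6s %-8s %s" % ("count", "sid", "signature")]
    for sid, n in summary["by_signature"].most_common(top):
        out.append("%-6d %-8s %s" % (n, sid, summary["names"][sid]))
    out.append("sources: " + ", ".join("%s (%d)" % kv for kv in
                                       summary["by_source"].most_common(top)))
    out.append("blocked: %d, unparsable lines: %d"
               % (summary["drops"], summary["skipped"]))
    return "\n".join(out)

print(render(summarize(SAMPLE_EVE)))  # for a real log: open(path).read()
```

Because the file is one JSON object per line, the same summary works on a log that is rotated by the `%Y-%m-%d-%H:%M` filename pattern by concatenating the files first.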
 
Rebooted router, same results. I decided to play with the detect-thread-ratio: 1.5 and changed it to detect-thread-ratio: 3 to see the results. Interesting, it went from 6 instances to 8. :) The 86U is still rocking along! I may leave it at this config and just see what happens.

Default detect-thread-ratio: 1.5 setting



New detect-thread-ratio: 3

 
My syslog reporting:

RT-AC86U suricata: 9/5/2020 -- 09:17:47 - <Notice> - all 8 packet processing threads, 0 management

 
A couple of DoS attempts averted here:

05/09/2020-04:22:58.266843 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} xxx.xxx.xxx.xxx:51063 -> yyy.yyy.yyy.yyy:123

05/09/2020-12:22:19.157834 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} zzz.zzz.zzz.zzz:33601 -> yyy.yyy.yyy.yyy:123
 