Suricata - IDS on AsusWRT Merlin

ttgapers

Senior Member
Is there a recommended viewer type for this json log, other than a regular text editor?
For now using text editor...

Got one hit:

Code:
05/09/2020-16:42:00.633825  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 213.202.208.198:39459 -> xxx.xxx.xxx.xxx:123
 

joe scian

Senior Member
I have 10 of those DDoS NTP Port 123 attacks in the last 2 weeks. All but 1 of those IP addresses were already blocked by SKYNET. I banned that 1 remaining IP using SKYNET Ban IP.
 

rgnldo

Very Senior Member
Suricata is doing its job. There is no need for other procedures. It will be dropped by Suricata. The engine is powerful and smart.
 

mike37

Regular Contributor
For now using text editor...

Got one hit:

Code:
05/09/2020-16:42:00.633825  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 213.202.208.198:39459 -> xxx.xxx.xxx.xxx:123
Which log and/or json did you find this in?
 

mike37

Regular Contributor
I have 10 of those DDoS NTP Port 123 attacks in the last 2 weeks. All but 1 of those IP addresses were already blocked by SKYNET. I banned that 1 remaining IP using SKYNET Ban IP.
Joe, which log and/or json did you find this in?
 

mike37

Regular Contributor
Suricata is doing its job. There is no need for other procedures. It will be dropped by Suricata. The engine is powerful and smart.
rgnldo, does this mean that the originating address is now on some sort of "blacklist"? If so, where is the blacklist and for how long is it on it?
 

joe scian

Senior Member

vdemarco

Senior Member
Hey, I got the same thing

05/09/2020-10:49:27.386401 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.228.91.107:37993 -> XX.XX.XX.XX:123

Sweet, it's all working now.
 

Ozymandias

Occasional Visitor
Yes, but how do I override Suricata to enable access to a site even if deemed suspicious by Suricata?
 

netware5

Very Senior Member
I believe you did not understand the logic of Suricata. The actions are to prevent intrusion, some dangerous action to the network's customers.
In any case a good IDS/IPS shall have an option to whitelist.
 

mike37

Regular Contributor
Hey, I got the same thing

05/09/2020-10:49:27.386401 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.228.91.107:37993 -> XX.XX.XX.XX:123

Sweet, it's all working now.
Ditto; I got one (.json and fast.log) last night:

{"timestamp":"1969-12-31T19:00:00.002026-0500","flow_id":1630532794320874,"in_iface":"eth0","event_type":"alert","src_ip":"193.228.91.106","src_port":42708,"dest_ip":"xx.xxx.xx.xx","dest_port":123,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2,"metadata":{"updated_at":["2014_01_02"],"created_at":["2014_01_02"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":234,"bytes_toclient":0,"start":"1969-12-31T19:00:00.002026-0500"}}

The recent, multiple sources of this thing seem consistent with earlier speculation about an old Trojan: https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-5#post-580324

IIUC, this probe was NOT blocked ("action":"allowed"): https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html

To block it would require the rule to use "drop" action and Suricata to be configured in the IPS mode.

Nifty Stuff! :)
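
As an added example (not code from this thread, from Suricata, or from the Merlin scripts), here is a small Python reader for eve.json that answers the "viewer" question above and makes the "action":"allowed" point visible: it reduces each alert record to the fields that matter on a router and says whether Suricata actually blocked the flow. The first sample record is the one quoted in this thread; the second and third records, including their IP addresses, are constructed, and the "clock not set" check for epoch-era timestamps is my own assumption.

```python
import json
from collections import Counter

# Constructed sample eve.json content (one JSON object per line, as Suricata writes it).
# Record 1: the alert quoted above (action "allowed" = logged only, not dropped).
# Record 2: a made-up record showing the same signature when a drop rule fires in IPS mode.
# Record 3: a non-alert event, which the reader must skip.
SAMPLE_EVE = r'''
{"timestamp":"1969-12-31T19:00:00.002026-0500","flow_id":1630532794320874,"in_iface":"eth0","event_type":"alert","src_ip":"193.228.91.106","src_port":42708,"dest_ip":"xx.xxx.xx.xx","dest_port":123,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2,"metadata":{"updated_at":["2014_01_02"],"created_at":["2014_01_02"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":234,"bytes_toclient":0,"start":"1969-12-31T19:00:00.002026-0500"}}
{"timestamp":"2020-05-09T16:42:00.633825-0400","flow_id":2,"in_iface":"eth0","event_type":"alert","src_ip":"203.0.113.7","src_port":39459,"dest_ip":"192.0.2.1","dest_port":123,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2020-05-09T16:42:01.000000-0400","flow_id":3,"event_type":"flow","src_ip":"192.0.2.1","dest_ip":"198.51.100.1","proto":"UDP"}
'''

def parse_eve(text):
    """Yield one dict per non-empty line of an eve.json file."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def alert_summary(record):
    """Reduce one EVE alert record to the fields a router admin wants to see."""
    alert = record["alert"]
    return {
        "time": record["timestamp"],
        # Assumption: a timestamp in 1969/1970 means the router clock had not been set
        # (NTP not yet synced) when the alert was logged, so the time is meaningless.
        "clock_unset": int(record["timestamp"][:4]) < 2000,
        "sid": alert["signature_id"],
        "signature": alert["signature"],
        "src": f'{record["src_ip"]}:{record.get("src_port", "")}',
        "dst_port": record.get("dest_port"),
        "action": alert["action"],
        # Only "blocked" means the packet was dropped; "allowed" is detection-only.
        "blocked": alert["action"] == "blocked",
    }

def report(text):
    """Return (per-alert summaries, Counter of allowed vs blocked) for alert events only."""
    rows = [alert_summary(r) for r in parse_eve(text) if r.get("event_type") == "alert"]
    counts = Counter("blocked" if row["blocked"] else "allowed" for row in rows)
    return rows, counts

if __name__ == "__main__":
    rows, counts = report(SAMPLE_EVE)
    for row in rows:
        flag = "[CLOCK NOT SET] " if row["clock_unset"] else ""
        print(f'{flag}{row["time"]} sid={row["sid"]} {row["action"]:8} '
              f'{row["src"]} -> :{row["dst_port"]} {row["signature"]}')
    print(dict(counts))
```

Point it at the router's real eve.json by replacing SAMPLE_EVE with the file contents; a summary in which every alert says "allowed" tells you Suricata is running in IDS mode and nothing has been dropped, whatever fast.log looks like.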
 

mike37

Regular Contributor
I am impressed. This is the first thing that would make me recommend an ASUS router to a friend.
Heh... ISTM Rgnldo is the impressive component with Suricata (and he has other routers under "development").

But it is the whole Merlin-ASUS infrastructure/contributions from others here that is most profoundly impressive and makes supported ASUS routers the first choice IMHO.
 