Suricata Suricata - IDS on AsusWRT Merlin

[Smokey613]

Does this look normal for Suricata as far as processes, memory and cpu usage?

 

[Smokey613]

Do these errors indicate a misconfiguration?

 

[rgnldo]

I formatted the generation of eve.log.
There will only be alerts and drops. This avoids wasting resources.

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
          tagged-packets: yes
          app-layer: true
          flow: true
          rule: true
          metadata: true
          raw: false

        - drop:
          alerts: yes
          flows: all

 

[rgnldo]

Does this look normal for Suricata as far as processes, memory and cpu usage?

Use the essentials in router + Suricata.
It's working well here.

 

[Smokey613]

Use the essentials in router + Suricata.
It's working well here.

Just the clarify, my RT-AC86U is not having any problems, I was just wondering if multiple processes was normal for Suricata ? Also, do I need to keep the dns.log enabled? It is currently at 8m and growing.

 

[Smokey613]

I formatted the generation of eve.log.
There will only be alerts and drops. This avoids wasting resources.

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
          tagged-packets: yes
          app-layer: true
          flow: true
          rule: true
          metadata: true
          raw: false

        - drop:
          alerts: yes
          flows: all

Do I need to edit this section in my suricata.yaml file?

Here is that section in my current suricata.yaml

 

[rgnldo]

Also, do I need to keep the dns.log enabled? It is currently at 8m and growing.

get new suricata.yaml. After, stop and start Suricata

 

[rgnldo]

I was just wondering if multiple processes was normal for Suricata ?

It is not normal. I checked here. With one process. It's normal. Try rebooting.

 

[Smokey613]

get new suricata.yaml. After, stop and start Suricata

I just updated to your latest suricata.yaml and restarted Suricata. No more errors on the log. I will reboot as soon as my wife is off her iPad.

 

[Smokey613]

Here is my syslog

 

[Smokey613]

Closer screenshot showing Suricata info. Notice the entry about all 5 packet processing threads.

I will reboot as soon as I am able.

 

[Smokey613]

Do I need to make any changes in this section?


# Suricata is multi-threaded. Here the threading can be influenced.
threading:
set-cpu-affinity: no
detect-thread-ratio: 1.5

 

[ugandy]

Is Suricata's incompatibility with QoS something that can be fixed, or is this something that can't be addressed, due to the nature of these features, and we must chose to use one or the other?
thanks

 

[rgnldo]

Do I need to make any changes in this section?

https://suricata.readthedocs.io/en/suricata-4.1.3/configuration/suricata-yaml.html

threading:
set-cpu-affinity: no

is in non multi thread mode

 

[rgnldo]

due to the nature of these features, and we must chose to use one or the other?

For now, it seems to be incompatible. You need to know the firmware environment well. Maybe someone here on the forum with FW Merlin knowledge and using Suricata will help. It's waiting.

 

[ttgapers]

W

I formatted the generation of eve.log.
There will only be alerts and drops. This avoids wasting resources.

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d-%H:%M.json

      types:
        - alert:
          tagged-packets: yes
          app-layer: true
          flow: true
          rule: true
          metadata: true
          raw: false

        - drop:
          alerts: yes
          flows: all

Will advise if I see hits. Getting used to Suricata!

 

[ugandy]

W


Will advise if I see hits. Getting used to Suricata!

is there a recommended viewer type for this json log, other than regular text editor?

 

[Smokey613]

Rebooted router, same results. I decided to play with the detect-thread-ratio: 1.5 and changed it to detect-thread-ratio: 3 to see the results. Interesting, it went from 6 instances to 8. The 86U is still rocking along! I may leave it at this config and just see what happens.

Default detect-thread-ratio: 1.5 setting

New detect-thread-ratio: 3

 

[Smokey613]

My syslog reporting:

RT-AC86U suricata: 9/5/2020 -- 09:17:47 - <Notice> - all 8 packet processing threads, 0 management

 

[visortgw]

A couple of DoS attempts averted here:

05/09/2020-04:22:58.266843 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} xxx.xxx.xxx.xxx:51063 -> yyy.yyy.yyy.yyy:123

05/09/2020-12:22:19.157834 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} zzz.zzz.zzz.zzz:33601 -> yyy.yyy.yyy.yyy:123​