What's new

Suricata Suricata - IDS on AsusWRT Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

is there a recommended viewer type for this json log, other than regular text editor?
For now using text editor...

Got one hit:

Code:
05/09/2020-16:42:00.633825  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 213.202.208.198:39459 -> xxx.xxx.xxx.xxx:123
 
I have 10 of those DDOS NTP Port 123 attacks in last 2 weeks. All but 1 of those IP Addresses were already blocked by SKYNET. I banned that 1 remaining IP using SKYNET Ban IP.
 
The Suricata is doing its job. There is no need for other procedures. It will be dropped by Suricata. Engine is powerful and smart.
 
For now using text editor...

Got one hit:

Code:
05/09/2020-16:42:00.633825  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 213.202.208.198:39459 -> xxx.xxx.xxx.xxx:123

Which log and/or json did you find this in?
 
I have 10 of those DDOS NTP Port 123 attacks in last 2 weeks. All but 1 of those IP Addresses were already blocked by SKYNET. I banned that 1 remaining IP using SKYNET Ban IP.

Joe, Which log and/or json did you find this in?
 
The Suricata is doing its job. There is no need for other procedures. It will be dropped by Suricata. Engine is powerful and smart.

rgnldo, does this mean that the originating address is now on some sort of "blacklist"? If so, where is the blacklist and for how long is it on it?
 
Hey i got the same thing

05/09/2020-10:49:27.386401 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.228.91.107:37993 -> XX.XX.XX.XX:123

Sweet its all working now.
 
What is the best way to whitelist sites?
The rules of Suricata are signed. There are some rules with compiling domains that are proven to be suspicious. Most of the rules correspond to the analysis of behaviors that characterize intrusion.
 
Yes, but how do I override Suricata to enable access to a site even if deemed suspicious by Suricata?
 
Yes, but how do I override Suricata to enable access to a site even if deemed suspicious by Suricata?
I believe you did not understand the logic of Suricata. The actions are to prevent intrusion, some dangerous action to the network's customers.
 
I believe you did not understand the logic of Suricata. The actions are to prevent intrusion, some dangerous action to the network's customers.

In any case a good IDS/IPS shall have an option to whitelist.
 
Hey i got the same thing

05/09/2020-10:49:27.386401 [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.228.91.107:37993 -> XX.XX.XX.XX:123

Sweet its all working now.

Ditto; I got one (.json and fast.log) last night:

{"timestamp":"1969-12-31T19:00:00.002026-0500","flow_id":1630532794320874,"in_iface":"eth0","event_type":"alert","src_ip":"193.228.91.106","src_port":42708,"dest_ip":"xx.xxx.xx.xx","dest_port":123,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2017919,"rev":2,"signature":"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03","category":"Attempted Denial of Service","severity":2,"metadata":{"updated_at":["2014_01_02"],"created_at":["2014_01_02"]}},"app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":234,"bytes_toclient":0,"start":"1969-12-31T19:00:00.002026-0500"}}

The recent, multiple sources of this thing seem consistent with earlier speculation about an old Trojan: https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-5#post-580324

IIUC, this probe was NOT blocked
("action":"allowed") https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html

To block it would require the rule to use "drop" action and Suricata to be configured in the IPS mode.

Nifty Stuff! :)
 
Last edited:
I am impressed. This is the first thing that would make me recommend an ASUS router to a friend.

Heh....ISTM Rgnldo is the impressive component with suricata (and he has other routers under "development").

But it is the whole Merlin-ASUS infrastructure/contributions from others here that is most profoundly impressive and makes supported ASUS modems the first choice IMHO
 
Last edited:

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top