Ludus package - security research project invitation

When will Ludus be available for MOX?

Some problem on my side … after installing, the status is “stopped” … and the command
/etc/init.d/ludus start gives an error

Important information: I have the system installed on an mSATA SSD

root@turris:~# /etc/init.d/ludus start
Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.
Trying to run suricata_update_rules.sh
Public IP autodetection IP=93.91.50.207
Copying normal suricata rules.
root@turris:~# ^C

root@turris:~# opkg install suricata-emergingthreats-rules
Installing suricata-emergingthreats-rules (6) to root...
Downloading https://repo.turris.cz/omnia/packages//turrispackages/suricata-emergingthreats-rules_6_mvebu.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0  11781      0 --:--:-- --:--:-- --:--:-- 27236
Collected errors:
 * check_data_file_clashes: Package suricata-emergingthreats-rules wants to install file /etc/logrotate.d/suricata-alert
        But that file is already provided by package  * suricata-emergingthreats-rules-ludus
 * check_data_file_clashes: Package suricata-emergingthreats-rules wants to install file /etc/cron.d/suricata
        But that file is already provided by package  * suricata-emergingthreats-rules-ludus
 * check_data_file_clashes: Package suricata-emergingthreats-rules wants to install file /usr/bin/suricata_update_rules.sh
        But that file is already provided by package  * suricata-emergingthreats-rules-ludus
 * opkg_install_cmd: Cannot install package suricata-emergingthreats-rules.
root@turris:~# opkg install suricata-emergingthreats-rules-ludus
Package suricata-emergingthreats-rules-ludus (6) installed in root is up to date.
root@turris:~# ^C

root@turris:~# /etc/init.d/ludus start
Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.
Trying to run suricata_update_rules.sh
Public IP autodetection IP=93.91.50.207
Copying normal suricata rules.
root@turris:~#

And in syslog:

2019-10-15 17:51:11 debug kernel[]: [   62.469105] ucollect-fake-open-inet: IN=eth1 OUT= MAC=d8:58:d7:00:35:50:cc:2d:e0:26:3f:54:08:00 SRC=179.97.248.76 DST=10.109.54.199 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=40191 PROTO=TCP SPT=25075 DPT=80 WINDOW=9388 RES=0x00 SYN URGP=0 MARK=0x80000 
2019-10-15 17:51:14 emerg kresd[8370]: Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.
2019-10-15 17:51:14 notice ludus[]: Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.
2019-10-15 17:51:14 emerg kresd[8370]: Trying to run suricata_update_rules.sh
2019-10-15 17:51:14 notice ludus[]: Trying to run suricata_update_rules.sh
2019-10-15 17:51:14 info kernel[]: [   65.493233] device br-guest_turris entered promiscuous mode
2019-10-15 17:51:15 emerg kresd[8370]: Public IP autodetection IP=93.91.50.207
2019-10-15 17:51:15 notice ludus[]: Public IP autodetection IP=93.91.50.207
2019-10-15 17:51:15 notice firewall[]: Reloading firewall due to ifup of wan (eth1)
2019-10-15 17:51:15 emerg kresd[8370]: Copying normal suricata rules.
2019-10-15 17:51:15 notice ludus[]: Copying normal suricata rules.
2019-10-15 17:51:15 info turris-firewall-rules[]: (v63) IPv4 WAN interface used - 'eth1'
2019-10-15 17:51:15 info turris-firewall-rules[]: (v63) IPv6 WAN interface used - 'lo'
2019-10-15 17:51:16 emerg turris[]: Router Turris successfully started.
2019-10-15 17:51:16 info procd[]: - init complete -
2019-10-15 17:51:16 err ludus.py[8625]: netstat: showing only processes with your user ID
2019-10-15 17:51:17 err ludus.py[4284]: Last message 'netstat: showing onl' repeated 6 times, suppressed by syslog-ng on turris
2019-10-15 17:51:17 info ludus.py[8625]: 2323
2019-10-15 17:51:17 info ludus.py[8625]: 23
2019-10-15 17:51:17 info ludus.py[8625]: 3128
2019-10-15 17:51:17 info ludus.py[8625]: 8080
2019-10-15 17:51:17 info ludus.py[8625]: 80
2019-10-15 17:51:17 info ludus.py[8625]: 8123
2019-10-15 17:51:17 info ludus.py[8625]: 53
2019-10-15 17:51:17 err ludus.py[8625]: Traceback (most recent call last):
2019-10-15 17:51:17 err ludus.py[8625]:   File "/usr/share/ludus/ludus.py", line 369, in <module>
2019-10-15 17:51:17 err ludus.py[8625]:     ludus.start()
2019-10-15 17:51:17 err ludus.py[8625]:   File "/usr/share/ludus/ludus.py", line 330, in start
2019-10-15 17:51:17 err ludus.py[8625]:     (self.production_ports, self.active_honeypots)=get_ports_information()
2019-10-15 17:51:17 err ludus.py[8625]:   File "/usr/share/ludus/ludus.py", line 127, in get_ports_information
2019-10-15 17:51:17 err ludus.py[8625]:     data = IPTablesAnalyzer.iptables_analyzer.get_output()
2019-10-15 17:51:17 err ludus.py[8625]:   File "/usr/share/ludus/IPTablesAnalyzer/iptables_analyzer.py", line 189, in get_output
2019-10-15 17:51:17 err ludus.py[8625]:     for port,protocol in process_honeypots(verbose):
2019-10-15 17:51:17 err ludus.py[8625]:   File "/usr/share/ludus/IPTablesAnalyzer/iptables_analyzer.py", line 47, in process_honeypots
2019-10-15 17:51:17 err ludus.py[8625]:     data = parse_from_line(subprocess.Popen('iptables -vnL -t mangle| grep -w '+ rule[9], shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE).communicate()[0].decode("utf-8"))
2019-10-15 17:51:17 err ludus.py[8625]:   File "/usr/share/ludus/IPTablesAnalyzer/iptables_analyzer.py", line 20, in parse_from_line
2019-10-15 17:51:17 err ludus.py[8625]:     return (output[0], output[1])
2019-10-15 17:51:17 err ludus.py[8625]: IndexError: list index out of range

Important information: I have the system installed on an mSATA SSD

root@turris:~# /tmp/log/ludus/ludus.log
-ash: /tmp/log/ludus/ludus.log: Permission denied
root@turris:~#
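The traceback in the syslog above ends in `parse_from_line`, which returns `(output[0], output[1])` unconditionally; when the `grep -w` for a rule finds no line, the split result is empty and the `IndexError` stops Ludus before it ever starts. The snippet below is an added example, not Ludus's own code: a hypothetical re-implementation of the two steps the traceback shows (read `iptables -vnL -t mangle`, find the rule line, take the packet and byte counters) that returns `None` for a missing rule instead of crashing, and that runs iptables with an argument list and filters in Python rather than concatenating the rule text into a `shell=True` command string. The sample table output is constructed; the names `honeypot_counters` and `find_rule_line` are mine.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample of `iptables -vnL -t mangle` output (not captured
# from a real router). Column order is the one iptables prints:
# pkts bytes target prot opt in out source destination [extra]
SAMPLE_MANGLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 MARK set 0x80000
    0     0 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2323 MARK set 0x80000
  12K  750K MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x80000
"""

# iptables -v abbreviates large counters as K/M/G (thousands-based)
# unless -x is given; accept both forms.
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def _counter(field: str) -> int:
    """Convert '42' or '12K' to an int; raise ValueError for anything else."""
    if field and field[-1] in _SUFFIX:
        return int(field[:-1]) * _SUFFIX[field[-1]]
    return int(field)


def parse_from_line(line: str) -> Optional[Tuple[int, int]]:
    """Return (packets, bytes) from one rule line, or None when the line is
    empty or does not begin with two counters. The traceback's version
    indexed output[0] and output[1] without this check."""
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        return _counter(fields[0]), _counter(fields[1])
    except ValueError:
        return None


def find_rule_line(table_output: str, needle: str) -> str:
    """Python equivalent of `grep -w needle`: whole-word match, so 'dpt:23'
    does not match 'dpt:2323'. Returns the first matching line or ''."""
    pattern = re.compile(r"(?<!\w)" + re.escape(needle) + r"(?!\w)")
    for line in table_output.splitlines():
        if pattern.search(line):
            return line
    return ""


def honeypot_counters(needle: str,
                      table_output: Optional[str] = None) -> Optional[Tuple[int, int]]:
    """Counters for the rule identified by `needle`, or None if absent.
    When table_output is None the table is read from iptables via an
    argument list (no shell involved, so the rule text is never parsed
    by a shell). -x asks for exact, unabbreviated counters."""
    if table_output is None:
        table_output = subprocess.run(
            ["iptables", "-vnxL", "-t", "mangle"],
            capture_output=True, text=True, check=True,
        ).stdout
    return parse_from_line(find_rule_line(table_output, needle))


if __name__ == "__main__":
    # Offline demonstration on the constructed table: a missing rule
    # yields None instead of an IndexError.
    for needle in ("dpt:23", "dpt:2323", "dpt:80", "dpt:8080"):
        print(needle, "->", honeypot_counters(needle, SAMPLE_MANGLE_OUTPUT))
```

The caller in `get_output` can then skip a `None` result (rule not present in the mangle table) and log which honeypot rule was missing, which is the information a user with the "stopped" status above would need.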

From the output, you are trying to run the log file and you get permission denied, which is correct. If you would like to see or edit that log, you need to put some command before the path to the file/folder.

For example:

cat /tmp/log/ludus/ludus.log

Sorry, :frowning: only a wrong copy of the command from … see above

root@turris:~# ^C
root@turris:~# cat /tmp/log/ludus/ludus.log
[2019/10/16 13:45:55.204569]    Ludus system started.
[2019/10/16 13:52:43.481238]    Ludus system started.
root@turris:~#

After installing, the status is “stopped” … and with the command
/etc/init.d/ludus start

Got the same result after install.

On my side a problem comes with too large Ludus data in the /tmp folder, and the following actions to kill the process

/tmp/log/ludus … 356 501 k
file eve.json … 356 812 k

When the Ludus GUI is “Stopped” … does Ludus work or not?

root@turris:~# /etc/init.d/ludus start
Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.
Trying to run suricata_update_rules.sh
Public IP autodetection IP=93.91.50.207
Copying normal suricata rules.
root@turris:~#

So far there is nothing new to make the Ludus GUI operational?

At this time it is not possible to install ludus-gui, ludus and suricata-emergingthreats-rules-ludus

Example:

root@turris:~# opkg install ludus
Installing ludus (0.8-3) to root...
Downloading https://repo.turris.cz/omnia/packages//turrispackages/ludus_0.8-3_mvebu.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 59513  100 59513    0     0   190k      0 --:--:-- --:--:-- --:--:--  480k
Installing suricata-emergingthreats-rules-ludus (6) to root...
Downloading https://repo.turris.cz/omnia/packages//turrispackages/suricata-emergingthreats-rules-ludus_6_mvebu.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1630  100  1630    0     0  17526      0 --:--:-- --:--:-- --:--:-- 17717
Collected errors:
 * check_data_file_clashes: Package suricata-emergingthreats-rules-ludus wants to install file /etc/logrotate.d/suricata-alert
        But that file is already provided by package  * suricata-emergingthreats-rules
 * check_data_file_clashes: Package suricata-emergingthreats-rules-ludus wants to install file /etc/cron.d/suricata
        But that file is already provided by package  * suricata-emergingthreats-rules
 * check_data_file_clashes: Package suricata-emergingthreats-rules-ludus wants to install file /usr/bin/suricata_update_rules.sh
        But that file is already provided by package  * suricata-emergingthreats-rules
 * opkg_install_cmd: Cannot install package ludus.
root@turris:~#

Although suricata-emergingthreats-rules is installed, it is not in the processes…

I just installed it using LuCI on Foris version 100.5 without any problem; it was enabled right after installation. For those interested, the web UI looks like this. I have firewall, SSH honeypot and data collection enabled.


Fantastic! I had activated everything like you on Omnia and Turris OS 3.11.8. But the connection is so strongly castrated. From 900 Mb/s in download, now it’s at 300 Mb/s at the most. It is due to the process ‘suricata’ (called by Ludus), which in case of high data traffic brings the CPUs to 100% load, drastically limiting the bandwidth. Perhaps at speeds below 300 Mb there is no difference.

Can the Ludus project coordinator give some information about the current project status and the outlook for the near future? Ludus cannot be installed at this moment (opkg_install_cmd: Cannot install package ludus); in the past, the web interface was turned off after installation.

root@turris:~# opkg update
.
.
.
root@turris:~# opkg install ludus
Installing ludus (0.8-3) to root...
Downloading https://repo.turris.cz/omnia/packages//turrispackages/ludus_0.8-3_mvebu.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 59513  100 59513    0     0   450k      0 --:--:-- --:--:-- --:--:--  454k
Installing suricata-emergingthreats-rules-ludus (6) to root...
Downloading https://repo.turris.cz/omnia/packages//turrispackages/suricata-emergingthreats-rules-ludus_6_mvebu.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1630  100  1630    0     0  18314      0 --:--:-- --:--:-- --:--:-- 18522
Collected errors:
 * check_data_file_clashes: Package suricata-emergingthreats-rules-ludus wants to install file /etc/logrotate.d/suricata-alert
        But that file is already provided by package  * suricata-emergingthreats-rules
 * check_data_file_clashes: Package suricata-emergingthreats-rules-ludus wants to install file /etc/cron.d/suricata
        But that file is already provided by package  * suricata-emergingthreats-rules
 * check_data_file_clashes: Package suricata-emergingthreats-rules-ludus wants to install file /usr/bin/suricata_update_rules.sh
        But that file is already provided by package  * suricata-emergingthreats-rules
 * opkg_install_cmd: Cannot install package ludus.
root@turris:~# ^C
root@turris:~#

A presentation about Ludus was given at the OpenAlt conference yesterday. The video should appear on YouTube (OpenAlt’s channel) in the near future, but I can’t guarantee it.

My ludus status is stopped, I’ve tried to restart it with CLI:

root@turris:~# /etc/init.d/ludus start
Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.
Trying to run suricata_update_rules.sh
Public IP autodetection IP=XX.XX.XX.XX
Copying normal suricata rules.

Still the Ludus status is stopped.

I am waiting for some Ludus repair too.


… it has been a while, so some notes. It was fine for some time, till the TOS update kicked in; now I have to check and fix it again. That warning is a false alarm (very possibly you have the rules and md5 files in place).

Notes:

I’ve noticed there are two sets of rules for emergingthreats (one for Pakon (IDS) and a second for Ludus), both using “suricata”.
Regarding the “Warning /tmp/suricata/rules not found ! Suricata-emergingthreats-rules is probably not running.”: as I posted some time ago in this thread, I think the update script has fuzzy logic in the related part, and it shows the warning all the time no matter whether you have the rules installed or not.
I do not know why, but sometimes I see the data/graphs in the Ludus dashboard, but most of the time it is empty (while saying it is running, and data seem to be collected …).

I am wondering why Ludus does not have an option to be installed in “/srv”, or at least its log files; are those even log-rotated?

Is there some list of packages needed for the pakon/ludus/device-detection services running in standalone and in combined modes? I think maybe the package lists for pakon/ludus/device-detection in Foris are causing the updater to install/uninstall/skip some essential packages (or maybe some are in collision?).


I still cannot install Ludus (even in version 3.11.9) … see above.

Just a feeling … I am really not sure if that is a “solution”.

I fiddled a bit with Ludus later (by removing ludus and such manually; pakon, IDS and device detection packages via Foris). After the updater finished removing, I did a manual install of Ludus (the GUI, the dependent package and the rules package Ludus was complaining about). Once done, I checked pakon, IDS and device detection in Foris and waited for the updater again. Since that time I have had a Ludus dashboard with data, and in the log there was info about all ports/honeypots.
It seems the Ludus “rules” have to be installed before the pakon/IDS ones.

I have tried on Turris 4.0.2, but could not install either the GUI or ludus.

I guess I’ll have to wait for an update.