Suricata or bro as IDS?

Looking at the heat map generated from my firewall logs I seem to live in a busy part of the Internet: https://www.balabit.com/blog/how-to-create-heat-maps-to-show-whos-trying-to-connect-your-router/

I would like to see more, what is going on. Is there any way to install Bro or Suricata IDS on the Turris Omnia? I could not find them among the available packages.

You could install them into a LXC instance on the Omnia, depending on how much resources they take up.

That was also my first thought, but can an application running in an LXC instance listen to the external interface?

I haven’t tried it specifically on the Omnia, but you might be able to listen to the bridge if you tweak the network settings in the lxc config file for the container. Scroll down to Network on the lxc man page:

http://manpages.ubuntu.com/manpages/precise/man5/lxc.conf.5.html

Possibly veth or phys is what you want.

Or, if you have a spare Raspberry Pi laying around, install BriarIDS on it and mirror traffic from your Turris Omnia to it.


BriarIDS looks interesting, but it needs packets mirrored to it from the Omnia. iptables-mod-tee isn’t available. Anyone know of a good way to substitute this functionality?

I played with Turris, LXC and Suricata for 2 days and finally I have found and described something that works:

Jan


@czanik
Did you write a tutorial regarding a setup which would create heatmaps as shown in your link?

That blog is the tutorial. There is probably one piece of information missing, the config on the Turris side:

destination d_tcp{tcp("1.2.3.4" port(1234));};
log {source(kernel); destination(d_tcp); };

Place the above config in a file with .conf extension in the /etc/syslog-ng.d directory on your Turris. Of course, you need to replace the IP address and port number to point it to the syslog-ng instance with the KV parser and Elasticsearch destination.

Off topic; FYI, looking at the commits of the test branch, it looks like the Turris team is fixing up a suricata package. Let’s hope it’s ready for the next big release.

Updated to the master branch:

News announcements

• foris: new plugin for easy OpenVPN management
• suricata: new package for IDS
• kernel: support for CPUFreq, w1-gpio-cust and EC25-E LTE module on Omnia
• updates to various packages, especially DNS resolvers

But can’t find package for suricata.

I’ve installed the suricata package in 3.6, but there doesn’t seem to be an easy way to view the results. I was also hoping for some web interface to see what it produces.

I’m reading through the suricata howtos/tutorials out there, so I’m not really done with my investigations, but maybe a front end running in a container would be best.

I am trying to run suricata with the following command after I located the necessary files (yaml and rules):

suricata -c /etc/suricata/suricata.yaml -s /tmp/signatures.rules -i eth0

Console then prints:

2/3/2017 – 23:16:34 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
12/3/2017 – 23:16:34 - - This is Suricata version 3.2 RELEASE
Aborted

Has anyone gotten further than this?

You can start Suricata as:

/etc/init.d/suricata start

Then you will see results in var/log/suricata/eve.log

I use for JSON:
grep event_type...alert /var/log/suricata/eve.json

Yes, I was looking through that. And, while somewhat readable:

{"timestamp":"2017-03-12T14:26:09.932995-0400","flow_id":219174642738041,"in_iface":"br-lan","event_type":"alert","src_ip":"192.168.4.247","src_port":49296,"dest_ip":"91.189.95.83","dest_port":80,"proto":"TCP","tx_id":81,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"ppa.launchpad.net","url":"/daniel.pavel/solaar/ubuntu/dists/trusty/main/i18n/Translation-en.lzma","http_user_agent":"Debian APT-HTTP/1.3 (1.0.1ubuntu2)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":267}}

It’s a little daunting to read through thousands of them. I’m just hoping there was a better summary available somewhere.
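An added example (not code from the thread or from the Suricata project) of the summary the post above is asking for: it reads eve.json line by line, keeps only `event_type: alert` records, skips partial or non-JSON lines, and aggregates alerts per signature with severity and the top source hosts. The sample records are constructed in the shape of the line quoted above; the `CONSTRUCTED` signature and `203.0.113.5` address are placeholders, not real rules or traffic.

```python
import json
from collections import Counter

# Constructed sample in the eve.json shape quoted above (not real router traffic):
# record 2 is a non-alert flow event and the last line is deliberately malformed.
SAMPLE_EVE = """\
{"timestamp":"2017-03-12T14:26:09.932995-0400","flow_id":1,"in_iface":"br-lan","event_type":"alert","src_ip":"192.168.4.247","src_port":49296,"dest_ip":"91.189.95.83","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"ppa.launchpad.net","url":"/dists/trusty/Release","http_method":"GET"}}
{"timestamp":"2017-03-12T14:26:10.000000-0400","flow_id":2,"in_iface":"br-lan","event_type":"flow","src_ip":"192.168.4.247","src_port":49297,"dest_ip":"91.189.95.83","dest_port":80,"proto":"TCP"}
{"timestamp":"2017-03-12T14:27:01.000000-0400","flow_id":3,"in_iface":"br-lan","event_type":"alert","src_ip":"192.168.4.247","src_port":49300,"dest_ip":"91.189.95.83","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2017-03-12T14:30:00.000000-0400","flow_id":4,"in_iface":"br-lan","event_type":"alert","src_ip":"192.168.4.10","src_port":51000,"dest_ip":"203.0.113.5","dest_port":4444,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED Outbound connection to uncommon port","category":"Potentially Bad Traffic","severity":2}}
this line is not JSON and must be skipped
"""

def parse_alerts(text):
    """Return only event_type=alert records; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:  # empty or truncated line (e.g. file still being written)
            continue
        if isinstance(ev, dict) and ev.get("event_type") == "alert" and "alert" in ev:
            alerts.append(ev)
    return alerts

def summarize(alerts):
    """Aggregate per signature_id: count, severity, category and hosts involved."""
    summary = {}
    for ev in alerts:
        a = ev["alert"]
        entry = summary.setdefault(a["signature_id"], {
            "signature": a["signature"], "severity": a["severity"],
            "category": a["category"], "count": 0, "src": Counter(), "dest": Counter()})
        entry["count"] += 1
        entry["src"][ev["src_ip"]] += 1
        entry["dest"][ev["dest_ip"]] += 1
    return summary

def report(summary):
    """One row per signature, most severe first (Suricata severity 1 = highest)."""
    rows = sorted(summary.values(), key=lambda e: (e["severity"], -e["count"]))
    return [f"[sev {e['severity']}] x{e['count']} {e['signature']} | src: "
            + ", ".join(f"{ip} ({n})" for ip, n in e["src"].most_common(3))
            for e in rows]

if __name__ == "__main__":  # usage: python3 eve_summary.py /var/log/suricata/eve.json
    import sys
    print("\n".join(report(summarize(parse_alerts(open(sys.argv[1]).read())))))
```

Run without arguments it does nothing useful; point it at the router's eve.json (or a copy pulled off the flash drive) and it prints one row per signature instead of thousands of raw records.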

Starting Suricata with:

/etc/init.d/suricata start -v

Prints it updating its signatures but afterwards nothing. My TO doesn’t have an “eve.json” but it does have a “suricata.log” located at “/var/log/suricata/”. The “suricata.log” is empty except for the following line: “13/3/2017 – 15:54:32 - - This is Suricata version 3.2 RELEASE”

So it looks to me it is not working. Looking through the logs I see it starting and downloading signatures. Only strange thing I notice is the following line:

2017-03-13T14:51:05+01:00 info /usr/sbin/cron[6355]: (system) BAD FILE MODE (/etc/cron.d/suricata)

Which is weird because the file contains the following:

15 * * * * root /usr/bin/suricata_update_rules.sh

Looking into the /usr/bin/ folder I see three suricata scripts which all have the correct permissions. Running suricata_update_rules.sh (./suricata…sh) works just fine and doesn’t give any other clues.

Any ideas why it doesn’t work?

I suspect the “BAD FILE MODE” means /etc/cron.d/suricata has 664 permissions rather than something more like 644 which other files in /etc/cron.d are.

I ran suricata and was able to get lots of data, but it died after a while for unknown reasons. I’m still investigating it.

I’m also interested in maybe installing scirius, but it has many dependencies that I’m not entirely comfortable installing on my router.

Doh, didn’t notice that. Chmodded /etc/cron.d/suricata and then the “BAD FILE MODE” log entry disappears. Mostly cosmetic but I like clean logs :wink:
How did you install suricata? I installed it via LuCI and afterwards force reinstalled it + dependencies with opkg, but still no dice.

Running suricata with: “suricata -c /tmp/suricata-rules/suricata-include.yaml -s /tmp/signatures.rules -i eth0” prints:

13/3/2017 – 17:06:39 - - This is Suricata version 3.2 RELEASE
13/3/2017 – 17:06:39 - - CPUs/cores online: 2
13/3/2017 – 17:06:39 - - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS UDP config found, enabling DNS detection on port 53.
13/3/2017 – 17:06:39 - - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS TCP config found, enabling DNS detection on port 53.
13/3/2017 – 17:06:39 - - Found an MTU of 1500 for ‘eth0’
13/3/2017 – 17:06:39 - - No ‘host-mode’: suricata is in IDS mode, using default setting ‘sniffer-only’
Aborted

So, one step closer but still nothing.

I installed it from the command line.

Ever since 3.6, I’ve had trouble using the web interface to install packages. I should probably make that an issue of some sort, but it isn’t a big thing for me.

I ended up editing /etc/suricata/suricata.yaml and changing the HOME_NET line for my local subnet. I also changed the default-log-dir to point to local flash drive.

Is eth0 your WAN link? Otherwise it will only look at traffic on eth0. On my router eth0 doesn’t have an IP which might be an issue. That interface should be included in br-lan.

Also, you have “-c /tmp/suricata-rules/suricata-include.yaml” which is only a partial config file that’s included from /etc/suricata/suricata.yaml. The included init file (/etc/init.d/suricata) runs the following command:

/usr/bin/suricata -c /etc/suricata/suricata.yaml -i br-lan --init-errors-fatal --pidfile /var/run/suricata/suricata.pid

Thank you for your help!
I sort of installed it from the command line as well. I asked because suricata won’t start for me by running: “/etc/init.d/suricata start”. So I figured it had to do something with how I installed it.

HOME_NET variable is correctly set for my setup. Eth0 is my WAN link so setting it as the interface should be fine, right?

Just trying stuff to make it work. I used that command because it gave more output.
Running: “/usr/bin/suricata -c /etc/suricata/suricata.yaml -i br-lan --init-errors-fatal --pidfile /var/run/suricata/suricata.pid” also doesn’t work on my TO. Running it prints another “13/3/2017 – 18:49:33 - - This is Suricata version 3.2 RELEASE” line to the suricata.log. That’s it, no other output. Also no output in the system log.
Is there a switch I can add for more verbosity or for debugging?

Edit: According to the documentation running suricata with the “-T” flag tests the configuration. If I run: “suricata -T”, it prints:

13/3/2017 – 19:00:10 - - Running suricata under test mode
13/3/2017 – 19:00:10 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
13/3/2017 – 19:00:10 - - This is Suricata version 3.2 RELEASE
Aborted

If you run “suricata -T” what output do you get?