I would like to see more, what is going on. Is there any way to install Bro or Suricata IDS on the Turris Omnia? I could not find them among the available packages.
I haven't tried it specifically on the Omnia, but you might be able to listen to the bridge if you tweak the network settings in the lxc config file for the container. Scroll down to Network on the lxc man page:
BriariIDS looks interesting, but it needs packets mirrored to it from the Omnia. iptables-mod-tee isn't available. Anyone know of a good way to substitute this functionality?
Place the above config in a file with .conf extension in the /etc/syslog-ng.d directory on your Turris. Of course, you need to replace the IP address and port number to point it to the syslog-ng instance with the KV parser and Elasticsearch destination.
Off topic; FYI looking at the commits of the test branch, it looks like the Turris team is fixing up a suricata package. Let's hope it's ready for the next big release.
• foris: new plugin for easy OpenVPN management
• suricata: new package for IDS
• kernel: support for CPUFreq, w1-gpio-cust and EC25-E LTE module on Omnia
• updates to various packages, especially DNS resolvers
I've installed the suricata package in 3.6, but there doesn't seem to be an easy way to view the results. I was also hoping for some web interface to see what it produces.
I'm reading through the suricata howtos/tutorials out there, so I'm not really done with my investigations, but maybe a front end running in a container would be best.
Prints it updating its signatures but afterwards nothing. My TO doesn't have an 'eve.json' but it does have a 'suricata.log' located at '/var/log/suricata/'. The 'suricata.log' is empty except for the following line: '13/3/2017 -- 15:54:32 - - This is Suricata version 3.2 RELEASE'
So it looks to me it is not working. Looking through the logs I see it starting and downloading signatures. Only strange thing I notice is the following line:
2017-03-13T14:51:05+01:00 info /usr/sbin/cron[6355]: (system) BAD FILE MODE (/etc/cron.d/suricata)
Which is weird because the file contains the following:
15 * * * * root /usr/bin/suricata_update_rules.sh
Looking into the /usr/bin/ folder I see three suricata scripts which all have the correct permissions. Running suricata_update_rules.sh (./suricata…sh) works just fine and doesn't give any other clues.
I suspect the 'BAD FILE MODE' means /etc/cron.d/suricata has 664 permissions rather than something more like 644 which other files in /etc/cron.d are.
I ran suricata and was able to get lots of data, but it died after a while for unknown reasons. I'm still investigating it.
I'm also interested in maybe installing scirius, but it has many dependencies that I'm not entirely comfortable installing on my router.
Doh, didn't notice that. Chmodded /etc/cron.d/suricata and then the 'BAD FILE MODE' log entry disappears. Mostly cosmetic but I like clean logs
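A small POSIX sh check for the condition discussed above, added here as an example and not taken from the thread or the Turris packages: cron logs "BAD FILE MODE" for a file in /etc/cron.d that is writable by group or others (such as mode 664), so the script flags such files and prints the chmod that brings them to 644. The directory argument is only there so it can be tried on a scratch directory first.

```sh
#!/bin/sh
# Added example: detect cron.d files whose mode would trigger cron's
# "BAD FILE MODE" log entry (group- or other-writable crontab files).
# Uses only ls/cut so it also runs on busybox-based systems like the Omnia.

# Return 0 when the file is not writable by group or others, 1 otherwise.
cron_mode_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    # ls -l layout: type, user rwx, group rwx, other rwx
    # position 6 is the group write bit, position 9 the other write bit
    case "$perm" in
        ?????w????) return 1 ;;   # group-writable, e.g. -rw-rw-r-- (664)
        ????????w?) return 1 ;;   # world-writable
    esac
    return 0
}

# Scan a cron.d directory (default /etc/cron.d) and report offending files.
# Returns the number of files that need fixing (0 means the directory is clean).
cron_dir_check() {
    dir=${1:-/etc/cron.d}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! cron_mode_ok "$f"; then
            echo "BAD FILE MODE: $f ($(ls -ld "$f" | cut -c1-10)); fix with: chmod 644 $f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run `cron_dir_check` without arguments on the router to list every crontab file that cron will refuse to load.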
How did you install suricata? I installed it via LuCI and afterwards force reinstalled it + dependencies with opkg, but still no dice.
13/3/2017 -- 17:06:39 - - This is Suricata version 3.2 RELEASE
13/3/2017 -- 17:06:39 - - CPUs/cores online: 2
13/3/2017 -- 17:06:39 - - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS UDP config found, enabling DNS detection on port 53.
13/3/2017 -- 17:06:39 - - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS TCP config found, enabling DNS detection on port 53.
13/3/2017 -- 17:06:39 - - Found an MTU of 1500 for 'eth0'
13/3/2017 -- 17:06:39 - - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Aborted
Ever since 3.6, I've had trouble using the web interface to install packages. I should probably make that an issue of some sort, but it isn't a big thing for me.
I ended up editing /etc/suricata/suricata.yaml and changing the HOME_NET line for my local subnet. I also changed the default-log-dir to point to local flash drive.
Is eth0 your WAN link? Otherwise it will only look at traffic on eth0. On my router eth0 doesn't have an IP which might be an issue. That interface should be included in br-lan.
Also, you have '-c /tmp/suricata-rules/suricata-include.yaml' which is only a partial config file that's included from /etc/suricata/suricata.yaml. The included init file (/etc/init.d/suricata) runs the following command:
Thank you for your help!
I sort of installed it from the command line as well. I asked because suricata won't start for me by running: '/etc/init.d/suricata start'. So I figured it had to do something with how I installed it.
HOME_NET variable is correctly set for my setup. Eth0 is my WAN link so setting it as the interface should be fine, right?
Just trying stuff to make it work. I used that command because it gave more output.
Running: "/usr/bin/suricata -c /etc/suricata/suricata.yaml -i br-lan --init-errors-fatal --pidfile /var/run/suricata/suricata.pid" also doesn't work on my TO. Running it prints another: '13/3/2017 -- 18:49:33 - - This is Suricata version 3.2 RELEASE' line to the suricata.log. That's it, no other output. Also no output in the system log.
Is there a switch I can add for more verbosity or for debugging?
Edit: According to the documentation running suricata with the '-T' flag tests the configuration. If I run: 'suricata -T', it prints:
13/3/2017 -- 19:00:10 - - Running suricata under test mode
13/3/2017 -- 19:00:10 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
13/3/2017 -- 19:00:10 - - This is Suricata version 3.2 RELEASE
Aborted
If you run 'suricata -T' what output do you get?