Suricata or bro as IDS?

Looking at the heat map generated from my firewall logs I seem to live in a busy part of the Internet:

I would like to see more, what is going on. Is there any way to install Bro or Suricata IDS on the Turris Omnia? I could not find them among the available packages.

You could install them into a LXC instance on the Omnia, depending on how much resources they take up.

That was also my first thought, but can an application running in an LXC instance listen to the external interface?

I haven’t tried it specifically on the Omnia, but you might be able to listen to the bridge if you tweak the network settings in the lxc config file for the container. Scroll down to Network on the lxc man page:

Possibly veth or phys is what you want.

Or, if you have a spare Raspberry Pi laying around, install BriarIDS on it and mirror traffic from your Turris Omnia to it.

1 Like

BriariIDS looks interesting, but it needs packets mirrored to it from the Omnia. iptables-mod-tee isn’t available. Anyone know of a good way to substitute this functionality?

I played with Turris, LXC and Suricata for 2 days and finally I have found and described something that works:


1 Like

Did you write a tutorial regarding a setup which would create heatmaps as shown in your link?

That blog is the tutorial. There is probably one piece of information missing, the config on the Turris side:

destination d_tcp{tcp("" port(1234));};
log {source(kernel); destination(d_tcp); };

Place the above config in a file with .conf extension in the /etc/syslog-ng.d directory on your Turris. Of course, you need to replace the IP address and port number to point it to the syslog-ng instance with the KV parser and Elasticsearch destination.

Of topic; FYI looking at the commits of the test branch, it looks like the Turris team is fixing up a suricata package. Let’s hope it’s ready for the next big release.

Updated to the master branch:

News announcements

• foris: new plugin for easy OpenVPN management
• suricata: new package for IDS
• kernel: support for CPUFreq, w1-gpio-cust and EC25-E LTE module on Omnia
• updates to various packages, especially DNS resolvers

But can’t find package for suricata.

I’ve installed the suricata package in 3.6, but there doesn’t seem to be an easy way to view the results. I was also hoping for some web interface to see what it produces.

I’m reading through the suricata howtos/tutorials out there, so I’m not really done with my investigations, but maybe a front end running in a container would be best.

I am trying to run suricata with the following command after I located the necessary files (yaml and rules):

suricata -c /etc/suricata/suricata.yaml -s /tmp/signatures.rules -i eth0

Console then prints:

2/3/2017 – 23:16:34 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
12/3/2017 – 23:16:34 - - This is Suricata version 3.2 RELEASE

Has anyone gotten further then this?

You can start Suricata as:

/etc/init.d/suricata start

Then you will see results in var/log/suricata/eve.log

I use for JSON:
grep event_type...alert /var/log/suricata/eve.json

Yes, I was looking through that. And, while somewhat readable:

{“timestamp”:“2017-03-12T14:26:09.932995-0400”,“flow_id”:219174642738041,“in_iface”:“br-lan”,“event_type”:“alert”,“src_ip”:“”,“src_port”:49296,“dest_ip”:“”,“dest_port”:80,“proto”:“TCP”,“tx_id”:81,“alert”:{“action”:“allowed”,“gid”:1,“signature_id”:2013504,“rev”:5,“signature”:“ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management”,“category”:“Not Suspicious Traffic”,“severity”:3},“http”:{“hostname”:“”,“url”:“/daniel.pavel/solaar/ubuntu/dists/trusty/main/i18n/Translation-en.lzma”,“http_user_agent”:“Debian APT-HTTP/1.3 (1.0.1ubuntu2)”,“http_content_type”:“text/html”,“http_method”:“GET”,“protocol”:“HTTP/1.1”,“status”:404,“length”:267}}

It’s a little daunting to read through thousands of them. I’m just hoping there was a better summary available somewhere.

Starting Suricata with:

/etc/init.d/suricata start -v

Prints it updating it’s signatures but afterwards nothing. My TO doesn’t have an “eve.json” but it does have a “suricata.log” located at “/var/log/suricata/”. The “suricata.log” is empty except for the following line: “13/3/2017 – 15:54:32 - - This is Suricata version 3.2 RELEASE”

So it looks to me it is not working. Looking through the logs I see it starting and downloading signatures. Only strange thing I notice is the following line:

2017-03-13T14:51:05+01:00 info /usr/sbin/cron[6355]: (system) BAD FILE MODE (/etc/cron.d/suricata)
Which is weird because the file contains the following:
15 * * * * root /usr/bin/

Looking into the /usr/bin/ folder I see three suricata scripts which all have the correct permissions. Running (./suricata…sh) works just fine and doesn’t give any other clues.

Any ideas why it doesn’t work?

I suspect the “BAD FILE MODE” means /etc/cron.d/suricata has 664 permissions rather than something more like 644 which other files in /etc/cron.d are.

I ran suricata and was able to get lots of data, but it died after a while for unknown reasons. I’m still investigating it.

I’m also interested in maybe installing scirius, but it has many dependencies that I’m not entirely comfortable installing on my router.

Doh, didn’t notice that. Chmodded /etc/cron.d/suricata and then the “BAD FILE MODE” log entry disappears. Mostly cosmetic but I like clean logs :wink:
How did you install suricata? I installed it via LuCI and afterwards force reinstalled it + dependencies with opkg, but still no dice.

Running suricata with:“suricata -c /tmp/suricata-rules/suricata-include.yaml -s /tmp/signatures.rules -i eth0” prints:

13/3/2017 – 17:06:39 - - This is Suricata version 3.2 RELEASE
13/3/2017 – 17:06:39 - - CPUs/cores online: 2
13/3/2017 – 17:06:39 - - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS UDP config found, enabling DNS detection on port 53.
13/3/2017 – 17:06:39 - - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS TCP config found, enabling DNS detection on port 53.
13/3/2017 – 17:06:39 - - Found an MTU of 1500 for ‘eth0’
13/3/2017 – 17:06:39 - - No ‘host-mode’: suricata is in IDS mode, using default setting ‘sniffer-only’

So, one step closer but still nothing.

I installed it from the command line.

Ever since 3.6, I’ve had trouble using the web interface to install packages. I should probably make that an issue of some sort, but it isn’t a big thing for me.

I ended up editing /etc/suricata/suricata.yaml and changing the HOME_NET line for my local subnet. I also changed the default-log-dir to point to local flash drive.

Is eth0 your WAN link? Otherwise it will only look at traffic on eth0. On my router eth0 doesn’t have an IP which might be an issue. That interface should be included in br-lan.

Also, you have “-c /tmp/suricata-rules/suricata-include.yaml” which is only a partial config file that’s included from /etc/suricata/suricata.yaml. The included init file (/etc/init.d/suricata) runs the following command:

/usr/bin/suricata -c /etc/suricata/suricata.yaml -i br-lan --init-errors-fatal --pidfile /var/run/suricata/

Thank you for your help!
I sort of installed it from the command line as well. I asked because suricata won’t start for me by running: “/etc/init.d/suricata start”. So I figured it had to do something with how I installed it.

HOME_NET variable is correctly set for my setup. Eth0 is my WAN link so setting it as the interface should be fine, right?

Just trying stuff to make it work. I used that command because it gave more output.
Running: "/usr/bin/suricata -c /etc/suricata/suricata.yaml -i br-lan --init-errors-fatal --pidfile /var/run/suricata/’ also doesn’t work on my TO. Running it prints another: “13/3/2017 – 18:49:33 - - This is Suricata version 3.2 RELEASE” line to the suricata.log. That’s it, no other output. Also no output in the system log.
Is there a switch I can add for more verbosity or for debugging?

Edit: According to the documentation running suricata with the “-T” flag tests the configuration. If I run: “suricata -T”, it prints:

13/3/2017 – 19:00:10 - - Running suricata under test mode
13/3/2017 – 19:00:10 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
13/3/2017 – 19:00:10 - - This is Suricata version 3.2 RELEASE

If you run “suricata -T” what output do you get?