Question: Setting up Suricata IDS/IPS with an OpenWrt router?

bedouinbro

Jan 25, 2021
I want to set up an IDS/IPS system. I'm a total beginner with this kind of thing, but I need the extra security. So I have a TP-Link TL-MR3420 router that was just gathering dust, and I recently flashed it with OpenWrt from this URL: https://downloads.openwrt.org/releases/17.01.7/targets/ar71xx/generic/

The main working router with the connection from the ONU is a Tenda.
I tried setting up Suricata and all its prerequisites, dependencies, Docker etc. in Windows, but it didn't really work, and it seems very resource-heavy with Docker running all the time.

I'm thinking of whether it's possible to add the Suricata filter lists/rules to the OpenWrt TP-Link router and connect it to the desktop, with the main Wi-Fi/optical connection remaining on the Tenda.
So basically, { ONU > Tenda (Wi-Fi) > TP-Link (desktop) }. Is that possible?

[attached image: photo of the current router setup]
 
If your TP-Link is https://wikidevi.wi-cat.ru/TP-LINK_TL-MR3420_v2 then it has only 32MB RAM.

I don't think it has much power for running what you want.

Running the Suricata plugin in a pfSense/OpenWrt x86 VM (VMware/VBox/Hyper-V) on a PC might be a better choice.
How resource-heavy do you think it will be? Using an i5 4570 and 16GB RAM, will it be able to run all the time? I tried setting up the Docker image but couldn't get it to work; is there any easier way to set it up? Using Windows, btw.
 
I don't really need a firewall in the house, but I tried several times running pfSense x86 in VMware in the past for home lab testing. I guess running the Suricata plugin with pfSense probably won't take over 2GB RAM, but it's just my wild guess.

32MB RAM on the TP-Link is just way too low.

I don't know how you set up Docker on your Windows PC. Using Hyper-V? I don't see running an OpenWrt or pfSense VM on a PC being resource-heavy. Your Intel 4th gen 16GB PC definitely has enough power to run a pfSense/OpenWrt VM.

Hyper-V in my opinion just sucks; use VMware Workstation instead.

I don't know if you are still using an HDD for your PC; better to use an SSD drive nowadays.

==

Well, after searching the internet, a minimum of 4GB RAM is recommended for Suricata. Whether your PC can handle your daily job and a Suricata VM at the same time really depends on what you do with your PC every day.

My question, however, is why do you need Suricata in the first place?
 
> I don't really need a firewall in the house, but I tried several times running pfSense x86 in VMware in the past for home lab testing. I guess running the Suricata plugin with pfSense probably won't take over 2GB RAM, but it's just my wild guess.
>
> 32MB RAM on the TP-Link is just way too low.
>
> I don't know how you set up Docker on your Windows PC. Using Hyper-V? I don't see running an OpenWrt or pfSense VM on a PC being resource-heavy. Your Intel 4th gen 16GB PC definitely has enough power to run a pfSense/OpenWrt VM.
>
> Hyper-V in my opinion just sucks; use VMware Workstation instead.
>
> I don't know if you are still using an HDD for your PC; better to use an SSD drive nowadays.
>
> ==
>
> Well, after searching the internet, a minimum of 4GB RAM is recommended for Suricata. Whether your PC can handle your daily job and a Suricata VM really depends on what you do with your PC every day.
>
> My question, however, is why do you need Suricata in the first place?

I tried VMware/virtualized OSes a long time ago; it was not very fluid for working. Are you suggesting installing an OS in VMware and then setting up the IPS/IDS? Won't that be even more resource-heavy? Or just the IPS/IDS dependencies on VMware? Btw, don't Hyper-V/Docker and VMware both use Intel virtualization? So the same resource usage?

(SSD is on a warranty claim; I will get it back in a few days.)
 
You did not answer the question regarding the necessity of Suricata.

You also did not answer how you run Docker. I guess Docker Desktop on Windows has been deprecated by Microsoft? Did you run Docker through a Hyper-V VM or through WSL 2?

Hyper-V / WSL2 / VMware / VBox all use AMD/Intel virtualization technology; I don't see a big difference here.

You run the router/firewall VM in the background most of the time. I never installed Suricata before, so I can't tell you how resource-heavy it is. But this is what I found on Reddit: https://www.reddit.com/r/PFSENSE/comments/f8x2lc/memory_recommendation_for_pfblockertld_suricata/

An HDD is slow, so that might be what you are experiencing now. Once you get the SSD back, you will feel much better.
 
You have one huge issue with your plan, even if you find a way to get the software loaded on an old router.

Currently, the way even the cheapest router does NAT is to use a hardware accelerator function that bypasses the CPU. This is how a cheap router can pass 1Gbit of traffic WAN/LAN. If you turn off that feature, all the traffic must now pass through the CPU chip, and you only get maybe 200-300Mbps on the fastest router CPU chips. Many run much less, many well under 100Mbps.

Although some versions of open-source router software have the driver needed to access part of this accelerator function, it does not solve the problem when you are running a firewall. When you run a firewall, the CPU chip must see the packets, so you cannot use this bypass feature even if it is supported. This means just turning on the firewall with no rules at all will greatly drop the performance, because the CPU is now doing NAT. When you start running firewall rules, it increases the CPU load and decreases your total throughput.

If this is something to learn and play with this type of software, I guess it is an option. There really is no need for any kind of firewall or IDS in a home network.

The NAT function alone is the same as a firewall rule that says deny all incoming traffic from an unknown source. This alone protects all your internal machines from any direct attacks. The only time you really would need a firewall is if you were running some kind of server where you need to allow traffic from an unknown source to talk to the machine. The key here, though, is that even if you have a firewall, the security on the server itself is far more important. Pretty much, it is not cost-effective to run your own server. Everyone is now using cloud-based virtual servers, and these have firewall functions as part of the package.
 
If you are interested in security, then why choose a deprecated firmware from 2019? A more modern build would have installable packages for all the host-file, firewall or ad-blocking software that you could want, but if you actually want active intrusion detection, it's going to require a lot more CPU power, as in the mentioned PC (with multiple NICs) as the wired router. You could then repurpose your present routers as APs.

As with Snort, Suricata is primarily made to run on Linux, and the Windows side gets less attention.
 
Also:

Many folks simply have to work with what they have....

However, based on the posted image, I will add the suggestion that there should be some cable management and cleaning.

For setups small or big.

Just as a matter of the proverbial "best practices" and keeping things neat and orderly.

Not "working" is sometimes simply a result of devices, connectors, cables, etc. being all astray and askew.

It also makes any work prone to confusion and mistakes.

Which, in turn, may cause all sorts of issues.

Take a few minutes to re-organize it all. Check everything for signs of damage, kinks, pinches, bent pins, and so forth.

Eliminate potential problem sources beforehand.
 
> You did not answer the question regarding the necessity of Suricata.
>
> You also did not answer how you run Docker. I guess Docker Desktop on Windows has been deprecated by Microsoft? Did you run Docker through a Hyper-V VM or through WSL 2?
>
> Hyper-V / WSL2 / VMware / VBox all use AMD/Intel virtualization technology; I don't see a big difference here.
>
> You run the router/firewall VM in the background most of the time. I never installed Suricata before, so I can't tell you how resource-heavy it is. But this is what I found on Reddit: https://www.reddit.com/r/PFSENSE/comments/f8x2lc/memory_recommendation_for_pfblockertld_suricata/
>
> An HDD is slow, so that might be what you are experiencing now. Once you get the SSD back, you will feel much better.

I need the extra security, that's all. (There are a lot of reasons, but I'd rather not say what they are.)

I think I ran Docker through WSL2. I also tried following this guide https://letsdefend.io/blog/how-to-install-and-configure-suricata-on-windows but couldn't get it to work, and for the Docker image I tried EveBox/Suricata/Elasticsearch and all its dependencies; here's the link https://github.com/jasonish/evebox. That also couldn't get to work, but it did take up almost 5-10GB of space on the SSD. I couldn't find any detailed tutorial about setting this up on Windows, and from the searches it appears Suricata/Snort are not very Windows-friendly.
 
If you really need Suricata, I would say just buy a mini PC with 2 LAN ports and 16GB RAM and then install pfSense and the Suricata plugin; that is more practical than running it inside your i5 4570 (either as a Windows process or as a VM/Docker etc.).

pfSense doesn't seem to have very good Realtek NIC support, though; better to find a PC that comes with Intel NICs.

https://www.youtube.com/results?search_query=pfsense+suricata

But yet again, I don't really see that you need Suricata.
 
> You have one huge issue with your plan, even if you find a way to get the software loaded on an old router.
>
> Currently, the way even the cheapest router does NAT is to use a hardware accelerator function that bypasses the CPU. This is how a cheap router can pass 1Gbit of traffic WAN/LAN. If you turn off that feature, all the traffic must now pass through the CPU chip, and you only get maybe 200-300Mbps on the fastest router CPU chips. Many run much less, many well under 100Mbps.
>
> Although some versions of open-source router software have the driver needed to access part of this accelerator function, it does not solve the problem when you are running a firewall. When you run a firewall, the CPU chip must see the packets, so you cannot use this bypass feature even if it is supported. This means just turning on the firewall with no rules at all will greatly drop the performance, because the CPU is now doing NAT. When you start running firewall rules, it increases the CPU load and decreases your total throughput.
>
> If this is something to learn and play with this type of software, I guess it is an option. There really is no need for any kind of firewall or IDS in a home network.
>
> The NAT function alone is the same as a firewall rule that says deny all incoming traffic from an unknown source. This alone protects all your internal machines from any direct attacks. The only time you really would need a firewall is if you were running some kind of server where you need to allow traffic from an unknown source to talk to the machine. The key here, though, is that even if you have a firewall, the security on the server itself is far more important. Pretty much, it is not cost-effective to run your own server. Everyone is now using cloud-based virtual servers, and these have firewall functions as part of the package.

These are all the settings available in the current Tenda F6 300 router I'm using. The TP-Link MR3420 already had more options, and after flashing it with OpenWrt I guess it probably has more than before. I'm using a 1Mbps internet connection, so if I understood what you said correctly, then my internet speed will get a serious bottleneck, or the TP-Link router won't be able to handle all the traffic (even though it's just a 1Mbps connection).

I will try to connect the TP-Link with the desktop and see if it gets the connection. I haven't used OpenWrt before, so it might take some getting used to if the Tenda > TP-Link > desktop connection works. I will post some updates about this if it works from the TP-Link connection.

About the NAT function: is it the Windows firewall setting or an option in the router's settings? (As you can see, these are all the available options on the Tenda F6 300 router; let me know.)
[attached screenshot: settings pages of the Tenda F6 300 router]
 
You do not know what NAT is and you are talking about setting up an IDS? It is extremely important that you understand this concept, because you have to understand if a firewall is being applied before or after the NAT function.

Although firewalls use menu setups, you really have to understand what is being generated. It is more of a tool to help someone who knows what they are doing to be more efficient. When you don't really know what you are doing, you can get stuff that looks right but doesn't really function. Many of these firewall images are just creating iptables filters. If you can generate the iptables rules yourself, then you really understand firewall filters. iptables is a massive confusing mess; I think it was designed to be confusing so the developer could sit back and laugh at people he felt were inferior to him. You quickly, though, understand how complex firewalls are and how traffic can bypass your rules if you are not very careful.

If your internet speed is really only 1Mbps, then I suspect you will have no issues using a router. Not sure how usable that is; with all the embedded advertising and tracking garbage, it will take minutes for web pages to load.
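As an added example (not code from this thread, and not what OpenWrt's own firewall generator emits), here is the policy the two posts above describe written out explicitly rather than left implicit in NAT: the "deny all incoming from an unknown source" rule, plus the before/after-NAT ordering that the second post says you must understand. It is an nftables ruleset for a two-interface home router; the names eth0 (WAN), br-lan (LAN) and the 192.168.1.0/24 subnet are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from this thread or from OpenWrt's firewall generator:
# the "deny all incoming from an unknown source" behaviour that the posts
# credit to NAT, written out as an explicit stateful ruleset.
# Assumed (hypothetical) names: eth0 = WAN interface, br-lan = LAN bridge,
# 192.168.1.0/24 = LAN subnet.

flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: default deny.
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to flows the router opened
        ct state invalid drop
        iif lo accept
        iifname "br-lan" accept               # LAN hosts may reach DHCP/DNS/admin UI
        iifname "eth0" icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        # Traffic routed between interfaces: default deny.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept   # return traffic for LAN-initiated flows
        ct state invalid drop
        iifname "br-lan" oifname "eth0" ip saddr 192.168.1.0/24 accept   # LAN -> Internet

        # Deliberately no rule for eth0 -> br-lan with ct state new: a host on
        # the WAN cannot open a connection to a LAN host. That is the rule the
        # posts describe, made explicit instead of implied by NAT.
    }
}

table ip nat {
    chain prerouting {
        # priority -100 (dstnat) runs BEFORE the forward filter above, so any
        # port forward (dnat) placed here is what the forward chain would see,
        # and the forward chain would still have to accept it explicitly.
        type nat hook prerouting priority -100;
    }

    chain postrouting {
        # priority 100 (srcnat) runs AFTER the forward filter: the filter
        # decides on the original LAN source address, then masquerade
        # rewrites it to the WAN address on the way out.
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`. OpenWrt 17.01, the release the original poster flashed, used fw3, which generated iptables rather than nftables; the same policy in iptables terms is a FORWARD chain with policy DROP, `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, `-i br-lan -o eth0 -j ACCEPT`, and `-t nat -A POSTROUTING -o eth0 -j MASQUERADE`. Two things worth checking in any such setup: the ruleset above is IPv4-only as written (an IPv6 deployment has to accept the ICMPv6 types neighbour discovery needs, and has no NAT to fall back on, so the forward policy is the only thing stopping inbound connections), and any port forward added later appears as a dnat rule in prerouting plus a matching accept in forward, which is exactly the "running a server" case the earlier post says needs real firewall attention.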
 
> If you are interested in security, then why choose a deprecated firmware from 2019? A more modern build would have installable packages for all the host-file, firewall or ad-blocking software that you could want, but if you actually want active intrusion detection, it's going to require a lot more CPU power, as in the mentioned PC (with multiple NICs) as the wired router. You could then repurpose your present routers as APs.
>
> As with Snort, Suricata is primarily made to run on Linux, and the Windows side gets less attention.

I found OpenWrt 17 to be the latest and last supported for the TP-Link MR3420. A lot more CPU, meaning an i5 4570 isn't cut out for this kind of processing power? So what are my options? Any other IDS/IPS solutions?
 
A router's CPU and a PC's CPU are on completely different levels.

Your i5 will be at least 10 times more powerful than the MR3420's CPU.

And as suggested, your 1Mbps internet will take forever to load a page in today's world. Why do you need Suricata after all? Hackers will not even think about attacking a site that's so slow.
 
> You do not know what NAT is and you are talking about setting up an IDS? It is extremely important that you understand this concept, because you have to understand if a firewall is being applied before or after the NAT function.
>
> Although firewalls use menu setups, you really have to understand what is being generated. It is more of a tool to help someone who knows what they are doing to be more efficient. When you don't really know what you are doing, you can get stuff that looks right but doesn't really function. Many of these firewall images are just creating iptables filters. If you can generate the iptables rules yourself, then you really understand firewall filters. iptables is a massive confusing mess; I think it was designed to be confusing so the developer could sit back and laugh at people he felt were inferior to him. You quickly, though, understand how complex firewalls are and how traffic can bypass your rules if you are not very careful.
>
> If your internet speed is really only 1Mbps, then I suspect you will have no issues using a router. Not sure how usable that is; with all the embedded advertising and tracking garbage, it will take minutes for web pages to load.

I kind of understand NAT from searching about it (not an expert, btw). The ISP provided me with a dynamic IP, and the internet package is called a 1Mbps connection; here's an Ookla test.

About the iptables filters and emerging threats, and from spending a decent amount of time trying to set up Suricata/EveBox/Elasticsearch: I figured it would be trial and error, but the thing is I'm having trouble setting it up, and since there isn't really any easy solution for IPS/IDS, if the setup is successful then I could check the necessary incoming connections.
[attached screenshot: Ookla speed test result]
 
> A router's CPU and a PC's CPU are on completely different levels.
>
> Your i5 will be at least 10 times more powerful than the MR3420's CPU.
>
> And as suggested, your 1Mbps internet will take forever to load a page in today's world. Why do you need Suricata after all? Hackers will not even think about attacking a site that's so slow.

How much will it be reduced after the IPS/IDS? Browsing speed for me varies from site to site; for example, YouTube 1080p without any buffering.
 
> I found OpenWrt 17 to be the latest and last supported for the TP-Link MR3420.

Suricata has an extremely steep learning curve, so it will require research. If you can't figure out that 19.07.10 from 2022 was the last officially supported build for 4MB flash devices, or that there are later stripped-down 21.02 community builds available that throw everything such as USB support out just to make room for basic functionality, then it's not looking good, because in comparison OpenWrt is very well documented.

Needless to say, you aren't going to be installing many software packages into 4MB of flash either.

How do money and location affect your ability to notice that 100Mb is two orders of magnitude larger than 1Mb? Even a failure in capitalization confusing bits and bytes would only be one.
 
> Suricata has an extremely steep learning curve, so it will require research. If you can't figure out that 19.07.10 from 2022 was the last officially supported build for 4MB flash devices, or that there are later stripped-down 21.02 community builds available that throw everything such as USB support out just to make room for basic functionality, then it's not looking good, because in comparison OpenWrt is very well documented.
>
> Needless to say, you aren't going to be installing many software packages into 4MB of flash either.
>
> How do money and location affect your ability to notice that 100Mb is two orders of magnitude larger than 1Mb? Even a failure in capitalization confusing bits and bytes would only be one.

It's all trial and error for me; I did say I'm not an expert on OpenWrt or Suricata. I could try adding some adblock filters on that 4MB if possible.

Where is the 100Mb and 1Mb confusion coming from? I didn't say anything about these; I did say I'm using a 1Mb connection and provided an Ookla speed test. That's very clarifying, isn't it? Also, about YouTube buffering, these things should clarify any confusion about the internet speed.