Posted: Mon Oct 25, 2021 19:22 Post subject: IPS system
Hi, I've been running dd-wrt on a Linksys EA6300 and I'm looking forward to getting more from it. I'd like to have a better firewall/IPS system. Is there any way to run SNORT or any intrusion prevention system on DD-WRT? Or maybe run something in docker and have it connected to the DD-WRT router?
Thanks _________________ In DD-WRT for over 10 years.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Oct 25, 2021 19:43 Post subject:
it will kill your router...it's too heavy...and via Entware they don't have the last version...better run it on a PC or x86/64 DDWRT box...if so...
As well, running it on a PC you can run v3.1.xxx which is more robust, it's multithreaded and has lots of other vital functional updates...but, you must also have a broad knowledge in networks and snort itself... if it's just paranoia, it's not worth it ... just use iptables/ipset on router level _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Last edited by Alozaros on Wed Nov 24, 2021 10:31; edited 1 time in total
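As an added example (not posted by Alozaros or anyone in this thread), here is what the "just use iptables/ipset on router level" route can look like in practice: a small POSIX sh script that builds an ipset from a blocklist and hooks it into the INPUT and FORWARD chains of a DD-WRT router, with rate-limited logging so matches show up in the router's syslog. Everything in it is assumed rather than taken from the page: the set name `wan_blocklist`, the helper names, the WAN interface name the caller passes in, that `ipset` and `iptables` are available on the firmware (built in or via Entware), and the sample blocklist, which is constructed from documentation ranges only.

```shell
#!/bin/sh
# Added example, not from the thread: an ipset-backed WAN blocklist for a
# DD-WRT router ("iptables/ipset on router level").
# Assumptions not stated on the page: ipset and iptables exist on the router
# (built in or from Entware), the caller supplies the WAN interface name, and
# blocklist entries are IPv4 addresses/CIDRs, one per line.

SET_NAME="wan_blocklist"   # hypothetical ipset name

# Constructed sample list; documentation ranges only, plus one bad line.
SAMPLE_BLOCKLIST='# constructed sample
192.0.2.0/24
198.51.100.7
not-an-address
203.0.113.0/24'

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# malformed or tampered feed cannot smuggle extra arguments into ipset.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the commands that rebuild the set and hook it into the firewall.
# Nothing is executed here, so the output can be reviewed before it is applied.
build_rules() {
    wan_if="$1"      # e.g. the value of `nvram get wan_ifname` on DD-WRT
    entries="$2"     # newline-separated blocklist text
    echo "ipset create $SET_NAME hash:net -exist"
    echo "ipset flush $SET_NAME"
    printf '%s\n' "$entries" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if is_ipv4_cidr "$line"; then
            echo "ipset add $SET_NAME $line -exist"
        else
            echo "# skipped invalid entry: $line"
        fi
    done
    for chain in INPUT FORWARD; do
        # Delete first so re-running the script does not stack duplicate rules.
        echo "iptables -D $chain -i $wan_if -m set --match-set $SET_NAME src -j DROP 2>/dev/null"
        echo "iptables -D $chain -i $wan_if -m set --match-set $SET_NAME src -m limit --limit 6/min -j LOG --log-prefix 'BLOCKLIST: ' 2>/dev/null"
        # Insert at the top of the chain: log a rate-limited sample, then drop.
        echo "iptables -I $chain 1 -i $wan_if -m set --match-set $SET_NAME src -j DROP"
        echo "iptables -I $chain 1 -i $wan_if -m set --match-set $SET_NAME src -m limit --limit 6/min -j LOG --log-prefix 'BLOCKLIST: '"
    done
}

# Number of entries that would actually be loaded (invalid lines excluded).
count_valid_entries() {
    build_rules "$1" "$2" | grep -c '^ipset add '
}

# Apply the generated commands on the router, for instance from the DD-WRT
# firewall script:  apply_rules "$(nvram get wan_ifname)" "$(cat /jffs/blocklist.txt)"
apply_rules() {
    build_rules "$1" "$2" | sh
}

# Running the file with --dry-run prints the commands for review instead of applying them.
if [ "${1:-}" = "--dry-run" ]; then
    build_rules "${2:-eth0}" "$SAMPLE_BLOCKLIST"
fi
```

The generate-then-apply split is deliberate: on a router you want to eyeball the rule set (`sh blocklist.sh --dry-run eth0`) before letting it touch the live chains, and the delete-before-insert pairs keep the script safe to re-run from the DD-WRT firewall hook after every reboot or WAN reconnect.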
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Wed Nov 24, 2021 6:53 Post subject: Re: IPS system
liv wrote:
Or maybe run something in docker and have it connected to DD-WRT router
I sure hope you are actually hosting the docker instances yourself, properly secured/configured, because having intrusion detection running on a docker instance hosted by some random 3rd party is almost as bad as leaving your front door keys under the pot of flowers or under the mat with a post-it stuck on the front door indicating where the keys are.
But yes, you can run anything you like outside of DD-WRT in this respect. However, I would probably do this setup type.
WAN <-> SNORT-DOCKER <-> ROUTER <-> LAN (Caveat emptor)
Preferably WAN <-> SNORT in ROUTER (x86/x64) <-> LAN
Because WHY would anyone increase the attack surface by adding an external DOCKER instance for the purpose of intrusion detection? It is poor network security design and ill-advised to begin with.
If you do want to, however, I would suggest you compile the latest SNORT release into an Entware package, which you can learn how to do on more specialized communities, since most packages are not up-to-date and may contain bugs/security issues.
Sorry I don't have more specific how-tos; my suggestion is to run SNORT on an x86/x64 box, maybe running dd-wrt itself since it has such x86/x64 images available, and then see if you can get the latest SNORT in there natively.
Joined: 14 Dec 2015 Posts: 774 Location: 127.0.0.1
Posted: Sat Nov 27, 2021 7:34 Post subject:
Just putting this out there.
I have 1Gbs service, going to a 3200ACM (No wireless), onto a Cisco switch that mirrors all packets to a "monitor" network card in Security Onion.
That is running in a VirtualBox VM on an AMD 8-core 1700X, 32GB RAM, running Windows 10, with RAID 5 enterprise drives.
I give 7 cores to the virtual box, and sometimes it is asking for up to 40 cores while starting... So that may be overkill for you, as it is not in an IPS configuration, it is IDS.
In IPS it would be even more taxing.
Back when we had 200mbps, it worked great. Also, it depends on how many devices you have (here there are about 130 to 140): more traffic, more analyzing. _________________ Tutorial for flashing WRT series WRT Installation,Upgrade & Basic Setup–Cliff Notes
r52242: WRT3200ACM, WRT1200ACv1 & 1 Velop in bridge mode(IoT subnet), r52242 WRT1900ACv1 AP
Velop:2 WHW0101, RE6500, RE9000(AP)
Spectrum - 1000/50
SysLog Watcher 5, New security Onion box coming soon, Fingboxes, PiHoles, NEMS, Cacti, rpisurv