Intel N150 can run snort3 on symmetrical 1000 MBit line without CPU saturation

Strange, that looks like the rules were not loaded. Did you run snort-update? Is openappid installed? wget-ssl installed? This could explain why the rules were not loaded; you would have to add a dependency to avoid this.

I did not have them when I installed it. You might want to add them as DEPENDS.

I keep coming back to the fact that if I block ICMP traffic with the following rule, it works (pings stop). That tells me Snort is working, at least with that simple rule.

alert icmp any any <> any any (msg:"TEST ALERT"; icode:0; itype:8; sid:10000010; rev:001;)

Further, if I add that rule to the end of my large snort.rules all 40,000 of them load AND ping is blocked. Very confusing.

EDIT: when I stop snort here is what is captured. It shows traffic.

^C** caught int signal
== stopping
-- [1] 5
-- [0] 4
-- [2] 6
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 3222
                 analyzed: 3222
                    allow: 3222
                     idle: 100
                 rx_bytes: 2917376
--------------------------------------------------
codec
                    total: 3222        	(100.000%)
                    icmp4: 20          	(  0.621%)
                 icmp4_ip: 20          	(  0.621%)
                     ipv4: 3222        	(100.000%)
                      raw: 3222        	(100.000%)
                      tcp: 2699        	( 83.768%)
                      udp: 503         	( 15.611%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
                  packets: 3222
        processed_packets: 2902
          ignored_packets: 320
           total_sessions: 276
       service_cache_adds: 22
             bytes_in_use: 3696
             items_in_use: 22
--------------------------------------------------
back_orifice
                  packets: 503
--------------------------------------------------
binder
              raw_packets: 320
                new_flows: 275
          service_changes: 4
                 inspects: 595
--------------------------------------------------
detection
                 analyzed: 3222
               hard_evals: 4518
             raw_searches: 4531
          cooked_searches: 239
             pkt_searches: 4770
--------------------------------------------------
dns
                  packets: 180
                 requests: 90
                responses: 90
--------------------------------------------------
hyperscan
                 searches: 4927
                  matches: 32218
                    bytes: 6937479
--------------------------------------------------
normalizer
             tcp_trim_win: 189
           test_tcp_block: 358
--------------------------------------------------
port_scan
                  packets: 3222
                 trackers: 66
--------------------------------------------------
search_engine
               max_queued: 60
            total_flushed: 31214
            total_inserts: 31214
             total_unique: 31214
     non_qualified_events: 35732
--------------------------------------------------
ssl
                  packets: 4
                  decoded: 4
             client_hello: 4
  max_concurrent_sessions: 2
--------------------------------------------------
stream
                    flows: 275
             total_prunes: 21
idle_prunes_proto_timeout: 21
       tcp_timeout_prunes: 21
--------------------------------------------------
stream_icmp
                 sessions: 1
                      max: 1
                  created: 1
                 released: 1
--------------------------------------------------
stream_tcp
                 sessions: 154
                      max: 135
                  created: 154
                 released: 153
             instantiated: 154
                   setups: 154
                 restarts: 4
         discards_skipped: 358
          invalid_seq_num: 189
              invalid_ack: 247
                   events: 111
             syn_trackers: 38
            data_trackers: 115
              segs_queued: 1455
            segs_released: 1455
                segs_used: 1
          rebuilt_packets: 118
            rebuilt_bytes: 940787
                     gaps: 39
          client_cleanups: 112
          server_cleanups: 2
                     syns: 42
                 syn_acks: 37
                   resets: 248
                     fins: 18
                 max_segs: 99
                max_bytes: 143352
          zero_win_probes: 1
 flush_on_asymmetric_flow: 2
         asymmetric_flows: 2
--------------------------------------------------
stream_udp
                 sessions: 120
                      max: 97
                  created: 121
                 released: 121
                 timeouts: 1
              total_bytes: 159527
--------------------------------------------------
wizard
                tcp_scans: 10
                 tcp_hits: 4
                udp_scans: 30
               udp_misses: 30
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
              Application: Services   Clients    Users      Payloads   Misc       Referred  
                  unknown: 230        93         0          0          0          0         
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:00:52
                  seconds: 52.264991
                 pkts/sec: 62
o")~   Snort exiting
snort -c /etc/snort/snort.lua --tweaks local  28.72s user 0.61s system 38% cpu 1:15.59 total
root@r2max /etc/snort # 

Yes, I have already extended the Makefile with the dependency. If you still have my version of it, undo the changes you made, install wget-ssl and openappid, and run snort-update with the oinkcode entered in /etc/config/snort-config.conf. This will load the rules and restart Snort. What makes me wonder is why you have invalid ack packets; have you activated the ack bypass rule in the snort-table script?

I did not modify snort-table at all

I thought so, because in the current version of the snort-table script a bypass of ICMP is activated, since for some reason Snort does not forward the ICMP packets from the local network, so the ICMP test rule should not work at all. Obviously parts of the old and the new installation got mixed up. Uninstall Snort, delete the snort folder with rm -r /etc/snort, and remove these entries in /etc/config/firewall:

config include
  option enabled '1'
  option type 'script'
  option path '/etc/snort/snort-table.sh'
  option fw4_compatible '1'

After cleaning up, first install wget-ssl and then your self-built Snort3 apk. During the installation, the community rules are downloaded first; when an oinkcode is entered in /etc/config/snort-config.conf and snort-update is executed, the complete rule set is downloaded. The start script automatically recognizes the absence or presence of the oinkcode and loads the corresponding prepared include files.

I made a modified snort3 package based on your code. Please see: https://github.com/graysky2/packages/tree/my-snort3/net/snort3

The only two files I have that are not standard in that git repo are:

/etc/snort/homenet.lua
HOME_NET = [[ 10.9.8.0/24 10.9.7.0/24 10.9.6.0/24 10.9.5.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"
/etc/snort/local.lua
snort  = {
	['-Q'] = true,
	['--max-packet-threads'] = 3,
}

ips = {
	mode = inline,
	variables = default_variables,
	action_override = 'drop',
	include = RULE_PATH .. '/snort.rules',
	--include = RULE_PATH .. '/test.rules',
}

suppress = {
	-- this kills stuff in lxc
	{
		gid = 1, sid = 650, track = 'by_dst', ip = '10.9.8.101'
	},
}

network = {
	checksum_eval = 'none',
}

daq = {
	module_dirs = { '/usr/lib/daq' },
	inputs = { '4', '5', '6' },
	snaplen = 65531,
	modules = {
		{
			name = 'nfq',
			mode = 'inline',
			variables = {
				'queue_maxlen=8192',
				'fail_open',
				'device=eth1'
			}
		}
	}
}

output.logdir = '/mnt/data'
alert_fast = {
	file = true,
	packet = false,
}

file_policy = {
	enable_type = true,
	enable_signature = true,
	rules = {
		use = {
			verdict = 'log', enable_file_type = true, enable_file_signature = true
		}
	}
}

search_engine = { 
	search_method = "hyperscan",
	offload_search_method ="hyperscan",
	detect_raw_tcp = true,
}

detection = { 
	hyperscan_literals = true,
	pcre_to_regex = true,
}

Somehow this is not much different from the original OpenWrt repo, so it does not work, because the updater and the config file are missing and the scripts are all based on the snort-config.conf file. My version works differently than the one from efahl: the init file starts the script snort-start, which for example checks the presence of the rules in the /tmp folder and delays the start if they are not there, or checks the presence of the oinkcode, etc. The most important variables are passed as parameters, so the snort.lua is minimized.

Correct, I use a different init.d script (more simple). I adapted your snort-table script for the firewall.

But whether I use your package or my package, I never get CPU usage for Snort to go above 1% when downloading/maxing out the connection. Why is the question.

Here is another sample stopping snort written to logread... anything in there give any clues?

Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: ** caught term signal
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: == stopping
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: -- [0] 4
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: -- [2] 6
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: -- [1] 5
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: Packet Statistics
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: daq
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  received: 62883
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  analyzed: 62883
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                     allow: 62796
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   replace: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 whitelist: 86
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                      idle: 3362
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  rx_bytes: 32353703
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:            expected_flows: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: codec
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                     total: 62883       	(100.000%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                     icmp4: 64          	(  0.102%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  icmp4_ip: 64          	(  0.102%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                      ipv4: 62883       	(100.000%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                       raw: 62883       	(100.000%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                       tcp: 35516       	( 56.479%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                       udp: 27303       	( 43.419%)
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: Module Statistics
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: appid
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   packets: 62883
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:         processed_packets: 60013
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           ignored_packets: 2870
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:            total_sessions: 3275
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:        service_cache_adds: 225
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              bytes_in_use: 37800
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              items_in_use: 225
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: back_orifice
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   packets: 27301
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: binder
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:               raw_packets: 2870
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 new_flows: 3240
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           service_changes: 175
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  inspects: 6110
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: detection
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  analyzed: 62883
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                hard_evals: 108873
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              raw_searches: 86299
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           cooked_searches: 2028
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              pkt_searches: 88327
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: dns
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   packets: 2680
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  requests: 1359
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 responses: 1321
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:   max_concurrent_sessions: 3
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: hyperscan
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  searches: 90696
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   matches: 556353
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                     bytes: 71662931
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: normalizer
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:         test_tcp_trim_syn: 2
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:         test_tcp_trim_win: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              tcp_ips_data: 2
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:            test_tcp_block: 21374
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: port_scan
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   packets: 62883
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  trackers: 810
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: search_engine
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                max_queued: 61
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:             total_flushed: 514706
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:             total_inserts: 514706
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              total_unique: 514706
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:      non_qualified_events: 623578
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: ssl
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   packets: 532
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   decoded: 532
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              client_hello: 160
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              server_hello: 24
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:             change_cipher: 35
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:        client_application: 23
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:        server_application: 329
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:      unrecognized_records: 4
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:          sessions_ignored: 2
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:   max_concurrent_sessions: 44
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: stream
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                     flows: 3240
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              total_prunes: 549
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: idle_prunes_proto_timeout: 549
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:            expected_flows: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:        tcp_timeout_prunes: 2
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:        udp_timeout_prunes: 532
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:       icmp_timeout_prunes: 15
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: stream_icmp
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  sessions: 17
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                       max: 7
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   created: 17
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  released: 17
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: stream_tcp
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  sessions: 1329
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                       max: 520
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   created: 1329
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  released: 1329
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  timeouts: 27
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              instantiated: 1307
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                    setups: 1329
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  restarts: 175
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:          discards_skipped: 21374
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:               invalid_ack: 20874
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                    events: 502
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:              syn_trackers: 1112
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:             data_trackers: 217
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:               segs_queued: 5959
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:             segs_released: 5959
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 segs_used: 1004
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           rebuilt_packets: 759
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:             rebuilt_bytes: 3189582
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  overlaps: 2
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                      gaps: 53
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:     payload_fully_trimmed: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           client_cleanups: 184
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           server_cleanups: 36
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:               established: 11
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                      syns: 1277
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  syn_acks: 1186
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                    resets: 1077
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                      fins: 116
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:         partial_fallbacks: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  max_segs: 476
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 max_bytes: 689284
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:           zero_win_probes: 20
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:         keep_alive_probes: 4
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:          full_retransmits: 145
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:  flush_on_asymmetric_flow: 14
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:          asymmetric_flows: 15
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: stream_udp
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  sessions: 1894
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                       max: 1439
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   created: 1923
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  released: 1923
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  timeouts: 29
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:               total_bytes: 16687078
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: wizard
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 tcp_scans: 274
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  tcp_hits: 175
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                tcp_misses: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                 udp_scans: 554
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                udp_misses: 554
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: Appid Statistics
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: detected apps and services
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:               Application: Services   Clients    Users      Payloads   Misc       Referred
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   unknown: 2556       1350       0          24         0          0
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: Summary Statistics
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: process
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   signals: 1
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: --------------------------------------------------
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: timing
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   runtime: 00:28:05
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                   seconds: 1685.129563
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]:                  pkts/sec: 37
Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: o")~   Snort exiting
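
As an added example (not code from this thread or from either participant's package), a small Python parser for the shutdown counters Snort prints, in the plain form or the logread form shown above, that turns them into the two checks this thread keeps circling back to: how much traffic actually reached Snort over the run, and how large a share of TCP packets landed in invalid_ack. The embedded sample is an abridged, constructed copy of the counters in the post above; the 1%-of-link and 25% invalid_ack thresholds are assumptions.

```python
"""Parse the per-module counters Snort 3 prints at shutdown (plain, or as
written to logread) and sanity-check whether an inline nfq instance actually
saw the traffic it was supposed to inspect."""
import re

# Optional syslog/logread prefix such as
# "Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: "
PREFIX_RE = re.compile(r'^.*?snort\[\d+\]:\s?')
# "name: number" counter line; a trailing "(xx.xxx%)" as on codec lines is ignored.
COUNTER_RE = re.compile(r'^\s*([A-Za-z0-9_/]+):\s+(\d+(?:\.\d+)?)(?:\s|$)')
# Non-indented lowercase module name ("daq", "stream_tcp", "timing", ...).
SECTION_RE = re.compile(r'^[a-z][a-z0-9_ ]*$')

# Constructed sample: an abridged copy of the logread dump posted in the thread.
_P = 'Sat Jul 19 13:45:55 2025 daemon.info snort[16057]: '
SAMPLE_LOGREAD = '\n'.join(_P + l for l in [
    '--------------------------------------------------',
    'Packet Statistics',
    '--------------------------------------------------',
    'daq',
    '                 received: 62883',
    '                 analyzed: 62883',
    '                    allow: 62796',
    '                 rx_bytes: 32353703',
    '--------------------------------------------------',
    'codec',
    '                    total: 62883       \t(100.000%)',
    '                      tcp: 35516       \t( 56.479%)',
    '                      udp: 27303       \t( 43.419%)',
    'stream',
    '                    flows: 3240',
    'idle_prunes_proto_timeout: 549',
    'stream_tcp',
    '                 sessions: 1329',
    '              invalid_ack: 20874',
    'detected apps and services',
    '              Application: Services   Clients    Users      Payloads   Misc       Referred',
    '                  unknown: 2556       1350       0          24         0          0',
    'timing',
    '                  runtime: 00:28:05',
    '                  seconds: 1685.129563',
    '                 pkts/sec: 37',
    'o")~   Snort exiting',
])


def parse_snort_stats(text):
    """Return {module: {counter: value}} from a shutdown statistics dump."""
    stats = {}
    section = None
    for raw in text.splitlines():
        line = PREFIX_RE.sub('', raw, count=1).rstrip()
        if not line.strip() or line.startswith('---'):
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            val = m.group(2)
            stats[section][m.group(1)] = float(val) if '.' in val else int(val)
        elif SECTION_RE.match(line.strip()):
            section = line.strip()
            stats.setdefault(section, {})
    return stats


def throughput(stats, link_mbit=1000.0):
    """Traffic actually analyzed by Snort over the run, relative to the link."""
    secs = stats.get('timing', {}).get('seconds', 0)
    if not secs:
        raise ValueError('timing.seconds counter missing; was the dump complete?')
    daq = stats.get('daq', {})
    mbit = daq.get('rx_bytes', 0) * 8 / secs / 1e6
    return {
        'pkts_per_sec': daq.get('analyzed', 0) / secs,
        'mbit_per_sec': mbit,
        'link_share': mbit / link_mbit,
    }


def tcp_visibility(stats, max_invalid_ack_ratio=0.25):
    """Share of TCP packets stream_tcp counted as invalid_ack (threshold is an
    assumption): acks that match no data Snort saw point to one-sided visibility."""
    tcp_pkts = stats.get('codec', {}).get('tcp', 0)
    bad = stats.get('stream_tcp', {}).get('invalid_ack', 0)
    ratio = bad / tcp_pkts if tcp_pkts else 0.0
    return {'invalid_ack_ratio': ratio, 'one_sided': ratio > max_invalid_ack_ratio}


def verdicts(stats, link_mbit=1000.0, min_link_share=0.01):
    """Human-readable findings; thresholds are assumptions for a saturation test."""
    out = []
    t = throughput(stats, link_mbit)
    if t['link_share'] < min_link_share:
        out.append('only %.3f Mbit/s (%.3f%% of the link) reached Snort: check the nft '
                   'queue rules and the interface names they match'
                   % (t['mbit_per_sec'], 100 * t['link_share']))
    v = tcp_visibility(stats)
    if v['one_sided']:
        out.append('%.0f%% of TCP packets were invalid_ack: consistent with Snort '
                   'seeing only one direction of each flow' % (100 * v['invalid_ack_ratio']))
    return out


if __name__ == '__main__':
    for finding in verdicts(parse_snort_stats(SAMPLE_LOGREAD)):
        print(finding)
```

Feed it the full logread dump (or the plain console dump from the first post) on stdin-style text and compare `mbit_per_sec` with what the download test was pushing.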

Yes, the fact that it reports a lot of invalid ack is suspicious, i.e. it doesn't see them. Therefore the ack bypass in the firewall should still be active. Did you also use the rules that are intended for Snort 3.9.x.x? Because efahl's updater still loads the rules for the older Snort versions.

//edit/ Do you use Wireguard and if so, what is the name of your Wireguard interface?

The one script that manages the firewall is adapted from your script:

#!/bin/sh

verbose=false

if [ -z "$wan_device" ]; then
    wan_device=$(uci get network.wan.device)
fi

nft list ruleset | grep -q 'IPS' && nft delete chain inet fw4 IPS_output && nft delete chain inet fw4 IPS_input

nft -f - <<TABLE
table inet fw4 {
    chain IPS_output {
        type filter hook postrouting priority 95; policy accept;
        oifname { $wan_device,wg0 } ip protocol icmp counter accept
        oifname { $wan_device } udp dport 51820 ct state established counter accept
        oifname { $wan_device,wg0 } tcp dport 465 counter accept
        oifname { $wan_device,wg0 } counter queue flags bypass to 4-6
        oifname { $wan_device,wg1 } ip protocol icmp counter accept
        oifname { $wan_device } udp dport 41820 ct state established counter accept
        oifname { $wan_device,wg1 } tcp dport 465 counter accept
        oifname { $wan_device,wg1 } counter queue flags bypass to 4-6
    }

    chain IPS_input {
        type filter hook prerouting priority 300; policy accept;
        iifname { $wan_device,wg0 } ip protocol icmp ct state established counter accept
        iifname { $wan_device } udp sport 51820 ct state established counter accept
        iifname { $wan_device,wg0 } tcp sport 465 counter accept
        iifname { $wan_device,wg0 } counter queue flags bypass to 4-6

        iifname { $wan_device,wg1 } ip protocol icmp ct state established counter accept
        iifname { $wan_device } udp sport 41820 ct state established counter accept
        iifname { $wan_device,wg1 } tcp sport 465 counter accept
        iifname { $wan_device,wg1 } counter queue flags bypass to 4-6
    }
}
TABLE

$verbose

exit 0

I have two wireguard interfaces, wg0 and wg1.

This is much too complicated; you can add the WireGuard interfaces in the same rule, or switch off the automatic detection by entering the interfaces. That's why I asked, because I saw that I had not yet extended the script to other possible WireGuard interfaces. So the WireGuard script would be suitable for you:

#!/bin/sh
# config
wan_device=""   # setting a device between the quotation marks disables auto detection; "" means auto detection
                # you can set more than one interface with a comma between the device names, for example "eth0,eth1"
# config

verbose=false

if [ -z "$wan_device" ]; then
    wan_device=$(uci get network.wan.device)
fi

nft list ruleset | grep -q 'IPS' && nft delete chain inet fw4 IPS_output && nft delete chain inet fw4 IPS_input

nft -f - <<TABLE
table inet fw4 {
    chain IPS_output {
        type filter hook postrouting priority 95; policy accept;
        #oifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } tcp flags ack ct state established counter accept
        oifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } ip protocol icmp counter accept
        oifname { $wan_device } udp dport 51820 ct state established counter accept
        oifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } tcp dport 465 counter accept
        oifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } counter queue flags bypass to 4-6
    }

    chain IPS_input {
        type filter hook prerouting priority 300; policy accept;
        iifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } ip protocol icmp ct state established counter accept
        iifname { $wan_device } udp sport 51820 ct state established counter accept
        iifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } tcp sport 465 counter accept
        iifname { $wan_device,Wg0,Wg1,Wg2,Wg3,Wg4,Wg5,Wg6,Wg7,Wg8,Wg9 } counter queue flags bypass to 4-6
    }
}
TABLE

$verbose

exit 0

This would also cover all future WireGuard interfaces. As I said, you can't simply take the script from the Snort test build, because the variables are taken from an external file (snort-config.conf), which is the central point of contact for all scripts that I use in the build.

Oh... does the wg1 interface HAVE to be defined at all? What if it is not, does that mean it will not go through snort? I am OK with that.

If it is not included in the nftables rules of the snort-table script, Wg1 itself is not monitored, because Snort theoretically only sees the encrypted UDP traffic on the WAN interface. In our case, however, this is not the case, because we use the accept rule for udp sport 51820 to route the encrypted traffic past Snort, provided of course that the WireGuard server uses this UDP port.

Do you think the reason snort is not seeing the traffic is due to my /usr/bin/snort-table being incorrect? If so, how should it be modified to work correctly?

Yes, that's a guess, but check how the WireGuard interface is written; Linux distinguishes between upper and lower case. If it is written differently, for example wg0 instead of Wg0, you can also enter the interfaces manually in the version of the snort-table script I posted above, with a comma in between, for example wan_device="eth0, wg0". I had added this because another user had renamed his WAN interface, so the automatic recognition no longer worked.

On my system, I have all lower case for them, so eth1 and wg0 not Wg0.

This is my /usr/bin/snort-table but snort uses ~1% CPU with it on a download test:

#!/bin/sh

wan_device="eth1"

verbose=false

nft list ruleset | grep -q 'IPS' && nft delete chain inet fw4 IPS_output && nft delete chain inet fw4 IPS_input

nft -f - <<TABLE
table inet fw4 {
    chain IPS_output {
        type filter hook postrouting priority 95; policy accept;
        oifname { $wan_device,wg0 } ip protocol icmp counter accept
        oifname { $wan_device } udp dport 51820 ct state established counter accept
        oifname { $wan_device,wg0 } tcp dport 465 counter accept
        oifname { $wan_device,wg0 } counter queue flags bypass to 4-6
    }

    chain IPS_input {
        type filter hook prerouting priority 300; policy accept;
        iifname { $wan_device,wg0 } ip protocol icmp ct state established counter accept
        iifname { $wan_device } udp sport 51820 ct state established counter accept
        iifname { $wan_device,wg0 } tcp sport 465 counter accept
        iifname { $wan_device,wg0 } counter queue flags bypass to 4-6
    }
}
TABLE

$verbose

exit 0

And it looks right:

# nft list ruleset
...
	chain IPS_output {
		type filter hook postrouting priority srcnat - 5; policy accept;
		oifname { "wg0", "eth1" } ip protocol icmp counter packets 1 bytes 284 accept
		oifname "eth1" udp dport 51820 ct state established counter packets 0 bytes 0 accept
		oifname { "wg0", "eth1" } tcp dport 465 counter packets 0 bytes 0 accept
		oifname { "wg0", "eth1" } counter packets 579 bytes 108012 queue flags bypass to 4-6
	}

	chain IPS_input {
		type filter hook prerouting priority 300; policy accept;
		iifname { "wg0", "eth1" } ip protocol icmp ct state established counter packets 0 bytes 0 accept
		iifname "eth1" udp sport 51820 ct state established counter packets 0 bytes 0 accept
		iifname { "wg0", "eth1" } tcp sport 465 counter packets 0 bytes 0 accept
		iifname { "wg0", "eth1" } counter packets 508 bytes 1413067 queue flags bypass to 4-6
	}
}

Strangely, it always created the WireGuard interface with capital letters at the beginning; please post ifconfig.

Output of `ifconfig`
br-lan    Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:451217 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1273694 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:131233530 (125.1 MiB)  TX bytes:1596486441 (1.4 GiB)

br-lan.10 Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          inet addr:10.9.8.1  Bcast:10.9.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:433819 errors:0 dropped:0 overruns:0 frame:0
          TX packets:470254 errors:0 dropped:8 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:118065094 (112.5 MiB)  TX bytes:1544032642 (1.4 GiB)

br-lan.3  Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          inet addr:10.9.7.1  Bcast:10.9.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1210 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:228432 (223.0 KiB)  TX bytes:274549 (268.1 KiB)

br-lan.4  Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          inet addr:10.9.6.1  Bcast:10.9.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:432 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:26534 (25.9 KiB)  TX bytes:139830 (136.5 KiB)

br-lan.5  Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          inet addr:10.9.5.1  Bcast:10.9.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14002 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9910 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12332508 (11.7 MiB)  TX bytes:865747 (845.4 KiB)

br-lan.6  Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          inet addr:10.9.4.1  Bcast:10.9.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:889 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:580962 (567.3 KiB)  TX bytes:262467 (256.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39119 errors:0 dropped:2 overruns:0 frame:0
          TX packets:64953 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18202316 (17.3 MiB)  TX bytes:60679649 (57.8 MiB)
          Memory:81600000-816fffff 

eth1      Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9B  
          inet addr:xxx.xxx.xxx.xxx  Bcast:yyy.yyy.yyy.yyy  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1250571 errors:0 dropped:0 overruns:0 frame:0
          TX packets:426083 errors:0 dropped:10 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1584065062 (1.4 GiB)  TX bytes:123508724 (117.7 MiB)
          Memory:81300000-813fffff 

eth2      Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9C  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth3      Link encap:Ethernet  HWaddr 00:E2:59:01:D2:9D  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:148573 errors:0 dropped:0 overruns:0 frame:0
          TX packets:988953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12522438 (11.9 MiB)  TX bytes:1490038402 (1.3 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:280 errors:0 dropped:0 overruns:0 frame:0
          TX packets:280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:74154 (72.4 KiB)  TX bytes:74154 (72.4 KiB)

lxcbr0    Link encap:Ethernet  HWaddr FE:E6:D4:AE:5F:8A  
          inet addr:10.0.4.1  Bcast:10.0.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1816 errors:0 dropped:12 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:264298 (258.1 KiB)  TX bytes:367517 (358.9 KiB)

veth0g6BrB Link encap:Ethernet  HWaddr FE:95:E8:B7:F8:BB  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59 errors:0 dropped:0 overruns:0 frame:0
          TX packets:384 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:30711 (29.9 KiB)  TX bytes:107118 (104.6 KiB)

veth1     Link encap:Ethernet  HWaddr A2:C4:5E:91:9B:22  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

veth6KIbPb Link encap:Ethernet  HWaddr FE:E6:D4:AE:5F:8A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1816 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:286866 (280.1 KiB)  TX bytes:367517 (358.9 KiB)

vethCrun09 Link encap:Ethernet  HWaddr FE:1A:70:C6:0B:50  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:267002 errors:0 dropped:0 overruns:0 frame:0
          TX packets:220727 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:107014484 (102.0 MiB)  TX bytes:46073095 (43.9 MiB)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.9.200.200  P-t-P:10.9.200.200  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wg1       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.100.100.104  P-t-P:10.100.100.104  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:566 errors:0 dropped:0 overruns:0 frame:0
          TX packets:618 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:198756 (194.0 KiB)  TX bytes:110828 (108.2 KiB)

You are right, the interface names are written in lower case, but it doesn't matter because the traffic does not go via the Wireguard interfaces but directly via the WAN port eth1. Maybe a display error from htop? At least in the screenshot you posted, the order is correct: Snort is at the top of the load.

//edit/ What I just realized is how many snort threads htop shows, because on your screenshot I only see one.