[FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
Locked 240 messages Options
1 ... 6789101112
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
I'm not sure what Itus had in mind, since I don't see a need for even the Bridge mode.  I can't see picking the transparent bridge over the router configuration but my use cases are pretty straight forward.

I've gotten success in starting to setup the individual modes.  Right now, I want to set it up so that everything is self-contained in a single image and sets itself up based on the slot it is put into.  It beats having to try and keep up across three repos.  Once I get it shaken out, I'll put up a router image for those who want to test.  I'll also be sending out an email to the forums registered users asking for test subjects :D.
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Turrican
Sign me up please :)
Running v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Turrican, I sent you an invite through Google Hangouts.
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Gnomad,

I finally got Snort 3 to compile and install, but the current /etc/snort/rules/snort.rules error badly.  Any idea if there are changes between the 2.x and 3 rule defines?
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Gnomad
Yeah, looks like the syntax has changed.

There's separate v2 and v3 downloads available here https://www.snort.org/downloads/#rule-downloads for "community-rules".
But if we want to include the additional emerging threats I can only find reference to v2.9 https://rules.emergingthreats.net/open/ (snort-edge is also 2.9 based)

We can keep an eye out for changes, but I'd say v2.9 is working well enough for now.

Sorry for my radio silence too - super-busy period with work..



On Fri, 1 Nov 2019 at 14:14, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Gnomad,

I finally got Snort 3 to compile and install, but the current /etc/snort/rules/snort.rules error badly.  Any idea if there are changes between the 2.x and 3 rule defines?
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1915.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
OpenWrt SNAPSHOT, r10391-3d8d528939
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Well, see, thing is... Snort 2 kinda stopped working. They changed something that'll require me building snort without appid. One of the appid modules calls library calls that aren't available under musl (the toolchain), just x86.  So on one hand, 2.9.x can be made to work (probably) but without appid.

Or, go to 3 beta and get started early on the stuff. It has appid working.  If we can decide this, I can put the call for testing out and we can see if anyone answers. Maybe someone good at snort configs will show up. 3 should also offer a greater ability to set rules. Dunno.  Comments?

On Fri, Nov 1, 2019, 3:44 AM Gnomad [via Itus Networks Owners Forum] <[hidden email]> wrote:
Yeah, looks like the syntax has changed.

There's separate v2 and v3 downloads available here https://www.snort.org/downloads/#rule-downloads for "community-rules".
But if we want to include the additional emerging threats I can only find reference to v2.9 https://rules.emergingthreats.net/open/ (snort-edge is also 2.9 based)

We can keep an eye out for changes, but I'd say v2.9 is working well enough for now.

Sorry for my radio silence too - super-busy period with work..



On Fri, 1 Nov 2019 at 14:14, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Gnomad,

I finally got Snort 3 to compile and install, but the current /etc/snort/rules/snort.rules error badly.  Any idea if there are changes between the 2.x and 3 rule defines?
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1915.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
OpenWrt SNAPSHOT, r10391-3d8d528939



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1916.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Gnomad
What's appid?  Benefits?

If we went to snort 3, I expect we'd be resigning ourselves to base community-rules for a while - I haven't seen any roadmap for emerging-threats to move to it anytime soon, and even if you can find snort-fluent Shield users I can't imagine any would have the bandwidth to maintain a 3.x equivalent set..

On Fri, 1 Nov 2019 at 15:55, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Well, see, thing is... Snort 2 kinda stopped working. They changed something that'll require me building snort without appid. One of the appid modules calls library calls that aren't available under musl (the toolchain), just x86.  So on one hand, 2.9.x can be made to work (probably) but without appid.

Or, go to 3 beta and get started early on the stuff. It has appid working.  If we can decide this, I can put the call for testing out and we can see if anyone answers. Maybe someone good at snort configs will show up. 3 should also offer a greater ability to set rules. Dunno.  Comments?

On Fri, Nov 1, 2019, 3:44 AM Gnomad [via Itus Networks Owners Forum] <[hidden email]> wrote:
Yeah, looks like the syntax has changed.

There's separate v2 and v3 downloads available here https://www.snort.org/downloads/#rule-downloads for "community-rules".
But if we want to include the additional emerging threats I can only find reference to v2.9 https://rules.emergingthreats.net/open/ (snort-edge is also 2.9 based)

We can keep an eye out for changes, but I'd say v2.9 is working well enough for now.

Sorry for my radio silence too - super-busy period with work..



On Fri, 1 Nov 2019 at 14:14, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Gnomad,

I finally got Snort 3 to compile and install, but the current /etc/snort/rules/snort.rules error badly.  Any idea if there are changes between the 2.x and 3 rule defines?
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1915.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
OpenWrt SNAPSHOT, r10391-3d8d528939



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1916.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1917.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
OpenWrt SNAPSHOT, r10391-3d8d528939
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Just a quick update - I'm still alive! Yay!

Actually, I spent some time in hospital for what seems no reason.  I'm hoping to pick this back up shortly.

AppID identifies the filetype (using Magic File) of inbound files, regardless of their extension.  So you could block file types with mismatched extensions.  Also should allow a whitelisting of specific file types so the Shield won't scan them.

I'm going to have to dive back into the repos and see what's new, as well.
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Hey All!

So, I've done some updating, and of course it broke some things..  Every time the kernel updates, I have to repatch the source for the Marvell Octeon III PHY network drivers, and that's a pain sometimes.

But..

I've got it updated, I've got snort3 installing instead of 2.x.  I bit the bullet and did a source compile on my local machine for Snort3 so I could get to the snort2lua program.  Snort3 uses LUA based rule and configuration files, so I have to build all of this out and moved over.  Snort3, I think, is still kind of "new" when it comes to OpenWrt since it doesn't seem to move anything over in the compile that is actually needed (like the default .lua files, for example)

Also there now seems to be support for WireGuard.  This could be useful for those who want to monitor everything going thru the Shield in real time.

I am still building and testing, but for anyone who wants to test, I'll put up a version shortly assuming it doesn't break anything.
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
I'm going to put the driver patch file I put together (was based on 7 separate patch files) for the Octeon III network interface.  This was probably the single biggest issue I had getting anything to work.  It would compile fine, boot, etc, but the network showed 8 interfaces and nothing worked :D

The patch file might serve anyone else looking to make something with the Shield in some way, hopefully making it easier on them.  In theory, the box can run anything that has a mips64 version (I was looking into pfsense until I realized they don't, for example).  When whoever it is doesn't support the Shield, you can roll your own as everything else is bog-standard except the network.

700-Cavium_Octeon_iii_network_driver.patch
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Need Help testing.

Grommish
Administrator
First, in case you hadn't already heard:  CVE-2020-7982

While this really doesn't effect us (since MOST packages have to be cross-compiled from source) which makes MITM attacks less than likely.

But, I had a setback when i updated the codebase and things broke.  Since then, I've been working on finding ways to set the configs up based on the mode.

I believe I've got Router mode most of the way done.  Anyone actually use Bridge still? or Gateway (which was never finished, i know).

IF you use Bridge/Gateway mode as an actual mode, I need to use your configurations.

As for Router, I need tests and additions


I don't even have Snort running on this yet, but i do have ClamAV and dnsmasq doing their thing

Let me know if I should bother continuing to invest time?
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Roadrunnere42
Hi Grommish
Hope your safe and well, since January this year I've been really busy and now been seconded to the police for 2 months collecting dead bodies who have died from the covid 19 virus ( not a nice job but someone has to do it).
As for the Shield it's been forgotten because of work but last time it was running the new version which seem to work ok, I would still like to try and test any new versions, as I said before I run in router mode.
Keep up the good work.

ruodrunneruk


On Wed, 8 Apr 2020 at 02:19, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
First, in case you hadn't already heard:  CVE-2020-7982

While this really doesn't effect us (since MOST packages have to be cross-compiled from source) which makes MITM attacks less than likely.

But, I had a setback when i updated the codebase and things broke.  Since then, I've been working on finding ways to set the configs up based on the mode.

I believe I've got Router mode most of the way done.  Anyone actually use Bridge still? or Gateway (which was never finished, i know).

IF you use Bridge/Gateway mode as an actual mode, I need to use your configurations.

As for Router, I need tests and additions


I don't even have Snort running on this yet, but i do have ClamAV and dnsmasq doing their thing

Let me know if I should bother continuing to invest time?
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1932.html
To start a new topic under Technical Discussion, email [hidden email]
To unsubscribe from Itus Networks Owners Forum, click here.
NAML
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Grommish
Administrator
I know France has been hit hard, be safe.

I have a few big issues to overcome.

1) Initial Setup - something changed in the way the boot process works, so my Firstboot script no longer functions.  I've gotten around this, mostly.
2) Snort3 - Snort3 compiles, but I have issues with the Config file, since the config file structure has changed.  For whatever reason, it's not also building the tool used to convert a config from Snort2 to Snort3 Lua.
3) Bridge and Gateway Configs - I may not worry about this unless i have someone specifically want to run it and can help with the config.
4) Update system - I'm still working on seeing how I can get the update system to work.

All in all, I think the router image is about ready.  I'm doing a fresh compile and build and will test it before I upload it.
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Gnomad
Sorry Grommish, can't offer too much in the way of assistance at the moment.
Myself & my wife are both working from home now, so reliable connectivity is a priority - so much so that I've actually switched off our Shield for now due to its tendency to randomly flake out & take me 30+mins each time to sort out.  That might coincide with snort rule updates & reboots (?) but snort's the main reason I use it.  So whilst I appreciate that you've nearly got Snort3 working, that's a bit of a kicker for me ;-)  Let me know if you figure it out!

I've actually also recently backed this on Kickstarter:  https://www.kickstarter.com/projects/pangolinsecured/pangolin-simple-cybersecurity-for-home-and-small-business.  Not expecting it before July now, but I'm hoping it might be a bit more reliable. Unfortunately I don't have the time (or patience ;) to tinker as much as I used to..

On Fri, 10 Apr 2020 at 06:30, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
I know France has been hit hard, be safe.

I have a few big issues to overcome.

1) Initial Setup - something changed in the way the boot process works, so my Firstboot script no longer functions.  I've gotten around this, mostly.
2) Snort3 - Snort3 compiles, but I have issues with the Config file, since the config file structure has changed.  For whatever reason, it's not also building the tool used to convert a config from Snort2 to Snort3 Lua.
3) Bridge and Gateway Configs - I may not worry about this unless i have someone specifically want to run it and can help with the config.
4) Update system - I'm still working on seeing how I can get the update system to work.

All in all, I think the router image is about ready.  I'm doing a fresh compile and build and will test it before I upload it.
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1936.html
To unsubscribe from [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*, click here.
NAML
OpenWrt SNAPSHOT, r10391-3d8d528939
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Grommish
Administrator
Oh, I understand :)  Just remember me when you move on from the Shield :D

As for the firmware, I'm having a few issues, but nothing insurmountable yet.  The biggest issue I have is the fact the Shield uses a mips64 chip.  So it means having to fight with and cross-compile everything.  I DID get Snort3 working WITH the accompanying tools (including snort2lua!).  I had to get LuaJIT to work under mips64 (it won't without help) and then Snort3 itself - but it works.  See the pastes below..  During the run, i ran two simultaneous speedtests benchmarks.  One from speedtest.googlefiber.net and one from speedtest.net.  I never saw above a .50 load or less than 630MB RAM Free.

Now, this is running ONLY the very STOCK Snort config!  I do NOT know Firewall rules as well as I should, so, who wants to help? *beg*

root@OpenWrt:/etc/snort# snort --daq-dir /usr/lib/daq -c /etc/snort/snort.lua -i
 any -D
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
        ips
        dce_http_proxy
        wizard
        pop
        ftp_server
        ssl
        stream_icmp
        ftp_data
        dnp3
        telnet
        latency
        dce_udp
        imap
        classifications
        references
        binder
        appid
        ftp_client
        smtp
        gtp_inspect
        port_scan
        back_orifice
        dce_tcp
        ssh
        rpc_decode
        stream_tcp
        normalizer
        modbus
        http2_inspect
        http_inspect
        arp_spoof
        stream_user
        stream_udp
        stream_ip
        stream_file
        stream
        dce_http_server
        dce_smb
        sip
        file_id
        dns
Finished /etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to passive.
initializing daemon mode
child process is 2347
Commencing packet processing
++ [0] any
root@OpenWrt:/etc/snort# ERROR: Unable to find a Codec with data link type 113


--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 2658325
                 analyzed: 1872001
                  dropped: 786322
              outstanding: 786324
                    allow: 1872001
                     idle: 1
                 rx_bytes: 1970544795
--------------------------------------------------
codec
                    total: 1872001      (100.000%)
                    other: 1872001      (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 1872001
--------------------------------------------------
latency
            total_packets: 1872001
              total_usecs: 7083213
                max_usecs: 8430
          packet_timeouts: 44
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:08:32
                  seconds: 512.525329
                  packets: 2658325
                 pkts/sec: 5192
o")~   Snort exiting

 
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Roadrunnere42
Can't remember who on the site suggested the setting for snort, but he knew what he was doing, look at the attached files was his changes to speed thing up and things to delete.

Here are the modification that I made from his suggestions

snort file
output alert_fast: alert.fast 64k
# output log_tcpdump: tcpdump.log

include classification.config
include reference.config

include reference.config

var RULE_PATH /etc/snort/rules/
var PREPROC_RULE_PATH /etc/snort/rules/
var BLACK_LIST_PATH /etc/snort/rules/

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules

include threshold.conf

ipvar HOME_NET 10.10.10.240
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET
portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
portvar SHELLCODE_PORTS !0
portvar ORACLE_PORTS 1024:
portvar SSH_PORTS 22
portvar FTP_PORTS [21,2100,3535]
portvar SIP_PORTS [5060,5061,5600]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
portvar GTP_PORTS [2123,2152,3386]

ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

config enable_decode_drops
config enable_tcpopt_experimental_drops
config enable_tcpopt_obsolete_drops
config enable_tcpopt_ttcp_drops
config enable_tcpopt_drops
config enable_ipopt_drops
config enable_decode_oversized_drops

config policy_mode:inline
config checksum_drop: all
#config checksum_mode: all
# config flowbits_size: 64
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
# config response: eth0 attempts 2

config daq: nfq
config daq_dir: /usr/lib/daq/
config daq_mode: inline
config daq_var: queue=8
#config daq_var: proto=ip6
#config daq_var: queue_len=65535

# config set_gid:
# config set_uid:

# config snaplen:
# config bpf_file:

config logdir: /tmp/snort/


config pcre_match_limit: 5000
config pcre_match_limit_recursion: 2500
#config detection: search-method ac search-optimize max-pattern-len 20
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 20 no_stream_inserts
config event_queue: max_queue 8 log 5 order_events content_length

# config enable_gtp

#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log

#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert

#config profile_rules: print all, sort avg_ticks
#config profile_preprocs: print all, sort avg_ticks

config paf_max: 16000

dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort_dynamicrules


# preprocessor gtp: ports { 2123 3386 2152 }

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp yes, \
   max_tcp 10000, \
   max_udp 10000, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 1120810

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
   max_queued_bytes 1064720, \
    ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
        161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
        7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7907 7000 7001 7071 7144 7145 7510 7802 7770 7777 7778 7779 \
        7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
        7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
preprocessor stream5_udp: timeout 180

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

preprocessor bo

preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    ftp_cmds { XSEN XSHA1 XSHA256 } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
    cmd_validity ALLO < int [ char R int ] > \    
    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
    cmd_validity MACB < string > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity PORT < host_port > \
    cmd_validity PROT < char CSEP > \
    cmd_validity STRU < char FRPO [ string ] > \    
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    ignore_telnet_erase_cmds yes \
    telnet_cmds yes

#preprocessor smtp: ports { 25 465 587 691 } \
#   inspection_type stateful \
#    b64_decode_depth 0 \
#    qp_decode_depth 0 \
#    bitenc_decode_depth 0 \
#    uu_decode_depth 0 \
#    log_mailfrom \
#    log_rcptto \
#    log_filename \
#    log_email_hdrs \
#    normalize cmds \
#    normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
#    normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
#    normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
#    normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
#    max_command_line_len 512 \
#    max_header_line_len 1000 \
#    max_response_line_len 512 \
#    alt_max_command_line_len 260 { MAIL } \
#    alt_max_command_line_len 300 { RCPT } \
#    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
#    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
#    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
#    valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
#    valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
#    valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
#    valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
#    xlink2state { enabled }

preprocessor sfportscan: proto  { all } memcap { 500000 } sense_level { medium }

# preprocessor arpspoof
# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]

preprocessor dns: ports { 53 } enable_rdata_overflow

preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted

#preprocessor sensitive_data: alert_threshold 25

#preprocessor sip: max_sessions 1024, \
#   ports { 5060 5061 5600 }, \
#   methods { invite \
#             cancel \
#             ack \
#             bye \
#             register \
#             options \
#             refer \
#             subscribe \
#             update \
#             join \
#             info \
#             message \
#             notify \
#             benotify \
#             do \
#             qauth \
#             sprack \
#             publish \
#             service \
#             unsubscribe \
#             prack }, \
#   max_uri_len 512, \
#   max_call_id_len 80, \
#   max_requestName_len 20, \
#   max_from_len 256, \
#   max_to_len 256, \
#   max_via_len 1024, \
#   max_contact_len 512, \
#   max_content_len 2048

#preprocessor imap: \
#   ports { 143 } \
#   b64_decode_depth 0 \
#   qp_decode_depth 0 \
#   bitenc_decode_depth 0 \
#   uu_decode_depth 0

#preprocessor pop: \
#   ports { 110 } \
#   b64_decode_depth 0 \
#   qp_decode_depth 0 \
#   bitenc_decode_depth 0 \
#   uu_decode_depth 0

#preprocessor modbus: ports { 502 }

#preprocessor dnp3: ports { 20000 } \
#   memcap 131077 \
#   check_crc

#preprocessor reputation: \
#   memcap 100, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/L2.blacklist


# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp



On Sun, 12 Apr 2020 at 04:45, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Oh, I understand :)  Just remember me when you move on from the Shield :D

As for the firmware, I'm having a few issues, but nothing insurmountable yet.  The biggest issue I have is the fact the Shield uses a mips64 chip.  So it means having to fight with and cross-compile everything.  I DID get Snort3 working WITH the accompanying tools (including snort2lua!).  I had to get LuaJIT to work under mips64 (it won't without help) and then Snort3 itself - but it works.  See the pastes below..  During the run, i ran two simultaneous speedtests benchmarks.  One from speedtest.googlefiber.net and one from speedtest.net.  I never saw above a .50 load or less than 630MB RAM Free.

Now, this is running ONLY the very STOCK Snort config!  I do NOT know Firewall rules as well as I should, so, who wants to help? *beg*

root@OpenWrt:/etc/snort# snort --daq-dir /usr/lib/daq -c /etc/snort/snort.lua -i
 any -D
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
        ips
        dce_http_proxy
        wizard
        pop
        ftp_server
        ssl
        stream_icmp
        ftp_data
        dnp3
        telnet
        latency
        dce_udp
        imap
        classifications
        references
        binder
        appid
        ftp_client
        smtp
        gtp_inspect
        port_scan
        back_orifice
        dce_tcp
        ssh
        rpc_decode
        stream_tcp
        normalizer
        modbus
        http2_inspect
        http_inspect
        arp_spoof
        stream_user
        stream_udp
        stream_ip
        stream_file
        stream
        dce_http_server
        dce_smb
        sip
        file_id
        dns
Finished /etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to passive.
initializing daemon mode
child process is 2347
Commencing packet processing
++ [0] any
root@OpenWrt:/etc/snort# ERROR: Unable to find a Codec with data link type 113


--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 2658325
                 analyzed: 1872001
                  dropped: 786322
              outstanding: 786324
                    allow: 1872001
                     idle: 1
                 rx_bytes: 1970544795
--------------------------------------------------
codec
                    total: 1872001      (100.000%)
                    other: 1872001      (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 1872001
--------------------------------------------------
latency
            total_packets: 1872001
              total_usecs: 7083213
                max_usecs: 8430
          packet_timeouts: 44
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:08:32
                  seconds: 512.525329
                  packets: 2658325
                 pkts/sec: 5192
o")~   Snort exiting

 
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1939.html
To start a new topic under Technical Discussion, email [hidden email]
To unsubscribe from Itus Networks Owners Forum, click here.
NAML

f_k8wwbjgg0 (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Grommish
Administrator
Thanks!  I'll take a look.

I'm having to learn the new format, which is slowing me down.  This is the "new" Snort3 config format.  The entire system has changed and what it can or should do..  I'm going to get it stable and running on the vanilla configuration.  I'm then going to put up a test image that can go in the Gateway position, but act as a router...  That way, anyone who wants to test can do so without touching the production (router or bridge) setting...  Should make it easier for those who don't have a lot of time to play without having to worry about trashing what already works.

---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

-- there are over 200 modules available to tune your policy.
-- many can be used with defaults w/o any explicit configuration.
-- use this conf as a template for your specific configuration.

-- 1. configure environment
-- 2. configure defaults
-- 3. configure inspection
-- 4. configure bindings
-- 5. configure performance
-- 6. configure detection
-- 7. configure filters
-- 8. configure outputs
-- 9. configure tweaks

---------------------------------------------------------------------------
-- 1. configure environment
---------------------------------------------------------------------------

-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install

-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/etc/snort

lua_path = os.getenv('LUA_PATH')
if ( not lua_path ) then
    package.path = '/usr/include/snort/lua/?.lua;?;'
end

-- this depends on LUA_PATH
-- used to load this conf into Snort
require('snort_config')

-- this depends on SNORT_LUA_PATH
-- where to find other config files
conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '/etc/snort'
end

---------------------------------------------------------------------------
-- 2. configure defaults
---------------------------------------------------------------------------

-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'any'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/file_magic.lua')

---------------------------------------------------------------------------
-- 3. configure inspection
---------------------------------------------------------------------------

-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod

-- mod = default_mod uses external defaults
-- you can see them in snort_defaults.lua

-- the following are quite capable with defaults:

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
stream_user = { }
stream_file = { }

arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
http2_inspect = { }
imap = { }
modbus = { }
normalizer = { }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }

dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }

-- see snort_defaults.lua for default_*
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

-- see file_magic.lua for file id rules
file_id = { file_rules = file_magic }

-- the following require additional configuration to be fully effective:

appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
}

--[[
reputation =
{
    -- configure one or both of these, then uncomment reputation
    --blacklist = 'blacklist file name with ip lists'
    --whitelist = 'whitelist file name with ip lists'
}
--]]

---------------------------------------------------------------------------
-- 4. configure bindings
---------------------------------------------------------------------------

wizard = default_wizard

binder =
{
    -- port bindings required for protocols without wizard support
    { when = { proto = 'udp', ports = '53' },  use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' } },
    { when = { proto = 'tcp', ports = '2123 2152 3386' }, use = { type = 'gtp' } },

    { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },

    { when = { service = 'netbios-ssn' },      use = { type = 'dce_smb' } },
    { when = { service = 'dce_http_server' },  use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' },   use = { type = 'dce_http_proxy' } },

    { when = { service = 'dnp3' },             use = { type = 'dnp3' } },
    { when = { service = 'dns' },              use = { type = 'dns' } },
    { when = { service = 'ftp' },              use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' },         use = { type = 'ftp_data' } },
    { when = { service = 'gtp' },              use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' },             use = { type = 'imap' } },
    { when = { service = 'http' },             use = { type = 'http_inspect' } },
    { when = { service = 'http2' },            use = { type = 'http2_inspect' } },
    { when = { service = 'modbus' },           use = { type = 'modbus' } },
    { when = { service = 'pop3' },             use = { type = 'pop' } },
    { when = { service = 'ssh' },              use = { type = 'ssh' } },
    { when = { service = 'sip' },              use = { type = 'sip' } },
    { when = { service = 'smtp' },             use = { type = 'smtp' } },
    { when = { service = 'ssl' },              use = { type = 'ssl' } },
    { when = { service = 'sunrpc' },           use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' },           use = { type = 'telnet' } },

    { use = { type = 'wizard' } }
}

---------------------------------------------------------------------------
-- 5. configure performance
---------------------------------------------------------------------------

-- use latency to monitor / enforce packet and rule thresholds
latency =
{
    packet = { max_time = 1500 },
    rule = { max_time = 200 },
}

-- use these to capture perf data for analysis and tuning
--profiler = { }
--perf_monitor = { }

---------------------------------------------------------------------------
-- 6. configure detection
---------------------------------------------------------------------------

references = default_references
classifications = default_classifications

ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    --include = 'snort3-community.rules'
}

-- use these to configure additional rule actions
-- react = { }
-- reject = { }
-- rewrite = { }

---------------------------------------------------------------------------
-- 7. configure filters
---------------------------------------------------------------------------

-- below are examples of filters
-- each table is a list of records

--[[
suppress =
{
    -- don't want to any of see these
    { gid = 1, sid = 1 },

    -- don't want to see these for a given server
    { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
}
--]]

--[[
event_filter =
{
    -- reduce the number of events logged for some rules
    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
    { gid = 1, sid = 2, type = 'both',  track = 'by_dst', count = 5, seconds = 60 },
}
--]]

--[[
rate_filter =
{
    -- alert on connection attempts from clients in SOME_NET
    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },

    -- alert on connections to servers over threshold
    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
      new_action = 'alert', timeout = 1 },
}
--]]

---------------------------------------------------------------------------
-- 8. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }

---------------------------------------------------------------------------
-- 9. configure tweaks
---------------------------------------------------------------------------

if ( tweaks ~= nil ) then
    dofile(conf_dir .. '/' .. tweaks .. '.lua')
end
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Grommish
Administrator
Ok, so..  I think I finally have a grip on this..  OpenWrt has MANY cool systems when you're building from scratch, but they are just a huge pain to find.

I found reference to the /etc/uci-defaults directory, which will run a file on the first boot, then delete it.  This allows me to do selective settings via the uci!

I have abandoned using ClamAV in the image.  It's huge and resource heavy, and not really useful given what would have to be given up for it (like.. Snort..or Adblock..)  ClamAV has an 800MB RAM footprint!  So.. Ah well.

# Common Settings between three modes
# Network Settings
uci set network.loopback=interface
uci set network.loopback.ifname="lo"
uci set network.loopback.proto="static"
uci set network.loopback.ipaddr="127.0.0.1"
uci set network.loopback.netmask="255.0.0.0"
uci set network.globals=globals
uci set network.globals.ula_prefix="fd18:0640:804c::/48"

# Setup networking defaults based on mode
case "${SHIELD_MODE}" in
        "Router" | "Gateway")
                # Network Setup
                uci set network.wan=interface
                uci set network.wan.ifname='eth0'
                uci set network.wan.proto='dhcp'

                uci set network.lan=interface
                uci set network.lan.ifname='eth1 eth2'
                uci set network.lan.force_link='1'
                uci set network.lan.proto='static'
                uci set network.lan.type='bridge'
                uci set network.lan.ipaddr='10.10.10.10'
                uci set network.lan.netmask='255.255.255.0'
                uci set network.lan.ip6assign='60'

                uci set network.wan6=interface
                uci set network.wan6.ifname='eth0'
                uci set network.wan6.proto='dhcpv6'
                uci commit network


                # DHCP/DNS Setup
                uci set dhcp.@dnsmasq[0]=dnsmasq
                uci set dhcp.@dnsmasq[0].domainneeded='1'
                uci set dhcp.@dnsmasq[0].boguspriv='1'
                uci set dhcp.@dnsmasq[0].filterwin2k='0'
                uci set dhcp.@dnsmasq[0].localise_queries='1'
                uci set dhcp.@dnsmasq[0].rebind_protection='1'
                uci set dhcp.@dnsmasq[0].rebind_localhost='1'
                uci set dhcp.@dnsmasq[0].local='/lan/'
                uci set dhcp.@dnsmasq[0].domain='lan'
                uci set dhcp.@dnsmasq[0].expandhosts='1'
                uci set dhcp.@dnsmasq[0].nonegcache='0'
                uci set dhcp.@dnsmasq[0].authoritative='1'
                uci set dhcp.@dnsmasq[0].readethers='1'
                uci set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
                uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
                uci set dhcp.@dnsmasq[0].nonwildcard='1'
                uci set dhcp.@dnsmasq[0].localservice='1'

                uci set dhcp.lan=dhcp
                uci set dhcp.lan.interface='lan'
                uci set dhcp.lan.start='100'
                uci set dhcp.lan.limit='150'
                uci set dhcp.lan.leasetime='12h'
                uci set dhcp.lan.dhcpv6='server'
                uci set dhcp.lan.ra='server'
                uci set dhcp.lan.ra_slaac='1'
                uci set dhcp.lan.ra_flags='managed-config' 'other-config'

                uci set dhcp.wan=dhcp
                uci set dhcp.wan.interface='wan'
                uci set dhcp.wan.ignore='1'

                uci set dhcp.odhcpd=odhcpd
                uci set dhcp.odhcpd.maindhcp='0'
                uci set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
                uci set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
                uci set dhcp.odhcpd.loglevel='4'
                uci commit dhcp


                # Adblock Setup
                uci set adblock.global=adblock
                uci set adblock.global.adb_enabled='1'
                uci set adblock.global.adb_debug='0'
                uci set adblock.global.adb_forcedns='0'
                uci set adblock.global.adb_safesearch='0'
                uci set adblock.global.adb_mail='0'
                uci set adblock.global.adb_maxqueue='4'
                uci set adblock.global.adb_dns='dnsmasq'
                uci set adblock.global.adb_trigger='wan'
                uci set adblock.global.adb_report='1'
                uci set adblock.global.adb_repiface='br-lan'
                uci set adblock.global.adb_backup='0'
                uci set adblock.global.adb_dnsfilereset='1'
                uci set adblock.global.adb_dnsflush='1'
                uci add_list adblock.global.adb_sources='adaway'
                uci add_list adblock.global.adb_sources='adguard'
                uci add_list adblock.global.adb_sources='disconnect'
                uci add_list adblock.global.adb_sources='oisd_nl'
                uci add_list adblock.global.adb_sources='youtube'
                uci add_list adblock.global.adb_sources='yoyo'
                uci set adblock.global.adb_fetchutil='uclient-fetch'
                uci commit adblock

                # uhttpd Setup
                uci set uhttpd.main=uhttpd
                uci set uhttpd.main.listen_http='10.10.10.10:80'
                uci set uhttpd.main.listen_https='10.10.10.10:443'
                uci set uhttpd.main.redirect_https='1'
                uci set uhttpd.main.home='/www'
                uci set uhttpd.main.rfc1918_filter='1'
                uci set uhttpd.main.max_requests='3'
                uci set uhttpd.main.max_connections='100'
                uci set uhttpd.main.cert='/etc/uhttpd.crt'
                uci set uhttpd.main.key='/etc/uhttpd.key'
                uci set uhttpd.main.cgi_prefix='/cgi-bin'
                uci set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
                uci set uhttpd.main.script_timeout='60'
                uci set uhttpd.main.network_timeout='30'
                uci set uhttpd.main.http_keepalive='20'
                uci set uhttpd.main.tcp_keepalive='1'
                uci set uhttpd.main.ubus_prefix='/ubus'
                uci set uhttpd.defaults=cert
                uci set uhttpd.defaults.days='730'
                uci set uhttpd.defaults.bits='2048'
                uci set uhttpd.defaults.country='ZZ'
                uci set uhttpd.defaults.state='Somewhere'
                uci set uhttpd.defaults.location='Unknown'
                uci set uhttpd.defaults.commonname='OpenWrt'
        ;;
        "Bridge")
        ;;
esac
Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Itus Firmware v2

Grommish
Administrator
Itus Shield Firmware v2.0 (OpenWrt SNAPSHOT r11407+1525-54ba15f9fa) ALPHA
NOTE: This WILL erase ALL DATA in the GATEWAY slot!

Download ItusgatewayImage



Instructions to Flash:

Boot into the Shield in whatever mode that you normally use

If you have ssh/scp installed on your PC, you can use it directly.  MAKE SURE YOU ARE IN THE DIRECTORY YOU DOWNLOADED THE FILE INTO!

ssh -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@10.10.10.10 "mount /dev/mmcblk0p1 /overlay"
ssh -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@10.10.10.10 "cp /overlay/ItusgatewayImage /overlay/ItusgatewayImage-Rescue"
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ./ItusgatewayImage root@10.10.10.10:/overlay
ssh -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@10.10.10.10 "touch /overlay/ItusgatewayImage"
ssh -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@10.10.10.10 "umount /overlay"

(the flags above just keep SSH/SCP from complaining about the SSH Key for your Shield if it changed.  This way, you don't have to remove the key and re-add a new one)

You MUST ensure that your Shield is in the GATEWAY (OUTER) Position, then reboot

First boot will take a few minutes. The M-LED on the Shield will turn ORANGE when the boot is complete.  

Open 10.10.10.10 and login (no password by default)

Troubleshooting:

If you boot into the new image and you have no IP on eth0:  This happens from time to time, and I'm not sure why.  Reboot the system and let it try again.

Requests:

Suggested changes to the "default" setup are welcome.. Packages, settings, etc.

Running Itus Shield v2 Firmware
Reply | Threaded
Open this post in threaded view
|

Re: Need Help testing.

Roadrunnere42
In reply to this post by Grommish
Great work
can't wait for new build.


On Wed, 15 Apr 2020 at 06:46, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Ok, so..  I think I finally have a grip on this..  OpenWrt has MANY cool systems when you're building from scratch, but they are just a huge pain to find.

I found reference to the /etc/uci-defaults directory, which will run a file on the first boot, then delete it.  This allows me to do selective settings via the uci!

I have abandoned using ClamAV in the image.  It's huge and resource heavy, and not really useful given what would have to be given up for it (like.. Snort..or Adblock..)  ClamAV has an 800MB RAM footprint!  So.. Ah well.

# Common Settings between three modes
# Network Settings
uci set network.loopback=interface
uci set network.loopback.ifname="lo"
uci set network.loopback.proto="static"
uci set network.loopback.ipaddr="127.0.0.1"
uci set network.loopback.netmask="255.0.0.0"
uci set network.globals=globals
uci set network.globals.ula_prefix="fd18:0640:804c::/48"

# Setup networking defaults based on mode
case "${SHIELD_MODE}" in
        "Router" | "Gateway")
                # Network Setup
                uci set network.wan=interface
                uci set network.wan.ifname='eth0'
                uci set network.wan.proto='dhcp'

                uci set network.lan=interface
                uci set network.lan.ifname='eth1 eth2'
                uci set network.lan.force_link='1'
                uci set network.lan.proto='static'
                uci set network.lan.type='bridge'
                uci set network.lan.ipaddr='10.10.10.10'
                uci set network.lan.netmask='255.255.255.0'
                uci set network.lan.ip6assign='60'

                uci set network.wan6=interface
                uci set network.wan6.ifname='eth0'
                uci set network.wan6.proto='dhcpv6'
                uci commit network


                # DHCP/DNS Setup
                uci set dhcp.@dnsmasq[0]=dnsmasq
                uci set dhcp.@dnsmasq[0].domainneeded='1'
                uci set dhcp.@dnsmasq[0].boguspriv='1'
                uci set dhcp.@dnsmasq[0].filterwin2k='0'
                uci set dhcp.@dnsmasq[0].localise_queries='1'
                uci set dhcp.@dnsmasq[0].rebind_protection='1'
                uci set dhcp.@dnsmasq[0].rebind_localhost='1'
                uci set dhcp.@dnsmasq[0].local='/lan/'
                uci set dhcp.@dnsmasq[0].domain='lan'
                uci set dhcp.@dnsmasq[0].expandhosts='1'
                uci set dhcp.@dnsmasq[0].nonegcache='0'
                uci set dhcp.@dnsmasq[0].authoritative='1'
                uci set dhcp.@dnsmasq[0].readethers='1'
                uci set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
                uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
                uci set dhcp.@dnsmasq[0].nonwildcard='1'
                uci set dhcp.@dnsmasq[0].localservice='1'

                uci set dhcp.lan=dhcp
                uci set dhcp.lan.interface='lan'
                uci set dhcp.lan.start='100'
                uci set dhcp.lan.limit='150'
                uci set dhcp.lan.leasetime='12h'
                uci set dhcp.lan.dhcpv6='server'
                uci set dhcp.lan.ra='server'
                uci set dhcp.lan.ra_slaac='1'
                uci set dhcp.lan.ra_flags='managed-config' 'other-config'

                uci set dhcp.wan=dhcp
                uci set dhcp.wan.interface='wan'
                uci set dhcp.wan.ignore='1'

                uci set dhcp.odhcpd=odhcpd
                uci set dhcp.odhcpd.maindhcp='0'
                uci set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
                uci set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
                uci set dhcp.odhcpd.loglevel='4'
                uci commit dhcp


                # Adblock Setup
                uci set adblock.global=adblock
                uci set adblock.global.adb_enabled='1'
                uci set adblock.global.adb_debug='0'
                uci set adblock.global.adb_forcedns='0'
                uci set adblock.global.adb_safesearch='0'
                uci set adblock.global.adb_mail='0'
                uci set adblock.global.adb_maxqueue='4'
                uci set adblock.global.adb_dns='dnsmasq'
                uci set adblock.global.adb_trigger='wan'
                uci set adblock.global.adb_report='1'
                uci set adblock.global.adb_repiface='br-lan'
                uci set adblock.global.adb_backup='0'
                uci set adblock.global.adb_dnsfilereset='1'
                uci set adblock.global.adb_dnsflush='1'
                uci add_list adblock.global.adb_sources='adaway'
                uci add_list adblock.global.adb_sources='adguard'
                uci add_list adblock.global.adb_sources='disconnect'
                uci add_list adblock.global.adb_sources='oisd_nl'
                uci add_list adblock.global.adb_sources='youtube'
                uci add_list adblock.global.adb_sources='yoyo'
                uci set adblock.global.adb_fetchutil='uclient-fetch'
                uci commit adblock

                # uhttpd Setup
                uci set uhttpd.main=uhttpd
                uci set uhttpd.main.listen_http='10.10.10.10:80'
                uci set uhttpd.main.listen_https='10.10.10.10:443'
                uci set uhttpd.main.redirect_https='1'
                uci set uhttpd.main.home='/www'
                uci set uhttpd.main.rfc1918_filter='1'
                uci set uhttpd.main.max_requests='3'
                uci set uhttpd.main.max_connections='100'
                uci set uhttpd.main.cert='/etc/uhttpd.crt'
                uci set uhttpd.main.key='/etc/uhttpd.key'
                uci set uhttpd.main.cgi_prefix='/cgi-bin'
                uci set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
                uci set uhttpd.main.script_timeout='60'
                uci set uhttpd.main.network_timeout='30'
                uci set uhttpd.main.http_keepalive='20'
                uci set uhttpd.main.tcp_keepalive='1'
                uci set uhttpd.main.ubus_prefix='/ubus'
                uci set uhttpd.defaults=cert
                uci set uhttpd.defaults.days='730'
                uci set uhttpd.defaults.bits='2048'
                uci set uhttpd.defaults.country='ZZ'
                uci set uhttpd.defaults.state='Somewhere'
                uci set uhttpd.defaults.location='Unknown'
                uci set uhttpd.defaults.commonname='OpenWrt'
        ;;
        "Bridge")
        ;;
esac
Running Itus Shield v2 Firmware



If you reply to this email, your message will be added to the discussion below:
http://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1942.html
To start a new topic under Technical Discussion, email [hidden email]
To unsubscribe from Itus Networks Owners Forum, click here.
NAML
1 ... 6789101112