[FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*


Well, it's update time...

Grommish
Administrator
Yay!  So, it's update time..

Fixed in this version:
Octeon III Network Driver (partial)
Snort service
Adblock Service
Bridge services

I did also manage to get a "Gateway" style config working unintentionally, so I can explore that more later.  This image acts in ROUTER mode, as always!

If you are currently using a version of my firmware


Once you copy the file over, you MUST remove the /.norwits file in your SYSTEM ROOT before you reboot!  If you don't, you won't update your Shield.

ItusgatewayImage

Go ham.  At this point, it should be CONFIGURATION stuff rather than firmware.  If you change things, note what you change and I can bake it into an update for everyone.

Known Issues:

I cannot seem to get Snort to log.  It appears to be doing SOMETHING, but I can't get it to drop a file.  If you manage to get it to work, please tell me how.

Additional Notes:
On running services..  There will be a few new ones that you are not used to seeing:

/usr/sbin/tcpdump -nn -s0 -l -i br-lan port 53 -C1 -W5 -w /tmp/adb_report.pcap

bin/sh /etc/adblock/adblock.monitor 4.0.4

and possibly ones that begin with: awk

First one (tcpdump) is used by adblock to monitor DNS logs.  It's used in luCi for the DNS logs.

Second is the adblock monitor service.  In addition to this, you may see processes that begin "awk", these are tied to adblock doing list maintenance.

Any questions or problems, hit me up.
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Turrican
Brilliant stuff Grommish, thank you.

What's the recommended way to update?

Cheers
Running v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
1) Download the ItusgatewayImage file and transfer it to the Shield
1a) For Original Itus Firmware users:
   mount /dev/mmcblk0p1 /overlay
   scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ItusgatewayImage root@10.10.10.10:/overlay
   umount /overlay
   Ensure the front-switch is set to the Outer (Gateway) mode and reboot -f
1b) For users who are already on my firmware:
   mount /dev/mmcblk1p1 /overlay
   scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ItusgatewayImage root@10.10.10.10:/overlay
   umount /overlay
   rm /.norwits
   Ensure the front-switch is set to the Outer (Gateway) mode and reboot

(The front switch is only read at boot time, so you can switch it as much as you want after it boots without issue - It only tells the bootloader which image files to pick)

I have ID'ed a small bug in which the system seems to be stuck in that Gateway mode I mentioned.  This SHOULD be a configuration issue, so you can still feel free to play and test.

Right now, the Shield is forwarding DHCP requests out through the WAN rather than servicing them itself (https://forum.openwrt.org/t/dhcp-relaying-instead-of-serving/62583/4)

The negative side is that you CANNOT get to luCi/ssh at the moment..  I'm working on it, but everything can still be done via console.  If this is daunting, I'd wait to upgrade until I get more settled out.  Keep in mind, this does not alter any of the other images (bridge or router) on the device, so you can always just switch back and forth.



 
Running Itus Shield v2 Firmware
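
A pre-reboot check for the copy-and-remove procedure in the post above, as an added example that is not part of the original post or the firmware. The function names `image_sha256` and `check_staged` are constructed, and it assumes `sha256sum` is available on both the workstation and the Shield.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed names: image_sha256,
# check_staged. Assumes sha256sum exists on both hosts.

# Print the SHA-256 of a file as lowercase hex, without the file name.
image_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_staged EXPECTED_SHA256 STAGED_IMAGE MARKER_FILE
# Exit status: 0 ready to reboot, 1 image missing or empty,
#              2 hash mismatch, 3 marker file still present.
check_staged() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    staged=$2
    marker=$3

    if [ ! -s "$staged" ]; then
        echo "FAIL: $staged is missing or empty" >&2
        return 1
    fi

    actual=$(image_sha256 "$staged")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: staged image hash $actual != expected $expected" >&2
        return 2
    fi

    if [ -e "$marker" ]; then
        echo "FAIL: $marker still exists; remove it before rebooting" >&2
        return 3
    fi

    echo "OK: $staged matches and $marker is gone"
    return 0
}

# On the workstation:  image_sha256 ItusgatewayImage
# On the Shield, after the copy and before umount:
#   check_staged <hash from workstation> /overlay/ItusgatewayImage /.norwits
if [ "$#" -eq 3 ]; then
    check_staged "$@"
fi
```

Run the check while the partition is still mounted on /overlay, since the staged image is not visible after `umount`.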

Re: Well, it's update time...

Grommish
Administrator
Bug Update:

This is a snort issue..

If you disable snort and reboot (service snort disable) it'll pick up the correct DHCP and issue a 10.10.10.x IP...

Now, we can dig into the snort settings and see what's causing the issue..
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
The issue is with snort..

Easiest fix for now is to install the image and then put this file on it.

Put this in /etc/init.d/snort and reboot.  That seems to fix the issue.  If it doesn't, let me know.


Running Itus Shield v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
Updated Image file

ItusgatewayImage

This update includes:

Fixed Snort 3 init.d scripts to work correctly
Fixed ability to use the Firmware upgrade/update utilities
Added iperf3

Important Notes!

Snort3 can take 2 or 3 minutes to fully load.

If for some reason you experience DNS errors, disconnect and then reconnect the connection to eth0/eth1.  I don't know at this point if the single DNS issue I've seen is due to snort not being started yet.

If you're watching the console, you'll see a final

[  135.579483] device eth0 entered promiscuous mode

This is snort finalizing and starting.   Again, I'm not sure if the single issue I saw was my fault or Snort's.

If I can get you all (Turrican, Road, Gnomad) all successfully tested, then I'm going to send out a mass email to the registered accounts here and see if anyone is interested in continuing to use the Shield or not.

I know we talked about needing a Snort luCi page. The one we had won't work at all with Snort3.  The good news is, with the updates, the ability to use more things in making it might help..  For example, not only does it use LUA, but we can use .js pages as well.  If you're interested, check out the Adblock pages under /www/luci-static/resources/view/adblock

Running Itus Shield v2 Firmware

Re: Well, it's update time...

Gnomad
I got some time today to give your new image a whirl Grommish - all smooth so far!
Dare I ask how you managed to resolve the network driver issue?  ;)

Looks like Adblock auto-updates itself - nice.
How about Snort 3 - any default rules or update scripts in place?
I see new community rules for Snort 3 are now available..

Awesome work mate, well done!

On Mon, 4 May 2020 at 13:06, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Updated Image file

ItusgatewayImage

This update includes:

Fixed Snort 3 init.d scripts to work correctly
Fixed ability to use the Firmware upgrade/update utilities
Added iperf3

Important Notes!

Snort3 can take 2 or 3 minutes to fully load.

If for some reason you experience DNS errors, disconnect and then reconnect the connection to eth0/eth1.  I don't know at this point if the single DNS issue I've seen is due to snort not being started yet.

If you're watching the console, you'll see a final

[  135.579483] device eth0 entered promiscuous mode

This is snort finalizing and starting.   Again, I'm not sure if the single issue I saw was my fault or Snort's.

If I can get you all (Turrican, Road, Gnomad) all successfully tested, then I'm going to send out a mass email to the registered accounts here and see if anyone is interested in continuing to use the Shield or not.

I know we talked about needing a Snort luCi page. The one we had won't work at all with Snort3.  The good news is, with the updates, the ability to use more things in making it might help..  For example, not only does it use LUA, but we can use .js pages as well.  If you're interested, check out the Adblock pages under /www/luci-static/resources/view/adblock

Running Itus Shield v2 Firmware



OpenWrt SNAPSHOT, r10391-3d8d528939

Re: Well, it's update time...

Grommish
Administrator
Well, I've not really resolved the network issue, just part of it.   I found a combination of driver patches that work - mostly?

I put the patch file I'm using here just to preserve it.

Here are the issues I'm facing, and they are going to be software issues..

Right now, the image is working in a bastardized gateway mode.  This seems to be an issue with the network configuration AND snort3.

If you boot the Shield with the 'WAN' being eth0 and "br-lan" being eth1/2, then connect to eth1/2, your system will be assigned a 10.10.10.x IP via DHCP.. yay!  However, no DNS..  I can ping 1.1.1.1 without issue, but can't do a resolve from 10.10.10.10..

Now..  Here's the issue, and I don't know if this was just a coincidence or something more..

Snort3's IDS settings as I have them create a transparent bridge across the eth0 and br-lan interfaces..  Except, this also passes through DHCP responses from the "WAN" interface..

Example:  My home network:

Internet -> Edge-router (192.168.1.x) -> Dlink stub-router (192.168.5.1, DNS @ 192.168.5.2) -> Shield (10.10.10.10) -> Laptop (set via DHCP)

Snort has always had a minute or two between when it starts and when it becomes active.  You'll see a console message of "device eth0 entered promiscuous mode" after it's booted.  This means Snort is now running.

With Snort not running OR before being Active, a DHCP request from the Laptop will receive a 10.10.10.200 IP

enp7s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.200  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fd18:640:804c:0:9ce:f97e:dc6f:753d  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::5ac2:4118:9a97:7ccb  prefixlen 64  scopeid 0x20<link>
        inet6 fd18:640:804c:0:5f9d:bd6b:93fe:db02  prefixlen 64  scopeid 0x0<global>
        ether d4:be:d9:35:ec:ae  txqueuelen 1000  (Ethernet)
        RX packets 4099651  bytes 4079566489 (4.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2683211  bytes 649962002 (649.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 101  collisions 0

DNS refuses to work on the Shield (Firewall? Port not open? I dunno).  There is Internet, but not DNS (ping 1.1.1.1 returns alive, but ping google.com gives a DNS resolve error).  Setting a DNS Server manually on the laptop restores connectivity.

With Snort3 running AND Active, the DHCP request from the laptop is passed out eth0 (WAN) and serviced by my DHCP/DNS server (192.168.5.2) and assigned a 192.168.5.x IP...

If I can figure out why DNS on the Shield isn't working, I can then go back to snort dev list and see what they can tell me.
Running Itus Shield v2 Firmware
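
The symptom described in the post above (DHCP replies from the WAN-side server reaching br-lan once Snort3 is active) can be confirmed from a capture by listing which servers answer DHCP. This is an added example, not part of the original post: the function names and capture lines are constructed, and 10.10.10.10 and 192.168.5.2 are the addresses given in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed names: rogue_dhcp_servers,
# sample_capture. Input is the text output of `tcpdump -nn`.

# rogue_dhcp_servers EXPECTED_SERVER_IP
# Reads tcpdump text on stdin and prints "<server-ip> <reply-count>" for
# every DHCP server that answered and is not the expected one.
# No output means only the expected server replied.
rogue_dhcp_servers() {
    awk -v want="$1" '
        # Reply lines look like:
        #   HH:MM:SS.us IP <src-ip>.67 > <dst-ip>.68: BOOTP/DHCP, Reply, length N
        $2 == "IP" && /BOOTP\/DHCP, Reply/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # strip the trailing UDP port
            if (src != want) seen[src]++
        }
        END { for (s in seen) print s, seen[s] }
    ' | sort
}

# Constructed sample capture: one lease served by the Shield before Snort3
# is active, then two replies from the upstream server after it goes active.
sample_capture() {
    cat <<'EOF'
19:02:11.120001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:01, length 300
19:02:11.130442 IP 10.10.10.10.67 > 10.10.10.200.68: BOOTP/DHCP, Reply, length 300
19:05:40.000100 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:01, length 300
19:05:40.017530 IP 192.168.5.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
19:05:40.050911 IP 192.168.5.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
EOF
}

# Live use on the Shield (stops after 20 packets so awk reaches END):
#   tcpdump -nn -i br-lan -c 20 'udp port 67 or udp port 68' \
#       | rogue_dhcp_servers 10.10.10.10
sample_capture | rogue_dhcp_servers 10.10.10.10
```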

Re: Well, it's update time...

Grommish
Administrator
Ok.. Few things..

I rebuilt some things and it seems to have resolved the issues with the DNS and with Snort3.

I put up a new version of the image.

Just copy it over as normal, remove your /.norwits file.

Also, as I stated before, the update system appears to be working now as well.  With this update, you are much better taking the whole image because the update is snort, the supporting libs, the core, etc.

I wonder if I can/should put the build directory files on Github (the ipk's and tarball for the system update)..  I'm not sure how to handle that since I doubt OpenWrt will ever officially support the device.
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
Gnomad - Snort3 is running many, many rules..  So many, we broke OpenWrt (Check it here) .  Whether we want/need to keep them in the long run, it's just for testing.

Grommish wrote
root@OpenWrt:/etc/snort/rules# ls
VRT-License.txt                     snort3-os-windows.rules
sid-msg.map                         snort3-policy-multimedia.rules
snort3-app-detect.rules             snort3-policy-other.rules
snort3-browser-chrome.rules         snort3-policy-social.rules
snort3-browser-firefox.rules        snort3-policy-spam.rules
snort3-browser-ie.rules             snort3-protocol-dns.rules
snort3-browser-other.rules          snort3-protocol-finger.rules
snort3-browser-plugins.rules        snort3-protocol-ftp.rules
snort3-browser-webkit.rules         snort3-protocol-icmp.rules
snort3-community.rules              snort3-protocol-imap.rules
snort3-content-replace.rules        snort3-protocol-nntp.rules
snort3-deleted.rules                snort3-protocol-other.rules
snort3-exploit-kit.rules            snort3-protocol-pop.rules
snort3-file-executable.rules        snort3-protocol-rpc.rules
snort3-file-flash.rules             snort3-protocol-scada.rules
snort3-file-identify.rules          snort3-protocol-services.rules
snort3-file-image.rules             snort3-protocol-snmp.rules
snort3-file-java.rules              snort3-protocol-telnet.rules
snort3-file-multimedia.rules        snort3-protocol-tftp.rules
snort3-file-office.rules            snort3-protocol-voip.rules
snort3-file-other.rules             snort3-pua-adware.rules
snort3-file-pdf.rules               snort3-pua-other.rules
snort3-indicator-compromise.rules   snort3-pua-p2p.rules
snort3-indicator-obfuscation.rules  snort3-pua-toolbars.rules
snort3-indicator-scan.rules         snort3-server-apache.rules
snort3-indicator-shellcode.rules    snort3-server-iis.rules
snort3-malware-backdoor.rules       snort3-server-mail.rules
snort3-malware-cnc.rules            snort3-server-mssql.rules
snort3-malware-other.rules          snort3-server-mysql.rules
snort3-malware-tools.rules          snort3-server-oracle.rules
snort3-netbios.rules                snort3-server-other.rules
snort3-os-linux.rules               snort3-server-samba.rules
snort3-os-mobile.rules              snort3-server-webapp.rules
snort3-os-other.rules               snort3-sql.rules
snort3-os-solaris.rules             snort3-x11.rules
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
This is very promising..

Grommish wrote
grommish@norwits:~/openwrt/feeds/packages/net/snort3$ iperf -p 5201 -c 10.10.10.10
write failed: Connection reset by peer
------------------------------------------------------------
Client connecting to 10.10.10.10, TCP port 5201
TCP window size:  144 KByte (default)
------------------------------------------------------------
[  3] local 10.10.10.200 port 42970 connected with 10.10.10.10 port 5201
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 0.0 sec   201 KBytes  1.05 Gbits/sec
Now, just to find a way to actually test Snort.. and, make it log..
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Turrican
In reply to this post by Grommish
Hi Grommish,

Thanks for the update.  I managed to update both my Shields to the new image.  Seems I still can't get a DHCP address on Eth0 until I issue a 'reboot' command, regardless of the order I connect cables to Eth 0 and Eth 1/2.  Is this still an expected behaviour?

All the best
-T
Running v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
This is part of the Snort issue I was describing, I think.

If you haven't tried the newest image, go ahead and try that.

I promise updates in the future should be easier, assuming I can figure out what the system upgrade system actually updates :x
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Turrican
Thanks, yeah I used the very latest version from a couple of posts previous to this. Version numbers are the same though, is there an easy way to tell if it’s correct?


From: Grommish [via Itus Networks Owners Forum] <ml+[hidden email]>
Sent: Monday, May 11, 2020 7:25:37 PM
To: Turrican <[hidden email]>
Subject: Re: Well, it's update time...
 
This is part of the Snort issue I was describing, I think.

If you haven't tried the newest image, go ahead and try that.

I promise updates in the future should be easier, assuming I can figure out what the system upgrade system actually updates :x
Running Itus Shield v2 Firmware



Running v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
Try this.

rm /.norwits
reboot

I'll link a few ipks here in a bit to try if that doesn't fix it. 

On Mon, May 11, 2020, 4:12 PM Turrican [via Itus Networks Owners Forum] <[hidden email]> wrote:
Thanks, yeah I used the very latest version from a couple of posts previous to this. Version numbers are the same though, is there an easy way to tell if it’s correct?


Running Itus Shield v2 Firmware

Re: Well, it's update time...

Turrican
Yeah did that command as the final part of the upgrade, didn’t seem to fix it. 

Cheers 


From: Grommish [via Itus Networks Owners Forum] <ml+[hidden email]>
Sent: Monday, May 11, 2020 9:20:00 PM
To: Turrican <[hidden email]>
Subject: Re: Well, it's update time...
 
Try this.

rm /.norwits
reboot

I'll link a few ipks here in a bit to try if that doesn't fix it. 

Running v2 Firmware

Re: Well, it's update time...

Grommish
Administrator
Turrican, you get to play first tester for this, if you want :D

This is the update tarball.
openwrt-octeon-itus-squashfs-sysupgrade.tar

Snort+/DAQ:
libdaq_2.ipk
snort3_3.ipk

Get to 10.10.10.10, go to System | Backup/Flash Firmware, upload the tarball, uncheck "Keep settings and retain the current configuration", and Continue..  It'll reboot the device.

Get to 10.10.10.10, go to System | Software | Upload Packages, install the libdaq and snort3 ipks.

Reboot, and see what happens
Running Itus Shield v2 Firmware

Re: Well, it's update time...

Turrican
Lovely, thanks. I’ll try it in the morning and let you know! 


From: Grommish [via Itus Networks Owners Forum] <ml+[hidden email]>
Sent: Monday, May 11, 2020 9:44:32 PM
To: Turrican <[hidden email]>
Subject: Re: Well, it's update time...
 
Turrican, you get to play first tester for this, if you want :D

This is the update tarball.
openwrt-octeon-itus-squashfs-sysupgrade.tar

Snort+/DAQ:
libdaq_2.ipk
snort3_3.ipk

Get to 10.10.10.10, go to System | Backup/Flash Firmware, upload the tarball, uncheck "Keep settings and retain the current configuration", and Continue..  It'll reboot the device.

Get to 10.10.10.10, go to System | Software | Upload Packages, install the libdaq and snort3 ipks.

Reboot, and see what happens
Running Itus Shield v2 Firmware



Running v2 Firmware

Anyone know Javascript?

Grommish
Administrator
Appreciate it!

So, next question, anyone have javascript experience?  I'd like to create a Snort+ luCi hook, but I'd rather have someone who knows javascript, before I try and fumble thru it myself.
Running Itus Shield v2 Firmware

New thread

Grommish
Administrator
Started a new thread and will close this one.

http://itus.accessinnov.com/FIRMWARE-Itus-Shield-v2-td2014.html
Running Itus Shield v2 Firmware