This project provides a robust, automated solution for managing Suricata on Route10. It is specifically optimized for the Route10's 1GB RAM and offers flexible operation modes, including a custom high-performance Vectorscan runtime.
- Aggressive ET rule pruning: Optimized for constrained hardware.
- Automatic switching: Seamlessly toggles between
IDS + reactive blockingandinline IPS. - Custom high-performance runtime: Packaged under
vectorscan-runtime.tar.xzwith:Suricata 8.0.4Vectorscan 5.4.12nDPI 5.0
runner.shCLI: A canonical interface for all operations (setup, status, updates).- Flexible Operation Modes:
- Pure CLI Mode (Recommended): Run Suricata independently with the Web UI Disabled for maximum stability.
- Optimized UI Mode: Keep Suricata Enabled in the Web UI while benefiting from memory optimizations and rule pruning.
- Automated Updates: Daily automated script and rule updates via GitHub with atomic rollback protection. Schedule is configurable in
ips-policy.conf. - UCI Version Validation: System-level tracking of Runner, Suricata, Vectorscan, and nDPI versions via OpenWrt's UCI database.
- Runtime Hardening: Disables crash-prone and memory-heavy Suricata outputs like
file-storeandpcap-log. - Boot Integration: Seamlessly integrates with the router's boot process via
/cfg/post-cfg.sh(Enabled by default).
Upload the entire root folder of this repository to your router (e.g., to /cfg/suricata-runner/).
cd /cfg/suricata-runner
chmod 700 *.sh scripts/*.sh 2>/dev/null || chmod 700 *.sh/bin/ash setup.shThis will:
- Extract
vectorscan-runtime.tar.xzinto/a/suricata-vectorscan. - Patch system scripts to fix memory spike bugs (if running older firmware).
- Install/update the managed startup hook in
/cfg/post-cfg.sh(Enabled by default). - Canonicalize nightly Suricata and Runner update cron entries.
- Initialize local
.rulesfiles from.templateif they don't already exist. - Synchronize all version info (Runner, Suricata, nDPI, Vectorscan) to UCI.
- Trigger the initial rule pruning and start Suricata.
The rule management system is designed to protect your local customizations while providing a stable, versioned baseline:
-
Initialization Options:
- Automatic (Recommended): Running
setup.shwill automatically detect any missing.rulesfiles in therules/directory and create them from the corresponding.rules.templatereference. - Manual: You can manually copy any
rules/*.rules.templatetorules/*.rulesif you wish to seed them before the initial setup.
- Automatic (Recommended): Running
-
Custom Rules: Once the
.rulesfile exists, you should perform all your custom rule additions directly in that file. Use standard Suricata rule syntax. -
Update Safety: Since these files aren't in the project repo, a
runner.sh updatewill never overwrite your custom rule definitions. The update package only contains the.templatereferences.
Tip
To reset a specific rule set (e.g., nDPI bypass) to its original factory state, simply delete the .rules file and run setup.sh again to re-seed it from the template.
To revert all system changes and stop Suricata:
/bin/ash scripts/uninstall.shThis script will:
- Stop Suricata and the IPS daemon.
- Restore original system scripts and rule policy handlers.
- Remove project cron jobs and the boot persistence hook.
- Clean up custom firewall rules and UCI configuration.
- Delete the Vectorscan runtime at
/a/suricata-vectorscan.
Upgrading from v1.x.x to v2.0.0 introduces the Rule Template system and UCI Version Tracking.
-
Backup Config: Save a copy of your current
ips-policy.conf. -
Replace Files: Overwrite all project files.
- Note: Existing
.rulesfiles in therules/directory are preserved bysetup.sh. You will be responsible for setting your own rules.
- Note: Existing
-
Execute Setup:
/bin/ash setup.sh
-
Merge Config: Compare your backed-up
ips-policy.confwith the new one and adjust accordingly. -
Verify: Run
runner.sh statusto ensure all versions are synced to UCI.
runner.sh is the primary interface for managing the system.
/bin/ash runner.sh apply # Re-read policy and restart Suricata
/bin/ash runner.sh status # View operational summary and version sync
/bin/ash runner.sh update # Manually check for GitHub updates
/bin/ash runner.sh update --force # Force re-installation of the latest version
/bin/ash runner.sh version # Show detailed version informationConfiguration is managed in ips-policy.conf.
IPS_ENABLED=1: Default is 1. Global toggle.IPS_INLINE=0: Reactive Blocking (IDS mode - recommended for speed).IPS_INLINE=1: Default. Inline NFQUEUE mode.IPS_INLINE_BLOCK=1: Default. Convert active kept inlinealertrules todropfor real-time blocking.IPS_INLINE_BLOCK=0: Keep inline NFQUEUE inspection active, but leave active rules asalertonly.
ENABLE_NDPI=1: Default is 1. Loads the nDPI application-aware plugin.ENABLE_WEBSOCKET=1: Default is 1. Enables the WebSocket app-layer parser.ENABLE_AUTO_UPDATE=0: Default is disabled. Set this to 1 to enable daily automated updates from GitHub.RUNNER_UPDATE_CRON="30 4 * * *": Cron schedule forrunner.sh updatewhen auto-update is enabled.SURICATA_UPDATE_CRON="30 3 * * *": Cron schedule for nightlysuricata-update.POST_UPDATE_PRUNE_CRON="32 3 * * *": Cron schedule for the post-update prune pass.
- Rule Reduction: The
ips-policy.confallows configuring specific threat categories to load. Activating only a few critical categories can drastically reduce the active ruleset, saving significant memory rather than loading all ~65,000 rules from the Emerging Threats (ET) ruleset. - Memory Stability: Disabling heavy logging features prevents OOM (Out Of Memory) crashes on 1GB routers. (On older firmware, also patches a redundant update bug that caused ~800MB RAM spikes).
- Performance: Custom Vectorscan integration provides high-speed pattern matching.
Check the system status to verify your active mode and version sync:
/bin/ash runner.sh statusIt reports:
- Current project directory.
- Version status (with UCI sync validation).
- Process status (Suricata, IPS daemon).
- Active Matcher (e.g.,
mpm-hs active). - Plugin and Parser states.
- Cron job wiring and Boot Hook status.
MIT License