Do I lack many things to install Suricata in a LAN setup? (Laptop with Windows OS, TP-Link AX12 router, and a modem from my ISP)

Hello, good day! I badly need your help/suggestions. I'm really into Suricata because I've been targeted by someone for some time now, and I found out after several times of resetting all of our devices (but not the ones my in-laws were using) that they might have hacked or intruded into our network through DNS or ARP spoofing. I tried installing and understanding Suricata, but I think my knowledge about it is still not enough to run it efficiently. I only have a laptop dedicated to intrusion detection system apps (Suricata or more) with Windows OS, a TP-Link AX12 router, and a modem from our ISP.

Do I lack many things to install Suricata in a LAN setup, or are these enough to run Suricata on our small home network?

Thank you so much ahead of time for your help! Very much appreciated. God bless you :face_holding_back_tears::white_heart:

Hello there, and I wanted to say initially that this sounds like a pretty tough time and detail to work through, and I'm sorry you are having to deal with it.

TL;DR:
No. You might have enough to set up a listener, but it would appear you do not have enough to run the network path across that listener and use the internet at the same time.

The long version:
The response direction you are seeking, while challenging and possibly not going to get you what you want, can be had, but likely with more hardware and some fairly complex configuration.

In short, if you have those components and are not sure if you can do it, you will likely have a pretty steep climb to be able to inspect your traffic. Not impossible, just a steep climb.

About your thoughts on being targeted: for someone to pull off DNS/ARP spoofing, they would have to have local access to your network OR devices. They would either need to control your DNS (either by changing settings on your hosts, or via some level of reconfiguration/rootkit that modifies how your actual router works) or have a device on your network messing with your router. These are not easy things to do, at all. In most any problem, the simplest solution/cause is the most likely. To this end, there is a good chance a buggy device/setting is causing the issue, or someone is browsing/using some 'not legit' software (hacked games/ISO-mounting software with keygens or something) and you actually have a virus on your network.

In this vein, some cheap/ISP routers are full of CVEs (vulnerabilities) and easily hackable from 'outside' of the router. It is usually nation-states/APTs doing this, and they have scripts that crawl the internet trying to 'make more bots' for their bot army. Usually these guys do not 'break the bot user's neighborhood', as that usually means the user (in this case, you) figures out something is up and eventually kills their bot (replaces hardware/router, etc.), but not all script kiddies act alike. Simply getting a new/upgraded router with proper hardening of its settings (care on the port forwarding and the like) can do wonders. Also, getting some proper anti-virus can be very wise.

That all said, I did a quick search on how to set up an IDS at home, because there are so many elements in the mix: where you are watching from (inspecting packets from), what you are watching (HTTP/HTTPS/DNS, etc.), and the rules you use to do the detection. I would recommend you attempt to explain your intent to inspect your network and understand when encryption might prevent you from seeing something unknown, before you have to realize that most of the traffic on a network is encrypted and likely going to prevent you from easily finding a culprit, if one exists in the first place.

Yes, it is Snort, but they work about the same way (Suricata vs. Snort), and the logic about where you put it and how it listens is exactly the same.

This video discusses using OPNsense (or you could deploy pfSense) as your router so you get your IDS at the main point of your network. If your ISP lets you BYOR (Bring Your Own Router), then you are in luck; this is probably the easiest way to get Suricata/IDS at a place where it can have an impact.

You can build your own Suricata box, but again, the first hurdle is to be able to watch a network path that matters, and generally for a home network that is all the devices, and a simple laptop will not have the network adapters to pull this off.

This router, by the way, does not support OpenWrt or other OSes/distros that you might be able to get Suricata/IDS set up on. It would also be unable to mirror packets; you could likely only do that with a smart switch, and even if you had a smart switch, you would still be outside of all of the Wi-Fi/client traffic unless you had that go across the smart switch in the first place (and I didn't see you mention having back-hauled Wi-Fi APs, so likely your TP-Link is your router+AP).

Also, no hate to TP-Link, but generally they are especially bad when it comes to CVEs and updating their routers against them. Doing a BYOR (Bring Your Own Router) and building your own will give you a rather massive level of complete control. Just know that encryption exists and an IDS cannot see inside of it unless you run your own CA and deploy it, and that is no joke to accomplish; I have still not done it. Very, very steep climb.

Again, best of luck; I hope this has helped you out! Look into setting up a homelab, but know that you will be doing a lot of learning on your road to hopefully realizing what has been happening.
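One concrete check that fits the Windows laptop described in the question, added here as an example and not part of the reply above: compare two snapshots of `arp -a` output and flag the two symptoms of ARP cache poisoning the thread worries about (the gateway's MAC changing, and one MAC answering for several IPs). The snapshots are constructed sample data and the gateway address is an assumption.

```python
import re
from collections import Counter

# Constructed sample: two `arp -a` snapshots from a Windows laptop. In the
# second one the gateway's MAC has changed and now matches another host's
# MAC, which is what a poisoned ARP cache looks like from the victim side.
SNAPSHOT_BEFORE = """
Interface: 192.168.0.23 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-11-22-33     dynamic
  192.168.0.50          de-ad-be-ef-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_AFTER = """
Interface: 192.168.0.23 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.1           de-ad-be-ef-00-01     dynamic
  192.168.0.50          de-ad-be-ef-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# One Windows ARP table row: IPv4, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def check_arp(before, after, gateway):
    """Flag a gateway MAC change and any MAC claimed by more than one IP."""
    findings = []
    old, new = parse_arp(before), parse_arp(after)
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    for mac, n in Counter(new.values()).items():
        if n > 1:
            ips = sorted(ip for ip, m in new.items() if m == mac)
            findings.append(f"MAC {mac} claimed by {n} IPs: {', '.join(ips)}")
    return findings

if __name__ == "__main__":
    for finding in check_arp(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "192.168.0.1"):
        print(finding)
```

A legitimate router replacement also changes the gateway MAC, so a hit is something to verify against the label on the router, not proof of an attack.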

Hello Jonny, good day! Thank you so much for your time and effort to help me understand what I'm dealing with right now. I felt heard and seen today. It's a relief, especially since I'm going through the postpartum period and there's also someone who wants me to go through these struggles and pain. This is very much appreciated :heart_hands::face_holding_back_tears::white_heart::sparkles: Now I know that I still have a lot more to learn about how to use Snort/Suricata or to set up our network to its safest state, for this provides me insights on where to start, what to learn, or what way to do it. Thank you so much once again. May God bless you :pray::face_holding_back_tears::white_heart::sparkles: