CALEA and Remote Log Server
RouterOS general discussion

15 posts   •   Page 1 of 1
believewireless
Member Candidate
Posts: 231
Joined: Wed Jul 06, 2005 6:30 pm

CALEA and Remote Log Server

by believewireless » Thu Aug 02, 2007 5:41 am

All of our Mikrotik routers use flash drives, so there is no place to dump the logs. Since we can specify another server IP, what do we need to run on a Linux or Windows box to store the data?

sergejs
MikroTik Support
Posts: 6224
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

by sergejs » Thu Aug 02, 2007 7:43 am

I'm not sure you can accept this data on remote Linux/Windows server.

omega-00
Forum Guru
Posts: 1125
Joined: Sat Jun 06, 2009 4:54 am
Location: Brisbane, Australia

Re: CALEA and Remote Log Server

by omega-00 » Thu Aug 02, 2007 6:04 pm

What about if you were to get another Mikrotik that did use a hard drive and use it primarily for logging, believewireless?
Hardware shouldn't even need that much grunt.

sergejs
MikroTik Support
Posts: 6224
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

by sergejs » Thu Aug 09, 2007 4:27 pm

Some clarification,
'ip firewall calea' provides action,
'sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server'.
http://wiki.mikrotik.com/wiki/Calea#Int ... acket_Flow
That should be the answer to this question.

maxfava
Member Candidate
Posts: 213
Joined: Mon Oct 17, 2005 12:30 am

Re: CALEA and Remote Log Server

by maxfava » Fri Oct 12, 2007 4:37 pm

'sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server'


What do you suggest as a Wireshark (Ethereal) server?
If I am not wrong, Wireshark is only an analysis tool.

ciao
Max

sergejs
MikroTik Support
Posts: 6224
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

by sergejs » Mon Oct 15, 2007 2:24 pm

Any OS that Wireshark supports:
http://www.wireshark.org/about.html

Letni
Member
Posts: 373
Joined: Tue Dec 05, 2006 6:16 am
Location: South Carolina

Re: CALEA and Remote Log Server

by Letni » Mon Oct 15, 2007 3:38 pm

Using Wireshark/Ethereal is fine if you just need to capture or search for stuff. However, if you are doing an actual tap for a LEA, they would like it chunked up and hashed, which to my knowledge you cannot do with Wireshark... and if you could, the LEA would not appreciate you looking at their data.

The simplest solution in my case is to create a Virtual machine with routerOS demo license and use that as the server.

-Louis

maxfava
Member Candidate
Posts: 213
Joined: Mon Oct 17, 2005 12:30 am

Re: CALEA and Remote Log Server

by maxfava » Wed Oct 17, 2007 12:27 am

The simplest solution in my case is to create a Virtual machine with routerOS demo license and use that as the server.


:D same for me.
thanks

burek
just joined
 
Posts: 22
Joined: Sun Dec 09, 2007 9:42 pm

Re: CALEA and Remote Log Server

by burek » Sun Dec 09, 2007 9:53 pm

Hi everybody,

In the documentation version 1.5 which applies to v2.9 of RouterOS, at this link: http://www.mikrotik.com/testdocs/ros/2. ... niffer.php there is a part regarding packet sniffer settings, which says:

Not only Ethereal (http://www.ethereal.com) and Packetyzer (http://www.packetyzer.com) can receive the sniffer's stream but also MikroTik's program trafr (http://www.mikrotik.com/download.html) that runs on any IA32 Linux computer and saves received packets in libpcap file format.

also
streaming-server (IP address; default: 0.0.0.0) - Tazmen Sniffer Protocol (TZSP) stream receiver


I've installed Wireshark (Ethereal) and I just can't find any option (not even a mention of that option in its help files) to start it as a listening server for an incoming TZSP stream.

Has anyone ever tried this in real life? To start the sniffer at the AP and to establish a stream to the remote server that will log this sniffed traffic?

Any help is more than welcome.
Thanks.

gmsmstr
Forum Veteran
Posts: 925
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: CALEA and Remote Log Server

by gmsmstr » Mon Dec 10, 2007 5:08 am

Just install a RouterOS server, on a HD etc. Run a demo license for 24 hours or if you need it more, install a license (not expensive). Then you will have a CALEA server for the future as well. Also, it has been suggested to allow writing this to a secondary, non system drive.
Dennis Burgess, CCNA, A+, N+, MCP, Mikrotik Certified Consultant / Trainer
Need Mikrotik Support: http://www.linktechs.net -- Link Technologies, Inc.
--- Author of "Learn RouterOS: Second Edition" -- routerosbook.com ---

burek
just joined
 
Posts: 22
Joined: Sun Dec 09, 2007 9:42 pm

Re: CALEA and Remote Log Server

by burek » Mon Dec 10, 2007 11:30 am

Sorry, but I'm not interested in solving a problem by avoiding solving it.. Is there any chance to make it work, like it says in the documentation, with Ethereal?

sergejs
MikroTik Support
Posts: 6224
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

by sergejs » Mon Dec 10, 2007 11:49 am

It is working with Ethereal (it should work), but you have to ensure that the correct configuration is used on the computer with the streaming server. Make sure you have followed these requirements:

1. configure sniffer to stream to the device running Wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

2. make sure you accept UDP in Wireshark (as TZSP uses UDP to transport data)

3. if you are streaming wireless sniffer captures (interface wireless sniffer), make sure you have the newest Wireshark and newest RouterOS

4. you may need to disable the WCCP protocol in Wireshark (Analyze/Enabled Protocols), as that collides with TZSP and by default frames may be considered WCCP, not TZSP.
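For the "listening server" question raised in this thread: the receiving side needs nothing more than a UDP socket on the sniffer's port plus a parser for the TZSP header and tags. The following receiver, added here as an example and not MikroTik's trafr or any forum member's code, does exactly that and writes the frames to a libpcap file the way trafr is described as doing; it assumes the default TZSP port 37008, the TZSP encapsulation values 1 (Ethernet) and 18 (IEEE 802.11), and the output file name sniffer.pcap is arbitrary.

```python
import socket, struct, time

TZSP_PORT = 37008               # default TZSP UDP port used by RouterOS /tool sniffer streaming
LINKTYPE = {1: 1, 18: 105}      # TZSP encapsulation -> pcap linktype (Ethernet, IEEE 802.11)

def parse_tzsp(datagram):
    """Split one TZSP datagram into (encapsulation, tags, captured frame).
    Header: version(1) type(1) encapsulation(2), then tagged fields up to END (0x01).
    Tag 0x00 is a lone padding byte; every other tag is type, length, value."""
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or ptype != 0:  # only "received tag list" datagrams carry a frame
        raise ValueError("not a TZSP received-packet datagram")
    tags, pos = {}, 4
    while True:
        tag, pos = datagram[pos], pos + 1
        if tag == 0x01:             # END tag: the sniffed frame starts right after it
            break
        if tag == 0x00:             # padding byte, no length field
            continue
        length, pos = datagram[pos], pos + 1
        tags[tag], pos = datagram[pos:pos + length], pos + length
    return encap, tags, datagram[pos:]

def pcap_global_header(linktype):
    # libpcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

def pcap_record(frame, ts=None):
    # per-packet header: seconds, microseconds, captured length, original length
    ts = time.time() if ts is None else ts
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame

def serve(path, port=TZSP_PORT, count=None):
    """Receive the sniffer's UDP stream and append each frame to a pcap file at `path`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    written = 0
    with open(path, "wb") as out:
        while count is None or written < count:
            datagram, _ = sock.recvfrom(65535)
            try:
                encap, _, frame = parse_tzsp(datagram)
            except (ValueError, IndexError, struct.error):
                continue            # keepalives and truncated datagrams are skipped
            if written == 0:        # linktype is taken from the first datagram's encapsulation
                out.write(pcap_global_header(LINKTYPE.get(encap, 1)))
            out.write(pcap_record(frame))
            out.flush()
            written += 1
```

Run it with serve("sniffer.pcap") on the box named in streaming-server, then open the file in Wireshark or hash it for the record; a firewall rule limiting UDP/37008 to the router's address keeps anyone else from injecting frames into the capture.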

burek
just joined
 
Posts: 22
Joined: Sun Dec 09, 2007 9:42 pm

Re: CALEA and Remote Log Server

by burek » Mon Dec 10, 2007 12:07 pm

So, all I need to do is start Ethereal (Wireshark) and set filters to capture 'udp only'? And of course set the analyzer to interpret those UDP packets as TZSP packets, to get it all right, is that correct?

(I had got a feeling that some kind of listening server should be started, or something, but if I'm correct, wireshark is only used to intercept those udp packets and that's it)

gkoufoud
just joined
 
Posts: 10
Joined: Tue Apr 15, 2008 11:22 pm

Re: CALEA and Remote Log Server

by gkoufoud » Wed Nov 28, 2012 1:50 pm

Hi,
I have developed an IDS/IPS system for RouterOS.
It is here : http://sourceforge.net/projects/mt-fw-attack/

You need a linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)

otgooneo
Member
Posts: 488
Joined: Tue Dec 01, 2009 4:24 am
Location: Mongolia

Re: CALEA and Remote Log Server

by otgooneo » Fri Jan 10, 2014 12:29 pm

gkoufoud wrote:Hi,
I have developed an IDS/IPS system for RouterOS.
It is here : http://sourceforge.net/projects/mt-fw-attack/

You need a linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)


Sounds cool. How does it work in the background? How does it determine that an IP is an attacker?
----------------------------
Want to learn more and more...
