Send all traffic from input and forward chain to Snort
Code:
#/ip firewall calea print
/ip firewall calea add action=sniff chain=forward sniff-target=192.168.0.2 sniff-target-port=37008
/ip firewall calea add action=sniff chain=input sniff-target=192.168.0.2 sniff-target-port=37008
Get trafr
Code:
wget http://www.mikrotik.com/download/trafr.tgz
Code:
tar -zvxf trafr.tgz
Code:
# CentOS 6.2 x64
yum install glibc.i686
# Ubuntu x64
sudo apt-get install libc6-i386
# Arch Linux x64
pacman -S lib32-glibc
Code:
#iptables -L --line-numbers
iptables -I INPUT 13 -p udp --dport 37008 -j ACCEPT -m comment --comment "Accept Sniffed traffic from RouterBoard"
Code:
./trafr -s | tcpdump -r - -n
Code:
./trafr -s | snort -r -
Code:
cp trafr /usr/local/bin/
How to start trafr and Snort at start-up
Install screen
Code:
yum install screen
Code:
# attach trafr to screen:
screen -dmS mytrafr /usr/local/bin/trafr
#
# list started screens
screen -list
#
# connect to screen
screen -r mytrafr
#
# destroy screen session
Ctrl+D
I don't know how to start Snort as a daemon with trafr. Does someone know how to do this?
trafr -s | snort -D -r -
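Added example (not part of the original post and not MikroTik's trafr code): a minimal Python receiver for the stream the sniff rules above send to UDP 37008, assuming it is TZSP-encapsulated Ethernet as MikroTik documents for sniffer streaming. It strips the TZSP header and writes pcap to stdout, so it can stand where `./trafr -s` does in the pipelines above; the function names and the sample datagram are constructed for illustration.

```python
import socket, struct, sys, time

SNIFF_PORT = 37008  # sniff-target-port from the rules above
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
# Constructed sample: TZSP v1, type 0, Ethernet, one padding tag, END tag, 14-byte frame
SAMPLE = bytes.fromhex("01000001" "00" "01" "ffffffffffff" "020000000001" "0800")

def decapsulate(dgram):
    """Strip the TZSP header and tagged fields; return the inner Ethernet frame."""
    if len(dgram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", dgram[:4])
    if version != 1 or encap != 1:      # TZSP version 1, encapsulated protocol 1 = Ethernet
        raise ValueError("not TZSP v1 carrying Ethernet")
    pos = 4
    while pos < len(dgram):
        tag = dgram[pos]
        pos += 1
        if tag == 1:                    # END tag: the captured frame follows
            return dgram[pos:]
        if tag == 0:                    # PADDING tag: single byte, no length field
            continue
        if pos >= len(dgram):           # tag without a length byte
            break
        pos += 1 + dgram[pos]           # skip the length byte and the tag value
    raise ValueError("TZSP END tag missing or tag overruns datagram")

def pcap_record(frame, ts=None):
    """Prefix a frame with a pcap per-packet header (seconds, microseconds, lengths)."""
    ts = time.time() if ts is None else ts
    sec, usec = int(ts), int((ts % 1) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def main():
    """Listen on the sniff port and emit pcap on stdout, e.g. into `tcpdump -r - -n`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", SNIFF_PORT))
    out = sys.stdout.buffer
    out.write(PCAP_HDR)
    while True:
        dgram, peer = sock.recvfrom(65535)
        try:
            out.write(pcap_record(decapsulate(dgram)))
            out.flush()
        except ValueError as exc:       # malformed or non-TZSP datagram: report and drop
            print(f"dropped datagram from {peer[0]}: {exc}", file=sys.stderr)

if __name__ == "__main__":
    main()
```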