stmx38
Long time Member
Topic Author
Posts: 617
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Wed Feb 01, 2012 4:41 pm

How to send traffic from Mikrotik to Snort

Send all traffic from the input and forward chains to Snort:
#/ip firewall calea print
/ip firewall calea add action=sniff chain=forward sniff-target=192.168.0.2 sniff-target-port=37008
/ip firewall calea add action=sniff chain=input sniff-target=192.168.0.2 sniff-target-port=37008

How to capture the sent traffic

Get trafr:
wget http://www.mikrotik.com/download/trafr.tgz
Unpack trafr:
tar -zvxf trafr.tgz
On an x64 Linux system, additionally install the package:
# CentOS 6.2 x64
yum install glibc.i686
# Ubuntu x64
sudo apt-get install libc6-i386
# Arch Linux x64
pacman -S lib32-glibc
Create an iptables rule on Linux to accept traffic from the RouterBoard:
#iptables -L --line-numbers
iptables -I INPUT 13 -p udp --dport 37008 -j ACCEPT -m comment --comment "Accept Sniffed traffic from RouterBoard"
Test if trafr is receiving data:
./trafr -s | tcpdump -r - -n
Test if Snort is receiving data:
./trafr -s | snort -r -
Copy trafr to the appropriate location:
cp trafr /usr/local/bin/

How to start trafr and snort at start-up

Install screen:
yum install screen
# attach trafr to screen:
screen -dmS mytrafr /usr/local/bin/trafr
#
# list started screens
screen -list
#
# connect to screen
screen -r mytrafr
#
# destroy screen session
Ctrl+D
Currently not working for me:
trafr -s | snort -D -r -
I don't know how to start Snort as a daemon with trafr. Does someone know how to do this?


Related topics
Streaming Server with Snort
Cloning traffic for monitoring
Snort IDS ?
Snort IDS and Mitrotik
anybody got trafr to run on os x?
trafr binary for *bsd?
trafr doesn't work
New trafr
Using Packet Sniffer with streaming-server
Mirror all traffic from one user to server
CALEA and Remote Log Server
CALEA compliance? Will the packet sniffer tool work?
Post subject: Packet Sniffing with Streaming Goes crazy
Port Mirroring ?
Help dissecting TZSP protocol
interface wireless sniffing
wireless sniffer
IDS snort

Wiki Posts
CALEA
System independent trafr script

Other Resources
MUM_CALEA.pdf
Last edited by stmx38 on Wed Nov 28, 2012 2:24 pm, edited 14 times in total.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik/RouterBoard and Snort IDS/IPS

Thu Feb 02, 2012 8:55 am

perfect post! thanks! give karma everyone
 
mkein
just joined
Posts: 11
Joined: Mon Mar 29, 2010 8:43 pm

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Fri Mar 30, 2012 1:53 am

Hello,

I'm having problems trying to run trafr; is there any other alternative apart from the Perl script published in the other post?

This is what strace sees during the run; it seems to be a problem at the very beginning. The system is Arch Linux.

3.2.12-1-ARCH #1 SMP PREEMPT Mon Mar 19 17:50:01 CET 2012 x86_64 Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz GenuineIntel GNU/Linux

strace output:


[root@barbaroja ~]# strace ./trafr
execve("./trafr", ["./trafr"], [/* 26 vars */]) = -1 ENOENT (No such file or directory)
dup(2) = 3
fcntl(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2ae8437000
lseek(3, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: No such file or di"..., 40strace: exec: No such file or directory
) = 40
close(3) = 0
munmap(0x7f2ae8437000, 4096) = 0
exit_group(1)



Thank you
 
TangaRUS
just joined
Posts: 5
Joined: Mon Nov 09, 2009 4:21 pm
Location: Moscow, Russia

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Fri Mar 30, 2012 2:47 pm

On x64 Ubuntu:
sudo apt-get install libc6-i386
 
stmx38
Long time Member
Topic Author
Posts: 617
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Sat Mar 31, 2012 8:42 pm

TangaRUS
Thank you.
Added in the first post.
Any idea how to start trafr with Snort at start-up?
 
mkein
just joined
Posts: 11
Joined: Mon Mar 29, 2010 8:43 pm

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Mon Apr 02, 2012 9:55 pm

On Arch Linux:

pacman -S lib32-glibc
 
estenole
just joined
Posts: 3
Joined: Tue Apr 03, 2012 8:41 pm

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Tue Apr 03, 2012 9:18 pm

Hello all,

I'm afraid you cannot start Snort as a daemon. At some point after Snort has initialized its attack lists
and other stuff, another thread is launched and that one won't get any data from the Unix command pipe :-(

After some tests with OSSIM and Snort, I'm planning to use a dedicated AP with 9 ports and port-mirroring
rulesets; I could not find any good binary or useful app for TZSP.



Javi
 
stmx38
Long time Member
Topic Author
Posts: 617
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Tue Apr 10, 2012 7:55 am

> I'm afraid you cannot start Snort as a daemon. At some point after Snort has initialized its attack lists
> and other stuff, another thread is launched and that one won't get any data from the Unix command pipe :-(

This is right only if Snort is started as a daemon. If Snort is started without the -D key, it can receive data from the pipe.

In my environment I have a VMware cluster with multiple VMs and I have 2 solutions:
1. Dedicated port or VLAN on the VMware side with port mirroring on RouterOS.
2. Send the stream using CALEA.

I will try to make a start-up script using screen.
 
estenole
just joined
Posts: 3
Joined: Tue Apr 03, 2012 8:41 pm

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Wed Apr 11, 2012 8:56 pm

I have made some tests, and the problem with my configuration (the OSSIM default one) is located in
the preprocessor configuration; if I load the config like this it's OK:

/root/trafr -s | /usr/sbin/snort_eth0 --disable-attribute-reload-thread -m 027 -d -l /var/log/snort -u snort -g snort -r -

But if I add the config file that reflects the preprocessor config (-c /etc/snort/snort.eth0.conf), no packets are processed.
I'll make some tests, but having a look at the cfg, I guess it's related to the preprocessors.


###################################################
# This file contains a sample snort configuration.
# You should take the following steps to create your own custom configuration:
#
# 1) Set the network variables.
# 2) Configure the decoder
# 3) Configure the base detection engine
# 4) Configure dynamic loaded libraries
# 5) Configure preprocessors
# 6) Configure output plugins
# 7) Customize your rule set
# 8) Customize preprocessor and decoder rule set
# 9) Customize shared object rule set
###################################################


Is anybody using trafr on OSSIM installations? How?
I'm considering using tcprewrite or some solution like this, but with no modifications
to the headers; at least it's working right now rewriting the packets to loopback,
but with the source and destination set to 127.0.0.1. I've got to figure out if a direct rewrite
with no modifications exists; does anybody know?


Thank you
 
troynel
just joined
Posts: 2
Joined: Thu Jul 19, 2012 6:44 am

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Fri Jul 20, 2012 3:26 am

Here is an open source program I created to take a TZSP stream and save the encapsulated data to a PCAP file. The TZSP protocol is stripped away, making it easy to import this data into many traffic analysis programs such as Wireshark and aircrack.

**edit:

this code is now hosted at Google code. Please feel free to make changes and support the project.
http://code.google.com/p/tzsp2cap/
Last edited by troynel on Mon Aug 26, 2013 6:26 pm, edited 1 time in total.
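trafr in the first post and tzsp2cap above do the same job: receive the router's TZSP datagrams on UDP/37008, strip the TZSP header and tag list, and hand the bare frame to Snort or to a pcap file. The Python below is an added example written for this thread, not code from trafr, tzsp2cap or MikroTik. It assumes the TZSP layout RouterOS sends (a 4-byte header with version 1, type 0 and a 16-bit encapsulated-protocol field where 0x0001 is Ethernet, then tags where 0x00 is padding, 0x01 is end and everything else is type/length/data, then the frame); the function names and the sample datagram at the bottom are constructed so it runs without a router. Because TZSP carries no authentication and the iptables rule in the first post accepts UDP/37008 from any host, the receiver also drops datagrams not sent from the router's address.

```python
"""Strip TZSP encapsulation from RouterOS sniffer datagrams and write a pcap.

Added example, not trafr/tzsp2cap code. Assumes the TZSP layout RouterOS uses on
UDP/37008 (see lead-in); sample datagram below is constructed.
"""
import socket
import struct
import time
from typing import Dict, List, Tuple

TZSP_PORT = 37008                 # sniff-target-port from the CALEA rule
TZSP_VERSION = 1
TZSP_TYPE_RX_TAGS = 0x00          # "received tag list"
TZSP_ENCAP_ETHERNET = 0x0001
TAG_PADDING, TAG_END = 0x00, 0x01
PCAP_LINKTYPE_ETHERNET = 1


def tzsp_strip(datagram: bytes) -> Tuple[int, int, Dict[int, bytes], bytes]:
    """Return (type, encapsulated protocol, tags, frame); ValueError if malformed."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError("unsupported TZSP version %d" % version)
    tags: Dict[int, bytes] = {}
    off = 4
    while True:                                   # never trust length fields from the wire
        if off >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[off]
        off += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if off >= len(datagram):
            raise ValueError("tag %#x has no length byte" % tag)
        length = datagram[off]
        off += 1
        if off + length > len(datagram):
            raise ValueError("tag %#x runs past datagram end" % tag)
        tags[tag] = datagram[off:off + length]
        off += length
    return ptype, encap, tags, datagram[off:]


def pcap_global_header(linktype: int = PCAP_LINKTYPE_ETHERNET) -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (little-endian pcap)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def tzsp_to_pcap(datagrams: List[Tuple[float, bytes]]) -> Tuple[bytes, int]:
    """Convert (timestamp, datagram) pairs into pcap bytes; returns (pcap, dropped)."""
    out, dropped = [pcap_global_header()], 0
    for ts, dgram in datagrams:
        try:
            ptype, encap, _tags, frame = tzsp_strip(dgram)
        except ValueError:
            dropped += 1
            continue
        # Only Ethernet frames fit a linktype-1 pcap; 802.11 captures need another linktype.
        if ptype != TZSP_TYPE_RX_TAGS or encap != TZSP_ENCAP_ETHERNET or not frame:
            dropped += 1
            continue
        out.append(pcap_record(frame, ts))
    return b"".join(out), dropped


def capture(router_ip: str, path: str, count: int) -> int:
    """Receive `count` datagrams on UDP/37008 from router_ip only and write them as pcap.

    TZSP is unauthenticated: this sender check (and an iptables rule limited with
    -s <router address>) is what keeps another host from feeding frames to the IDS.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TZSP_PORT))
    batch: List[Tuple[float, bytes]] = []
    while len(batch) < count:
        dgram, (src, _port) = sock.recvfrom(65535)
        if src != router_ip:
            continue
        batch.append((time.time(), dgram))
    pcap, _dropped = tzsp_to_pcap(batch)
    with open(path, "wb") as fh:
        fh.write(pcap)
    return len(batch)


# Constructed sample: one TZSP datagram carrying an ARP request (no router needed).
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "00005e005301" "0806"            # Ethernet: dst, src, type ARP
    "0001080006040001" "00005e005301" "c0a80001"    # ARP request from 192.168.0.1
    "000000000000" "c0a80002"                       # ... asking for 192.168.0.2
)
SAMPLE_DATAGRAM = (
    bytes([TZSP_VERSION, TZSP_TYPE_RX_TAGS, 0x00, 0x01])   # header, encap = Ethernet
    + bytes([0x28, 4]) + (1).to_bytes(4, "big")            # tag 0x28 (packet count) = 1
    + bytes([TAG_PADDING, TAG_END])
    + SAMPLE_FRAME
)

if __name__ == "__main__":
    pcap, dropped = tzsp_to_pcap([(1328107260.0, SAMPLE_DATAGRAM)])
    with open("sample.pcap", "wb") as fh:
        fh.write(pcap)
    print("wrote %d bytes, dropped %d" % (len(pcap), dropped))
```

Running the file writes sample.pcap, which tcpdump -r or Wireshark opens as a plain Ethernet capture; calling capture("192.168.0.1", "live.pcap", 1000) instead of the sample does the same for a live stream from a router at that (assumed) address.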
 
gkoufoud
just joined
Posts: 13
Joined: Tue Apr 15, 2008 11:22 pm

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Wed Nov 28, 2012 12:53 pm

Hi,
I have developed an IDS/IPS system for RouterOS.
It is here : http://sourceforge.net/projects/mt-fw-attack/

You need a linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)
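mt-fw-attack turns RouterOS syslog messages into address-list entries. The Python below is an added example of that idea, not mt-fw-attack's own code: it parses firewall log lines in the shape RouterOS writes for a rule with log=yes (the sample lines, the hostname "router", the log prefix ssh-probe and all addresses are constructed assumptions), flags sources that reach a hit threshold inside a sliding time window, skips an allow-list so a management network is never blocked, and renders the /ip firewall address-list add commands to run on the router. A timeout on the entry makes a wrong block expire by itself.

```python
"""Flag repeat offenders in RouterOS firewall logs and emit address-list commands.

Added example in the spirit of mt-fw-attack, not its code. Assumes syslog lines
forwarded from a RouterOS rule with log=yes log-prefix=ssh-probe, in time order.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Sequence

# Constructed sample log (documentation addresses; 10.0.0.9 plays a management host).
SAMPLE_LOG = """\
Feb  1 16:41:02 router firewall,info ssh-probe input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:51234->192.0.2.1:22, len 60
Feb  1 16:41:03 router firewall,info ssh-probe input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:51235->192.0.2.1:22, len 60
Feb  1 16:41:04 router system,info,account user admin logged in from 10.0.0.2 via winbox
Feb  1 16:41:05 router firewall,info ssh-probe input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 198.51.100.7:40001->192.0.2.1:22, len 60
Feb  1 16:41:09 router firewall,info ssh-probe input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:51236->192.0.2.1:22, len 60
Feb  1 16:42:30 router firewall,info ssh-probe input: in:ether2 out:(none), src-mac 00:0c:42:dd:ee:ff, proto TCP (SYN), 10.0.0.9:3300->192.0.2.1:22, len 60
Feb  1 16:42:31 router firewall,info ssh-probe input: in:ether2 out:(none), src-mac 00:0c:42:dd:ee:ff, proto TCP (SYN), 10.0.0.9:3301->192.0.2.1:22, len 60
Feb  1 16:42:32 router firewall,info ssh-probe input: in:ether2 out:(none), src-mac 00:0c:42:dd:ee:ff, proto TCP (SYN), 10.0.0.9:3302->192.0.2.1:22, len 60
Feb  1 16:55:00 router firewall,info ssh-probe input: in:ether1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:51237->192.0.2.1:22, len 60
"""

# syslog timestamp, host, RouterOS topics "firewall,info", log prefix, chain, ..., proto, 5-tuple
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r".*?proto (?P<proto>\w+).*? (?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the fields of one firewall log line; None for any other log topic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # syslog carries no year
        "prefix": m.group("prefix"),
        "chain": m.group("chain"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def detect_offenders(lines: Iterable[str], threshold: int = 3,
                     window: timedelta = timedelta(seconds=60),
                     allow: Sequence[str] = ()) -> List[str]:
    """Sources with >= threshold logged hits inside `window`, excluding allow-listed networks."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    hits: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = str(ev["src"])
        if any(ipaddress.ip_address(src) in net for net in allow_nets):
            continue                      # never auto-block management/internal ranges
        q = hits[src]
        q.append(ev["ts"])                # type: ignore[arg-type]
        while q and ev["ts"] - q[0] > window:   # type: ignore[operator]
            q.popleft()                   # slide the window forward
        if len(q) >= threshold and src not in flagged:
            flagged.append(src)
    return flagged


def address_list_commands(offenders: Iterable[str], list_name: str = "blocklist",
                          timeout: str = "1d", reason: str = "ssh-probe") -> List[str]:
    """RouterOS CLI lines; the timeout lets a mistaken entry expire on its own."""
    return ['/ip firewall address-list add list=%s address=%s timeout=%s comment="%s"'
            % (list_name, ip, timeout, reason) for ip in offenders]


if __name__ == "__main__":
    found = detect_offenders(SAMPLE_LOG.splitlines(), allow=["10.0.0.0/8"])
    for cmd in address_list_commands(found):
        print(cmd)
```

The emitted list is only useful once a drop rule references it (for example a filter rule with src-address-list=blocklist placed before the rule that logs), and the allow-list is the safeguard that stops the automation from locking an administrator out.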
 
cybercoder
Member Candidate
Posts: 175
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Wed Nov 28, 2012 2:01 pm

Use Snort's -r <filename> option to read a pcap capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file.
You can use the sniffer (trafr) in the background with screen (you said so yourself) and then analyse the files with Snort's -r switch, but you need a timer script to check for new files created by trafr.
 
cybercoder
Member Candidate
Posts: 175
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Wed Nov 28, 2012 2:09 pm

I think Node.js is useful in this scenario; it will make a daemon for you by listening on ports and running your commands.
http://www.nodejs.org/
 
danial898
just joined
Posts: 16
Joined: Tue Dec 30, 2014 4:54 pm
Location: United Arab Emirates

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Wed Aug 17, 2016 8:07 am

Hi, Snort releases a package for Windows OS; maybe run IPS on MikroTik and Windows?
 
VincentL
newbie
Posts: 34
Joined: Fri Feb 03, 2017 3:27 pm

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Fri Feb 03, 2017 4:45 pm

Hello,

Thank you a lot for this topic. With it and the help of Noah Dietrich, from Snort Technology, I'm now able to use Snort with my MikroTik.
I'm using tmux for launching the commands.
As my Snort VM uses Ubuntu, this is the command I'm using: sudo trafr -s | sudo snort -c /etc/snort/snort.conf -l /var/log/snort/ -r - -A console
Snort is not daemonized anymore, as recommended by the topic.

I still have a question: does Barnyard2 need to be launched manually, like Snort? Each time I launch it by systemd, Barnyard stops working after an undefined moment (could be 1 hour, but could be less).

Thank you,

Vincent

EDIT: 284 000+ events filled my database; Snorby seems to be stuck, even if Snort and Barnyard are still running.
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Thu Mar 30, 2017 2:54 pm

Hi, I configured (I think correctly) this IDS/IPS: https://sourceforge.net/projects/mt-fw-attack/

But I can't test whether it works or not; how could I do it? Any test?

Thanks.
