Community discussions

MikroTik App

Search found 89 matches

by tomfisk
Tue Jun 16, 2020 12:12 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

There is someone who used this work as the basis of a github project, https://github.com/elmaxid/ips-mikrotik-suricata Hi TomFisk, I see your point. Maybe you can help me to do step-by-step list what and how to use your methid with SELKS. As you pointed additional components in SELKS really add lot ...
by tomfisk
Sun Jun 14, 2020 4:26 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, So what problem are you trying to solve? SELKS is an IDS/IPS reporting/visualization and management platform that uses Suricata to implement network firewall rules. There is nothing inherent in Suricata to implement the firewall rules through a Microtik device. SELKS doesn't change that. That is...
by tomfisk
Fri Dec 20, 2019 3:24 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Glad you got it working Pranav! Hi Tom, I suspect the problem was that I was using the pppoe interface. https://groups.google.com/forum/#!topic/security-onion/XUUNgIGqsv4 gave me a clue; I have run the test script mentioned at the above URL and am getting alerts ever since I set the sniffer interfac...
by tomfisk
Thu Dec 19, 2019 2:13 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Tom, Your sniffer streaming from the mikrotik is set up and you are seeing data? PL] Yes. Your streaming server is your suricata host? PL] Yes. The interface is the port connected to your ISP? PL] Ahem, I have a pppoe connection so that is the interface I have defined for sniffing. Should I defi...
by tomfisk
Wed Dec 18, 2019 2:27 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Your sniffer streaming from the mikrotik is set up and you are seeing data? Your streaming server is your suricata host? The interface is the port connected to your ISP? /tool sniffer set filter-interface=ether1 filter-ip-address=!1.2.3.4/32 filter-stream=yes streaming-enabled=yes streaming-server=1...
by tomfisk
Tue Dec 17, 2019 5:09 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I believe that will work going through a file...here is how I start my instance of suricata: nohup /usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin & So pipe the output of tzsp2pcap into suricata through stdin. If you ran a port scan, and those ports ar...
by tomfisk
Mon Dec 16, 2019 1:09 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Tom, Thanks for confirming the use of tzsp2pcap. Is there any documentation on how to get it going? I have cloned its source and see the make file but I suspect I need to install headers etc., to build the program. Check this blog entry for instructions on compiling [url]https://bløgg.no/2015/03...
by tomfisk
Mon Dec 16, 2019 3:07 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Yes, the format from the sniffer stream needs to be converted with tzsp2pcap.
Hi,
I am sending the stream from the sniffer tool directly to a Linux box on which I have installed suricata. Do I need an intermediate tool?

Pranav
by tomfisk
Sun Dec 15, 2019 4:26 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You have tzsp2pcap running to capture stream and send to suricata? Here are my processes on my suricata host: snort 656 1 0 Nov18 ? 05:27:05 /usr/local/bin/tzsp2pcap -f snort 658 1 4 Nov18 ? 1-02:37:00 /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin snort 24966 1 8 00:01 ? 00:45:40...
by tomfisk
Fri Dec 13, 2019 5:14 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi all, Could someone please point me to a resource that shows me how to set up Suricata from scratch? I have a server running Ubuntu 19.10 and a mikrotik RB751g-2hnd router. The router is the gateway to my home network. It handles PPPOE authentication with my ISP. I already have the firewall confi...
by tomfisk
Wed Jun 05, 2019 2:08 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hey, Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata. We block bad IPs with a couple of ipset sets and iptables rules. How does Mikrotik's perform when they have to block a list of say 200.000 IPs? Hi Haj, I ...
by tomfisk
Mon Mar 04, 2019 5:23 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Yes, time lag is very short. Less than 2 seconds. Q1. Simple answer, of course, is "that depends". I do have services that I have open to the wild, so in my case I do want to stop someone trying to gain access through those services. If you don't have any services published, and are just a consumer ...
by tomfisk
Sun Mar 03, 2019 8:49 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, First of all, I think it is important for you to understand what a network threat detection engine, like Suricata, does. It ingests network packets, runs those packets against a set of rules, and then reports on those packets which match the rules. Suricata also provides the ability to do intrus...
by tomfisk
Thu Feb 21, 2019 11:46 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I have to run suricata through trafr? Nope. Haven't heard of trafr until your message. Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled? Presumably "tzsp2pcap" is the drop in replacement and MikroTik moved to the TZSP protocol...
by tomfisk
Tue Nov 27, 2018 10:24 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the internal web se...
by tomfisk
Tue Nov 27, 2018 1:51 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the internal web se...
by tomfisk
Wed Nov 07, 2018 3:46 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address. 2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f) 3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -) Thank you. This image was not found in the descri...
by tomfisk
Wed Nov 07, 2018 10:08 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I have to run suricata through trafr? Nope. Haven't heard of trafr until your message. I found this information in threads about Snort. I wonder how Suricata receives packets from the mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP) 1. Packet sniffer on Mikrotik is used, streaming output...
by tomfisk
Wed Nov 07, 2018 2:18 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
by tomfisk
Tue Sep 25, 2018 6:23 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Halimzhz, Sorry for the delayed reply. I'm sorry but I really don't have time to be able to help you with this. This solution uses the insert trigger from barnyard2 to grab events that subsequently get processed. It only processes those rules that match what is in the sigs_to_block table in mysql...
by tomfisk
Thu Sep 20, 2018 6:22 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OK, I thought you wanted to stop scanning traffic that was already blocked by a firewall rule. So you're saying don't delete and re-add a firewall rule if it already exists for in IP address? Let me look at suricata_block.php and see if that can be added as an option. Dear Tomfisk, I have another id...
by tomfisk
Wed Sep 19, 2018 5:36 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I understand what you are saying. Have you looked at the number of packets that would be blocked vs. the total volume? There would be a threshold where passing the packets after the firewall would make sense. I'm not sure what that threshold would be, but I would suspect that it would have to be a "...
by tomfisk
Tue Sep 18, 2018 5:17 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Halimzhz, I don't think it is possible to get the packets only after they've gone through the firewall. The first firewall rule drops all packets from blocked IP addresses. I've look to see if the next rule could run the traffic through a virtual interface (possible), but then you'd have to get t...
by tomfisk
Sun Sep 16, 2018 8:16 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

1. These scripts are running in the background and are started as a service. 2. You can get an email alert when an IP address has been blocked by changing the $email_alert variable in suricata_block.php Dear All, I have few question about this script: 1- I would like to know this script is running o...
by tomfisk
Fri Apr 27, 2018 1:08 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I need calea packege to restream packets .Snort need calea. Alsa will hap ac2 4 core cPU handle suricata+ few qos+25filter rules?
No, just stream packets with the sniffer tool to the suricata host. Yes, I don't see any problem with the ability to handle that configuration.
by tomfisk
Wed Apr 18, 2018 11:33 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This is awesome...if only I could get this on a RB450G...is there? Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions. So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512M...
by tomfisk
Tue Apr 17, 2018 1:17 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This is awesome...if only I could get this on a RB450G...is there?
Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
by tomfisk
Wed Feb 14, 2018 10:13 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

So it looks like it doesn't get connected :o :o :? :? Since I didn't write that code I'm at a loss as well. I understand, I enabled debug (to test connection) and it works: Connection attempt #1 to 192.168.100.1:8728... <<< [6] /login Connection attempt #2 to 192.168.100.1:8728... <<< [6] /login Con...
by tomfisk
Wed Feb 14, 2018 8:46 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Since I didn't write that code I'm at a loss as well. It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters? $mikrotik_addr = "__someip__"; $mikrotik_user = "admin"; $mikrotik_pwd = "__somesecret__"; Its strange tomfisk, I am using...
by tomfisk
Tue Feb 13, 2018 4:57 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters? $mikrotik_addr = "__someip__"; $mikrotik_user = "admin"; $mikrotik_pwd = "__somesecret__"; Hi, I am using a Debian 9 (before I used Ubuntu 16 and it works), but with this Debia...
by tomfisk
Fri Feb 02, 2018 2:40 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Yes, sniffer does stop FastPath and FastTrack. I have an RB951G-2HnD running with a sniffer and I am still able to achieve my ISP's full bandwidth of 350mbs. Just my observation...I'm not a networking professional so I can't fully address your concern. Perhaps you can turn on the sniffer and do a ba...
by tomfisk
Thu Feb 01, 2018 8:37 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Oops! Looks like I left some debug code in fast2mikrotik.php :( echo "Target will be: " . $target . "\r\n"; return true; try { $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd); } catch (Exception $e) { die('Unable to connect to RouterOS. Error:' . $e); } Delete the "echo" and "return" li...
by tomfisk
Wed Jan 31, 2018 11:54 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The "!" goes in the little box before the IP address. Just click on it and it should change to "!". Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to i...
by tomfisk
Wed Jan 31, 2018 11:06 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore set that it doesn't get sent to suricata in the first place. Set up a filter to exclude the ad...
by tomfisk
Tue Jan 30, 2018 2:39 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
by tomfisk
Tue Jan 30, 2018 1:59 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This: suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX I think you can justset gen_id and sig_id to 0 and it should apply to all events for that IP address. Hi, How could I add an IP as whitelist? Thanks. I put a line in threshold.config indicating the specific rule and IP address to suppr...
by tomfisk
Tue Jan 30, 2018 1:18 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I think you can justset gen_id and sig_id to 0 and it should apply to all events for that IP address. Hi, How could I add an IP as whitelist? Thanks. I put a line in threshold.config indicating the specific rule and IP address to suppress. suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168....
by tomfisk
Fri Dec 08, 2017 9:33 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I've included a script, fast2mikrotik.php, that will do what I think you are looking for. Check the original post.
Someone who can help me, I need sent Mikrotik from the Suricata, without MySQl some easy php like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
by tomfisk
Sat Nov 25, 2017 5:07 pm
Forum: General
Topic: Historical IP address analysis for Intrusion Prevention
Replies: 0
Views: 2056

Historical IP address analysis for Intrusion Prevention

In my post titled Suricata IDS/IPS integration with Mikrotik (now with OSSEC) I provided a system to: scan network traffic going through a Mikrotik router, creating IPS (Intrusion Prevention System) events that would, trigger the creation of firewall rules to prevent access to the target network. Th...
by tomfisk
Thu Nov 23, 2017 10:45 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The Mikrotik interface to sniff should be the one that is connected to your ISP. That is where all of the traffic in/out of your network is. Make sure tzsp2pcap is running. In /var/log/suricata/ check suricata.log to make sure it started successfuly and fast.log to see if events are being flagged. I...
by tomfisk
Thu Nov 23, 2017 10:18 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS/wiki/Customizing-SELKS and here https://github.com/StamusNetworks/SELKS/wiki/Building-SELKS . Including this functionality into the SELKS distribution would be possible, bu...
by tomfisk
Fri Nov 17, 2017 11:13 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
by tomfisk
Tue Oct 31, 2017 11:11 am
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 2479

Re: Ipsec Site to Site, again...

From your attachments, you are trying to route to a specific address and not the tunnel. I can't see your interface list window...but like I said before, my take is that you need to assign an address to the tunnel, and then route to that address, not the public address of the remote end. See my conf...
by tomfisk
Mon Oct 30, 2017 9:43 am
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 2479

Re: Ipsec Site to Site, again...

I have a similar setup and I think all you need to do is add an address for the IPIP tunnel: add address=10.0.0.2/30 interface=IPIP_Plainview network=10.0.0.0 Now add route to the remote address range, pointing at the address for the tunnel: add check-gateway=ping comment="Route to Plainview" distan...
by tomfisk
Thu Aug 31, 2017 2:46 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The warning for mysqli is normal. If you want to send email notifications, then you'll have to change the location to sendmail on your system. Do whereis sendmail and modify suricata_block.php as necessary. It's me again ... I run suricata_block.pxp from the command line: php -f /usr/bin/suricata_bl...
by tomfisk
Wed Aug 30, 2017 3:44 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Excellent! Glad it worked! You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following: sudo nano /etc/mysql/my.cnf Add this to the end of the file [mysqld] sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_...
by tomfisk
Wed Aug 30, 2017 2:51 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following: sudo nano /etc/mysql/my.cnf Add this to the end of the file [mysqld] sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CR...
by tomfisk
Thu Aug 24, 2017 12:29 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I do it in my oinkupdate.sh script. #!/bin/bash /usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules chown snort:snort /etc/suricata/rules/* pkill -USR2 -u snort -f /usr/bin/suricata /etc/init.d/aanval restart /etc/init.d/barnyard2 stop sleep 5 /etc/init.d/barnyard2 s...
by tomfisk
Thu Aug 24, 2017 7:31 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

In my nightly process to update the rules, I issue the following command to suricata: pkill -USR2 -u snort -f /usr/bin/suricata This might help with the problem. A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to...
by tomfisk
Tue Aug 15, 2017 5:18 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Good day i've made this, added a new column for queue_block table ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL; modify trigger .... INSERT INTO block_queue SET que_ip_adr =NEW.ip_src, `que_ip_adrlan = NEW.ip_dst,` que_timeout = timeout, que_sig_name = this_...
by tomfisk
Mon Aug 14, 2017 6:08 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thanks for your comments Percanta. I will look at adding in the IP of the internal source/destination to the comment.

Tom
by tomfisk
Fri Jul 14, 2017 11:24 am
Forum: General
Topic: Tor browser
Replies: 1
Views: 759

Re: Tor browser

Without a way to do packet inspection over the life of a session, I don't think there is a reliable way. I use suricata which I have integrated with the Mikrotik router as an IDS/IPS. See this post: https://forum.mikrotik.com/viewtopic.php?f=2&t=111727 It might be more than you are looking for, but ...
by tomfisk
Tue Jul 04, 2017 2:56 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hello, I'm try to implement this one, but I don't know how to test it, works or not. Please help my! There are several tutorials on testing the alerts on Suricata. For example, look at paragraph 1.5 of this tutorial to test if the rules are firing. https://web.nsrc.org/workshops/2015/pacnog17-ws/ra...
by tomfisk
Thu Jun 29, 2017 9:17 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This looks like one of the things i've been searching for however i would like to know how much CPU is needed for this. Would using a quad core ARM A17 with gigabit ethernet would be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a usb por...
by tomfisk
Wed Jun 07, 2017 5:05 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hey tom, i think there is an issue with the routeros_api.class.php file i got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros-api/blob/master/routeros_api.class.php and when i run it, i get errors such as: PHP Warning: fwrite() expects paramete...
by tomfisk
Tue Jun 06, 2017 2:44 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Ok, new record are added to firewall's access list. One issue with it, is that they are added as unsigned long. Somehow they are not converted to addresses. Check the records in the block_queue table. Should be populated with IP v4 addresses. They are converted from numeric to IP v4 address by the ...
by tomfisk
Tue Jun 06, 2017 4:41 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hey guys, i am stuck on the whole Database Trigger part. Whenever i try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still i got the same error. I am really eager to try this as it seems fairly interesting, Thanks! error.JPG Does my reply from Mo...
by tomfisk
Tue Jun 06, 2017 4:38 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

+-----------+------------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-----------+------------------+------+-----+---------+-------+ | sid | int(10) unsigned | NO | PRI | NULL | | | cid | int(10) unsigned | NO | PRI | NULL | | | signature | int(10) unsigne...
by tomfisk
Mon Jun 05, 2017 3:09 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, Tried to implement this solution. I use Ubuntu 16.04 with mysql 5.7.18. When I put a trigger in place I get this while loading barnyard2: ERROR: database mysql_error: Unknown column 'event.id' in 'field list' SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_...
by tomfisk
Mon May 29, 2017 10:41 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wow, this is fantastic :) . A great way to do it without having to use an inline IPS. Just one question: can we do it without snorby? Could you maybe provide a full sql schema instead of just your additions for barnyard to write to? I usually use suricata with evebox (json api) so I was just trying...
by tomfisk
Wed May 10, 2017 8:57 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by tomfisk
Tue May 09, 2017 3:34 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by tomfisk
Sat May 06, 2017 5:37 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by tomfisk
Fri Apr 28, 2017 8:33 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Check the update to suricata_block.php that I just made. :) Thanks! Its an email very useful :D :D I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine. Thanks again for your job. I have a little problem, when the event noti...
by tomfisk
Thu Apr 27, 2017 3:02 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik? I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from M...
by tomfisk
Thu Apr 27, 2017 11:44 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login) How could I enable it? Thanks. Are you referring to maximan's implementat...
by tomfisk
Thu Apr 27, 2017 8:20 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login) How could I enable it? Thanks. Are you referring to maximan's implementat...
by tomfisk
Thu Apr 27, 2017 3:48 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login) How could I enable it? Thanks. Are you referring to maximan's implementat...
by tomfisk
Wed Apr 26, 2017 10:07 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connec...
by tomfisk
Wed Apr 26, 2017 9:32 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connec...
by tomfisk
Thu Apr 13, 2017 12:01 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OSSEC installed and running fine (excelent & easy manual). Two question, I installed too web UI for OSSEC and its running fine too, but I would like to have logs from anothers servers to check integrity, logs, etc. Most important question. Should I install agent on servers or since everything is ad...
by tomfisk
Wed Apr 12, 2017 1:45 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OSSEC installed and running fine (excelent & easy manual). Two question, I installed too web UI for OSSEC and its running fine too, but I would like to have logs from anothers servers to check integrity, logs, etc. Most important question. Should I install agent on servers or since everything is ad...
by tomfisk
Tue Apr 11, 2017 8:10 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hmmmm...can you post the definition of your block_queue table? mysql> show table create block_queue; Here: mysql> SHOW CREATE TABLE block_queue\G; *************************** 1. row *************************** Table: block_queue Create Table: CREATE TABLE `block_queue` ( `que_id` int(11) NOT NULL A...
by tomfisk
Tue Apr 11, 2017 4:59 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hmmmm...can you post the definition of your block_queue table? mysql> show table create block_queue; Here: mysql> SHOW CREATE TABLE block_queue\G; *************************** 1. row *************************** Table: block_queue Create Table: CREATE TABLE `block_queue` ( `que_id` int(11) NOT NULL A...
by tomfisk
Mon Apr 10, 2017 12:29 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

It is your script. Its weird because now script sent 2 rules to Mikrotik but in third test, script has stopped. Some is killing that script which I can't see what neither why. Here output file php (which its always showing but doesn't matter because with that error if I don't leave shell, Mikrotik ...
by tomfisk
Mon Apr 10, 2017 12:00 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Yes, I edited my own message to be more clear: Yes, suricata is getting rules because I can see it on Snorby. When I start script again, Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-start it again because script stops when I leave shell and access a new bad ...
by tomfisk
Mon Apr 10, 2017 11:30 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Yes, when I run script again Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-run it again because script is stopped when I leave shell. Here my tests in fast.log 04/10/2017-09:47:00.315253 [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server grou...
by tomfisk
Mon Apr 10, 2017 11:10 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I added my HOME_NET to suricata.yaml: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]" And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right? suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100 suppress gen_id 1, sig_id 2006...
by tomfisk
Mon Apr 10, 2017 8:49 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I added my HOME_NET to suricata.yaml: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]" And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right? suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100 suppress gen_id 1, sig_id 2006...
by tomfisk
Sat Apr 08, 2017 6:52 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

I will look to test it. My Mikrotik has banned my own mail IP, are there way to add a whitelist in suricata or script or Mikrotik? Could I create a rule in first place to allow traffic to my mail address? Thanks again. A couple of different ways to do this in suricata. First of all in /etc/suricata...
by tomfisk
Fri Apr 07, 2017 9:35 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

A add trigger deleting old trigger, I think that its works ,but I discovered a new thing: If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP But MK is adding the number without decipher. Any idea? Thanks So if you do this in MySQL: use snorby; Select * from block_queue; What do y...
by tomfisk
Fri Apr 07, 2017 3:53 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

A add trigger deleting old trigger, I think that its works ,but I discovered a new thing: If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP But MK is adding the number without decipher. Any idea? Thanks So if you do this in MySQL: use snorby; Select * from block_queue; What do y...
by tomfisk
Thu Apr 06, 2017 3:41 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Thanks you for reply. I am using this: # mysql -V mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3 For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is...
by tomfisk
Thu Apr 06, 2017 1:57 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please? Here a picture: http://i64.tinypic.com/2zjiyxc.png What version of MySql are you using? inet_ntoa was introduced in version 5.5.3. Thanks you for reply. I am using this: # mysql -V mysql Ver 14.14 Distrib...
by tomfisk
Thu Apr 06, 2017 1:39 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please? Here a picture: http://i64.tinypic.com/2zjiyxc.png What version of MySql are you using? inet_ntoa was introduced in version 5.5.3. Thanks you for reply. I am using this: # mysql -V mysql Ver 14.14 Distrib...
by tomfisk
Thu Apr 06, 2017 1:26 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
by tomfisk
Mon Feb 27, 2017 6:06 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

Looks good. There are a couple of reasons I don't clean out the block_queue table: I do some analytics to see who my repeat offenders are. The top repeat offenders get added into the address list on the mikrotik with no expiration time. If the mikrotik gets rebooted, then the blocked address list is...
by tomfisk
Mon Feb 27, 2017 5:44 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Re: Suricata IDS/IPS integration with Mikrotik

If you are using phpMyAdmin to define the trigger, you can't do it in an SQL window. Go to the "Triggers" tab on the iphdr table and add the new trigger. addtrigger.png Otherwise just put the code in a file and execute it from the command line: mysql -u username -p database_name < trigger_code.sql H...
by tomfisk
Thu Sep 01, 2016 12:01 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 205
Views: 136147

Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Update 7-December-2017 For those who don't want to fuss with MySQL, I've added fast2mikrotik.php that will read the suricata events from fast.log and create the firewall rules. Update 26-November-2017 Look at my post Historical IP address analysis for Intrusion Prevention on how event history can b...