Community discussions

Search found 159 matches

by aarango
Tue Apr 03, 2018 8:23 am
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3762

Re: No internet router Mikrotik

Any idea to solve it please?
My router has 192.168.77.1
And all my pc has same range (192.168.77.X). All PC has internet connection but router can't connect.

I haven't any rule in Firewall to drop that traffic.
I don't know why router hasn't connection but yes all pc

Thanks.
by aarango
Fri Mar 23, 2018 8:06 am
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3762

Re: No internet router Mikrotik

easy way: download the package, upload to your router (open file, drag the file to it) and reboot all master port settings will be replaced with bridge. so if you have any, change it to bridge before the upgrade. Thanks, how could I check if I have master port? Open ethernet interface and you'll fi...
by aarango
Mon Mar 12, 2018 8:58 am
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3762

Re: No internet router Mikrotik

easy way: download the package, upload to your router (open file, drag the file to it) and reboot

all master port settings will be replaced with bridge. so if you have any, change it to bridge before the upgrade.
Thanks, how could I check if I have master port?
by aarango
Fri Mar 09, 2018 7:57 am
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3762

Re: No internet router Mikrotik

It seems likely that you have some firewall rules preventing CCR to access the internet. Please post results of command /ip firewall export hide-sensitive . I'm sorry for delay, I was busy working and I forgot to reply, here output command: [admin@MikroTik] /ip firewall> export hide-sensitive # mar/...
by aarango
Tue Mar 06, 2018 11:24 am
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3762

Re: No internet router Mikrotik

Make sure the router also can resolve dns. For manual download you want Tile for CCR. Either bugfix or current. Main package, unless you've already added extra packages. I can't do ping to 8.8.8.8 either, but all servers connected to router have access internet without problem, how could I solve it...
by aarango
Mon Mar 05, 2018 3:46 pm
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3762

No internet router Mikrotik

Hi, I have this model: Board Name CCR1016-12G Version 6.XX.XX (stable) I am trying to update version going to system>packages but when I do click on "Check for updates" says me that I haven't connection. By other way, I have router configured with bridges, ports, a lot of servers, pcs... and its ok,...
by aarango
Wed Feb 14, 2018 1:45 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

So it looks like it doesn't get connected :o :o :? :? Since I didn't write that code I'm at a loss as well. I understand, I enabled debug (to test connection) and it works: Connection attempt #1 to 192.168.100.1:8728... <<< [6] /login Connection attempt #2 to 192.168.100.1:8728... <<< [6] /login Co...
by aarango
Wed Feb 14, 2018 10:05 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Since I didn't write that code I'm at a loss as well. I understand, I enabled debug (to test connection) and it works: Connection attempt #1 to 192.168.100.1:8728... <<< [6] /login Connection attempt #2 to 192.168.100.1:8728... <<< [6] /login Connection attempt #3 to 192.168.100.1:8728... <<< [6] /...
by aarango
Wed Feb 14, 2018 8:41 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters? $mikrotik_addr = "__someip__"; $mikrotik_user = "admin"; $mikrotik_pwd = "__somesecret__"; It's strange tomfisk, I am using a new server but in same net and I copied (using SCP...
by aarango
Mon Feb 12, 2018 12:06 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I am using a Debian 9 (before I used Ubuntu 16 and it works), but with this Debian 9 + php7 , script fas2mikrotik fails with this: PHP Warning: fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363 PHP Warning: fwrite(): supplied resource is...
by aarango
Thu Feb 08, 2018 3:33 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Maybe for anyone is useful this tool:
https://www.stamus-networks.com/open-source/

Integrate suricata + ELKS in a dashboard. I added Tomfisk's script and my MK ban IPs and I can check logs on a website. Final result is very pretty.
by aarango
Fri Feb 02, 2018 1:24 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Definitely Suricata has any bug with threshold. suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8 And I receive an alert: The IP address 8.8.8.8 has been blocked due to the following rule match: The signature ID is [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup i...
by aarango
Thu Feb 01, 2018 12:10 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I am having troubles to create "white list". I create it but IDS continue adding thats IPs to blocks. suppress gen_id 1, sig_id 2240001 suppress gen_id 1, sig_id 2220006, track by_src, ip 192.168.XX.XX I added it too in MK in "Packet Sniffer" but not luck neither. MK continue stopping traffic from t...
by aarango
Thu Feb 01, 2018 9:39 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Oops! Looks like I left some debug code in fast2mikrotik.php :(
Delete the "echo" and "return" lines...should work then :) :)
I went to write that too :) I removed it and it works fine. Thanks tomfisk.
by aarango
Wed Jan 31, 2018 2:06 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I have installed a new VPS with new suricata 4.0.3, its installed correctly and I can start it good: root@suricatanew:/# trafr -s | suricata -c /etc/suricata/suricata.yaml -r - 31/1/2018 -- 07:01:57 - <Notice> - This is Suricata version 4.0.3 RELEASE 31/1/2018 -- 07:02:02 - <Notice> - all 5 packet p...
by aarango
Wed Jan 31, 2018 12:04 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The "!" goes in the little box before the IP address. Just click on it and it should change to "!".
I'm stupid, I know it. Thanks as always tomfisk.
I am going to test new version 4.0.3.
by aarango
Wed Jan 31, 2018 11:49 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore set that it doesn't get sent to suricata in the first place. Set up a filter to exclude the a...
by aarango
Wed Jan 31, 2018 10:33 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You'd have to ask the developers that question...just what I found in the documentation :) This: suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX Done! thanks. A bit question. I was using gen_id 1 always, why now 0? :( With that rule router yet banned my IP again. What am I doing wrong? I...
by aarango
Tue Jan 30, 2018 2:33 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
by aarango
Tue Jan 30, 2018 1:28 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I think you can just set gen_id and sig_id to 0 and it should apply to all events for that IP address. Hi, How could I add an IP as whitelist? Thanks. I put a line in threshold.config indicating the specific rule and IP address to suppress. suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168...
by aarango
Tue Jan 30, 2018 12:59 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, How could I add an IP as whitelist? Thanks. I put a line in threshold.config indicating the specific rule and IP address to suppress. suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2 Hi, re-open this reply. How could I do a whitelist for all entry for one IP? I had this: suppre...
by aarango
Fri Jan 26, 2018 10:02 am
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 816

Re: Limit bandwith (Where?)

That's then confirmed that it is not MT, as PC could transfer good BW in same port.
Good luck with the investigation. Few things I can think off: verify cpu usage, io activity, tcp window size tuning
Thanks sebastia, its a shit when as IT have to use a not open source with a useful debug.
by aarango
Thu Jan 25, 2018 2:57 pm
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 816

Re: Limit bandwith (Where?)

PC has good BW, in another port (8 in same bridge) I can transfer a good BW. 3 server have same bridge. Port 7 is a NAS server and there I am having troubles. Maybe NAS is the problem... they isn't opensource and I can't debug it correctly but I want to discard that its was a problem with my router/...
by aarango
Thu Jan 25, 2018 10:57 am
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 816

Re: Limit bandwith (Where?)

Could you clarify what hardware you use and what your current config is: * switching / briding * routing * natting Have you verified what is the load on the RB in profiler while transferring? Hi, thanks for reply. I am using Mikrotik CCR1016-12G. I have port 7,8,9 with a bridge (servers), in that p...
by aarango
Wed Jan 24, 2018 3:29 pm
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 816

Limit bandwith (Where?)

Hi, I have a Mikrotik router. I am having a trouble with a transfer. I have 2 network (net 192.168.1.0/24 and net 192.168.100.0/24). If I transfer one file to net 192.168.100.X -> External_Server I get maximum BW (around 35MB/s). If I transfer one file from net 192.168.1.X -> External_Server I get 3...
by aarango
Fri Nov 17, 2017 12:27 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Thanks tomfisk! great job as always
by aarango
Fri Nov 17, 2017 10:55 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi,

How could I add an IP as whitelist?

Thanks.
by aarango
Thu Aug 24, 2017 1:42 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I do it in my oinkupdate.sh script. #!/bin/bash /usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules chown snort:snort /etc/suricata/rules/* pkill -USR2 -u snort -f /usr/bin/suricata /etc/init.d/aanval restart /etc/init.d/barnyard2 stop sleep 5 /etc/init.d/barnyard2 ...
by aarango
Thu Aug 24, 2017 12:22 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

In my nightly process to update the rules, I issue the following command to suricata: pkill -USR2 -u snort -f /usr/bin/suricata This might help with the problem. A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way t...
by aarango
Wed Aug 23, 2017 2:40 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to kill old process automatically?

I normally each week, stop daemon and re-start all again.

Thanks!
by aarango
Tue Aug 22, 2017 10:46 am
Forum: General
Topic: How to block Youtube and facebook Android App in router Mikrotik
Replies: 30
Views: 71522

Re: How to block Youtube and facebook Android App in router Mikrotik

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Block_access_to_specific_websites It finally did the job for me! The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but s...
by aarango
Mon Aug 21, 2017 8:19 am
Forum: General
Topic: Honeypot with Mikrotik
Replies: 2
Views: 1801

Re: Honeypot with Mikrotik

Thanks! I will test it :)
by aarango
Thu Aug 10, 2017 2:04 pm
Forum: General
Topic: Honeypot with Mikrotik
Replies: 2
Views: 1801

Honeypot with Mikrotik

Hi,

Does anyone know how to do a Honeypot with Mikrotik? I read an old post here but it dates from 2015 ( viewtopic.php?t=96453 ) and it isn't clear to me how it works. If anyone could advise me something, thanks.

Regards.
by aarango
Wed Aug 09, 2017 9:41 am
Forum: Beginner Basics
Topic: Question about 2 subnet
Replies: 6
Views: 701

Re: Question about 2 subnet

Hello aarango, as pe1chl says, you should be more specific on NAT rules, the one you have: 0 chain=srcnat action=masquerade log=no masquerade's all the traffic passing through the router, this is not recommended as it will consume (unnecessarily) a lot of resources in your router. In your case, you...
by aarango
Tue Aug 08, 2017 8:48 am
Forum: Beginner Basics
Topic: Question about 2 subnet
Replies: 6
Views: 701

Re: Question about 2 subnet

This rule is too broad! You need to narrow it with output-interface, like it was before you modified it. When you have to internet interfaces, create another rule like that. Could you let me know some more information? This is a real connection with employees working all time, I do not want to leav...
by aarango
Mon Aug 07, 2017 3:50 pm
Forum: Beginner Basics
Topic: Question about 2 subnet
Replies: 6
Views: 701

Re: Question about 2 subnet

Thanks for reply.

In NAT I have only a masquerade
[admin@MikroTik] /ip firewall nat> print
 0    chain=srcnat action=masquerade log=no 
Rest rules on NAT are for specific ports. Should I create any extra rule?

Regards.
by aarango
Mon Aug 07, 2017 12:56 pm
Forum: Beginner Basics
Topic: Question about 2 subnet
Replies: 6
Views: 701

Question about 2 subnet

Hi, I have this plan: 2 ISP and 1 router Mikrotik. Port 1 Mikrotik has 1 ISP connected Port 2 Mikrotik has another ISP connected Port 3 Mikrotik has a switch for internal network Port 4 Mikrotik has another switch for internal network Internal network is in subnet 192.168.90.0/32 (second ISP) and se...
by aarango
Wed Jul 26, 2017 10:31 am
Forum: Beginner Basics
Topic: How to block all websites except special website
Replies: 10
Views: 3334

Re: How to block all websites except special website

No. Your transparent proxy setup involves a NAT rule where you redirect only TCP Port 80 to the proxy. You will not redirect port 443, because SSL can't be proxied like that.
Thanks normis, what way could I audit SSL traffic? not content of course.
by aarango
Wed Jul 26, 2017 10:07 am
Forum: Beginner Basics
Topic: How to block all websites except special website
Replies: 10
Views: 3334

Re: How to block all websites except special website

If you block all except google they can't search anything because you are dropping all searches. You could use Web Proxy if it's not HTTPS. BTW, why can't you block it if to use HTTPS? I meant: you can't use https on a transparent proxy. Okey! :) now yes. I have a question about that, maybe you can r...
by aarango
Tue Jul 25, 2017 3:49 pm
Forum: Beginner Basics
Topic: How to block all websites except special website
Replies: 10
Views: 3334

Re: How to block all websites except special website

If you block all except google they can't search anything because you are dropping all searches.
You could use Web Proxy if it's not HTTPS.
BTW, why can't you block it if to use HTTPS?
by aarango
Tue Jul 25, 2017 3:30 pm
Forum: Beginner Basics
Topic: Isolate subnet
Replies: 2
Views: 1681

Re: Isolate subnet

/ip firewall filter
add chain=forward action=accept src-address=192.168.4.0/24 dst-address=192.168.1.0/24 connection-state=established,related
add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.1.0/24 connection-state=new,invalid
add chain=input action=drop dst-address=1...
by aarango
Tue Jul 25, 2017 2:13 pm
Forum: Beginner Basics
Topic: Isolate subnet
Replies: 2
Views: 1681

Isolate subnet

Hi, I am trying isolate 2 subnet. In port9 I have subnet 192.168.4.0/24 and in port 2,3,4 a bridge with subnet 192.168.1.0/24. I want that subnet 192.168.4.0/24 can't reach 192.168.1.0/24 but YES 192.168.1.0/24 reach 192.168.4.0/24 I created a rule in firewall with forward 4.0 -> 1.0 DROP. And it wo...
by aarango
Mon Jun 26, 2017 12:51 pm
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

Hi, after some months without re-open post I have to say that I can't connect using serial. My windows recognize the cable (COM4), and I have enabled serial0 and 1 in router MK but when I open putty with COM4 and baud rate I can't connect. [admin@MikroTik] /port> print Flags: I - inactive # DEVICE NAM...
by aarango
Thu Jun 15, 2017 3:13 pm
Forum: General
Topic: Shared Folders
Replies: 15
Views: 2117

Re: Shared Folders

Hi. You can add address-list with the exceptions and put a rule below all the other rules. You can add an address-list with the exceptions and place a rule above all the rules. The IP of the PC that wants to see the folders of the LAN network would be this one: 10.10.1.87. What would the rule of the firew...
by aarango
Fri Jun 02, 2017 1:40 pm
Forum: General
Topic: Analyze traffic router Mikrotik
Replies: 8
Views: 1608

Re: Analyze traffic router Mikrotik

Finally I have installed Graylog + Netflow plugin as kamillo advised me.
It works fine, graphs are pretty :)

Thanks!
by aarango
Fri Jun 02, 2017 10:18 am
Forum: General
Topic: Redirect port 443 different internal IP
Replies: 5
Views: 1191

Re: Redirect port 443 different internal IP

Thanks both :)
by aarango
Thu Jun 01, 2017 2:17 pm
Forum: General
Topic: Redirect port 443 different internal IP
Replies: 5
Views: 1191

Re: Redirect port 443 different internal IP

No. The normal pattern for this use case is to setup a reverse proxy with Nginx or similar between the firewall and the various web servers.
Thanks, I thought that the "content" option could do it that, if not I will setup with nginx. Thanks!
by aarango
Thu Jun 01, 2017 8:44 am
Forum: General
Topic: Shared Folders
Replies: 15
Views: 2117

Re: Shared Folders

Hi. I see that you are Spanish. Thanks for replying. The access point is connected to ether6 and in out interface I have set ether1 gateway. It gives me this error: In/out interface matcher no posible when interface 6 is slave use masterd instead br2-lan. With br-lan it also gives that error. What is wrong? H...
by aarango
Thu Jun 01, 2017 8:29 am
Forum: General
Topic: Redirect port 443 different internal IP
Replies: 5
Views: 1191

Redirect port 443 different internal IP

Hi, I have a public IP (123.45.67.89), now I had setup a rule in Firewall -> NAT: chain=dstnat action=dst-nat to-addresses=192.168.1.101 to-ports=443 protocol=tcp in-interface=MY_INTERFACE dst-port=443 log=no When any from external IP go to my public IP to port 443, router will redirect to 192.168.1...
by aarango
Wed May 31, 2017 9:23 am
Forum: General
Topic: Analyze traffic router Mikrotik
Replies: 8
Views: 1608

Re: Analyze traffic router Mikrotik

Thanks all. I will try to setup it correctly. I will post if I get any usable :)
by aarango
Tue May 30, 2017 3:18 pm
Forum: General
Topic: Analyze traffic router Mikrotik
Replies: 8
Views: 1608

Re: Analyze traffic router Mikrotik

Thanks, do you use that tools on another linux server, right? I would like to see stats on any GUI, I don't know if its possible (free or pay) Yes, on server where netflow are saved (flow-capture). About GUI: sorry, I don't have experience. Hi MartinT, I installed but at the moment I hadn't much t...
by aarango
Mon May 29, 2017 7:58 am
Forum: General
Topic: Analyze traffic router Mikrotik
Replies: 8
Views: 1608

Re: Analyze traffic router Mikrotik

Thanks, do you use that tools on another linux server, right?

I would like to see stats on any GUI, I don't know if its possible (free or pay)
by aarango
Fri May 26, 2017 2:02 pm
Forum: General
Topic: Analyze traffic router Mikrotik
Replies: 8
Views: 1608

Analyze traffic router Mikrotik

Hi,
I am sending all information to my linux server using Traffic Flow in Mikrotik but I would to like know how could I analyze that info. I tried ntop but I don't like. Are there other options?

Thanks.
by aarango
Wed May 10, 2017 11:57 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response. Sorry for late reply. Here a example alerts.log: ** Alert 1494324377.869344: mail - syslog,sshd, 2017 May 09 12:06:17 (mail.mydomain.c...
by aarango
Wed May 10, 2017 8:40 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by aarango
Tue May 09, 2017 1:06 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by aarango
Fri May 05, 2017 2:12 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a exampl...
by aarango
Fri Apr 28, 2017 9:26 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thanks! Its an email very useful :D :D I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine. Thanks again for your job. I have a little problem, when the event notification turns on? If I use from shell mail -s "test" xxxx@h...
by aarango
Fri Apr 28, 2017 8:28 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc) Here a example (body is empty): firewall,info [DR...
by aarango
Thu Apr 27, 2017 2:51 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible? Thanks. There is not an email function within Suricata or my implementation. Would you like an email every time a bl...
by aarango
Thu Apr 27, 2017 1:49 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Are you referring to maximan's implementation? No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible? Thanks. There is not an email function within Suricata or my implemen...
by aarango
Thu Apr 27, 2017 8:28 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login) How could I enable it? Thanks. Are you referring to maximan's implementat...
by aarango
Thu Apr 27, 2017 8:09 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login) How could I enable it? Thanks. Are you referring to maximan's implementat...
by aarango
Wed Apr 26, 2017 2:01 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
by aarango
Wed Apr 26, 2017 10:25 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connec...
by aarango
Wed Apr 26, 2017 9:58 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connec...
by aarango
Wed Apr 26, 2017 9:15 am
Forum: General
Topic: Port Mirror vs NetFlow
Replies: 4
Views: 737

Re: Port Mirror vs NetFlow

I'm using netflow and NTOPNG and I have nice graphs :)
I didn't use port mirror but only I wanted to let you know my own experience.
by aarango
Wed Apr 26, 2017 8:54 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connect...
by aarango
Thu Apr 20, 2017 8:46 am
Forum: General
Topic: Ntop + Mikrotik (Loading checking traffic)
Replies: 1
Views: 722

Re: Ntop + Mikrotik (Loading checking traffic)

I changed to Debian Jessie and I haven't this problem, maybe someone has same "bug".
by aarango
Mon Apr 17, 2017 3:49 pm
Forum: General
Topic: Ntop + Mikrotik (Loading checking traffic)
Replies: 1
Views: 722

Ntop + Mikrotik (Loading checking traffic)

Hi,

Recently I installed ntop on a Linux server, after, I enabled Traffic Flow in Mikrotik to this new server with ntop. I can see traffic in Ntop but when I try to check some IP, the website keep loading all time without luck.

Any idea?

Ubuntu 14 and ntop from repository.

Thanks.
by aarango
Mon Apr 17, 2017 3:18 pm
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

Thanks you all. I will try debug it unplug devices... its hard because we have many of them but I will try.

I am missing a route I think.
by aarango
Wed Apr 12, 2017 2:40 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OSSEC installed and running fine (excellent & easy manual). Two questions, I installed too web UI for OSSEC and it's running fine too, but I would like to have logs from other servers to check integrity, logs, etc. Most important question. Should I install agent on servers or since everything is ad...
by aarango
Wed Apr 12, 2017 1:28 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OSSEC installed and running fine (excellent & easy manual). Some questions, I installed too web UI for OSSEC and it's running fine too, but I would like to have logs from other servers to check integrity, logs, etc. Most important question. Should I install agent on servers or since everything is ad...
by aarango
Wed Apr 12, 2017 11:07 am
Forum: Beginner Basics
Topic: Cannot access the server MikroTik
Replies: 7
Views: 643

Re: Cannot access the server MikroTik

Which is your laptop's IP?
Can you do ping from CMD to that IP?
Which is mikrotik's IP 88 or 100?
by aarango
Wed Apr 12, 2017 11:02 am
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

I'm sorry for the delayed reply. Here: /ip firewall> export # apr/12/2017 09:17:57 by RouterOS 6.38.5 # software id = 8ZHH-KYXY # /ip firewall filter add action=accept chain=forward dst-port=25 protocol=tcp src-address=192.168.11.X add action=drop chain=forward dst-port=25 log=yes log-prefix="[SMTPOUT]" p...
by aarango
Wed Apr 12, 2017 10:15 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

Do you have any cisco box to try that adapter, maybe it's just not working?
Default settings are 9600 8N1
Hi, thanks. I have requested an adapter; when I receive it I will test it.
by aarango
Tue Apr 11, 2017 8:04 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hmmmm...can you post the definition of your block_queue table? mysql> show table create block_queue; Here: mysql> SHOW CREATE TABLE block_queue\G; *************************** 1. row *************************** Table: block_queue Create Table: CREATE TABLE `block_queue` ( `que_id` int(11) NOT NULL A...
by aarango
Mon Apr 10, 2017 3:33 pm
Forum: Beginner Basics
Topic: help me!
Replies: 3
Views: 506

Re: help me!

Maybe you have to restore your Mikrotik to defaults. I understand that if you want to restore a backup you will need your root password.
by aarango
Mon Apr 10, 2017 12:38 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hmmmm...can you post the definition of your block_queue table? mysql> show table create block_queue; Here: mysql> SHOW CREATE TABLE block_queue\G; *************************** 1. row *************************** Table: block_queue Create Table: CREATE TABLE `block_queue` ( `que_id` int(11) NOT NULL A...
by aarango
Mon Apr 10, 2017 12:10 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Yes, I edited my own message to be more clear: Yes, suricata is getting rules because I can see it on Snorby. When I start the script again, Mikrotik receives all rules which Suricata/Barnyard2/Snorby had captured. I have to restart it again because the script stops when I leave the shell and access a new bad ...
by aarango
Mon Apr 10, 2017 11:36 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Yes, when I run the script again Mikrotik receives all rules which Suricata/Barnyard2/Snorby had captured. I have to re-run it again because the script is stopped when I leave the shell. Here are my tests in fast.log 04/10/2017-09:47:00.315253 [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server grou...
by aarango
Mon Apr 10, 2017 11:21 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I added my HOME_NET to suricata.yaml: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]" And I also added a line in threshold.config to avoid that alert from my IP. Could you tell me if it's right? suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100 suppress gen_id 1, sig_id 2006...
by aarango
Mon Apr 10, 2017 11:06 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I added my HOME_NET to suricata.yaml: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]" And I also added a line in threshold.config to avoid that alert from my IP. Could you tell me if it's right? suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100 suppress gen_id 1, sig_id 2006...
by aarango
Mon Apr 10, 2017 8:11 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

I will look to test it. My Mikrotik has banned my own mail IP; is there a way to add a whitelist in suricata or script or Mikrotik? Could I create a rule in first place to allow traffic to my mail address? Thanks again. A couple of different ways to do this in suricata. First of all in /etc/suricata...
by aarango
Fri Apr 07, 2017 1:21 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

A add trigger deleting old trigger, I think that it works, but I discovered a new thing: If I do from mysql console set inet_ntoa(NEW.ip_src) -> I get real IP But MK is adding the number without decipher. Any idea? Thanks So if you do this in MySQL: use snorby; Select * from block_queue; What do y...
by aarango
Fri Apr 07, 2017 9:00 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

If you reboot mikrotik box is there any startup messages? Can you login via winbox, open terminal and check serial port config with [admin@MikroTik] system serial-console> /port print detail [admin@MikroTik] /system console> /port print detail Flags: I - inactive 0 name="serial0" used-by="Serial Co...
by aarango
Fri Apr 07, 2017 7:40 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

A add trigger deleting old trigger, I think that it works, but I discovered a new thing: If I do from mysql console set inet_ntoa(NEW.ip_src) -> I get real IP But MK is adding the number without decipher. Any idea? Thanks So if you do this in MySQL: use snorby; Select * from block_queue; What do y...
by aarango
Thu Apr 06, 2017 3:55 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

I haven't examined his code in detail so I couldn't say what changes he may have made. Well, it seems the same, but maybe I should restore the database to the original (before installing that script) and add your tables. If I paste your mysql code into a .sql file and export, is that right? Or how should I add t...
by aarango
Thu Apr 06, 2017 3:09 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

What version of MySql are you using? inet_ntoa was introduced in version 5.5.3. Thank you for the reply. I am using this: # mysql -V mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3 On the other hand, I used your php script but I added the tables using the package from max...
by aarango
Thu Apr 06, 2017 1:44 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed this correctly but I get a bad address on Mikrotik; could anyone help me please? Here is a picture: http://i64.tinypic.com/2zjiyxc.png What version of MySql are you using? inet_ntoa was introduced in version 5.5.3. Thank you for the reply. I am using this: # mysql -V mysql Ver 14.14 Distrib...
by aarango
Thu Apr 06, 2017 1:35 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed this correctly but I get a bad address on Mikrotik; could anyone help me please? Here is a picture: http://i64.tinypic.com/2zjiyxc.png What version of MySql are you using? inet_ntoa was introduced in version 5.5.3. Thank you for the reply. I am using this: # mysql -V mysql Ver 14.14 Distrib...
by aarango
Thu Apr 06, 2017 1:24 pm
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

Fairly obviously, COM8.
thanks, it was stupid for my side :)

I connected to COM8 but I can't see anything on screen; putty stays on a blank screen (I set up 115200 bps)

Any idea?

Thanks.
by aarango
Thu Apr 06, 2017 1:09 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 183
Views: 77959

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed this correctly but I get a bad address on Mikrotik; could anyone help me please? Here is a picture: http://i64.tinypic.com/2zjiyxc.png Hello Well, after working a few days, I used your post like base, to make this project https://github.com/elmaxid/ips-mikrotik-suricata Tell me if you hav...
by aarango
Thu Apr 06, 2017 12:10 pm
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

As I wrote before, You have usb-to-serial adapter that is not working out of the box on linux. You could try to compile driver, https://www.linux.org.ru/forum/linux-hardware/11965571, for procedure look at the last post . IMHO, best option for You is to sell current adapter and buy adapter based on...
by aarango
Thu Apr 06, 2017 9:10 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

Hit enter at least 1 time to bring up login screen. If it's not that then look at my previous post about configuring the MikroTik to use the /system console correctly. Does your model have a bit in serial port or are you doing a USB to Serial on the MikroTik as well as the computer like my picture?...
by aarango
Wed Apr 05, 2017 11:57 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

Sorry for the late reply. I tried with 9200, 115200... but when I connect -> minicom -o /dev/ttyUSB0 I can't see anything, the screen is locked.

Do I have to enable any option on MK?

Thanks.
by aarango
Fri Mar 31, 2017 7:47 am
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Re: Connect MK - Linux laptop Serial

Hi,

Thank you all. In dmesg I see /dev/ttyUSB0.

My router is this: https://routerboard.com/CCR1016-12G

Should I change any value on Minicom to connect to the MK router?

Thanks again.
by aarango
Thu Mar 30, 2017 4:00 pm
Forum: Beginner Basics
Topic: Connect MK - Linux laptop Serial
Replies: 20
Views: 2968

Connect MK - Linux laptop Serial

Hi, Recently I bought this: https://www.amazon.es/RS232-Serial-DB9-RS-232-hembra-convertidor-adaptador-conversor/dp/B01I6PACTE/ref=sr_1_10?ie=UTF8&qid=1490189591&sr=8-10&keywords=usb+serial I connected it to the serial port and USB to my laptop; how could I get a console? I tried using "Minicom" but no luck...
by aarango
Thu Mar 30, 2017 2:54 pm
Forum: General
Topic: Mikrotik Router OS / RouterBoard and Snort IDS/IPS
Replies: 15
Views: 20845

Re: Mikrotik Router OS / RouterBoard and Snort IDS/IPS

Hi, I configured correctly (I think) IDS/IPS this https://sourceforge.net/projects/mt-fw-attack/

But I can't test if it works or not; how could I do it? Any test?

Thanks.
by aarango
Thu Mar 30, 2017 2:52 pm
Forum: General
Topic: Snort IDS ?
Replies: 4
Views: 3807

Re: Snort IDS ?

Hi, I have developed an IDS/IPS system for RouterOS. It is here: http://sourceforge.net/projects/mt-fw-attack/ You need a linux machine to compile and run it. It collects syslog messages from your routeros device (there are instructions on how to use it) and adds the attackers on an address list...
by aarango
Wed Mar 29, 2017 8:18 am
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

If you would like to run a ping test to say 8.8.8.8 from your router, from within winbox you can select the advanced tab. Where Src address is you can type in the wan ip of the interface you would like to test from, and run the test. When you have multiple WAN ports. You can send traffic out differe...
by aarango
Tue Mar 28, 2017 12:38 pm
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

When running tests you can choose out interface and address traffic is coming from for instance from ping. PCC would allow you to set controls saying what traffic goes out which wan.
I'm sorry dgnevans but I don't understand you; could you explain to me a bit more? Thanks.
by aarango
Tue Mar 28, 2017 8:47 am
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Re: Maltrail + Mikrotik (IDS)

Hello I use it creating a dummy interface and replay the tzsp traffic to it with tcpreplay. modprobe dummy ip link set name eth10 dev dummy0 ifconfig eth10 192.168.42.42 trafr -s | tcpreplay --topspeed -i eth10 - python sensor.py python server.py and chan chan chan chan....you can use maltrail usin...
by aarango
Tue Mar 28, 2017 8:09 am
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

Can you post updated output after the changes you made earlier. > print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 192.168.10.2/24 192.168.10.0 A_XXX 1 192.168.200.1/24 192.168.200.0 lan_XXX 2 192.168.11.1/24 192.168.11.0 YYY 3 192.168.12.2/24 192.168.12.0 A_XXX:2 A...
by aarango
Mon Mar 27, 2017 3:35 pm
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Re: Maltrail + Mikrotik (IDS)

I solved getting traffic on the snort server from Mikrotik. The server couldn't take traffic from MK because the tool "trafr" isn't installed properly; you have to download it and install a package, here is the output: # ./trafr -bash: ./trafr: No such file or directory The problem is that the trafr program is a 32 bit app...
by aarango
Mon Mar 27, 2017 3:00 pm
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

2 192.168.11.1/24 192.168.11.0 XXXX 1 A S 0.0.0.0/0 192.168.11.1 1 Thanks. Your IP address number 2 and default route number 1 are the same address. this means you pointing default traffic out back at the router. Check this config. Thanks, but I can't solve it. Checking steps: I changed default rou...
by aarango
Sun Mar 26, 2017 5:36 pm
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

Which is your wan ip address. do you have multiple wan ip's
I'm sorry for the late reply.
I have multiple wan (subnet with different servers) but the main one is -> 192.168.10.2/24 192.168.10.0 A_XXX
by aarango
Sun Mar 26, 2017 5:34 pm
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Re: Maltrail + Mikrotik (IDS)

Hi,
I think you should download trafr from http://mikrotik.com/download
Thanks, but my error is shown on my ids server (debian normal); could you guide me a bit?
by aarango
Thu Mar 23, 2017 3:32 pm
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Re: Maltrail + Mikrotik (IDS)

New update, I installed on VirtualBox server and I get this with this new server: root@ids:~# ./trafr -s | snort -r - bash: ./trafr: No existe el archivo o el directorio Running in packet dump mode --== Initializing Snort ==-- Initializing Output Plugins! pcap DAQ configured to read-file. ERROR: Can...
by aarango
Thu Mar 23, 2017 3:14 pm
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Re: Maltrail + Mikrotik (IDS)

With snort installed I get this when I try start Snort: # ./trafr -s | snort -r - -bash: ./trafr: No such file or directory Running in packet dump mode --== Initializing Snort ==-- Initializing Output Plugins! pcap DAQ configured to read-file. ERROR: Can't initialize DAQ pcap (-1) - truncated dump f...
by aarango
Thu Mar 23, 2017 2:48 pm
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Re: Maltrail + Mikrotik (IDS)

Thank you both. I had installed Snort/Maltrail/Suricata on an openvz container; is it a problem?

Suricata gives me
23/3/2017 -- 08:37:56 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 65535 not yet supported in module DecodeAFP

Thanks again.
by aarango
Thu Mar 23, 2017 2:18 pm
Forum: General
Topic: Maltrail + Mikrotik (IDS)
Replies: 10
Views: 2244

Maltrail + Mikrotik (IDS)

Hi, I am looking for a good IDS for my net. I know that Suricata and Snort exist, but I would like to use "Maltrail". I installed it on a server but I don't know how to send the info from MK to Maltrail's server. MK tries to do it using port 37008 but Maltrail is only listening on the http port. Any advice? BTW, I insta...
by aarango
Thu Mar 23, 2017 12:12 pm
Forum: General
Topic: Tool: Realtime per IP traffic monitor for home/office
Replies: 289
Views: 305140

Re: Tool: Realtime per IP traffic monitor for home/office

Is there this tool for Linux? (Service & Viewer)

Thanks.
by aarango
Thu Mar 23, 2017 8:19 am
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

Are you able to ping an ip address from the mikrotik ie 8.8.8.8 No, I can't ping 8.8.8.8, nor do DNS resolution such as google.com. Maybe I forgot a route? Here are my address and route: [admin@MK] /ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 192.168....
by aarango
Thu Mar 23, 2017 8:13 am
Forum: General
Topic: DDoS story, or WARNING: use 'conection-limit' with caution!
Replies: 112
Views: 63057

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

I normally use MK from the web interface; how could I change the rule's order?
just drag'n'drop the rule by your mouse :)
:D I feel stupid now! I tried a lot of things less that...
by aarango
Wed Mar 22, 2017 2:53 pm
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

Re: No internet on Mikrotik

So just to confirm from your post. Your servers and devices can browse internet from behind the mikrotik router but you cannot ping from the mikrotik out to the internet.
Right. All servers and devices can browse without problem but MK can't do it.
by aarango
Wed Mar 22, 2017 2:36 pm
Forum: Beginner Basics
Topic: No internet on Mikrotik
Replies: 19
Views: 2697

No internet on Mikrotik

Hi,

I have a bit of a problem. I don't have internet on the Mikrotik; I can't ping any site, but I have connected a lot of servers/laptop/bridges/ 2 ISP... and all of them can surf without any problem. How could I debug it? What info could I paste to check it?

Thanks.
by aarango
Wed Mar 22, 2017 2:21 pm
Forum: General
Topic: DDoS story, or WARNING: use 'conection-limit' with caution!
Replies: 112
Views: 63057

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Is there a way to add any whitelist? just add one more 'return' rule next to the current 'return' rule: add chain=block-ddos src-address-list=whitelisted-from-ddos-checker action=return and then use this address-list for whitelisting Thank you, a stupid question. I normally use MK from interface we...
by aarango
Wed Mar 22, 2017 9:20 am
Forum: General
Topic: DDoS story, or WARNING: use 'conection-limit' with caution!
Replies: 112
Views: 63057

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Hi, I added your lines from the first post, Chupaka, and I see packets / bytes on jump and return on my firewall, but I want to know how I could see what the packets are, what IP it is, and where I could see if that traffic is DDoS or simply traffic. Basically, how could I monitor that traffic to avoid DDoS attacks. 6 ch...
by aarango
Thu Feb 23, 2017 11:14 am
Forum: Beginner Basics
Topic: Disable dhcp ethernet (not wifi)
Replies: 3
Views: 582

Re: Disable dhcp ethernet (not wifi)

Thanks for the reply. I finally did it with a separate bridge, keeping "bridge-local" inactive.
by aarango
Thu Feb 23, 2017 10:12 am
Forum: Beginner Basics
Topic: Disable dhcp ethernet (not wifi)
Replies: 3
Views: 582

Disable dhcp ethernet (not wifi)

Hi,

I would like to disable DHCP for connections using Ethernet but I would like to keep DHCP for wifi; is that possible?

Thanks.
by aarango
Wed Feb 22, 2017 3:29 pm
Forum: Beginner Basics
Topic: Join two subnet - Different range - two Mikrotik
Replies: 7
Views: 2933

Re: Join two subnet - Different range - two Mikrotik

Finally I solved it by creating what you told me in the first post:

A rule on IP -> route to reach subnet 88.

192.168.88.0/24 192.168.158.58 (IP that the main Mikrotik router gave to the wireless router)

Thanks.
by aarango
Wed Feb 22, 2017 2:30 pm
Forum: Beginner Basics
Topic: Join two subnet - Different range - two Mikrotik
Replies: 7
Views: 2933

Re: Join two subnet - Different range - two Mikrotik

Hi,

I'm sorry for the changes, but I was changing some values and for that reason the IP has changed; I need to delete some values from the full export for security.
by aarango
Wed Feb 22, 2017 8:21 am
Forum: Beginner Basics
Topic: Join two subnet - Different range - two Mikrotik
Replies: 7
Views: 2933

Re: Join two subnet - Different range - two Mikrotik

Sorry for the late reply. Here is the export of the main router (150.1) /ip firewall nat add action=masquerade chain=srcnat /ip route add distance=1 dst-address=192.168.88.0/24 gateway=192.168.150.51 (IP that main Router gives wireless router) /ip route rule add dst-address=192.168.150.0/24 src-address=192.168.88.0/2...
by aarango
Mon Feb 20, 2017 3:33 pm
Forum: Beginner Basics
Topic: Join two subnet - Different range - two Mikrotik
Replies: 7
Views: 2933

Re: Join two subnet - Different range - two Mikrotik

Hi, Thank you for the fast reply. I created that route but I can't reach that subnet. (I can ping wireless router - 192.168.150.58) $ ping 192.168.150.58 PING 192.168.150.58 (192.168.150.58) 56(84) bytes of data. 64 bytes from 192.168.100.58: icmp_seq=1 ttl=64 time=0.219 ms Router is created on wired r...
by aarango
Mon Feb 20, 2017 2:54 pm
Forum: Beginner Basics
Topic: Join two subnet - Different range - two Mikrotik
Replies: 7
Views: 2933

Join two subnet - Different range - two Mikrotik

Hi, I am using a main Mikrotik router for daily use, 192.168.150.0/24. Then I have another Mikrotik router connected to a switch on the same net, but this new Mikrotik has wifi and its subnet is 192.168.88.0/24 (this is the reason I want to connect this new Mikrotik) If I connect to this last Mi...
by aarango
Thu Feb 16, 2017 1:04 pm
Forum: Beginner Basics
Topic: Outgoing port 9 for port 2 (second ISP line)
Replies: 3
Views: 457

Re: Outgoing port 9 for port 2 (second ISP line)

Thanks both. I did it and it works.
by aarango
Tue Feb 14, 2017 9:02 am
Forum: Beginner Basics
Topic: Use Cloud switch as Wifi point
Replies: 3
Views: 554

Re: Use Cloud switch as Wifi point

Thanks Sob, but I can't do it. I assigned an IP to the Mikrotik Cloud Switch Series (same subnet as the main router); afterwards I created on the Mikrotik Cloud Switch Series a new range for wireless and it assigned me an IP (another range) but I can't navigate. I am forgetting some rule or route, I think. BTW, I assigned...
by aarango
Mon Feb 13, 2017 3:58 pm
Forum: Beginner Basics
Topic: Outgoing port 9 for port 2 (second ISP line)
Replies: 3
Views: 457

Outgoing port 9 for port 2 (second ISP line)

Hi, I would like to know if it's possible to make port 9 (server connected) use port 2 (connected to the second ISP line) for outgoing traffic to the net, using a different subnet. I tried with routes but no luck; maybe I am doing some things wrong. In port 1 Mikrotik Router there is another ISP working fine as mai...
by aarango
Mon Feb 13, 2017 11:47 am
Forum: Beginner Basics
Topic: Use Cloud switch as Wifi point
Replies: 3
Views: 554

Use Cloud switch as Wifi point

Hi, I would use an old Cloud Switch Series as a wifi point. I have connected that Cloud Switch Series to a Mikrotik router. What config should I use on the Cloud Switch Series to use it as wifi? Default route gateway to the main Mikrotik router on the port where I connected both routers? Scheme: ONT - Main Router M...
by aarango
Wed Feb 08, 2017 8:08 am
Forum: Beginner Basics
Topic: Connectivity 2 IP different range
Replies: 8
Views: 1155

Re: Connectivity 2 IP different range

Thanks. I will do it in these days; I was a little busy, sorry.
by aarango
Fri Feb 03, 2017 10:55 am
Forum: Beginner Basics
Topic: Connectivity 2 IP different range
Replies: 8
Views: 1155

Connectivity 2 IP different range

Hi, I would like to configure 2 different subnets so that they have connectivity. I explain: Port 2 Mikrotik -> Switch with 30 laptops (range 192.168.100.0/24) Port 5 Mikrotik -> 1 mail server with a different IP (192.168.1.20 for example) I want both ports to have connectivity to each other. If I from...
by aarango
Tue Jan 31, 2017 8:41 am
Forum: RouterBOARD hardware
Topic: Usage GPON module SFP in Spain
Replies: 253
Views: 52346

Re: Usage GPON module SFP in Spain

Thank you all very much for your help. In the end I had no major problems; I did not need to configure the PPoE client (I don't know whether this will harm the service or not), should I set it up with PPoE? My router is the "All in one" one. https://i.blogs.es/0ac724/hgu-movistar/1366_2000.jpg I ran a ca...
by aarango
Fri Jan 27, 2017 8:10 am
Forum: RouterBOARD hardware
Topic: Usage GPON module SFP in Spain
Replies: 253
Views: 52346

Re: Usage GPON module SFP in Spain

Hello to you both. Sorry for intruding on a thread about GPON and SFP, but I have a question about the ONT - Mikrotik and I am taking advantage of the Spanish speakers here to ask it, since I see you have something set up similar to what I am aiming for. We have fibre with Movistar and I want to plug the ONT into the Mikrotik router (CCR...
by aarango
Thu Jan 26, 2017 8:52 am
Forum: RouterBOARD hardware
Topic: Usage GPON module SFP in Spain
Replies: 253
Views: 52346

Re: Usage GPON module SFP in Spain

Hello to you both. Sorry for intruding on a thread about GPON and SFP, but I have a question about the ONT - Mikrotik and I am taking advantage of the Spanish speakers here to ask it, since I see you have something set up similar to what I am aiming for. We have fibre with Movistar and I want to plug the ONT into the Mikrotik router (CCR1...
by aarango
Thu Jan 26, 2017 8:05 am
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

Finally we got Mikrotik RB/CCR1016-12G (router) TP-LINK TL-SG1048 (switch) A question. I will connect 2 lines (two ISP) to same router, is it possible? Creating vlan maybe? BTW, I connect switch to port 2 of router (for example), can router see 48 ports switch? Thanks again. Afaik RouterOS doesn't ...
by aarango
Tue Jan 24, 2017 8:10 am
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

Finally we got
Mikrotik RB/CCR1016-12G (router)
TP-LINK TL-SG1048 (switch)

A question. I will connect 2 lines (two ISP) to same router, is it possible? Creating vlan maybe?
BTW, I connect switch to port 2 of router (for example), can router see 48 ports switch?

Thanks again.
by aarango
Mon Jan 23, 2017 8:05 am
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

Hi,
I was looking for a dumb switch. Mikrotik has its own switch but it is managed and has only 24 ports; any advice about a dumb switch with 48 ports?

Thanks,
by aarango
Sat Jan 21, 2017 10:07 pm
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

I will have a look at some switches (without management) and I will check prices.

Thank you all for the help
by aarango
Fri Jan 20, 2017 12:26 pm
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

Ok So On the CCR, you would create a bridge and add e.g ether1,2,3 to the bridge. These are the ethernets connecting to the crs switches. I would advise then creating a management IP range. e.g 10.0.2.0/29 to manage the switches. e.g 10.0.2.1 on the CCR and 10.0.2.2 etc on the switches. You can run...
by aarango
Fri Jan 20, 2017 9:49 am
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

Sounds like you are just needing a gigabit "dumb" switch. So either get the crs 125 or the crs 226 (if you need SFP+) - then set all ethernet ports as slaves to the master port, i.e the port that connects to the CCR. Then e.g add your /24 on the uplink port on the ccr, and you can take an IP and as...
by aarango
Fri Jan 20, 2017 8:05 am
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

Now it depends again if you would need the following: - do you need to separate clients in groups without interaction between them? - do you need user/guest access? - do you need to deploy PoE devices like VoIP phones or access points? - do you need to deploy multicast services, like IPTV? - do you...
by aarango
Thu Jan 19, 2017 12:06 pm
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Re: Which switch with CCR1016-12G?

It depends. You need to be a bit more explicit about what you want to do with it.
Sorry, it's right. I'm working around 100 employers; my idea is to take that router + switch. I have decided on the router but not the switch yet; any advice?

Thanks.
by aarango
Thu Jan 19, 2017 9:57 am
Forum: RouterBOARD hardware
Topic: Which switch with CCR1016-12G?
Replies: 17
Views: 1983

Which switch with CCR1016-12G?

Hi,

I am thinking of taking https://routerboard.com/CCR1016-12G

I will need a switch too; which switch would be the better option?

Thanks.
by aarango
Wed Jan 11, 2017 9:47 am
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Re: Wifi another subnet

I solved it. I added a new address to bridge-wifiguest, then joined bridge-wifiguest & wlan1 and created a new pool for that.

Thank you both.
by aarango
Tue Jan 10, 2017 2:55 pm
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Re: Wifi another subnet

Make an export of your configuration and put it here inside [admin@MikroTik] > export # jan/10/2017 13:46:53 by RouterOS 6.5 # software id = UUEG-228A # /interface bridge add admin-mac=D4:CA:6D:F8:5A:A3 auto-mac=no l2mtu=1588 name=bridge-local protocol-mode=rstp add admin-mac=D4:CA:6D:F8:5A:BB auto...
by aarango
Tue Jan 10, 2017 2:28 pm
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Re: Wifi another subnet

First of all you don't need bridges. Delete the bridges and delete the ports from the bridges.
Put the IP of the bridge-local to ether2. Put ether2 to look in default-dhcp in DHCP Server.
Give IP 192.168.90.1/24 to wlan.
If I remove the bridge I have no net :(
by aarango
Tue Jan 10, 2017 1:33 pm
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Re: Wifi another subnet

Your post is little confused. Now, in bridge-local do you have ether2 and wlan or only ether2? Sorry. bridge-local is using ether2-master-local bridge-wifiguest is using wlan1 interface If I change wlan1 to bridge-local, I can connect using Wifi without problem, but if I change to bridge-wifiguest ...
by aarango
Tue Jan 10, 2017 11:10 am
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Re: Wifi another subnet

Which interface belong to the bridge? You are using default bridge, in this case it have wlan and and ether ports. bridge-local is connected to ether2-master-local. I had same bridge port on WLAN and ether2-master-local. I changed to different bridge but now I can't connect that Wifi. Laptop keep t...
by aarango
Mon Jan 09, 2017 3:46 pm
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Re: Wifi another subnet

I have 2 config in DHCP Server: [admin@MikroTik] /ip dhcp-server> print # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP 0 default bridge-local default-dhcp 3d 1 dhcp-wifiguest wlan1 pool-wifiguest 3d 2 DHCP Wifi Vis Wifi Visit Pool Visit 3d I tried that dhcp-wifiguest give another subnet. MK ...
by aarango
Mon Jan 09, 2017 11:44 am
Forum: General
Topic: Wifi another subnet
Replies: 16
Views: 2052

Wifi another subnet

Hi, I have MIKROTIK ROUTEROS with 15 laptop using ethernet and I have a WLAN that clients and visitors use it. I want to give using DHCP to ethernet subnet 192.168.80.0/24 (example) and WLAN subnet 192.168.90.0/24. I configured in DHCP server -> interface WLAN1 -> Address Pool -> MyPool and that poo...
by aarango
Mon Dec 19, 2016 1:46 pm
Forum: General
Topic: Control traffic Switch cisco -> MK -> ISP
Replies: 1
Views: 351

Re: Control traffic Switch cisco -> MK -> ISP

Any?
by aarango
Fri Dec 16, 2016 9:43 am
Forum: General
Topic: Control traffic Switch cisco -> MK -> ISP
Replies: 1
Views: 351

Control traffic Switch cisco -> MK -> ISP

Dear all, I actually have all interfaces from office connected to same Mikrotik and Mikrotik to ISP, it works fine, without problem. And I can control all traffic (proxy, netflow - ntopng + nprobe, torch...) Now we need to expand our office so, we have some cisco switches, I would like to know if I can...
by aarango
Fri Dec 09, 2016 1:55 pm
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2589

Re: Script to check new hardware connected (IP - MAC)

Hi, I did it but I can't receive any emails, here log:
12:20:27 dhcp,info default deassigned 192.168.XX.XX from 78:F8:XX:XX:XX:XX
12:20:27 dhcp,info default assigned 192.168.XX.XX to 78:F8:XX:XX:XX:XX
12:20:38 dhcp,info default deassigned 192.168.XX.XX from 2C:76:XX:XX:XX:XX
12:20:38 dhcp,info defau...
by aarango
Fri Dec 09, 2016 8:16 am
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2589

Re: Script to check new hardware connected (IP - MAC)

Hi BlackVS, as always thank you for your patience. I changed to e-mail but no luck, I don't receive any emails. I checked logs but there isn't any entry regarding that, I only see this:
07:11:13 wireless,info 08:D4:XX:XX:XX:XX@wlan1: connected
07:11:17 wireless,info 08:D4:XX:XX:XX:XX@wlan1: disconn...
by aarango
Wed Dec 07, 2016 9:21 am
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2589

Re: Script to check new hardware connected (IP - MAC)

Thanks BlackVS, I tried to do it but I can't receive emails when any IP is given. Here my screenshots (I can send me test emails without problem). Any help is appreciated :)
Section Scripts: http://i65.tinypic.com/2061u92.jpg
Section DHCP Server -> default zone. http://i65.tinypic.com/2vmaxci.jpg
Th...
by aarango
Mon Dec 05, 2016 8:16 am
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2589

Re: Script to check new hardware connected (IP - MAC)

Hi, thank you for the reply BlackVS. I added that code in the Scripting section but I don't know if I need to do something more to receive emails when any IP is assigned. You told me that I need to send email with leaseActIP / leaseActMAC but I don't know where I could do it. Could you guide me a little? I'm new o...
by aarango
Wed Nov 30, 2016 1:56 pm
Forum: Scripting
Topic: DHCP new lease
Replies: 3
Views: 992

Re: DHCP new lease

Hi,

I used that script but it only sends an email when I execute it. How could I keep constantly listening for new requests? I would like to receive an email when DHCP gives an IP (email with the MAC & IP given)
And if it's possible, steps to do it, I'm a newbie on this.
Thanks.
by aarango
Wed Nov 30, 2016 1:35 pm
Forum: Scripting
Topic: Script to check new hardware connected (IP - MAC)
Replies: 8
Views: 2589

Script to check new hardware connected (IP - MAC)

Hello, I am new on this forum and with MK too. I would like to know how I could do a script to send me an email when a new hardware requests an IP from my MK. The email should have the IP and MAC from the request to check on our schedule who is asking for a new IP. I have already email config configured but I don't know h...