Maltrail + Mikrotik (IDS)

Hi,

I am looking for a good IDS for my net. I know that Suricata and Snort exist, but I would like to use "Maltrail". I installed it on a server but I don't know how to send the info from MK to Maltrail's server. MK tries to do it using port 37008 but Maltrail is only listening on the http port. Any advice?

BTW, I installed Snort too but I don't know how to make the router's info go to Snort.

I enabled on "streaming" the IP where Maltrail (and Snort) is installed.

Thanks

Hi,
I quickly checked out the Maltrail documentation. I think you should set up a mirror port and connect your sensor to that port.
Streaming will not help you. Streaming uses the TZSP format to send traffic data. Check out https://wiki.mikrotik.com/wiki/Ethereal/Wireshark
Maybe you can use streaming with the trafr executable. https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
On this link, there is an example of how to do it with Snort.

Osman Kazdal

Interested in this myself. Once my internet gets restored I’m planning on setting up a bunch of these to test in a VM. I’ll let you know what I figure out


Thank you both. I had installed Snort/Maltrail/Suricata on an OpenVZ container, is it a problem?

Suricata gives me
23/3/2017 -- 08:37:56 - - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 65535 not yet supported in module DecodeAFP

Thanks again.

With Snort installed I get this when I try to start Snort:

./trafr -s | snort -r -

-bash: ./trafr: No such file or directory
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
Fatal Error, Quitting..

I am using this manual → https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS

Thanks.

New update, I installed it on a VirtualBox server and I get this with this new server:

root@ids:~# ./trafr -s | snort -r -
bash: ./trafr: No existe el archivo o el directorio
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
Fatal Error, Quitting.

And with the OpenVZ container, same output, but with the VirtualBox container, if I execute "snort" I receive packets, while with the OpenVZ container I do not, with this output:

root@ids:/# snort
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "venet0".
ERROR: Cannot decode data link type 113
Fatal Error, Quitting..

Hi,
I think you should download trafr from http://mikrotik.com/download

thanks, but my error is shown on my IDS server (normal Debian), could you guide me a bit?

I solved getting traffic on the Snort server from the MikroTik. The server couldn't take traffic from MK because the tool "trafr" wasn't properly installed; you have to download it and install a package, here is the output:

./trafr

-bash: ./trafr: No such file or directory

The problem is that the trafr program is a 32-bit application and you're trying this on a 64-bit OS without 32-bit compatibility libraries. To verify that, you can use the following command:

file ./trafr
./trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped

On Ubuntu 14.04 you can fix that simply by doing the following:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386

With that package you can receive traffic; test it using this:
trafr -s | snort -r -

You should get traffic now.

Now I want to go ahead with Snort. How could I get graphs from those stats? I get a lot of traffic but I would like to see it in a GUI or similar.

Thanks.
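The `file ./trafr` check above reads the ELF identification bytes at the start of the binary to report "ELF 32-bit LSB executable, Intel 80386". The following block is an added example, not code from the thread or from MikroTik: it parses those same header fields (class, data encoding, `e_type`, `e_machine`) and reports whether a binary would need the i386 compatibility libraries on an x86-64 host. The function names and the constructed 20-byte header used for the self-check are assumptions of this example.

```python
import platform
import struct

ELF_MAGIC = b"\x7fELF"
# e_ident offsets and values from the ELF specification
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
# e_type values: 2 = executable, 3 = shared object / PIE
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
# A few e_machine values that matter for "will this run here?" checks
MACHINE_NAMES = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Constructed header of a 32-bit, little-endian i386 executable (what the
# thread's trafr reports); bytes 6..15 are version/OS ABI/padding.
SAMPLE_I386_HEADER = b"\x7fELF\x01\x01\x01" + bytes(9) + bytes([2, 0, 3, 0])


def describe_elf(header: bytes) -> dict:
    """Decode the first 20 bytes of an ELF file the way `file` summarises it."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {ELFCLASS32: 32, ELFCLASS64: 64}.get(header[EI_CLASS])
    encoding = {ELFDATA2LSB: "LSB", ELFDATA2MSB: "MSB"}.get(header[EI_DATA])
    if bits is None or encoding is None:
        raise ValueError("unknown ELF class or data encoding")
    # e_type (offset 16) and e_machine (offset 18) are stored in the file's
    # own byte order, so pick the struct prefix from EI_DATA.
    fmt = ("<" if encoding == "LSB" else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, header[16:20])
    return {
        "bits": bits,
        "encoding": encoding,
        "type": ET_NAMES.get(e_type, f"unknown ({e_type})"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown ({e_machine})"),
    }


def needs_i386_compat(header: bytes, host_machine: str) -> bool:
    """True when a 32-bit i386 binary is about to run on an x86-64 host,
    i.e. the libc6:i386 situation described in the thread."""
    info = describe_elf(header)
    return info["bits"] == 32 and info["machine"] == "Intel 80386" and host_machine == "x86_64"


def check_binary(path: str) -> str:
    """Summarise a real file on disk, like `file`, plus the compat hint."""
    with open(path, "rb") as fh:
        header = fh.read(20)
    info = describe_elf(header)
    line = f"{path}: ELF {info['bits']}-bit {info['encoding']} {info['type']}, {info['machine']}"
    if needs_i386_compat(header, platform.machine()):
        line += " (32-bit binary on x86_64: install 32-bit libc, e.g. libc6:i386)"
    return line


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or []:
        print(check_binary(p))
```

Run it as `python3 elfcheck.py ./trafr` to get the same verdict as `file` plus the hint that `dpkg --add-architecture i386` and `libc6:i386` are needed before the "No such file or directory" message goes away.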

Hello

I use it by creating a dummy interface and replaying the TZSP traffic to it with tcpreplay.

modprobe dummy
ip link set name eth10 dev dummy0
ifconfig eth10 192.168.42.42
trafr -s | tcpreplay --topspeed -i eth10 -
python sensor.py
python server.py

and chan chan chan chan... you can use Maltrail using eth10

HTH

M.

Thank you for sharing that, it sounds really good, but I have a problem. I am running under an OpenVZ container and I can't load the dummy module, do you know how I could do it?

modprobe dummy

modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-openvz-042stab120.18-amd64/modules.builtin.bin'
modprobe: FATAL: Module dummy not found.

I tried loading iptables modules, netfilter... no luck.

=======================================================

I tried doing it in a VirtualBox server and I get this:

./trafr -s | tcpreplay --topspeed -i eth10 -

sending out eth10
processing file: -

Fatal Error in tcpreplay.c:replay_file() line 252:
Error opening pcap file: unknown file format


Thanks.
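Two things in this thread fit together: Osman's note that MikroTik "Streaming" sends traffic in the TZSP format (UDP, port 37008 in the first post), and the `truncated dump file` and `unknown file format` errors, which come from Snort and tcpreplay reading a pcap stream on stdin while the pipe carries nothing because `./trafr` was not found. The block below is an added example and not code from the thread, from Maltrail, or from MikroTik's trafr: it listens for TZSP datagrams, strips the TZSP header and writes a standard pcap stream to stdout, so it can take trafr's place in `... | snort -r -` or `... | tcpreplay -i eth10 -`. The constants, function names and the sample datagram used for the self-check are constructed for this example.

```python
import socket
import struct
import sys
import time

TZSP_PORT = 37008            # UDP port the thread shows the router sending to
TZSP_ENCAP_ETHERNET = 1      # TZSP encapsulation code for Ethernet frames
TZSP_TAG_PADDING = 0x00      # single-byte tag, no length field
TZSP_TAG_END = 0x01          # single-byte tag; encapsulated frame follows
TZSP_TYPES_WITH_FRAME = (0, 1)   # 0 = received packet, 1 = packet for transmit
LINKTYPE_ETHERNET = 1        # pcap link type for the written records

# Constructed sample: an Ethernet frame (dst, src, EtherType 0x0800) with a
# 20-byte dummy payload, wrapped in a TZSP v1 "received packet" datagram that
# carries one padding tag and one tagged field (tag 0x12, 4-byte value).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(range(20))
SAMPLE_TZSP = (bytes([1, 0, 0, 1])                 # version, type, encapsulation
               + bytes([TZSP_TAG_PADDING])
               + bytes([0x12, 4, 0, 0, 0, 7])      # tag, length, value
               + bytes([TZSP_TAG_END])
               + SAMPLE_FRAME)


def tzsp_decapsulate(datagram: bytes):
    """Return the Ethernet frame inside a TZSP datagram, or None if the
    datagram is a TZSP message that carries no frame (e.g. keepalive).

    Layout: version(1) type(1) encapsulation(2, big-endian), then tagged
    fields; 0x00 and 0x01 are one-byte tags, every other tag is
    tag(1) length(1) value(length). The frame starts after the end tag.
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    if ptype not in TZSP_TYPES_WITH_FRAME:
        return None
    if encap != TZSP_ENCAP_ETHERNET:
        raise ValueError(f"unsupported TZSP encapsulation {encap}")
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP end tag missing")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        pos += 1 + datagram[pos]      # skip length byte and value
    return datagram[pos:]


def pcap_global_header(snaplen: int = 65535) -> bytes:
    """24-byte libpcap file header: magic, version 2.4, tz 0, sigfigs 0."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(frame: bytes, ts: float = None) -> bytes:
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) + frame."""
    if ts is None:
        ts = time.time()
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def tzsp_to_pcap(datagrams, ts: float = None) -> bytes:
    """Build a complete pcap file from an iterable of TZSP datagrams."""
    out = pcap_global_header()
    for d in datagrams:
        frame = tzsp_decapsulate(d)
        if frame is not None:
            out += pcap_record(frame, ts)
    return out


def receive_to_pcap(out, port: int = TZSP_PORT, bind_addr: str = "0.0.0.0"):
    """Listen for TZSP on UDP `port` and stream pcap to `out` until killed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    out.write(pcap_global_header())
    out.flush()
    while True:
        datagram, _src = sock.recvfrom(65535)
        try:
            frame = tzsp_decapsulate(datagram)
        except ValueError:
            continue          # drop malformed input rather than corrupt the stream
        if frame is not None:
            out.write(pcap_record(frame))
            out.flush()


if __name__ == "__main__":
    receive_to_pcap(sys.stdout.buffer)
```

Used as `python3 tzsp2pcap.py | snort -r -` (or piped into `tcpreplay -i eth10 -` for the dummy-interface setup), the reader on the right side of the pipe gets the 24-byte pcap header it was missing in the failing runs above. Binding UDP 37008 needs no root, and keepalive or config datagrams from the router are skipped instead of being written as bogus frames.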