Mikrotik Router OS / RouterBoard and Snort IDS/IPS

How to send traffic from Mikrotik to Snort

Send all traffic from input and forward chain to Snort

#/ip firewall calea print
/ip firewall calea add action=sniff chain=forward sniff-target=192.168.0.2 sniff-target-port=37008
/ip firewall calea add action=sniff chain=input sniff-target=192.168.0.2 sniff-target-port=37008

How to capture sent traffic
Get trafr

wget http://www.mikrotik.com/download/trafr.tgz

Unpack trafr

tar -zvxf trafr.tgz

On an x64 Linux system, additionally install this package

# CentOS 6.2 x64
yum install glibc.i686
# Ubuntu x64
sudo apt-get install libc6-i386
# Arch Linux x64
pacman -S lib32-glibc

Create an iptables rule on Linux to accept traffic from the RouterBoard

#iptables -L --line-numbers
iptables -I INPUT 13 -p udp --dport 37008 -j ACCEPT -m comment --comment "Accept Sniffed traffic from RouterBoard"

Test if trafr is receiving data

./trafr -s | tcpdump -r - -n

Test if Snort is receiving data

./trafr -s | snort -r -

Copy trafr to the appropriate location

cp trafr /usr/local/bin/

How to start trafr and snort at start-up
Install screen

yum install screen

# attach trafr to screen:
screen -dmS mytrafr /usr/local/bin/trafr
#
# list started screens
screen -list
#
# connect to screen
screen -r mytrafr
#
# destroy screen session
Ctrl+D

Currently not working for me

trafr -s | snort -D -r -

I don't know how to start Snort as a daemon with trafr. Does someone know how to do this?


Related topics
Streaming Server with Snort
Cloning traffic for monitoring
Snort IDS ?
Snort IDS and Mitrotik
anybody got trafr to run on os x?
trafr binary for *bsd?
trafr doesn’t work
New trafr
Using Packet Sniffer with streaming-server
Mirror all traffic from one user to server
CALEA and Remote Log Server
CALEA compliance? Will the packet sniffer tool work?
Post subject: Packet Sniffing with Streaming Goes crazy
Port Mirroring ?
Help dissecting TZSP protocol
interface wireless sniffing
wireless sniffer
IDS snort

Wiki Posts
CALEA
System independent trafr script

Other Resources
MUM_CALEA.pdf

perfect post! thanks! give karma everyone

Hello,


I'm having problems trying to run trafr; is there any other alternative apart from the Perl
script published in the other post?



This is what strace sees while running it; it seems to be a problem at the very
beginning. The system is Arch Linux.

3.2.12-1-ARCH #1 SMP PREEMPT Mon Mar 19 17:50:01 CET 2012 x86_64 Intel(R) Core™ i5 CPU M 460 @ 2.53GHz GenuineIntel GNU/Linux


Strace output.


[root@barbaroja ~]# strace ./trafr
execve("./trafr", ["./trafr"], [/* 26 vars */]) = -1 ENOENT (No such file or directory)
dup(2) = 3
fcntl(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), …}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2ae8437000
lseek(3, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: No such file or di"..., 40strace: exec: No such file or directory
) = 40
close(3) = 0
munmap(0x7f2ae8437000, 4096) = 0
exit_group(1)



Thank you

On x64 Ubuntu:
sudo apt-get install libc6-i386

TangaRUS
Thank you.
Added in the first post.
Any idea how to start trafr with snort at start-up?

On archlinux

pacman -S lib32-glibc

Hello all,

I'm afraid you cannot start Snort as a daemon. At some point after Snort has initialized its attack lists
and other stuff, another thread is launched and that one won't get any data from the Unix command pipe :-(

After some tests with OSSIM and Snort, I'm planning to use a dedicated AP with 9 ports and port-mirroring
rulesets; I couldn't find any good binary or useful app for TZSP.



Javi

I'm afraid you cannot start Snort as a daemon. At some point after Snort has initialized its attack lists
and other stuff, another thread is launched and that one won't get any data from the Unix command pipe :-(

This is right only if Snort is started as a daemon. If Snort is started without the -D switch, it can receive data from the pipe.

In my environment I have a VMware cluster with multiple VMs and I have 2 solutions:

  1. Dedicated port or VLAN on the VMware side with port mirroring on RouterOS.
  2. Send the stream using CALEA.

I will try to make a start-up script using screen.

I have made some tests, and the problem with my configuration (the OSSIM default one) is located in
the preprocessor configuration; if I load the config like this it's OK.

/root/trafr -s | /usr/sbin/snort_eth0 --disable-attribute-reload-thread -m 027 -d -l /var/log/snort -u snort -g snort -r -

But if I add the config file that reflects the preprocessor config, no packets are processed (-c /etc/snort/snort.eth0.conf).
I'll make some tests, but having a look at the cfg, I guess it's related to the preprocessors.


###################################################

This file contains a sample snort configuration.

You should take the following steps to create your own custom configuration:

1) Set the network variables.

2) Configure the decoder

3) Configure the base detection engine

4) Configure dynamic loaded libraries

5) Configure preprocessors

6) Configure output plugins

7) Customize your rule set

8) Customize preprocessor and decoder rule set

9) Customize shared object rule set

###################################################


Is anybody using trafr on OSSIM installations? How?
I'm considering using tcprewrite or some solution like this, but with no modifications
to the headers. At least it's working right now rewriting the packets to loopback,
but with the source and destination set to 127.0.0.1. I've got to figure out if a direct rewrite
with no modifications exists; does anybody know?


Thank you

Here is an open source program I created to take a TZSP stream and save the encapsulated data to a PCAP file. The TZSP protocol is stripped away, making it easy to import this data into many traffic analysis programs such as Wireshark and aircrack.

Edit:

This code is now hosted at Google Code. Please feel free to make changes and support the project.
http://code.google.com/p/tzsp2cap/
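For readers who want to see what trafr and tzsp2cap actually do with the stream that the first post's CALEA rules send to UDP 37008, here is a small TZSP-to-pcap receiver. It is an added example for this thread, not trafr's or tzsp2cap's code, and it assumes the TZSP layout as the protocol defines it: one byte version (1), one byte type, a two-byte encapsulation code, a tag list terminated by tag 0x01 (padding tags 0x00 have no length byte, all others are type/length/value), then the encapsulated frame; the Ethernet encapsulation code (0x0001) is what RouterOS sends for wired sniffing. The pcap writer fixes the link type from the first frame and drops frames of another encapsulation, since one pcap stream can only carry one link type. The `router_ip` argument is a deliberate check: TZSP has no authentication, so the first post's iptables rule, which accepts UDP 37008 from any source, lets anyone who can reach the port feed frames into the IDS; filtering by sender here (or with `-s <router-ip>` in iptables) closes that. Function and file names are my own.

```python
import io
import socket
import struct
import sys
import time

TZSP_PORT = 37008                 # sniff-target-port used in the first post
TAG_PADDING, TAG_END = 0x00, 0x01
PACKET_TYPES = (0, 1)             # received / for-transmit; types 3-5 are control messages
# TZSP encapsulation code -> libpcap link-layer type
ENCAP_TO_LINKTYPE = {0x0001: 1,     # Ethernet (what RouterOS sends for wired sniffing)
                     0x0012: 105,   # IEEE 802.11
                     0x0077: 119,   # Prism header
                     0x007F: 163}   # 802.11 AVS header


class TzspError(ValueError):
    """Truncated or non-TZSP datagram; caught so one bad packet never kills the loop."""


def parse_tzsp(datagram):
    """Return (type, encapsulation, {tag: value}, encapsulated frame)."""
    if len(datagram) < 4:
        raise TzspError("shorter than TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise TzspError("unsupported TZSP version %d" % version)
    tags, pos = {}, 4
    try:                              # tag list: type [len data] ... until END (0x01)
        while datagram[pos] != TAG_END:
            tag, pos = datagram[pos], pos + 1
            if tag == TAG_PADDING:    # padding carries no length byte
                continue
            length, pos = datagram[pos], pos + 1
            tags[tag], pos = datagram[pos:pos + length], pos + length
    except IndexError:                # ran off the end before seeing END
        raise TzspError("truncated tag list") from None
    return msg_type, encap, tags, datagram[pos + 1:]


def pcap_global_header(linktype, snaplen=65535):
    # magic, major, minor, thiszone, sigfigs, snaplen, network (little-endian pcap)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


class TzspPcapWriter:
    """Writes TZSP frames into one pcap stream (a pcap stream has a single link type)."""

    def __init__(self, out):
        self.out, self.linktype = out, None
        self.stats = {"written": 0, "skipped": 0, "malformed": 0}

    def feed(self, datagram, ts):
        try:
            msg_type, encap, _tags, frame = parse_tzsp(datagram)
        except TzspError:
            self.stats["malformed"] += 1
            return False
        linktype = ENCAP_TO_LINKTYPE.get(encap)
        if msg_type not in PACKET_TYPES or linktype is None or not frame:
            self.stats["skipped"] += 1    # keepalive, unknown encapsulation, no frame
            return False
        if self.linktype is None:         # first frame fixes the stream's link type
            self.linktype = linktype
            self.out.write(pcap_global_header(linktype))
        elif linktype != self.linktype:
            self.stats["skipped"] += 1    # mixing link types would corrupt the stream
            return False
        sec = int(ts)                     # record header: ts_sec, ts_usec, incl_len, orig_len
        self.out.write(struct.pack("<IIII", sec, int((ts - sec) * 1_000_000),
                                   len(frame), len(frame)) + frame)
        self.out.flush()                  # keep "snort -r -" fed promptly
        self.stats["written"] += 1
        return True


def datagrams_to_pcap(datagrams):
    """Offline helper: iterable of (datagram, timestamp) -> (pcap bytes, stats)."""
    buf = io.BytesIO()
    writer = TzspPcapWriter(buf)
    for datagram, ts in datagrams:
        writer.feed(datagram, ts)
    return buf.getvalue(), writer.stats


def serve(router_ip, bind="0.0.0.0", port=TZSP_PORT, out=None):
    """Blocking receive loop. TZSP has no authentication, so only datagrams from
    router_ip are accepted; anyone else who can reach the port could inject frames."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    writer = TzspPcapWriter(out or sys.stdout.buffer)
    while True:
        datagram, (src, _sport) = sock.recvfrom(65535)
        if src == router_ip:
            writer.feed(datagram, time.time())


# Constructed sample: TZSP v1, type 0 (received), Ethernet encapsulation, END tag, 60-byte frame
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0c0c0c0c0c0c" "0806") + bytes(46)
SAMPLE_DATAGRAM = bytes([1, 0, 0x00, 0x01, TAG_END]) + SAMPLE_FRAME

if __name__ == "__main__":   # e.g. python3 tzsp2pcap.py <router-ip> | snort -c /etc/snort/snort.conf -r -
    serve(sys.argv[1])
```

Used in place of trafr it slots into the same pipeline as the first post (`python3 tzsp2pcap.py <router-ip> | tcpdump -r - -n` to check, then pipe into `snort -r -` without `-D`, for the reason given later in this thread); the `stats` counters are worth logging, because a rising `malformed` or `skipped` count is the first sign that something other than the router is talking to the port.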

Hi,
I have developed an IDS/IPS system for RouterOS.
It is here : http://sourceforge.net/projects/mt-fw-attack/

You need a linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.

Use Snort’s -r option to read a pcap capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file
You can use the sniffer (trafr) in the background with screen (you said so yourself) and then analyse the files with the -r switch of Snort, but you need a timer script to check for new files created by trafr.

I think Node.js is useful in this scenario; it will make a daemon for you by listening on ports and running your commands.
http://www.nodejs.org/

Hi, Snort releases a package for Windows OS; maybe run the IPS on MikroTik and Windows?

Hello,

Thank you a lot for this topic. With it and the help of Noah Dietrich, from Snort Technology, I'm now able to use Snort with my MikroTik.
I'm using tmux for launching the commands.
As my Snort VM uses Ubuntu, this is the command I'm using: sudo trafr -s |sudo snort -c /etc/snort/snort.conf -l /var/log/snort/ -r - -A console
Snort is not daemonized anymore, as recommended in the topic.

I still have a question: does Barnyard2 need to be launched manually, like Snort? Each time I launch it via systemd, Barnyard stops working after an undefined time (could be 1 hour, but could be less).

Thank you,

Vincent

EDIT : 284 000+ events filled in my database, Snorby seems to being stuck, even if Snort and Barnyard are still running.

Hi, I configured (correctly, I think) this IDS/IPS: https://sourceforge.net/projects/mt-fw-attack/

But I can't test whether it works or not; how could I do it? Any test?

Thanks.