Snort / Packet sniffing / NIDSing

I want to run an IDS 24/7. I am using tzsp2pcap to pull in the stream from the router packet sniffer. I'm then using SnortALog to generate reports via Cron. This is working pretty well so far. This is my first attempt at doing this. Is this the best way to do a NIDS with MikroTik?

Do I need to put a script to start the packet sniffer each time the router boots?

Do I need the CALEA pkg if I am just streaming?

What do you use for NIDS?

I've noticed that the vast majority of traffic does not get sniffed.

Packets that are processed with hardware offloading enabled bridge will also not be visible.

https://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer

So Fasttrack, Fast Path and Fast Forward all cause a bypass of the packet sniffer tool? So these packets also bypass CALEA?

Just asking this again...

So Fasttrack, Fast Path and Fast Forward all cause a bypass of the packet sniffer tool? So these packets also bypass CALEA?

So no one has any experience with this tool then?

( crickets chirping )

Well OK, I will let you know what I have experienced so far. Seems to work great. I've had no issues. Snort is running and the router packet sniffer is set to feed all the interfaces to it except the one feeding the FreeBSD server running Snort. You gotta exclude that port or a feedback loop is created.

I assume it is not forwarding packets that are hardware accelerated. This is an obvious issue and I will disable it and see if traffic changes...
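The decapsulation step tzsp2pcap performs for the setup described above (strip the TZSP header the router's sniffer wraps around each frame, hand Snort plain pcap), as an added example in Python that is not tzsp2pcap's or the thread's code; the TZSP datagram is constructed and the tag value in it is arbitrary.

```python
"""TZSP decapsulation and pcap framing, the work tzsp2pcap does between the
MikroTik sniffer stream and Snort. Added example, not tzsp2pcap's own code."""
import struct

TZSP_ENCAP_ETHERNET = 0x0001
TAG_PADDING, TAG_END = 0x00, 0x01


def tzsp_payload(datagram: bytes) -> bytes:
    """Return the encapsulated Ethernet frame from one TZSP UDP datagram."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, _msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != TZSP_ENCAP_ETHERNET:
        raise ValueError(f"unsupported TZSP version={version} encap={encap:#06x}")
    pos = 4
    # Tag list: PADDING and END are single bytes; every other tag is type, length, value.
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list has no END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("TZSP tag length byte missing")
        pos += 1 + datagram[pos]
    return datagram[pos:]


def pcap_file(frames, snaplen=65535) -> bytes:
    """Wrap (timestamp, frame) pairs in a classic pcap file (link type 1, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out


# Constructed sample: TZSP v1, type 0, Ethernet; one tagged field (tag 0x29, 2 bytes),
# a PADDING byte, END, then a 34-byte Ethernet/IPv4 frame (header bytes only).
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800" "45") + b"\x00" * 19
SAMPLE_TZSP = bytes([1, 0, 0x00, 0x01, 0x29, 2, 0x00, len(SAMPLE_FRAME), 0x00, 0x01]) + SAMPLE_FRAME

if __name__ == "__main__":
    with open("sniffer.pcap", "wb") as fh:
        fh.write(pcap_file([(1.5, tzsp_payload(SAMPLE_TZSP))]))
```

Pointing the same loop at a UDP socket bound to the sniffer's streaming port (and excluding the Snort host's port from the sniffer, as the post notes) is the whole of the feed.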

Hmmm… Looking at the fasttrack wiki it states if I have sniffer running fasttrack is disabled.

I start the sniffer on startup with a script. Doing so seems to leave fasttrack running AND packet sniffer running...

If I then stop and then start manually then fasttrack is disabled.

So having fasttrack start with a script on startup DOES NOT SEEM to disable fasttrack and also provides an output from packet sniffer...

See pic.. Note packet sniffer is running and notice fasttrack is enabled.

Hey

When packet sniffer is used, Fast Path is suspended, so that should be the reason for lack of packets:
“sniffer, torch and traffic generator is not running;” → https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_handler

Fast path / track being enabled is just a flag / toggle: allow it or not. Whether it's actually used will depend on factors, such as if sniffer is running.
Also note that switched and hardware bridged traffic will not be seen by the router either.

In the above pic, and in the packet stream, I can start up packet sniffer at start up and KEEP fasttrack running. As shown in the example pic. This seems wrong. It produces less packets.

If I then stop and then start packet sniffer the indicator for fasttrack goes off and I get a higher level of traffic sniffed.

Maybe a “race” condition on start-up. Try to adjust the scheduler with an initial delay before sniffer start:

:delay 5
/tool sniffer start