I am trying to get Mikrotik Rb2011 to work with Security Onion IDS without having to use port mirroring.
trafr should do it but I am running into a problem getting it to work.
I have followed the article from Rob Penz but it is for Suricata alone, and SOnion has a slightly different than standard Suricata setup, but it shouldnt matter too much.
http://robert.penz.name/849/howto-setup-a-mikrotik-routeros-with-suricata-as-ids/
where I have got to in testing it is that I run the following process from command line on SO. I thought it was working but apparently not as I have not collected any data today that relates to the network according to the Sguil and ELSA logs, but I am certain the sniffed data is arriving successfully.
sudo trafr -s | sudo suricata -c /etc/nsm/testonion-eth1/suricata.yaml --pfring=eth1 -l /nsm/sensor_data/testonion-eth1
I have not yet been able to really confirm if the tzsp is actually being stripped from the header by trafr in this process. The above line runs ok, and I can see trafr and suricata processes and I can see logs being created, but they are full of symbols which is odd. I thought they should be readable.
if anyone has succeeded in getting SOnion working in this way would appreciate knowing how you did it. If I find out I will add it in here.