The subject is slightly misleading. Desired behavior (feel free to attack the logic of my desired behavior BTW):
If one of our desktops is attempting too much outbound SMB traffic, I want to quarantine it from the Internet.
Unfortunately, malformed URLs in HTML can lead to accidental SMB traffic (i.e. “google” will because the http/https is missing).
I therefore was hoping to write some rules that say, “If we see more than ‘x’ packets in ‘y’ time occurring from ‘z’ internal IP address, add the IP to the quarantine.”
This is what I am using:
/ip firewall filter
add action=log chain=forwardFromPrivate \
    comment="Allow some SMB traffic from non-servers without penalty" disabled=no \
    dst-address-list=!local-addr dst-port=445 in-interface=Private \
    log-prefix="warn SMB out" protocol=tcp
add action=drop chain=forwardFromPrivate comment="" disabled=no \
    dst-address-list=!local-addr dst-limit=1/1m,2,src-and-dst-addresses/1m \
    dst-port=445 in-interface=Private protocol=tcp
add action=log chain=forwardFromPrivate \
    comment="Log and quarantine excessive outbound Windows SMB traffic from non-servers" \
    disabled=no dst-address-list=!local-addr dst-port=445 in-interface=Private \
    log-prefix=ATTACKING protocol=tcp
add action=add-src-to-address-list address-list=Infected address-list-timeout=1d \
    chain=forwardFromPrivate comment="" disabled=no dst-address-list=!local-addr \
    dst-port=445 in-interface=Private protocol=tcp
add action=drop chain=forwardFromPrivate comment="Drop infected traffic" \
    disabled=no src-address-list=Infected
This seems to be working for pairs of internal/external IPs, but ideally, I’d like the rule/counts to apply to just internal IPs.
This works if a single internal IP makes too many SMB connections to a single external IP, but I really want the rule to work if a single internal IP makes too many SMB connections to external IP addresses, period (i.e. if it is effectively scanning for open SMB / exhibiting behavior indicating that it is being used to attack/probe machines).
I’m trying to understand what the dst-limit limit-by options mean. They don’t even seem to be documented here:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
I saw an example of someone doing something similar, but they used Connection Limits and Limits.
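Added example, not the original poster's config: the same quarantine chain, but with the dst-limit bucket keyed on the internal source address only. The dst-limit matcher takes `count[/time],burst,mode[/expire]` and matches packets while the rate for a given key has not been exceeded; packets over the rate do not match and fall through to the next rule. The mode chooses the key: `src-address`, `dst-address`, `dst-address-and-port`, `addresses-and-dst-port`, or `src-and-dst-addresses` (the one the post uses, which is why the count is per internal/external pair). The interface name `Private`, chain `forwardFromPrivate`, and address lists `local-addr` and `Infected` are taken from the post; the thresholds (5 new SMB connections per minute with a burst of 10) are made-up values to tune to your own network.

```routeros
# Added example (not the original poster's rules). Assumed from the post:
# interface "Private", chain "forwardFromPrivate", address lists "local-addr"
# and "Infected". The 5/1m rate and burst of 10 are illustrative values.
/ip firewall filter

# 1. Already-quarantined hosts get nothing forwarded. Putting this first means
#    the per-packet rules below never see (or log) their traffic.
add chain=forwardFromPrivate comment="Drop quarantined hosts" \
    src-address-list=Infected action=drop

# 2. Token bucket keyed on the internal address only.
#    dst-limit = count[/time],burst,mode[/expire]
#      5/1m          up to 5 matching packets per minute for each key
#      10            initial burst allowed before the rate applies
#      src-address   key = internal IP only (the post's src-and-dst-addresses
#                    gives every internal/external pair its own bucket)
#      /1m           a key with no packets for 1 minute is forgotten
#    connection-state=new counts connection attempts rather than every packet
#    of an established session, so one long file copy is not mistaken for a scan.
#    Outbound SMB is still dropped here; "within limit" only means no quarantine.
add chain=forwardFromPrivate comment="Tolerated outbound SMB (still blocked)" \
    in-interface=Private protocol=tcp dst-port=445 connection-state=new \
    dst-address-list=!local-addr \
    dst-limit=5/1m,10,src-address/1m \
    action=drop

# 3. Anything reaching here exceeded the per-host rate: log it, then
#    quarantine the source for a day.
add chain=forwardFromPrivate comment="Log excessive outbound SMB" \
    in-interface=Private protocol=tcp dst-port=445 connection-state=new \
    dst-address-list=!local-addr \
    action=log log-prefix="ATTACKING"
add chain=forwardFromPrivate comment="Quarantine SMB scanner" \
    in-interface=Private protocol=tcp dst-port=445 connection-state=new \
    dst-address-list=!local-addr \
    action=add-src-to-address-list address-list=Infected address-list-timeout=1d
```

Two things to keep in mind when tuning the numbers. A silently dropped SYN is retransmitted by the client, and each retransmission is still `connection-state=new`, so a single accidental SMB attempt can consume three or four tokens; if that makes the threshold too twitchy, `action=reject reject-with=tcp-reset` in rule 2 ends the attempt on the client side and stops the retries. Also, the original chain's first rule logs every outbound port 445 packet before any limit is applied, which on a busy LAN fills the log quickly; in the ordering above only the over-limit traffic is logged.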