aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:09 am

Hi, I'm trying to enable notifications via email to my account, but I have been reading and reading and I haven't had any luck. I use postfix and I'm trying to send to a server with TLS (I created a sasl file in postfix with the login details).
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have the Mikrotik enabled with logs and I receive some emails when the router drops something, but I would like to get emails too. Is it possible?

Thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:20 am

There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:28 am

I added that option; in the rule I marked "Log" and I receive emails when the Mikrotik blocks, but I would like an email from Suricata if it blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (no cause, no rule ID, etc.)
Here is an example (the body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 11:44 am

Check the update to suricata_block.php that I just made. :)
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 1:49 pm

Thanks! It's a very useful email :D :D
I have to change some values on my mail server because I'm using TLS on 587, but I will let you know when it's done and working fine.

Thanks again for your job.
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 2:51 pm


I have a little problem: when does the event notification turn on? If I use mail -s "test" xxxx@hotmail.com from the shell I get it, but not with the script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 3:02 pm


Check these settings in php.ini:

http://php.net/manual/en/mail.configuration.php
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 8:28 am


I got a test successfully, but I don't receive emails from the script suricata-block. How could I debug it more? I have alerts in Snorby for which I think I should have an email from the script.

Here is my test.php, from which I receive alerts:
<?php
$to = "mydomain@mydomain.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: mydomain@mydomain.com" . "\r\n" .
"CC: mydomain@mydomain.com";

mail($to,$subject,$txt,$headers);
?>
Thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 8:33 am


Did you update suricata_block.php with the new one? That is the same code as in suricata_block.
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 9:26 am


Solved! I use Debian and I had to declare the variable first with this:

$email_alert = true;

Now I receive emails from alerts. Thanks!
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri May 05, 2017 2:12 pm

Hi again Tomfisk, I have a little question about OSSEC. My Mikrotik never receives any entry from OSSEC. I think that OSSEC isn't adding any info to SQL, because I have logs in the script and all is empty. How could I debug it?
I have logs with info, such as
/etc/ossec/logs/active-responses.log
Here is an example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting a blank result and for that reason the Mikrotik doesn't add any rule; here is the output of executing the script:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat May 06, 2017 5:37 am

Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in the line that triggered the active response.
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 09, 2017 1:06 pm

Sorry for the late reply. Here is an example from alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 09, 2017 3:34 pm

If that is the actual contents of the log, "192.168.X.X", then the reason it is failing is that the script can't find a full IP address.
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 8:40 am

Uhmm, so I understand that it works fine; when an event occurs the script will get the full IP, I understand, right?

Thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 8:57 am

Yes, if the event from the log file contains the full IP address, it works.
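An added example, not the thread's mikrotik-fw.sh: a POSIX sh version of the lookup step under discussion, which locates the alert block in alerts.log by its full id, takes the triggering log line (the last line of the block, as the `tail -n1` in the trace above does) and refuses to act when that line carries no complete IPv4 address. The alerts.log sample, hostnames and rule numbers are constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's mikrotik-fw.sh: resolve the address an OSSEC
# active response should block, or refuse when the alert has no complete IPv4.
# OSSEC calls active-response scripts as: script ACTION USER IP ALERTID RULEID.
# Assumed alerts.log layout: "** Alert <id>: ..." then the alert lines, then a
# blank line, as in the thread.

# Write a constructed alerts.log sample to $1. The first alert carries a full
# address in its triggering line; the second (the thread's case) does not.
write_sample_alerts() {
    cat > "$1" <<'EOF'
** Alert 1494324300.100000: mail - syslog,sshd,authentication_failed,
2017 May 09 12:05:00 (mail.example.com) 192.168.3.2->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
May 9 12:04:58 mail sshd[10702]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.example.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

EOF
}

# Print the lines of the alert whose id is exactly $2, from alerts file $1.
# The id is anchored and its dot escaped, so the empty-pattern sed error from
# the trace (an unset ALERTID) and prefix matches cannot happen here.
alert_block() {
    id_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "/^\*\* Alert ${id_re}:/,/^\$/{/^\$/!p;}" "$1"
}

# Return 0 only for a complete dotted quad with every octet in 0..255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the address to block for alert id $2 in file $1 and return 0.
# Return 1, with a diagnostic on stderr, when no usable address exists, so the
# caller never sends an empty or partial address to the router.
block_target() {
    alerts=$1; alertid=$2
    if [ -z "$alertid" ]; then
        echo "no alert id supplied; nothing to look up" >&2
        return 1
    fi
    # The triggering log line is the last line of the alert block.
    logline=$(alert_block "$alerts" "$alertid" | tail -n 1)
    ip=$(printf '%s\n' "$logline" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    if ! valid_ipv4 "$ip"; then
        echo "alert $alertid: no complete IPv4 address in: $logline" >&2
        return 1
    fi
    printf '%s\n' "$ip"
}

# Stand-alone run over the constructed sample.
demo_file=$(mktemp)
write_sample_alerts "$demo_file"
for id in 1494324300.100000 1494324377.869344; do
    if ip=$(block_target "$demo_file" "$id" 2>/dev/null); then
        echo "alert $id -> block $ip"
    else
        echo "alert $id -> skipped, no usable address"
    fi
done
rm -f "$demo_file"
```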
 
aarango
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 11:57 am


Nice! So I feel calmer without seeing attackers :)

What will your next update be? I'll wait for it to test it :D

Thanks (one more time).
 
lorenzo95
just joined
Posts: 3
Joined: Fri May 29, 2015 8:02 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon May 29, 2017 2:04 am

Wow, this is fantastic :) . A great way to do it without having to use an inline IPS.
Just one question: can we do it without snorby? Could you maybe provide a full sql schema instead of just your additions for barnyard to write to?

I usually use suricata with evebox (json api) so I was just trying to think of a way to use this solution without having to install ruby and such.

Edit: would this schema work when imported into a database named snorby?
https://github.com/firnsy/barnyard2/blo ... eate_mysql

Thanks
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon May 29, 2017 10:41 am

Yes. I use Suricata as well so as long as the alerts get moved into the snorby structure using barnyard2 all should be good. And yes, adding the database structure you linked to is what is needed.

Tom
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 12:44 pm

Hi,

Tried to implement this solution. I use Ubuntu 16.04 with mysql 5.7.18. When I put a trigger in place I get this while loading barnyard2:

ERROR: database mysql_error: Unknown column 'event.id' in 'field list'
SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,2211,3232235876,3109214298,4,5,0,44,12662,0,0,64,17,46481);]
Fatal Error, Quitting..
Without a trigger my events are exporting fine. It seems my DB cannot handle the nested query. Any ideas what is wrong?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 3:09 pm

Can you check the definition of the event table in the database?
show columns from event;
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 5:28 pm

+-----------+------------------+------+-----+---------+-------+
| Field     | Type             | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid       | int(10) unsigned | NO   | PRI | NULL    |       |
| cid       | int(10) unsigned | NO   | PRI | NULL    |       |
| signature | int(10) unsigned | NO   | MUL | NULL    |       |
| timestamp | datetime         | NO   | MUL | NULL    |       |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.00 sec)
It was created using the schema in the barnyard2 repository.
 
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 7:23 pm

Hey guys, I am stuck on the whole Database Trigger part. Whenever I try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still I got the same error.

I am really eager to try this as it seems fairly interesting,

Thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:38 am

OK, that doesn't match the snort/snorby schema. I've included the snort/snorby schema in the post. Create the database with that schema and all should be good.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:41 am

Does my reply from Mon Feb 27, 2017 10:44 am help?
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 12:33 pm

Try changing the delimiter:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  -- Find the event row this iphdr row belongs to (same sid/cid).
  -- event.id exists in the snort/snorby schema, not in the plain barnyard2 one.
  SELECT event.id, event.signature, event.timestamp
    INTO this_event, this_event_signature, this_event_timestamp
    FROM event
    WHERE event.sid = NEW.sid AND event.cid = NEW.cid;
  -- Resolve the signature that fired.
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
    INTO this_sig, this_sig_gid, this_sig_name
    FROM signature
    WHERE signature.sig_id = this_event_signature;
  -- Is this signature on the block list, and which side should be blocked?
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
    INTO interested, direction, timeout
    FROM sigs_to_block
    WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
    IF (direction = "src") THEN
      -- inet_ntoa turns the numeric address stored by barnyard2 into dotted quad.
      INSERT INTO block_queue
        SET que_ip_adr = inet_ntoa(NEW.ip_src),
            que_timeout = timeout,
            que_sig_name = this_sig_name,
            que_sig_gid = this_sig_gid,
            que_sig_sid = this_sig,
            que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
        SET que_ip_adr = inet_ntoa(NEW.ip_dst),
            que_timeout = timeout,
            que_sig_name = this_sig_name,
            que_sig_gid = this_sig_gid,
            que_sig_sid = this_sig,
            que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Last edited by rapiertg on Tue Jun 06, 2017 3:39 pm, edited 1 time in total.
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 2:26 pm

OK, new records are added to the firewall's access list. One issue with it is that they are added as unsigned longs. Somehow they are not converted to addresses.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 2:44 pm

OK, new records are added to the firewall's access list. One issue with it is that they are added as unsigned longs. Somehow they are not converted to addresses.
Check the records in the block_queue table. They should be populated with IPv4 addresses. They are converted from numeric to IPv4 addresses by the trigger with the inet_ntoa function.
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 3:56 pm

Hey guys, I am stuck on the whole Database Trigger part. Whenever I try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still I got the same error.

I am really eager to try this as it seems fairly interesting.

Thanks!
error.JPG
Does my reply from Mon Feb 27, 2017 10:44 am help?
Try changing the delimiter:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Thanks for the reply! I tried this and got a new error:
ERROR 1054 (42S22) at line 2: Unknown column 'sid' in 'NEW'
Also tomfisk, I tried adding it straight to the triggers tab in phpMyAdmin, but I get the same error that is presented on the command line. I think it may have something to do with the iphdr table. Is there anything specific I have to do with that to get it to work?

Thanks guys!
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:31 pm

OK, new records are added to the firewall's access list. One issue with it is that they are added as unsigned longs. Somehow they are not converted to addresses.
Check the records in the block_queue table. They should be populated with IPv4 addresses. They are converted from numeric to IPv4 addresses by the trigger with the inet_ntoa function.
Working great. Somehow I had maximan's trigger instead of yours, which handles the conversion elsewhere. Thanks!
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 8:38 pm

I figured out my mistake, sorry guys, I'm kinda stupid lol, I had to install barnyard2... -_-
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 11:38 pm

Hey Tom, I think there is an issue with the routeros_api.class.php file I got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros- ... .class.php and when I run it, I get errors such as:
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 332
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 339
PHP Warning:  fread() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 255
PHP Warning:  socket_get_status() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 302
PHP Notice:  Undefined offset: 0 in /usr/local/bin/suricata_block.php on line 125
Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jun 07, 2017 5:05 am

Hey Tom, I think there is an issue with the routeros_api.class.php file I got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros- ... .class.php and when I run it, I get errors such as:
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 332
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 339
PHP Warning:  fread() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 255
PHP Warning:  socket_get_status() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 302
PHP Notice:  Undefined offset: 0 in /usr/local/bin/suricata_block.php on line 125
Thanks!
Here's the comment block at the top of my routeros_api.class.php file and my reference for the file is https://github.com/BenMenking/routeros- ... master.zip
/*****************************
 *
 * RouterOS PHP API class v1.6
 * Author: Denis Basta
 * Contributors:
 *    Nick Barnes
 *    Ben Menking (ben [at] infotechsc [dot] com)
 *    Jeremy Jefferson (http://jeremyj.com)
 *    Cristian Deluxe (djcristiandeluxe [at] gmail [dot] com)
 *    Mikhail Moskalev (mmv.rus [at] gmail [dot] com)
 *
 * http://www.mikrotik.com
 * http://wiki.mikrotik.com/wiki/API_PHP_class
 *
 ******************************/
 
SystemErrorMessage
Member
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 8:39 am

This looks like one of the things I've been searching for; however, I would like to know how much CPU is needed for this. Would a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible, and my routerboard has a USB port which can power it.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 9:17 am

This looks like one of the things I've been searching for; however, I would like to know how much CPU is needed for this. Would a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible, and my routerboard has a USB port which can power it.
When it comes to running suricata it really depends on your traffic mix. If you have lots of users on your network then you'll have more unique sessions to keep track of. In general, the more memory you have available, the better off you will be. I'm running on a quad core ARM A9 with gigabit ethernet (4gb memory) with loads peaking around 200mbs and with typically less than 100 sessions. The A17 is supposed to be 60% higher performance. So I'd give it a qualified "yes" if you have the memory to support your sessions. There is an entire chapter on suricata performance in their documentation which might be worth a read: http://suricata.readthedocs.io/en/lates ... index.html
 
SystemErrorMessage
Member
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 3:30 pm

This looks like one of the things I've been searching for; however, I would like to know how much CPU is needed for this. Would a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible, and my routerboard has a USB port which can power it.
When it comes to running suricata it really depends on your traffic mix. If you have lots of users on your network then you'll have more unique sessions to keep track of. In general, the more memory you have available, the better off you will be. I'm running on a quad core ARM A9 with gigabit ethernet (4gb memory) with loads peaking around 200mbs and with typically less than 100 sessions. The A17 is supposed to be 60% higher performance. So I'd give it a qualified "yes" if you have the memory to support your sessions. There is an entire chapter on suricata performance in their documentation which might be worth a read: http://suricata.readthedocs.io/en/lates ... index.html
Thanks, so basically it's all down to how many thousands of torrent connections I want to be able to support for memory usage, or how many FPS gamers there'll be on the network (a lot of FPS games send many minimal-sized packets) for CPU usage. I might need a better machine.
 
Guram
just joined
Posts: 1
Joined: Tue Jul 04, 2017 2:09 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jul 04, 2017 2:17 pm

Hello, I'm trying to implement this, but I don't know how to test whether it works or not. Please help me!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jul 04, 2017 2:56 pm

Hello, I'm trying to implement this, but I don't know how to test whether it works or not. Please help me!
There are several tutorials on testing the alerts on Suricata. For example, look at paragraph 1.5 of this tutorial to test if the rules are firing.

https://web.nsrc.org/workshops/2015/pac ... g-test.htm
 
Percanta
newbie
Posts: 39
Joined: Tue Feb 24, 2009 1:00 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 10, 2017 5:48 pm

Good day
Thank you for sharing this , my comments:
Looking at the blocked IPs (public), I notice that most of the time they are caused by the same clients (private IPs), so I decided not to send this traffic to Suricata again during the block time. I stopped the packet sniffer and use mangle instead:
/ip fi ma
add action=sniff-tzsp out-interface=LAN chain=forward sniff-target=172.18.1.4 sniff-target-port=37008 src-address-list=!Blocked

Maybe it'd be great to have the LAN IP in the comment of the address list and/or in Telegram. I know I could search for it on the Snorby web UI, but it'd be more practical like this:
/ip firewall address-list> pr wh list =Blocked
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 D ;;; From suricata, ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397 => 1:2522792 => event timestamp: 2017-08-10 08:28:38, Address=192.168.X.X
Blocked 46.28.110.244 aug/10/2017 13:28:41 3m12s

I've added this to mikrotik-fw.sh to send a Telegram message (OSSEC active response):
rm $tmpfile
curl --data chat_id=-0000000 --data-urlencode "text="'"'"OSSEC HIDS >> $LOGLINE"'"'", Timeout 23:59:59" https://api.telegram.org/bot00000:ewrj4lrjlrkj5lwrfwjrj5/sendMessage
Regards
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Aug 14, 2017 6:08 am

Thanks for your comments Percanta. I will look at adding in the IP of the internal source/destination to the comment.

Tom
 
Percanta
newbie
Posts: 39
Joined: Tue Feb 24, 2009 1:00 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Aug 14, 2017 4:48 pm

Good day
I've made this:
added a new column to the block_queue table
ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL;
modified the trigger:
                         
....
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_src,
          que_ip_adrlan = NEW.ip_dst,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_dst,
          que_ip_adrlan = NEW.ip_src,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Now we can use the other IP address, for example:
$API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow['que_ip_adrlan'] . ", " . $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
Tom, I have a doubt: how did you choose the 20 signatures to block?? I see around 1000 in the signature table :lol: :lol: :lol: , or where can I get info about how to choose them? Thank you

regards
 
User avatar
otgooneo
Trainer
Trainer
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Aug 15, 2017 5:07 am

Sorry for being lazy. But does anyone have a pre-configured image that can be installed and then only needs minor configuration changes like IP address, username and password?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Aug 15, 2017 5:18 am

Good day
I've made this:
added a new column to the block_queue table
ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL;
modified the trigger:
                         
....
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_src,
          que_ip_adrlan = NEW.ip_dst,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_dst,
          que_ip_adrlan = NEW.ip_src,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Now we can use the other IP address, for example:
$API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow['que_ip_adrlan'] . ", " . $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
Tom, I have a doubt: how did you choose the 20 signatures to block?? I see around 1000 in the signature table :lol: :lol: :lol: , or where can I get info about how to choose them? Thank you

regards
Thanks for the code updates Percanta!

With regard to the number of signatures I block...this is on a home "lab" network so instead of blocking all activity, I wait to see what activity is coming in and then block specific signatures or blocks of signatures. If this was on a corporate network, I would take the other approach...block every signature and then look at excluding specific activity that is valid.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 23, 2017 2:40 pm

A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes keeps increasing without old processes being killed; is there a way to kill old processes automatically?

Normally, each week I stop the daemon and restart everything.

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 7:31 am

In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes keeps increasing without old processes being killed; is there a way to kill old processes automatically?

Normally, each week I stop the daemon and restart everything.

Thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 12:22 pm

In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes keeps increasing without old processes being killed; is there a way to kill old processes automatically?

Normally, each week I stop the daemon and restart everything.

Thanks!
Yes, it can help. Afterwards, do you start the process again with a particular script or with the normal script?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 12:29 pm

I do it in my oinkupdate.sh script.
#!/bin/bash
/usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules
chown snort:snort /etc/suricata/rules/*
pkill -USR2 -u snort -f /usr/bin/suricata
/etc/init.d/aanval restart
/etc/init.d/barnyard2 stop
sleep 5
/etc/init.d/barnyard2 start
In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes keeps increasing without old processes being killed; is there a way to kill old processes automatically?

Normally, each week I stop the daemon and restart everything.

Thanks!
Yes, it can help. Afterwards, do you start the process again with a particular script or with the normal script?

Thanks.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 1:42 pm

I do it in my oinkupdate.sh script.
#!/bin/bash
/usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules
chown snort:snort /etc/suricata/rules/*
pkill -USR2 -u snort -f /usr/bin/suricata
/etc/init.d/aanval restart
/etc/init.d/barnyard2 stop
sleep 5
/etc/init.d/barnyard2 start
In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes keeps increasing without old processes being killed; is there a way to kill old processes automatically?

Normally, each week I stop the daemon and restart everything.

Thanks!
Yes, it can help. Afterwards, do you start the process again with a particular script or with the normal script?

Thanks.
Good idea, done too :) thanks!
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 12:46 pm

I really need help, please!
Everything was done step by step.
After creating the sigs_to_block table and the TRIGGER, barnyard2 stopped writing to the database.
It ends with an error:
Aug 30 11:43:14 sv-ips-01 barnyard2: FATAL ERROR: database mysql_error: In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'snorby.sigs_to_block.src_or_dst'; this is incompatible with sql_mode=only_full_group_by#012#011SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,22527,1539234099,3274620322,4,5,0,45,0,0,0,0,6,1289);]
OK.
I turned on the desired mode in MySQL:
mysql> select @@sql_mode;
+------------------------+
| @@sql_mode             |
+------------------------+
| NO_ENGINE_SUBSTITUTION |
+------------------------+
1 row in set (0,00 sec)
It did not help!
How to fix it?
What's my mistake?
There are no answers on the Internet ...
Help me please!
OS: Ubuntu 16.04.3 AMD64
Barnyard2 Version 2.1.14 (Build 337)
As I understand it, the trigger is not working properly...
I created the trigger like this:
mysql -u root -p snorby < trigger_code.sql
trigger_code.sql:
DELIMITER ;;
                      CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
                      BEGIN
                        DECLARE this_event INT(11) default 0;
                        DECLARE this_event_signature INT(10) default 0;
                        DECLARE this_event_timestamp TIMESTAMP;
                        DECLARE this_sig INT(10) default 0;
                        DECLARE this_sig_name VARCHAR(256) default "";
                        DECLARE this_sig_gid INT(10) default 0;
                        DECLARE timeout VARCHAR(12) default "";
                        DECLARE interested INT default 0;
                        DECLARE direction VARCHAR(3) default "";
                        DECLARE ip_src VARCHAR(64) default "";
                        DECLARE ip_dst VARCHAR(64) default "";
                        SELECT event.id, event.signature, event.timestamp
                        INTO this_event, this_event_signature, this_event_timestamp
                        FROM event
                        WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
                        SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
                        INTO this_sig, this_sig_gid, this_sig_name
                        FROM signature
                        WHERE signature.sig_id = this_event_signature;
                        SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
                        INTO interested, direction, timeout
                        FROM sigs_to_block
                        WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
                        IF (interested > 0) THEN
                         IF (direction = "src") THEN
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_src,
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          ELSE
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_dst,
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          END IF;
                        END IF;
                      END;;
DELIMITER ;
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 2:33 pm

OK.
I dropped the trigger:
mysql> use snorby;
mysql> drop trigger `after_iphdr_insert`;
and ran barnyard2.
Everything is great. It works!
Aug 30 14:22:47 sv-ips-01 barnyard2:         --== Initialization Complete ==--
Aug 30 14:22:47 sv-ips-01 barnyard2: Barnyard2 initialization completed successfully (pid=11329)
Aug 30 14:22:47 sv-ips-01 barnyard2: Using waldo file '/var/log/suricata/suricata.waldo':#012    spool directory = /var/log/suricata/#012
Aug 30 14:22:47 sv-ips-01 barnyard2: Opened spool file '/var/log/suricata//unified2.alert.1504074207'
......
Aug 30 14:25:08 sv-ips-01 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 2633] with [gid: 1] [sid: 2522988] [rev: 3068] [classif...
Aug 30 14:30:26 sv-ips-01 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 2685] with [gid: 1] [sid: 2403336] [rev: 3794] [classif...
What's wrong with the trigger?
How should its code be written correctly?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 2:51 pm

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following:
  1. sudo nano /etc/mysql/my.cnf
  2. Add this to the end of the file
    [mysqld]  
    sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. sudo service mysql restart to restart MySQL
I really need help, please!
Everything was done step by step.
After creating the sigs_to_block table and the TRIGGER, barnyard2 stopped writing to the database.
It ends with an error:
Aug 30 11:43:14 sv-ips-01 barnyard2: FATAL ERROR: database mysql_error: In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'snorby.sigs_to_block.src_or_dst'; this is incompatible with sql_mode=only_full_group_by#012#011SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,22527,1539234099,3274620322,4,5,0,45,0,0,0,0,6,1289);]
OK.
I turned on the desired mode in MySQL:
mysql> select @@sql_mode;
+------------------------+
| @@sql_mode             |
+------------------------+
| NO_ENGINE_SUBSTITUTION |
+------------------------+
1 row in set (0,00 sec)
It did not help!
How to fix it?
What's my mistake?
There are no answers on the Internet ...
Help me please!
OS: Ubuntu 16.04.3 AMD64
Barnyard2 Version 2.1.14 (Build 337)
As I understand it, the trigger is not working properly...
I created the trigger like this:
mysql -u root -p snorby < trigger_code.sql
trigger_code.sql:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
    IF (direction = "src") THEN
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_src,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_dst,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:25 pm

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following:
  1. sudo nano /etc/mysql/my.cnf
  2. Add this to the end of the file
    [mysqld]  
    sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. sudo service mysql restart to restart MySQL
OK.
I did everything as you wrote.
mysql> select @@sql_mode;
+------------------------------------------------------------------------------------------------------------------------+
| @@sql_mode                                                                                                             |
+------------------------------------------------------------------------------------------------------------------------+
| STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
+------------------------------------------------------------------------------------------------------------------------+
1 row in set (0,00 sec)
I create a trigger again:
mysql -u root -p snorby < trigger_code.sql
And run barnyard2...
.......
HM
......
And it does not crash!
It turns out the trigger should be added only after the mode is set:
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
Note:
On Ubuntu the settings file is at the path:
/etc/mysql/mysql.conf.d/mysqld.cnf
Let's see the created Trigger:
mysql> use snorby;
mysql> SHOW TRIGGERS

| after_iphdr_insert | INSERT | iphdr | BEGIN
....
END | AFTER  | 2017-08-30 15:04:14.71 | STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION | root@localhost | utf8                 | utf8_general_ci      | utf8_unicode_ci
The trigger should be created only after MySQL has been configured...

Thank you!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:44 pm

Excellent! Glad it worked!
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:59 pm

It's me again ...
I run suricata_block.php from the command line:
php -f /usr/bin/suricata_block.php
It gives me this in the console:
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
Is this normal? Or am I wrong again somewhere?
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 4:05 pm

suricata_block.php adds the following addresses to MikroTik:
But it's not right!
Image
How to fix?
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 5:01 pm

suricata_block.php adds the following addresses to MikroTik:
But it's not right!
Image
How to fix?
I solved it myself.
I did not use the correct trigger.
The correct trigger (the contents of the trigger_code.sql file):
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Image
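An added example (my code, not tomfisk's and not part of the thread): the decision the `after_iphdr_insert` trigger makes, redone in Python so it can be checked without a MySQL instance. Two things the trigger text only implies are worth seeing in code. First, barnyard2 writes `iphdr.ip_src`/`ip_dst` as unsigned 32-bit integers, so the first trigger above queued numbers like 3232235786 (192.168.1.10) instead of addresses; `inet_ntoa` (here `socket.inet_ntoa`) is what turns them back into dotted quads. Second, the `SELECT count(*), src_or_dst, timeout INTO ...` mixes an aggregate with bare columns and has no GROUP BY, which is exactly what MySQL 5.7's default ONLY_FULL_GROUP_BY rejects; MySQL stores the sql_mode in effect at CREATE TRIGGER time with the trigger (the sql_mode column in the SHOW TRIGGERS output above) and runs the trigger under it, which is why the trigger had to be recreated after the my.cnf change. Table and column names follow the snorby schema used in the thread; the rows, addresses, function names and the first-match rule in `match_sig` are my assumptions.

```python
"""Added example (not tomfisk's code): the after_iphdr_insert trigger's
block-queue decision, in Python. Column names follow the thread's snorby
schema; every row below is constructed sample data, not a real alert."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional


def int_to_ip(n: int) -> str:
    """MySQL INET_NTOA equivalent. barnyard2 stores iphdr.ip_src/ip_dst as
    unsigned 32-bit integers; without this conversion the raw integer is
    queued, which is what the first trigger in the thread did."""
    return socket.inet_ntoa(struct.pack("!I", n))


def ip_to_int(ip: str) -> int:
    """MySQL INET_ATON equivalent, used only to build the sample iphdr rows."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


@dataclass(frozen=True)
class SigToBlock:
    """One sigs_to_block row."""
    sig_name: str    # prefix, matched like LIKE CONCAT(sig_name, '%')
    src_or_dst: str  # "src" or "dst": which address of the alert is queued
    timeout: str     # MikroTik address-list timeout, e.g. "1d"


def match_sig(sig_name: str, rules: List[SigToBlock]) -> Optional[SigToBlock]:
    """WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%').

    The trigger's SELECT count(*), src_or_dst, timeout INTO ... is an
    aggregate mixed with bare columns and no GROUP BY, which
    ONLY_FULL_GROUP_BY rejects; and when several rows match, MySQL returns
    an unspecified row's src_or_dst/timeout. Here the first matching rule
    in list order wins (an assumption; the trigger does not define this)."""
    for rule in rules:
        if sig_name.startswith(rule.sig_name):
            return rule
    return None


def queue_block(iphdr_row: dict, signature_row: dict,
                rules: List[SigToBlock], use_inet_ntoa: bool = True) -> Optional[dict]:
    """Return the block_queue row the trigger would INSERT, or None if the
    signature is not in sigs_to_block. use_inet_ntoa=False reproduces the
    first, wrong trigger, which queued the integer instead of an address."""
    rule = match_sig(signature_row["sig_name"], rules)
    if rule is None:
        return None
    raw = iphdr_row["ip_src"] if rule.src_or_dst == "src" else iphdr_row["ip_dst"]
    return {
        "que_ip_adr": int_to_ip(raw) if use_inet_ntoa else str(raw),
        "que_timeout": rule.timeout,
        "que_sig_name": signature_row["sig_name"],
        "que_sig_gid": signature_row["sig_gid"],
        "que_sig_sid": signature_row["sig_sid"],
        "que_event_timestamp": iphdr_row["timestamp"],
    }


# Constructed sample data (documentation-range addresses, not real traffic).
SIGS_TO_BLOCK = [
    SigToBlock("ET SCAN", "src", "1d"),
    SigToBlock("ET SHELLCODE", "dst", "12h"),
]
SAMPLE_SIGNATURE = {"sig_sid": 2009247, "sig_gid": 1,
                    "sig_name": "ET SHELLCODE Rothenburg Shellcode"}
SAMPLE_IPHDR = {"sid": 1, "cid": 42, "timestamp": "2018-01-31 09:18:26",
                "ip_src": ip_to_int("192.168.1.10"),
                "ip_dst": ip_to_int("203.0.113.5")}

if __name__ == "__main__":
    print(queue_block(SAMPLE_IPHDR, SAMPLE_SIGNATURE, SIGS_TO_BLOCK))
    print(queue_block(SAMPLE_IPHDR, SAMPLE_SIGNATURE, SIGS_TO_BLOCK, use_inet_ntoa=False))
```

Run it and compare the two printed rows: the second is what the wrong trigger pushed towards the MikroTik address list. If several sigs_to_block prefixes can match one signature name, decide the precedence explicitly (longest prefix, or one row per name); the trigger's SELECT INTO leaves that choice to MySQL.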
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 5:02 pm

It's me again ...
I run suricata_block.php from the command line:
php -f /usr/bin/suricata_block.php
It gives me this in the console:
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
...
Is this normal? Or am I wrong again somewhere?
The same is solved by installing a mail program, for example Postfix...
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 31, 2017 2:46 am

The warning for mysqli is normal. If you want to send email notifications, then you'll have to change the location to sendmail on your system. Do
whereis sendmail
and modify suricata_block.php as necessary.
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Sep 08, 2017 4:32 pm

My great gratitude to tomfisk.
Thanks to his article, I received a powerful and flexible system.
Just what I wanted.
Thank you to the MikroTik team for their RouterOS.
In general, thank you guys!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 10:55 am

Hi,

How could I add an IP as whitelist?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 11:13 am

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 12:27 pm

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Thanks tomfisk! great job as always
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 6:28 am

Thanks for the tutorial.

I had a question: is it possible to combine these scripts with SELKS? Or is there any guide so I can integrate SELKS with Mikrotik?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:18 am

It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS ... zing-SELKS and here https://github.com/StamusNetworks/SELKS ... ding-SELKS. Including this functionality into the SELKS distribution would be possible, but it would require analysis of what packages would need to be included in a SELKS distribution and specific instructions on how to configure. I don't know if the suricata implementation in SELKS includes, for example, MySQL and barnyard2, or if it is configured as an inline IPS using linux firewall rule processing.
Thanks for the tutorial.

I had a question: is it possible to combine these scripts with SELKS? Or is there any guide so I can integrate SELKS with Mikrotik?
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:34 am

I installed SELKS 4.0 nodesktop, and tried to combine it with your scripts after installing the library dependencies. How do I know if the scripts worked? Which Mikrotik interface should be sniffed?

Thank you
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:45 am

The Mikrotik interface to sniff should be the one that is connected to your ISP. That is where all of the traffic in/out of your network is. Make sure tzsp2pcap is running. In /var/log/suricata/ check suricata.log to make sure it started successfully and fast.log to see if events are being flagged.
I installed SELKS 4.0 nodesktop, and tried to combine it with your scripts after installing the library dependencies. How do I know if the scripts worked? Which Mikrotik interface should be sniffed?

Thank you
 
nata1234
just joined
Posts: 1
Joined: Mon Dec 04, 2017 1:02 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 04, 2017 1:16 am

Can someone help me? I need to send to Mikrotik from Suricata, without MySQL, with some easy php like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 08, 2017 9:33 am

I've included a script, fast2mikrotik.php, that will do what I think you are looking for. Check the original post.
Can someone help me? I need to send to Mikrotik from Suricata, without MySQL, with some easy php like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
 
smolki
just joined
Posts: 3
Joined: Tue Jan 23, 2018 10:28 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 23, 2018 10:33 am

Hi, I need help with the fast2mikrotik.php script. It's only showing Targets but nothing happens. The script is not connecting to the Mikrotik.
All necessary services are set in MT.
 
smolki
just joined
Posts: 3
Joined: Tue Jan 23, 2018 10:28 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 23, 2018 10:42 am

Hi, I need help with the fast2mikrotik.php script. It's only showing Targets but nothing happens. The script is not connecting to the Mikrotik.
All necessary services are set in MT.

Can anyone confirm that php is working ?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 12:59 pm

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Hi, reopening this reply. How could I make a whitelist for all entries for one IP?

I had this: suppress gen_id 1, sig_id 20003XX, track by_src, ip 213.XX.XX.XX

But my IP was banned again with this:
1:20003XX:13] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.X.X:55618 -> 213.XX.XX.XX:873

Why? Should I use 20003XX:13 in the file? Since my IP may be banned for other causes, I would like to ask if it's possible to add my IP as a whitelist.

Thanks!!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:18 pm

I think you can just set gen_id and sig_id to 0 and it should apply to all events for that IP address.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:28 pm

I think you can just set gen_id and sig_id to 0 and it should apply to all events for that IP address.
Awesome, thanks for your fast reply...
this ?
suppress gen_id 0, track_by_src, ip 213.98.XX.XX

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:59 pm

This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Awesome, thanks for your fast reply...
this ?
suppress gen_id 0, track_by_src, ip 213.98.XX.XX

Thanks.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 2:33 pm

This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! Thanks. A small question: I was always using gen_id 1, why 0 now?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 2:39 pm

You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! Thanks. A small question: I was always using gen_id 1, why 0 now?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 10:33 am

You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! Thanks. A small question: I was always using gen_id 1, why 0 now?
:( With that rule the router banned my IP again. What am I doing wrong?
I added with both id
suppress gen_id 1, sig_id 0, track_by_src, ip 192.168.XX.XX
suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.XX.XX

Line in fast.log
01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.XX.XX:58471 -> 213.98.XX.XX:873
BTW: I use suricata 1.4.7, but on its website there are versions 2.0.2 and 4.0.3. Has anyone tested them?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:06 am

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup of the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore so that they don't get sent to suricata in the first place. Set up a filter to exclude the address from the packet sniffer like this:
set file-limit=3000KiB filter-interface=ether1 filter-ip-address=!192.168.xx.xx/32 filter-stream=\
    yes streaming-enabled=yes streaming-server=192.168.xx.xx
So packets from that address never get into suricata in the first place.
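An added example (my code, not part of tomfisk's scripts or the thread) to settle the whitelist question before touching the router: it parses threshold.config suppress lines and tests them against a fast.log alert. Suricata's documented form is `suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <ip|cidr>`, with `track` and `by_src` as two words; a line written `track_by_src` is not that form, so the parser below rejects it. The fast.log line quoted earlier shows the 213.x address as the destination (`192.168.X.X:55618 -> 213.XX.XX.XX:873`), and a `track by_src` rule only looks at the source, which is one reason a `track by_src, ip 213...` suppress cannot fire for that alert; `track by_dst` on the 213.x address, or `track by_src` on the 192.168.x source, would. gen_id 0 and sig_id 0 are treated as wildcards here, as the thread uses them; all addresses, the config text, the alert line (its shape copied from the thread with addresses replaced) and the function names are my own constructions.

```python
"""Added example (not tomfisk's code): check threshold.config suppress lines
against a fast.log alert. Documented Suricata form:
    suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|cidr>
gen_id 0 / sig_id 0 are treated as "any" (assumption). All sample data below
is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)\s*$"
)
# fast.log: <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FASTLOG_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: str  # "by_src" or "by_dst"
    net: ipaddress.IPv4Network


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_suppress(line: str) -> Optional[Suppress]:
    """One suppress line, or None when it is not in the documented form
    (for example 'track_by_src' with an underscore instead of 'track by_src')."""
    m = SUPPRESS_RE.match(line)
    if not m:
        return None
    gid, sid, track, ip = m.groups()
    return Suppress(int(gid), int(sid), track, ipaddress.ip_network(ip, strict=False))


def load_rules(config_text: str) -> Tuple[List[Suppress], List[str]]:
    """Parse a threshold.config; return (valid suppress rules, rejected lines).
    Comments, blank lines and non-suppress directives are skipped."""
    rules, rejected = [], []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or not stripped.startswith("suppress"):
            continue
        rule = parse_suppress(stripped)
        if rule is None:
            rejected.append(stripped)
        else:
            rules.append(rule)
    return rules, rejected


def parse_fastlog(line: str) -> Alert:
    """Pull gid/sid, message and both endpoints out of one fast.log line."""
    m = FASTLOG_RE.search(line)
    if not m:
        raise ValueError("not a fast.log alert line: " + line)
    return Alert(int(m.group(1)), int(m.group(2)), m.group("msg"),
                 ipaddress.ip_address(m.group("src")), ipaddress.ip_address(m.group("dst")))


def is_suppressed(alert: Alert, rules: List[Suppress]) -> bool:
    """True if any rule hides this alert: gid/sid must match (0 = any) and the
    tracked side (source for by_src, destination for by_dst) must fall in the
    rule's network. A by_src rule never matches an alert in which the host is
    only the destination, which is the situation in the thread's fast.log."""
    for r in rules:
        if r.gid not in (0, alert.gid) or r.sid not in (0, alert.sid):
            continue
        addr = alert.src if r.track == "by_src" else alert.dst
        if addr in r.net:
            return True
    return False


# Constructed sample input.
SAMPLE_FASTLOG_LINE = (
    "01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode"
    " [**] [Classification: Executable code was detected] [Priority: 1]"
    " {TCP} 192.168.1.10:58471 -> 203.0.113.5:873"
)
SAMPLE_THRESHOLD_CONFIG = """
# whitelist attempts in the shape of the thread's, with constructed addresses
suppress gen_id 1, sig_id 2009247, track by_src, ip 203.0.113.5
suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.1.10
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.0/24
"""

if __name__ == "__main__":
    rules, rejected = load_rules(SAMPLE_THRESHOLD_CONFIG)
    alert = parse_fastlog(SAMPLE_FASTLOG_LINE)
    print("rejected lines:", rejected)
    for r in rules:
        print(r, "->", "suppresses" if is_suppressed(alert, [r]) else "does not match")
```

A suppress rule only hides alerts whose tracked side matches, and Suricata keeps inspecting the traffic; the sniffer filter suggested above (`filter-ip-address=!host/32`) keeps every packet involving that host away from Suricata, as the sniffer's address filter matches either end, so attacks against that host go unseen too. Pick the one whose blind spot you accept, and remember that even with a by_src suppress, a signature listed with `dst` in sigs_to_block still queues the destination address.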
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:49 am

I can't add that IP. If I try to save the changes, MK doesn't accept it and it's reset to 0.0.0.0 again.
I attach a picture, maybe I am doing something wrong.
Image
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:54 am

The "!" goes in the little box before the IP address. Just click on it and it should change to "!".
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 12:04 pm

I'm stupid, I know it. Thanks as always, tomfisk.
I am going to test new version 4.0.3.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 2:06 pm

I have installed a new VPS with the new Suricata 4.0.3; it's installed correctly and I can start it fine:
root@suricatanew:/# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
31/1/2018 -- 07:01:57 - <Notice> - This is Suricata version 4.0.3 RELEASE
31/1/2018 -- 07:02:02 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
I see traffic on stats.log
Date: 1/31/2018 -- 07:05:53 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 275968
decoder.bytes                              | Total                     | 277270818

I tested the new method (with PHP). I have the script running but MK doesn't add any IP. I have configured the API login details correctly (the same I used with the old Suricata).
In MK I only changed the Sniffer from the old server to the new server (I get packets).

When I execute the PHP I only see the same logs, for example:
root@suricatanew:/etc/init.d# php -f fast2mikrotik.php &
[1] 543
root@suricatanew:/etc/init.d# Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Any idea? Thanks! Maybe I have forgotten some simple thing.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 8:37 am

Oops! Looks like I left some debug code in fast2mikrotik.php :(
  echo "Target will be: " . $target . "\r\n";
  return true;
  try {
      $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
  } catch (Exception $e) {
      die('Unable to connect to RouterOS. Error:' . $e);
  }
Delete the "echo" and "return" lines...should work then :) :)
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 9:39 am

I was going to write that too :) I removed it and it works fine. Thanks, tomfisk.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 12:10 pm

I am having trouble creating a "white list". I create it but the IDS continues adding those IPs to the blocks.

suppress gen_id 1, sig_id 2240001
suppress gen_id 1, sig_id 2220006, track by_src, ip 192.168.XX.XX

I added it too in MK in "Packet Sniffer" but no luck either. MK continues stopping traffic from those IPs. I think it's a bug, because I don't understand what I am doing wrong; I followed the manual.

NOTE: Maybe someone has the same problem as me. I had commented out the line threshold-file: /etc/suricata/threshold.config in the file suricata.yaml
Fixed.
 
bekax5
Member Candidate
Member Candidate
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 11:29 pm

I am really tempted to set up Suricata with Mtik integration.
I want to run Suricata on a QNAP as a VM and I already bought an Intel NIC for this purpose; however, I noticed that the current QNAP versions do not support promiscuous mode for VMs, so if I try to mirror the WAN interface I end up only getting multicast and broadcast packets.
This sniffer stream appears to be a perfect solution, however it does stop FastPath and FastTrack right?
I'm afraid RB3011 will be struggling with Gigabit WAN.
Apologies for the novice questions =)
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Feb 02, 2018 2:40 am

Yes, sniffer does stop FastPath and FastTrack. I have an RB951G-2HnD running with a sniffer and I am still able to achieve my ISP's full bandwidth of 350mbs. Just my observation...I'm not a networking professional so I can't fully address your concern. Perhaps you can turn on the sniffer and do a bandwidth test?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Feb 02, 2018 1:24 pm

Definitely Suricata has some bug with threshold.
suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8
And I receive an alert:
The IP address 8.8.8.8 has been blocked due to the following rule match:

The signature ID is [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
    event timestamp: 02/02/2018-12:18:30.409788 blocked for: 01:00:00

Unfortunately I have to remove those rules from the rules directory; if not, IPs like Google's or my own IP are banned all the time.

I don't understand why... but I have threshold uncommented in suricata.yaml... does the same happen to anyone?

Thanks.
 
swright
just joined
Posts: 1
Joined: Wed Jan 31, 2018 11:44 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Feb 03, 2018 12:36 am

Have you tried to create a "pass" rule? Example:
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)

I am trying out the fast2mikrotik.php, which works great by the way, Tomfisk. I have found that this way tends to block rather aggressively. I have been able to white list by using pass rules, and am getting it toned down. Thanks for all the work, Tomfisk!
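The two posts above show the failure mode from both sides: a suppress entry that does not take effect, and a blocking script that then bans whatever the un-suppressed alert names (8.8.8.8 in aarango's case). The suppress entries quoted in this thread alternate between two spellings, `track_by_src` and `track by_src`; Suricata's documented threshold.config syntax is `track by_src` with a space. The following is an added example, not code from the thread or from fast2mikrotik.php: a Python dry-run checker that parses fast.log lines and a threshold.config suppress list and reports which alerts would still reach the blocking script, rejecting malformed entries instead of silently ignoring them. It treats gen_id 0 / sig_id 0 as wildcards the way the thread uses them, assumes the script blocks the alert's source address, and its log lines and addresses are constructed samples, not real data. Pass rules as swright suggests are evaluated inside Suricata's rule engine and are outside what this checker models.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Constructed sample alerts, shaped like the fast.log lines quoted in this thread;
# the thread's anonymised addresses are replaced with made-up ones.
SAMPLE_FAST_LOG = """\
01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.5:58471 -> 213.98.0.1:873
02/02/2018-12:18:30.409788  [**] [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 8.8.8.8:53 -> 192.168.10.5:51000
02/14/2018-08:57:59.910517  [**] [1:2402000:4717] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 191.101.167.252:44444 -> 192.168.10.5:22
"""

# Suppress entries in the two spellings that appear in the thread.  Suricata's
# documented threshold.config syntax is "track by_src" (with a space);
# "track_by_src" is reported here as a malformed entry.
THRESHOLD_AS_POSTED = """\
suppress gen_id 1, sig_id 2240001
suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8
suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.10.5
"""
THRESHOLD_FIXED = THRESHOLD_AS_POSTED.replace("track_by_src", "track by_src")

ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\d+\s*$"
)
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gid: int                      # 0 = any generator (wildcard, as the thread uses it)
    sid: int                      # 0 = any signature
    track: Optional[str]          # "by_src", "by_dst", or None = suppress everywhere
    net: Optional[Union[IPv4Network, IPv6Network]]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast.log line; None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"])


def parse_suppress(line: str) -> Suppress:
    """Parse one threshold.config suppress entry; raise on anything off-syntax."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"malformed suppress entry (expected 'track by_src|by_dst, ip <addr>'): {line}")
    net = ip_network(m["ip"], strict=False) if m["ip"] else None
    return Suppress(int(m["gid"]), int(m["sid"]), m["track"], net)


def is_suppressed(alert: Alert, rule: Suppress) -> bool:
    if rule.gid not in (0, alert.gid) or rule.sid not in (0, alert.sid):
        return False
    if rule.track is None:
        return True
    addr = alert.src if rule.track == "by_src" else alert.dst
    return ip_address(addr) in rule.net


def dry_run(fast_log: str, threshold_config: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return ((src, sid) of alerts that would still reach the blocking script, parse errors)."""
    rules: List[Suppress] = []
    errors: List[str] = []
    for raw in threshold_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_suppress(line))
        except ValueError as exc:
            errors.append(str(exc))
    would_block: List[Tuple[str, int]] = []
    for line in fast_log.splitlines():
        alert = parse_alert(line)
        if alert is not None and not any(is_suppressed(alert, r) for r in rules):
            would_block.append((alert.src, alert.sid))
    return would_block, errors


if __name__ == "__main__":
    for label, cfg in (("as posted", THRESHOLD_AS_POSTED), ("fixed", THRESHOLD_FIXED)):
        blocked, errors = dry_run(SAMPLE_FAST_LOG, cfg)
        print(label, "-> would block:", blocked, "| errors:", errors)
```

Run against the entries as posted, the checker flags the `track_by_src` line and shows the shellcode alert from 192.168.10.5 still reaching the blocker; with the spelling fixed, only the Dshield alert remains. Feeding it a day of real fast.log before editing threshold.config is a cheap way to see what a new suppress entry will and will not silence.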
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 08, 2018 3:33 pm

Maybe this tool is useful for someone:
https://www.stamus-networks.com/open-source/

It integrates Suricata + ELKS in a dashboard. I added Tomfisk's script and my MK banned IPs and I can check the logs on a website. The final result is very pretty.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Feb 12, 2018 12:06 pm

Hi,
I am using Debian 9 (before I used Ubuntu 16 and it worked), but with this Debian 9 + php7, the script fast2mikrotik fails with this:
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Line 328:
$STATUS = socket_get_status($this->socket);
if ($LENGTH > 0) {
    $this->debug('>>> [' . $LENGTH . ', ' . $STATUS['unread_bytes'] . ']' . $_);
}
Any idea? I am not a developer but a sysadmin, and I am stuck on this.

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Feb 13, 2018 4:57 am

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters?
$mikrotik_addr = "__someip__";
$mikrotik_user = "admin";
$mikrotik_pwd = "__somesecret__";
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 8:41 am

It's strange, tomfisk. I am using a new server but in the same net, and I copied (using SCP) the script which worked on the other server. The difference between both servers is that one is Ubuntu 16 and the other is Debian 9. On both, PHP is installed from the repository.
Any idea to debug it?

Thanks as always.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 8:46 am

Since I didn't write that code I'm at a loss as well.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 10:05 am

I understand. I enabled debug (to test the connection) and it works:
Connection attempt #1 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #2 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #3 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #4 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #5 to 192.168.100.1:8728...
<<< [6] /login
Error...
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [31] /ip/firewall/address-list/print
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [14] =.proplist=.id
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] ?address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [29] /ip/firewall/address-list/add
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [13] =list=Blocked
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] =address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [17] =timeout=01:00:00
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [131] =comment=From suricata, [1:2402000:4717] ET DROP Dshield Block Listed Source group 1 => event timestamp: 02/14/2018-08:57:59.910517
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Disconnected...


I will try to solve it :) thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 10:13 am

So it looks like it doesn't get connected :o :o :? :?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 1:45 pm

Solved! I had a rule in my router to reject connections to API from another subnet. Thanks :D
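The debug output in this exchange is worth reading closely: `<<< [6] /login` appears five times with no reply, and every later `fwrite()` fails on an invalid resource. The script encoded and queued its login sentence, but the TCP connection to port 8728 never came up, which matches the cause in the last post (a filter rule rejecting the API port from another subnet). The bracketed numbers are the word lengths the RouterOS API protocol prefixes to each word. The following is an added example, not code from the thread or from routeros_api.class.php: a small Python encoder/decoder for RouterOS API sentences, plus a probe that opens the port and sends a bare `/login` (no credentials) to tell "the router answers" apart from "the path is blocked". Host and port in the usage stub are placeholders; the sample words are taken from the debug lines above.

```python
import socket
from typing import Dict, List, Tuple, Union

# RouterOS API wire format: each word is prefixed by its byte length, encoded in
# 1 to 5 bytes depending on size; a sentence ends with an empty word (one 0x00).


def encode_length(n: int) -> bytes:
    """Length prefix of an API word, as RouterOS defines it."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the prefix) for the prefix at buf[pos]."""
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b & 0xE0 == 0xC0:
        return int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, pos + 3
    if b & 0xF0 == 0xE0:
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_word(word: str) -> bytes:
    data = word.encode("utf-8")
    return encode_length(len(data)) + data


def encode_sentence(words: List[str]) -> bytes:
    return b"".join(encode_word(w) for w in words) + b"\x00"


def decode_sentence(buf: bytes) -> Tuple[List[str], bytes]:
    """Decode one sentence; return (words, bytes left over after the terminator)."""
    words: List[str] = []
    pos = 0
    while pos < len(buf):
        length, pos = decode_length(buf, pos)
        if length == 0:
            return words, buf[pos:]
        words.append(buf[pos:pos + length].decode("utf-8"))
        pos += length
    raise ValueError("incomplete sentence: no terminating empty word")


def word_lengths(words: List[str]) -> List[int]:
    """The numbers the thread's debug output prints in brackets before each word."""
    return [len(w.encode("utf-8")) for w in words]


def probe_api(host: str, port: int = 8728, timeout: float = 3.0) -> Dict[str, Union[bool, str, List[str]]]:
    """Connect and send a credential-free '/login'.  Any reply sentence (a '!done'
    carrying a challenge, or a '!trap') means the API port answers; a socket error
    or timeout means the TCP path is closed, which is what a filter rule produces."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_sentence(["/login"]))
            data = sock.recv(4096)
    except OSError as exc:
        return {"reachable": False, "error": str(exc)}
    if not data:
        return {"reachable": False, "error": "connection closed without a reply"}
    words, _ = decode_sentence(data)
    return {"reachable": True, "reply": words}


# Words copied from the thread's debug output; their lengths are 31, 14 and 24.
SAMPLE_SENTENCE = ["/ip/firewall/address-list/print", "=.proplist=.id", "?address=191.101.167.252"]

if __name__ == "__main__":
    print(word_lengths(SAMPLE_SENTENCE))
    print(probe_api("192.0.2.1"))  # placeholder router address (TEST-NET), replace with yours
```

Running the probe from the Suricata host before starting the blocking script separates a network-path problem (firewall, wrong address, API service disabled) from a credentials problem, which the script's own warnings do not distinguish. Keeping the API port reachable only from the Suricata host's address, as aarango's filter rule intended, is the right default; the probe just confirms that the one permitted source really is permitted.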
 
Nollitik
Member Candidate
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Apr 17, 2018 6:57 am

This is awesome...if only I could get this on a RB450G...is there?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Apr 17, 2018 1:17 pm

Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
 
Nollitik
Member Candidate
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 18, 2018 11:04 pm

So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512MB RAM. I already have a Pfsense machine in front of my 450G...was just thinking it would be cool to have at least Intrusion detection on Mikrotik.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 18, 2018 11:33 pm

Yep, that's the deal with this implementation. I'm not sure you could run a decent intrusion detection in a metarouter.
 
Faceless
just joined
Posts: 18
Joined: Sat Mar 03, 2018 4:03 pm
Location: Ukraine

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 26, 2018 7:19 pm

Do I need the calea package to restream packets? Snort needs calea. Also, will a hAP ac2 4-core CPU handle Suricata + a few QoS + 25 filter rules?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 27, 2018 1:08 am

No, just stream packets with the sniffer tool to the suricata host. Yes, I don't see any problem with the ability to handle that configuration.
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 23, 2018 11:34 am

Maybe this tool is useful for someone:
https://www.stamus-networks.com/open-source/

It integrates Suricata + ELKS in a dashboard. I added Tomfisk's script and my MK banned IPs and I can check the logs on a website. The final result is very pretty.
Hi, aarango
Have you tried SELKS from Stamus Networks?
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Sep 15, 2018 7:00 pm

Dear All,

I have a few questions about this script:

1- I would like to know if this script runs in the background or if I have to run it with cron?
2- Is there any output log for the activity sent to Mikrotik?

Currently I'm running logstash + python for filtering fast.log and it's very slow with too much delay.

Please advise, and thank you so much
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Sep 16, 2018 8:16 am

1. These scripts are running in the background and are started as a service.
2. You can get an email alert when an IP address has been blocked by changing the $email_alert variable in suricata_block.php
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Sep 17, 2018 1:48 am

Dear Tomfisk,

Thank you so much for answering my question. Actually I have so many questions to ask; is there any possibility that I can contact you directly on WhatsApp or Skype? Or can you enable your private messages on this forum?

Please help. Thank you so much
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 4:17 pm

Hi,

What I understand is that the packet sniffer on Mikrotik captures the packets before the firewall rules, so is it possible to get the packets only after they get through the firewall rules?

Please advise, TQ
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 5:17 pm

Hi Halimzhz,

I don't think it is possible to get the packets only after they've gone through the firewall. The first firewall rule drops all packets from blocked IP addresses. I've looked to see if the next rule could run the traffic through a virtual interface (possible), but then you'd have to get the traffic back into the firewall chain (I'm not sure how this would happen).

With regard to your request for some help, my day job keeps me pretty busy but I can try the best I can to provide some help. I don't see a PM option. I really don't want to post my contact info here, but if you want to share your WA I'll contact you.
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 6:06 pm

Dear Tomfisk,

Thank you so much for replying to me. For your information, the concept of forwarding packets to Suricata is so nice, and Suricata will filter the packets with some rules, but that seems fine when you have very minimal Suricata rules. When you filter in Suricata with tons of rules, for example filtering by blocklist.de, your Suricata will keep receiving the same packets again and again, which makes the script keep sending again and again to Mikrotik, and the process becomes slow with too much delay. That is why I'm asking whether it is possible to get the packets just after they get through the Mikrotik firewall rules. Someone advised me to buy a 2nd Mikrotik device and make it the secondary: the first Mikrotik will do the job of the firewall and the secondary will do the packet sniffer process to Suricata. I hope that is not a good idea, because I would have to spend more.

Please advise. TQ so much
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Sep 19, 2018 5:36 am

I understand what you are saying. Have you looked at the number of packets that would be blocked vs. the total volume? There would be a threshold where passing the packets after the firewall would make sense. I'm not sure what that threshold would be, but I would suspect that it would have to be a "significant" volume to make a difference. If you've implemented suricata and the firewall rules then you should be able to look at the packets dropped by the firewall rule vs. the total number of packets.

If the volume is significant, I agree with the advice you received: the only real option is to get another Mikrotik to handle the post-firewall filtering.
Dear Tomfisk,

Thank you so much for replying to me. For your information, the concept of forwarding packets to Suricata is very nice, and Suricata will filter the packets with some rules, but that seems fine only when you have a very minimal set of Suricata rules. When you filter with tons of rules in Suricata, for example filtering by blocklist.de, your Suricata will keep receiving the same packet again and again, which makes the script keep sending to Mikrotik again and again, and the process becomes slow with too much delay. That is why I'm asking whether it is possible to get the packets just after they get through the Mikrotik firewall rules. Someone advised me to buy a second Mikrotik device and make it the secondary: the first Mikrotik would do the firewall job and the secondary would do the packet sniffing to Suricata. I hope that is not a good idea, because I would have to spend more.

Please advise. TQ so much
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Sep 19, 2018 5:51 pm

Dear Tomfisk,

I have another idea, but before that I feel so sorry about my bad English; I will try to explain what I'm thinking about. I don't know whether this is possible or not. Let's say when the script starts, it first looks at or grabs from Mikrotik the list of banned IPs and keeps it in the script's memory or as a log. Then the script starts looking into fast.log and doing its filtering, and before submitting to Mikrotik to ban the IP, the script first looks at what is in memory. That way the script will not keep submitting to Mikrotik just to get the answer whether the IP is added or not. Or maybe another way, as you did with the MySQL database, but every time you restart the script you have to make sure the records on both Mikrotik and the MySQL database are clean. This is crazy, but the main point is to not have too much delay on a busy network.

Please advise, and thank you for your time
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Sep 20, 2018 6:22 am

OK, I thought you wanted to stop scanning traffic that was already blocked by a firewall rule.

So you're saying don't delete and re-add a firewall rule if it already exists for an IP address? Let me look at suricata_block.php and see if that can be added as an option.
Dear Tomfisk,

I have another idea, but before that I feel so sorry about my bad English; I will try to explain what I'm thinking about. I don't know whether this is possible or not. Let's say when the script starts, it first looks at or grabs from Mikrotik the list of banned IPs and keeps it in the script's memory or as a log. Then the script starts looking into fast.log and doing its filtering, and before submitting to Mikrotik to ban the IP, the script first looks at what is in memory. That way the script will not keep submitting to Mikrotik just to get the answer whether the IP is added or not. Or maybe another way, as you did with the MySQL database, but every time you restart the script you have to make sure the records on both Mikrotik and the MySQL database are clean. This is crazy, but the main point is to not have too much delay on a busy network.

Please advise, and thank you for your time
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Sep 21, 2018 3:37 am

Dear Tomfisk

I would like to ask you a favor. For your information, my fast.log looks a bit different, let me show you:

09/21/2018-08:08:15.059030 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:36610 -> nnn.nnn.nnn.nnn:993

For your information I have 2 types of rules: the first is alert and the second is drop. 'alert' is just for monitoring and drop is what I plan to send out to Mikrotik, so any drop rule will show up in fast.log as 'wDrop'. So I need a script to monitor the lines with the word 'wDrop' and ignore 'alert'. Actually I have been running this kind of script for years, but it runs with Logstash + Python, and I'm so frustrated because there is too much delay to ban any IP, because Logstash is CPU/memory hungry even though my machine is a dual Xeon with 32GB RAM.

Seriously, I am willing to pay if you have time to spend on this. I feel ashamed to put my mobile number here, but please Skype me: live:8f0c760bc11cde9

Thank you so much
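As an added example (not part of the thread, and not tomfisk's suricata_block.php), the following Python sketch puts together the two ideas in this post and the previous one: read fast.log, keep only the lines whose action is 'wDrop', seed the set of already-banned addresses once from the router, and emit a RouterOS address-list command only for a source the router does not yet know about. The log lines, addresses, and the timeout are constructed or assumed (the 'Blocked' list name is the one used in the thread); the home-network exclusion is an addition.

```python
import ipaddress
import re
from typing import Iterable, Iterator, List, Optional

# One Suricata fast.log line. For a drop rule Suricata inserts "[Drop]", or
# "[wDrop]" ("would drop", logged when Suricata is not running inline, as when
# it reads a pcap stream), between the timestamp and "[**]"; a plain alert has
# nothing there, so the action group is optional.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log_line(line: str) -> Optional[dict]:
    """Return the fields of one fast.log line, or None if it is not an alert line."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["action"] = event["action"] or "alert"  # no bracketed action => plain alert
    return event


class BlockQueue:
    """Decides which source addresses still need to be sent to the router.

    `already_banned` is meant to be seeded from the router's address list at
    start-up so the script does not re-submit addresses the router already has.
    `home_nets` are ranges that must never be banned (the HOME_NET ranges from
    suricata.yaml are a sensible seed); this guard is an addition of this example.
    """

    def __init__(self, already_banned: Iterable[str], home_nets: Iterable[str] = ()) -> None:
        self.banned = set(already_banned)
        self.home_nets = [ipaddress.ip_network(n, strict=False) for n in home_nets]

    def _is_home(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.home_nets)

    def new_blocks(self, lines: Iterable[str], action: str = "wDrop") -> Iterator[dict]:
        """Yield events whose action matches and whose source is not banned yet."""
        for line in lines:
            event = parse_fast_log_line(line)
            if event is None or event["action"] != action:
                continue  # junk/stats lines, or monitor-only 'alert' rules
            src = event["src"]
            if src in self.banned or self._is_home(src):
                continue  # already on the router, or one of our own hosts
            self.banned.add(src)  # remember it so a repeat hit is not resubmitted
            yield event


def routeros_add_command(ip: str, list_name: str = "Blocked", timeout: str = "1d") -> str:
    """RouterOS command that would be sent for a new block (timeout is an assumption)."""
    return (f"/ip firewall address-list add list={list_name} address={ip} "
            f"timeout={timeout} comment=\"suricata wDrop\"")


# Constructed sample input using RFC 5737 documentation addresses, not a real log.
SAMPLE_FAST_LOG = [
    "09/21/2018-08:08:15.059030 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} 203.0.113.10:36610 -> 192.0.2.1:993",
    "09/21/2018-08:08:16.000101  [**] [1:208:1] Monitor only [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.7:45000 -> 192.0.2.1:22",
    "09/21/2018-08:08:17.223344 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} 203.0.113.10:36611 -> 192.0.2.1:993",
    "09/21/2018-08:08:18.000000 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {UDP} 192.0.2.44:53 -> 192.0.2.1:41234",
    "09/21/2018-08:08:19.000000 [wDrop] [**] [1:209:1] Internal host hit [**] [Classification: (null)] [Priority: 1] {TCP} 192.168.88.20:50000 -> 192.0.2.1:443",
    "not an alert line at all",
    "09/21/2018-08:08:20.500000 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} 198.51.100.22:1025 -> 192.0.2.1:993",
]


def run_sample() -> List[str]:
    """Feed the constructed log through the queue and return the commands to send."""
    queue = BlockQueue(already_banned=["192.0.2.44"],  # pretend the router already has this one
                       home_nets=["192.168.88.0/24", "192.168.3.0/24"])
    return [routeros_add_command(ev["src"]) for ev in queue.new_blocks(SAMPLE_FAST_LOG)]


if __name__ == "__main__":
    for cmd in run_sample():
        print(cmd)
```

Only two commands come out of the seven sample lines: the alert line, the repeated hit, the address already on the router, and the internal host are all skipped.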
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 25, 2018 6:23 am

Hi Halimzhz,
Sorry for the delayed reply. I'm sorry but I really don't have time to be able to help you with this. This solution uses the insert trigger from barnyard2 to grab events that subsequently get processed. It only processes those rules that match what is in the sigs_to_block table in mysql. So the fast.log processing is done by barnyard2. So if you put your wDrop rule description in sigs_to_block table, it should work?

Tom
Dear Tomfisk

I would like to ask you a favor. For your information, my fast.log looks a bit different, let me show you:

09/21/2018-08:08:15.059030 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:36610 -> nnn.nnn.nnn.nnn:993

For your information I have 2 types of rules: the first is alert and the second is drop. 'alert' is just for monitoring and drop is what I plan to send out to Mikrotik, so any drop rule will show up in fast.log as 'wDrop'. So I need a script to monitor the lines with the word 'wDrop' and ignore 'alert'. Actually I have been running this kind of script for years, but it runs with Logstash + Python, and I'm so frustrated because there is too much delay to ban any IP, because Logstash is CPU/memory hungry even though my machine is a dual Xeon with 32GB RAM.

Seriously, I am willing to pay if you have time to spend on this. I feel ashamed to put my mobile number here, but please Skype me: live:8f0c760bc11cde9

Thank you so much
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 06, 2018 5:03 pm

Do I have to run suricata through trafr?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 2:18 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 9:15 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
I found this information in threads about Snort. I wonder how Suricata receives packets from the mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP)
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 10:08 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
I found this information in threads about Snort. I wonder how Suricata receives packets from the mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP)
1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 1:56 pm

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
Thank you. This image was not found in the description.
I made it so that suricata reads from the interface, and it also worked.

So I have suricata run like this:
/usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -
?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 3:46 pm

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
Thank you. This image was not found in the description.
I made it so that suricata reads from the interface, and it also worked.

So I have suricata run like this:
/usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -
?
Yes, that's correct.
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Nov 26, 2018 2:43 pm

Why, in the rule /ip firewall add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked,
have you entered dst-address-list? If it were src-address-list, then the packet from the aggressor would not go to the internal network and e.g. the internal web server would not have to deal with the SYN
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 1:51 am

Why, in the rule /ip firewall add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked,
have you entered dst-address-list? If it were src-address-list, then the packet from the aggressor would not go to the internal network and e.g. the internal web server would not have to deal with the SYN
So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 9:31 am

Why, in the rule /ip firewall add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked,
have you entered dst-address-list? If it were src-address-list, then the packet from the aggressor would not go to the internal network and e.g. the internal web server would not have to deal with the SYN
So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
The rule "ip firewall add action=drop chain=input comment="Block bad actors" src-address-list=Blocked" does not stop the dstnat traffic, e.g. to the web server inside the network. I checked on the web server: SYN packets are still coming.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 10:24 pm

Why, in the rule /ip firewall add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked,
have you entered dst-address-list? If it were src-address-list, then the packet from the aggressor would not go to the internal network and e.g. the internal web server would not have to deal with the SYN
So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
The rule "ip firewall add action=drop chain=input comment="Block bad actors" src-address-list=Blocked" does not stop the dstnat traffic, e.g. to the web server inside the network. I checked on the web server: SYN packets are still coming.
Oh...yes, I'm not attempting to block internet network traffic.
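What tomeks11 observed follows from where dst-nat sits in the RouterOS packet flow: the destination is rewritten in prerouting, and only then does the routing decision pick the chain, so a dst-nat'd SYN never visits the input chain. The following Python model is added here and is not part of the thread or of RouterOS; it replays the two quoted rules against three constructed packets and shows that only a forward-chain rule keyed on src-address-list stops the SYN bound for the internal web server. Addresses, the NAT mapping and the extra rule's comment are assumptions; connection tracking and the rest of a real rule set are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed addresses (RFC 5737 / RFC 1918), not taken from the thread.
ROUTER_WAN_IP = "192.0.2.1"
WEB_SERVER = "192.168.3.10"
ADDRESS_LISTS: Dict[str, Set[str]] = {"Blocked": {"203.0.113.10"}}
# dst-nat: the router's WAN port 80 is published to the internal web server.
DST_NAT: Dict[Tuple[str, int], str] = {(ROUTER_WAN_IP, 80): WEB_SERVER}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A filter rule reduced to the matchers used in the thread."""
    chain: str            # "input" (to the router itself) or "forward" (through it)
    action: str
    comment: str
    src_address_list: Optional[str] = None
    dst_address_list: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_address_list and pkt.src not in ADDRESS_LISTS[self.src_address_list]:
            return False
        if self.dst_address_list and pkt.dst not in ADDRESS_LISTS[self.dst_address_list]:
            return False
        return True


# The two rules quoted in the thread, in the order they are discussed.
ORIGINAL_RULES: List[Rule] = [
    Rule("input", "drop", "Block bad actors", src_address_list="Blocked"),
    Rule("forward", "drop", "Drop any traffic going to bad actors", dst_address_list="Blocked"),
]
# Same two rules plus a forward-chain rule keyed on the source list (assumed comment).
FIXED_RULES: List[Rule] = ORIGINAL_RULES + [
    Rule("forward", "drop", "Block bad actors (forwarded)", src_address_list="Blocked"),
]


def verdict(pkt: Packet, rules: List[Rule]) -> str:
    """Return the comment of the first rule that fires, or 'no-match' if none does.

    Simplified packet flow: dst-nat rewrites the destination before the chain is
    chosen; packets addressed to the router go to input, everything else to forward.
    """
    pkt = Packet(pkt.src, DST_NAT.get((pkt.dst, pkt.dport), pkt.dst), pkt.dport)
    chain = "input" if pkt.dst == ROUTER_WAN_IP else "forward"
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.comment
    return "no-match"


if __name__ == "__main__":
    attacker = "203.0.113.10"
    cases = [
        ("ssh to router", Packet(attacker, ROUTER_WAN_IP, 22)),      # stays in input
        ("SYN to web", Packet(attacker, ROUTER_WAN_IP, 80)),         # dst-nat'd into forward
        ("reply to attacker", Packet(WEB_SERVER, attacker, 36610)),  # forward, dst is blocked
    ]
    for name, pkt in cases:
        print(f"{name:18s} original: {verdict(pkt, ORIGINAL_RULES):38s} "
              f"fixed: {verdict(pkt, FIXED_RULES)}")
```

With the original two rules the dst-nat'd SYN reaches the web server ("no-match"), while the reply back to the blocked address is dropped by the dst-address-list rule, which is exactly the split the two posts above describe.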
 
Matthew1471
just joined
Posts: 9
Joined: Wed Feb 20, 2019 1:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 21, 2019 11:37 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled?

Presumably "tzsp2pcap" is the drop-in replacement and MikroTik moved to the TZSP protocol.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 21, 2019 11:46 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled?

Presumably "tzsp2pcap" is the drop-in replacement and MikroTik moved to the TZSP protocol.
That would most likely be a correct assumption.
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Mar 02, 2019 9:05 pm

Hi Tom,
Just trying to understand what all this work is LOL.
I gather you are using a computer with linux OS, that is performing some functions on incoming wan data?
So what is the architecture - modem to router to computer back to router?

What are you trying to stop? Presumably most people do not allow unsolicited traffic in (such traffic is dropped).
Thus are you simply scanning outgoing traffic???

What are you scanning, looking for bad IPs? suspicious packet traffic ???
I'm a bit bamboozled by what is actually going on here?

Thanks in advance for answering such basic questions..........
With such info, I will know whether or not for a homeowner the investment in resources is worth it. ;-)
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Mar 03, 2019 8:49 am

Hi,

First of all, I think it is important for you to understand what a network threat detection engine, like Suricata, does. It ingests network packets, runs those packets against a set of rules, and then reports on those packets which match the rules. Suricata also provides the ability to do intrusion prevention (IPS) against those IPs where the rules matched. So in a typical installation, you'd dedicate a system that would sit on your network perimeter and do this work.

But with the Mikrotik router being more capable than most, we can use the Mikrotik as a component in the solution. First of all, using the packet sniffer capability of the Mikrotik we can capture packets and send them to Suricata. Which packets you send is up to you, but I send only inbound packets. Suricata does its thing and the triggered packets and the associated rules end up in a MySQL database. When this occurs, a trigger writes the needed info in a table that is constantly scanned by a php program. When this happens, the php program sends the necessary info to write a firewall entry to the Mikrotik. So now the Mikrotik plays the role of IPS.

In the end, it depends on how much IDS/IPS your ISP does in catching the bad actors on their perimeter as to whether or not this effort is worth it. Here in Indonesia, my ISP doesn't do any IDS/IPS on their perimeter, so it all comes to my network. So in my case, it's a vital piece of keeping bad actors off my systems.

Hope this helps.

Tom
Hi Tom,
Just trying to understand what all this work is LOL.
I gather you are using a computer with linux OS, that is performing some functions on incoming wan data?
So what is the architecture - modem to router to computer back to router?

What are you trying to stop? Presumably most people do not allow unsolicited traffic in (such traffic is dropped).
Thus are you simply scanning outgoing traffic???

What are you scanning, looking for bad IPs? suspicious packet traffic ???
I'm a bit bamboozled by what is actually going on here?

Thanks in advance for answering such basic questions..........
With such info, I will know whether or not for a homeowner the investment in resources is worth it. ;-)
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Mar 03, 2019 10:31 pm

Great explanation Tom, it sounds a bit of what layer7 firewall does on the Mikrotik, looking for a pattern of packets etc..........
I have read that using layer7 rules really loads the MT CPU, so what you in effect are doing is offloading such work, using the MT at the very front end and to implement the outcome (filter rules) (bad IPs). I imagine the time lag to sniff a packet and have the MT put up a rule or add IPs to an existing rule is very short?

Don't laugh, but if I have my basic rules set up:
establish related
drop invalid
(my specific allow rules)
drop all else.

Q1. Do I really need all this IDS IDP, synflood, tarpit, blacklists etc etc etc........
In other words, I don't expect anybody to gain access to my router or on my devices based on unsolicited incoming traffic (inbound as you state).

However, what I don't have control over is folks accessing sites or clicking on emails with bad stuff without knowing it.
Thus where I see the router coming into play is stopping bad outbound traffic (because returns from the bad actor will be allowed back in (established related)), and thus one has to nip this before the traffic is allowed out. Thus some layer7 rules are probably a good idea here.
Q2. Does your program or methods address this aspect?

Q3. What is the difference between all the stuff you are managing and my simple technique of:
- adding raw rules to capture all probes on common ports (that I don't use, so prerouting capture has no negative effects).
- adding filter rules to capture all probes on common ports I do use, but in order so after they have met my needs (for example DST port - I only port forward with known WAN IPs allowed via source-address-list and to devices on their own VLAN). Then in raw, I drop all those captured IPs. My logic, good or bad, is that I will stop the majority of bad actors for a set time, be it 4 hours or 2 days, and that is just as effective as any other set of blacklists etc.
However, why bother when I already have drop rules on my router (other than stopping repeated attempts or multi port attempts at router).

Any input or clarification or guidance most appreciated as I know very little on this front and always willing to learn.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Mar 04, 2019 5:23 am

Yes, time lag is very short. Less than 2 seconds.

Q1. Simple answer, of course, is "that depends". I do have services that I have open to the wild, so in my case I do want to stop someone trying to gain access through those services. If you don't have any services published, and are just a consumer of the internet, then certainly that removes a big reason for doing so. Just be sure that you really don't have any services published...like IOT devices.

Q2. Yes, Suricata can be used to scan outbound traffic looking for potential threats. I do some of this, minimal, but it is supported. Just make sure your filter on the sniffer is passing outbound traffic to Suricata.

Q3. You don't know what you don't know. Before I implemented this I ran suricata against my traffic to see what was happening. Like I said, in Indonesia I was seeing hundreds of hits an hour. On my server that is in the US, I was seeing maybe a dozen soft hits in a day, that the Mikrotik could handle with the basic firewall rules.
Great explanation Tom, it sounds a bit of what layer7 firewall does on the Mikrotik, looking for a pattern of packets etc..........
I have read that using layer7 rules really loads the MT CPU, so what you in effect are doing is offloading such work, using the MT at the very front end and to implement the outcome (filter rules) (bad IPs). I imagine the time lag to sniff a packet and have the MT put up a rule or add IPs to an existing rule is very short?

Don't laugh, but if I have my basic rules set up:
establish related
drop invalid
(my specific allow rules)
drop all else.

Q1. Do I really need all this IDS IDP, synflood, tarpit, blacklists etc etc etc........
In other words, I don't expect anybody to gain access to my router or on my devices based on unsolicited incoming traffic (inbound as you state).

However, what I don't have control over is folks accessing sites or clicking on emails with bad stuff without knowing it.
Thus where I see the router coming into play is stopping bad outbound traffic (because returns from the bad actor will be allowed back in (established related)), and thus one has to nip this before the traffic is allowed out. Thus some layer7 rules are probably a good idea here.
Q2. Does your program or methods address this aspect?

Q3. What is the difference between all the stuff you are managing and my simple technique of:
- adding raw rules to capture all probes on common ports (that I don't use, so prerouting capture has no negative effects).
- adding filter rules to capture all probes on common ports I do use, but in order so after they have met my needs (for example DST port - I only port forward with known WAN IPs allowed via source-address-list and to devices on their own VLAN). Then in raw, I drop all those captured IPs. My logic, good or bad, is that I will stop the majority of bad actors for a set time, be it 4 hours or 2 days, and that is just as effective as any other set of blacklists etc.
However, why bother when I already have drop rules on my router (other than stopping repeated attempts or multi port attempts at router).

Any input or clarification or guidance most appreciated as I know very little on this front and always willing to learn.
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Mar 04, 2019 4:17 pm

Good points.
Yes I have ports open for septic device and solar device with source address list for static company IPs to access.
Having a source address list in my NAT rule renders the port invisible on scans
Yes I have iot devices but they are all on vlans and not on the same vlan and only have access to the internet.

By the way, I was subscribing to MOAB (very decent service for pennies), but since I can write this off for taxes I am using this service at the moment, since I know I am not savvy and the additional security shouldn't hurt..
https://axiomcyber.com/shield/

So the question becomes, is it worth it for me to wander down the suricata (ossec) route??
 
haj
just joined
Posts: 3
Joined: Tue Jun 04, 2019 11:32 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 04, 2019 11:45 am

Hey,

Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata.
We block bad IPs with a couple of ipset sets and iptables rules.

How do Mikrotiks perform when they have to block a list of, say, 200.000 IPs?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jun 05, 2019 2:08 pm

Hey,

Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata.
We block bad IPs with a couple of ipset sets and iptables rules.

How do Mikrotiks perform when they have to block a list of, say, 200.000 IPs?
Hi Haj,

I really can't answer the question about performance. I'd pose that to one of the Mikrotik engineers.

But I would question why you'd be blocking 200,000 IPs? I have looked at my list of frequent offenders and have found that I've been able to consolidate some of the IP addresses into ranges. If you have 200,000 IP addresses then I'd assume that you could identify some pretty significant ranges and block the range rather than individual addresses.

Tom
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 13, 2019 3:05 am

Hi all,
Could someone please point me to a resource that shows me how to set up Suricata from scratch? I have a server running Ubuntu 19.10 and a mikrotik RB751g-2hnd router. The router is the gateway to my home network. It handles PPPoE authentication with my ISP. I already have the firewall configured and have OpenDNS configured too. I want to add some more network layer detection and prevention now.

Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 13, 2019 5:14 am

Hi all,
Could someone please point me to a resource that shows me how to set up Suricata from scratch? I have a server running Ubuntu 19.10 and a mikrotik RB751g-2hnd router. The router is the gateway to my home network. It handles PPPoE authentication with my ISP. I already have the firewall configured and have OpenDNS configured too. I want to add some more network layer detection and prevention now.

Pranav
I guess I would start here https://redmine.openinfosecfoundation.o ... stallation. The Wiki does provide some good basic information on getting all set up. With regard to specific rules configuration, you may have to dig a little more deeply with Google to find examples that match what you want to do.
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Dec 14, 2019 3:57 pm

Hi,
I have suricata setup on my Linux machine. I have enabled the Mikrotik to stream like this.
[pranav1@ConShield] /tool> sniffer
[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: xxx.xxx.x.x
filter-stream: yes
filter-interface: airtel #This is the pppoe interface for my broadband connection
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes

I do not see any activity in suricata. What am I missing?
Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Dec 15, 2019 4:26 am

You have tzsp2pcap running to capture stream and send to suricata? Here are my processes on my suricata host:
snort      656     1  0 Nov18 ?        05:27:05 /usr/local/bin/tzsp2pcap -f
snort      658     1  4 Nov18 ?        1-02:37:00 /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin
snort    24966     1  8 00:01 ?        00:45:40 /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -l /var/log/suricata -d /var/log/suricata -f unified2.alert -w /var/log/suricata/barnyard2.waldo -D
snort    26872     1  0 Nov21 ?        00:06:14 /usr/bin/php -f /usr/local/bin/suricata_block.php
Hi,
I have suricata setup on my Linux machine. I have enabled the Mikrotik to stream like this.
[pranav1@ConShield] /tool> sniffer
[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: xxx.xxx.x.x
filter-stream: yes
filter-interface: airtel #This is the pppoe interface for my broadband connection
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes

I do not see any activity in suricata. What am I missing?
Pranav
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Dec 15, 2019 5:50 pm

Hi,
I am sending the stream from the sniffer tool directly to a Linux box on which I have installed suricata. Do I need an intermediate tool?

Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 3:07 am

Yes, the format from the sniffer stream needs to be converted with tzsp2pcap.
Hi,
I am sending the stream from the sniffer tool directly to a Linux box on which I have installed suricata. Do I need an intermediate tool?

Pranav
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 11:49 am

Hi Tom,
Thanks for confirming the use of tzsp2pcap. Is there any documentation on how to get it going? I have cloned its source and see the makefile, but I suspect I need to install headers etc. to build the program.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 1:09 pm

Hi Tom,
Thanks for confirming the use of tzsp2pcap. Is there any documentation on how to get it going? I have cloned its source and see the makefile, but I suspect I need to install headers etc. to build the program.
Check this blog entry for instructions on compiling: https://bløgg.no/2015/03/ids-with-mikrotik-and-snort/. It's pretty straightforward once you have build-essential installed and the required library. build-essential pulls everything needed for your platform.
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 6:29 pm

Hi Tom,
https://bløgg.no/2015/03/ids-with-mikrotik-and-snort/ did the trick in terms of getting packets. I believe my streaming is working but now, do I use snort and then send to suricata? Sorry, I remain puzzled about the pipeline here. I plan to implement the IPS functionality but will use IDS and tune it first.

What I have done so far is to have the tzsp2pcap utility log packets to a directory and have suricata read the packets from that directory.
sudo tzsp2pcap -o "/home/pranav/pcap/file_%s.pcap" -G 10
I have then run suricata like this.
sudo suricata -c /etc/suricata/suricata.yaml -r /home/pranav/pcap --pcap-file-continuous --pcap-file-delete

I am ok with the writing to disk but am open to other ways of doing this. How do I test this installation? The ideal way would be for me to run an exploit but I do not have that capability. I did try a port scan but did not see any alerts. I may not have suricata configured correctly so am happy to ask in the appropriate forum.
Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Dec 17, 2019 5:09 am

I believe that will work going through a file...here is how I start my instance of suricata:

nohup /usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin &

So pipe the output of tzsp2pcap into suricata through stdin.

If you ran a port scan, and those ports are open at the mikrotik, you should see suricata fire a rule. Maybe open up one or more of the ports during the time you are running the port scan?
 
slimprize
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Dec 17, 2019 5:28 pm

Hi Tom,
Many thanks. I tried reading the output of tzsp2pcap from the command line and suricata launched without a problem. How have you defined your network? I went to /interface on my mikrotik, and specified the different address ranges I have. Something like
192.168.88.0/24, 192.168.3.0/24

I ask because I have tried port scanning and no alert has been triggered. Moreover, the stats.log file is also empty so something is not working.
Pranav
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Dec 18, 2019 2:27 am

Your sniffer streaming from the mikrotik is set up and you are seeing data? Your streaming server is your suricata host? The interface is the port connected to your ISP?

/tool sniffer set filter-interface=ether1 filter-ip-address=!1.2.3.4/32 filter-stream=yes streaming-enabled=yes streaming-server=192.168.3.1
 
slimprize
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Dec 18, 2019 4:41 pm

Hi Tom,
Your sniffer streaming from the mikrotik is set up and you are seeing data?
PL] Yes.
Your streaming server is your suricata host?
PL] Yes.
The interface is the port connected to your ISP?
PL] Ahem, I have a pppoe connection so that is the interface I have defined for sniffing. Should I define the physical port instead?

[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: 192.168.3.2
filter-stream: yes
filter-interface: airtel
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes
[pranav1@ConShield] /tool sniffer>
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Dec 19, 2019 2:13 am

OK, just wanted to make sure you are getting data. Which version of suricata are you running?
 
slimprize
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Dec 19, 2019 7:35 pm

Hi Tom,
I suspect the problem was that I was using the pppoe interface. https://groups.google.com/forum/#!topic ... UUNgIGqsv4
gave me a clue.
I have run the test script mentioned at the above URL and am getting alerts ever since I set the sniffer interface to ether1 on the Mikrotik.

Many thanks for your help.
Pranav
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 20, 2019 3:24 am

Glad you got it working Pranav!
 
G00dm4n
newbie
Posts: 35
Joined: Sat Oct 20, 2018 1:07 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Jun 14, 2020 3:17 am

Hi guys,

I found some info here on using Suricata IDS/IPS with Mikrotik.
I also found that there's a good build from Stamus Networks which is good and stable - SELKS.
Can someone post a more straightforward and updated manual for using Mikrotik together with SELKS5 or SELKS6 RC1?
I prefer we go straight to the latest - SELKS6 Release Candidate 1. All is the same as SELKS5, just some names and locations of the scripts can be different.
(Later we can do an extended manual on how to build a proper and efficient Suricata installation for users who prefer not to use the SELKS ISO.)
Since the Sniffer tool in Mikrotik is pretty straightforward to set up we can just skip this... but here it is:
tool sniffer
set file-limit=0KiB filter-interface=<THE_INTERFACE_WHICH_TRAFFIC_YOU_WILL_SEND> memory-limit=0KiB streaming-enabled=yes streaming-server=<IP_OF_YOUR_SELKS_SERVER>

The SELKS part, on the other side, is a bit more foggy to set up.
The installation is straightforward, but nobody cares to explain a good way and method to use it together with Mikrotik.
So why don't we make one?

What I have got straight until now is:
1. Install SELKS on VM/x86/Raspberry Pi B
Suggested minimum configuration is a 2 core CPU, 8GB RAM and at least 50GB disk space.
2. Do the initial SELKS setup with the scripts
2.1. First time run: selks-first-time-setup_stamus
2.2. Upgrade: selks-upgrade_stamus
3. Check and modify the configs to your needs according to the page below
https://github.com/StamusNetworks/SELKS ... time-setup
4. Install the converter from TZSP to PCAP so Suricata understands the stream from Mikrotik
4.1. Using trafr (just consider this was written in 2004 and is 32-bit)
dpkg --add-architecture i386
cd /usr/local/sbin
wget http://www.mikrotik.com/download/trafr.tgz
tar -xf /usr/local/sbin/trafr.tgz
chmod u+x trafr
chown root.root trafr

4.2. Using tzsp2pcap
apt-get install build-essential libpcap0.8-dev
cd /usr/local/sbin
git clone https://github.com/thefloweringash/tzsp2pcap
cd /usr/local/sbin/tzsp2pcap
cc -std=gnu99 -o tzsp2pcap -Wall -Wextra -pedantic -O2 tzsp2pcap.c -lpcap
mv tzsp2pcap /usr/local/sbin/

5. Start capturing the data
5.1. Using trafr
/usr/local/sbin/trafr -s | suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
5.2. Using tzsp2pcap
nohup /usr/local/sbin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin &

Here I come to the point where I have to put this command in a bash script which is supposed to run on startup. (will update it)

From here onward I don't get a clear picture of what to do and how to do it.
By this I mean:
-in which mode to set Suricata initially,
-where to create the files for the rules that are to be sent to the Mikrotik router,
-what to do so capturing starts properly after reboot,
-does SELKS6 indeed need the data stream conversion,


I know there are some posts here by TomFisk but they are not very clear and have plenty of "jump here and there".
Also please put your comments and suggestions on how we can do this better and more agile.
My idea is to avoid using any cumbersome hardware and keep good performance.
If we can go down to something like a NUC or ALIX PC or even a Raspberry Pi - the smaller, the better.
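As an added example (not tzsp2pcap's or trafr's code, and not from any post in this thread), here is a small Python decoder for the TZSP datagrams the Mikrotik sniffer streams to streaming-server (UDP/37008), writing the encapsulated Ethernet frames as a pcap that Suricata can read with -r. The TZSP layout (version 1, type byte, 16-bit encapsulation, tagged fields terminated by END = 0x01) and the pcap header layout are the formats' own; the sample datagram, MAC addresses and IPs are constructed, and stream_to_pcap is a hypothetical helper name. It rejects non-Ethernet encapsulations and truncated tag lists instead of silently emitting frames Suricata cannot decode.

```python
#!/usr/bin/env python3
"""Decode TZSP datagrams (what the Mikrotik sniffer streams, UDP/37008)
and write the encapsulated Ethernet frames as pcap. Added example; the
sample datagram below is constructed, not captured from a router."""
import socket
import struct
import time

TZSP_VERSION = 1
TZSP_ENCAP_ETHERNET = 1        # encapsulation value for Ethernet frames
TZSP_TAG_PADDING = 0x00        # one-byte tags that carry no length field
TZSP_TAG_END = 0x01
TZSP_TAG_PACKET_COUNT = 0x28   # 4-byte packet counter tag

def parse_tzsp(datagram: bytes):
    """Split one TZSP datagram into (type, {tag: value}, Ethernet frame).
    Raises ValueError on malformed input or a non-Ethernet encapsulation."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    if encap != TZSP_ENCAP_ETHERNET:
        raise ValueError(f"unsupported encapsulation {encap:#06x}, expected Ethernet")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated with END")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag length byte missing")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("tag value runs past end of datagram")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    frame = datagram[pos:]
    if len(frame) < 14:
        raise ValueError("encapsulated frame shorter than an Ethernet header")
    return ptype, tags, frame

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
DLT_EN10MB = 1                 # link type: Ethernet

def pcap_global_header(snaplen: int = 65535) -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_EN10MB)

def pcap_record(frame: bytes, ts: float = 0.0) -> bytes:
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def tzsp_to_pcap(datagrams, ts: float = 0.0) -> bytes:
    """Convert a sequence of TZSP datagrams into a complete pcap byte string."""
    out = [pcap_global_header()]
    for d in datagrams:
        _, _, frame = parse_tzsp(d)
        out.append(pcap_record(frame, ts))
    return b"".join(out)

# Constructed sample: header (version 1, type 0, Ethernet), a padding tag, a
# packet-count tag with value 7, END, then a 42-byte ARP request from
# 192.168.88.10 (made-up MAC 02:00:00:00:00:01) asking for 192.168.88.1.
SAMPLE_TZSP_HEADER = bytes([1, 0, 0, 1]) + bytes(
    [TZSP_TAG_PADDING, TZSP_TAG_PACKET_COUNT, 4, 0, 0, 0, 7, TZSP_TAG_END])
SAMPLE_ARP_FRAME = (
    b"\xff\xff\xff\xff\xff\xff" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06"  # Ethernet
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                              # ARP request
    + b"\x02\x00\x00\x00\x00\x01" + bytes([192, 168, 88, 10])
    + b"\x00" * 6 + bytes([192, 168, 88, 1])
)
SAMPLE_DATAGRAM = SAMPLE_TZSP_HEADER + SAMPLE_ARP_FRAME

def stream_to_pcap(path: str, port: int = 37008, max_packets: int = 100) -> int:
    """Hypothetical receiver: listen for TZSP from the router on UDP `port`,
    write `max_packets` frames to `path`, skip malformed datagrams. Returns
    the number of frames written."""
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path, "wb") as f:
        sock.bind(("", port))
        f.write(pcap_global_header())
        while written < max_packets:
            data, _ = sock.recvfrom(65535)
            try:
                _, _, frame = parse_tzsp(data)
            except ValueError as err:
                print(f"skipping datagram: {err}")
                continue
            f.write(pcap_record(frame, time.time()))
            written += 1
    return written

if __name__ == "__main__":
    ptype, tags, frame = parse_tzsp(SAMPLE_DATAGRAM)
    print(f"type={ptype} tags={tags} ethertype=0x{frame[12:14].hex()} len={len(frame)}")
```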
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Jun 14, 2020 4:26 am

Hi,

So what problem are you trying to solve? SELKS is an IDS/IPS reporting/visualization and management platform that uses Suricata to implement network firewall rules. There is nothing inherent in Suricata to implement the firewall rules through a Mikrotik device. SELKS doesn't change that. That is why I developed the method described in this post.

Tom
 
G00dm4n
newbie
Posts: 35
Joined: Sat Oct 20, 2018 1:07 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Jun 14, 2020 12:01 pm

Hi TomFisk,

I see your point.
Maybe you can help me to make a step-by-step list of what and how to use your method with SELKS.
As you pointed out, the additional components in SELKS really add a lot of load.
I am also interested in using a minimum install - just Suricata + the necessary interfaces, so this can be implemented on a low power PC such as a Raspberry Pi or NUC.
Can you help me with this?
The issue is that in the thread here you guys jump directly to solving practical issues. Even though I know pretty well how an IDS works, I miss your points on why some things are done.
Also I would appreciate knowing the exact minimal install configuration, where to put some of the files and so on.
Sorry if I look a bit crazy with my demands. But we really need a more straightforward method.
I have some resources and at the moment I have time to help with testing.
So why don't we try?
Maybe not only Suricata/SELKS... we can try anything useful.
I just need some guidance as I am not getting why and what to do with this Python/PHP ...
 
tomfisk
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 16, 2020 12:12 pm

There is someone who used this work as the basis of a github project, https://github.com/elmaxid/ips-mikrotik-suricata
 
zbe
just joined
Posts: 1
Joined: Wed Oct 16, 2019 10:13 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 16, 2020 7:58 pm

As a part of my python-learning process I tried to make something similar to your fast2mikrotik but in python. All you need is python-librouteros, python-pyinotify and python-ujson.
It's reading from separate eve-log named alerts.json instead of fast.log. So you need to add that in suricata.yaml. It's also checking for router's uptime and adds whole file in case router has been up for less than 10 minutes. I'm just testing this on raspberry pi where I'm port-mirroring.
Anyway, there's probably some stupid code in here, so if anyone needs it - take it for what it's worth. :P

Edit: Need to add some kind of checking if api connection is already open or else it keeps opening new ones. (added api.close() for now)
#!/usr/bin/env python3

#
# Script for adding alerts from Suricata to Mikrotik routers. 
#
# In suricata.yaml add another eve-log:  
#  - eve-log:
#      enabled: yes
#      filetype: regular
#      filename: alerts.json
#      types:
#        - alert
#

import ssl
import librouteros
from librouteros import connect
from librouteros.query import Key
import ujson
import pyinotify
import re
from time import sleep
from datetime import datetime as dt, timedelta as td, timezone as tz
import os

# Edit these settings:
USERNAME = "suricata"
PASSWORD = "suricata123"
ROUTER_IP = "192.168.88.1"
TIMEOUT = "1d"
PORT = 8729  # api-ssl port
FILEPATH = os.path.abspath("/var/log/suricata/alerts.json")
ROUTER_LIST_NAME = "Suricata"
WAN_IP = "n/a"  # You can add your WAN IP if you are port-mirroring, so it doesn't get mistakenly added. (don't leave empty string)
LOCAL_IP_PREFIX = "192.168."
WHITELIST_IPS = (WAN_IP, LOCAL_IP_PREFIX, "127.0.0.1")
COMMENT_TIME_FORMAT = "%-d %b %Y %H:%M:%S.%f"  # Check datetime strftime formats

# Add all alerts from alerts.json on start?
# Setting this to True will start reading alerts.json from beginning
# and will add whole file to firewall when pyinotify is triggered.
# Just for testing purposes, i.e. not good for systemd service.
ADD_ON_START = False


class EventHandler(pyinotify.ProcessEvent):
    def process_IN_MODIFY(self, event):
        add_to_tik(read_json(FILEPATH))
        check_truncated(FILEPATH)

def check_truncated(fpath):  # Check if logrotate truncated file. (Use 'copytruncate' option for this to work I guess.)
    global last_pos
    
    if last_pos > os.path.getsize(fpath):
        last_pos = 0
    
def seek_to_end(fpath):
    global last_pos
    
    if not ADD_ON_START:
        while True:
            try:
                last_pos = os.path.getsize(fpath)
                return

            except(FileNotFoundError):
                print(f"File: {fpath} not found. Re-trying in 10 seconds..")
                sleep(10)
                continue

def read_json(fpath):
    global last_pos
    
    while True:
        try:
            with open(fpath, "r") as f:
                f.seek(last_pos)
                alerts = [ujson.loads(line) for line in f.readlines()]
                last_pos = f.tell()
                return alerts

        except(FileNotFoundError):
            print(f"File: {fpath} not found. Re-trying in 10 seconds..")
            sleep(10)
            continue
        
def add_to_tik(alerts):
    global last_pos
    global time
    
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    # ADH = anonymous Diffie-Hellman: the session is encrypted but the router is
    # NOT authenticated (no certificate is checked), so an on-path host could pose
    # as the router. Prefer a certificate on api-ssl and a verifying context.
    ctx.set_ciphers('ADH:@SECLEVEL=0')
    
    _address = Key("address")
    _id = Key(".id")
    _list = Key("list")
    
    while True:
        try:
            api = connect(username=USERNAME, password=PASSWORD, host=ROUTER_IP, ssl_wrapper=ctx.wrap_socket, port=PORT)
            break
        
        except librouteros.exceptions.TrapError as e:
            if "invalid user name or password" in str(e):
                print("Invalid username or password.")
            else:
                raise
                
        except ConnectionRefusedError:
            print("Connection refused. (api-ssl disabled in router?)")
        
        except OSError as e:
            if "[Errno 113] No route to host" in str(e):
                print("No route to host. Re-trying in 10 seconds..")
                sleep(10)
                continue
            else:
                raise

    address_list = api.path("/ip/firewall/address-list")
    resources = api.path("system/resource")

    for event in { item['src_ip'] : item for item in alerts }.values():  # Remove duplicate src_ips.
        timestamp = dt.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").strftime(COMMENT_TIME_FORMAT)
        
        if event["src_ip"].startswith(WHITELIST_IPS):  # If you are source ip, then add destination ip.
            if event["dest_ip"].startswith(WHITELIST_IPS):  
                continue  # Skip adding anything if both source and destination ips are from WHITELIST_IPS. (just in case)
            
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):  # If such entry already exists, delete it and re-add.
                    for row in address_list.select(_id, _list, _address).where(_address == event["dest_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                
                    address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
            
        else:  # Add source ip.
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):
                    for row in address_list.select(_id, _list, _address).where(_address == event["src_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                        
                    address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
    # If router has been rebooted in past 10 minutes, add whole file, then wait for 10 minutes. (so rules don't get constantly re-added for 10 minutes)
    if check_tik_uptime(resources) and (dt.now(tz.utc) - time) / td(minutes=1) > 10:
        time = dt.now(tz.utc)
        last_pos = 0
        add_to_tik(read_json(FILEPATH))

    api.close()
        
def check_tik_uptime(resources):  # Check if router has been up for less than 10 minutes
    for row in resources:
        uptime = row["uptime"]
   
    if any(letter in uptime for letter in "wdh"):  # If "w", "d" or "h" is in uptime then router is obviously up for more than 10 minutes.
        return False
    
    if "m" in uptime:
        minutes = int(re.search(r"(\A|\D)(\d*)m", uptime).group(2))  # Find numbers in front of "m". (raw string: \A, \D, \d are regex escapes, not Python string escapes)
    else:
        minutes = 0
        
    if minutes >= 10:
        return False
    
    return True

if __name__ == "__main__":
    time = dt.now(tz.utc) - td(minutes=10)  # Set time to 10 minutes before now, so "(dt.now(tz.utc) - time) / td(minutes=1) > 10" is True the first time around.
    last_pos = 0
    seek_to_end(FILEPATH)

    wm = pyinotify.WatchManager()
    handler = EventHandler()
    notifier = pyinotify.Notifier(wm, handler)
    wm.add_watch(FILEPATH, pyinotify.IN_MODIFY)
    notifier.loop()
Edit 2: Ok I changed it a bit so it doesn't pollute log with 'logged in' 'logged out' - it stays connected. Hope this is last edit. :p
#!/usr/bin/env python3

#
# Script for adding alerts from Suricata to Mikrotik routers. 
#
# In suricata.yaml add another eve-log:  
#  - eve-log:
#      enabled: yes
#      filetype: regular
#      filename: alerts.json
#      types:
#        - alert
#

import ssl
import librouteros
from librouteros import connect
from librouteros.query import Key
import ujson
import pyinotify
import re
from time import sleep
from datetime import datetime as dt, timedelta as td, timezone as tz
import os

# Edit these settings:
USERNAME = "suricata"
PASSWORD = "suricata123"
ROUTER_IP = "192.168.88.1"
TIMEOUT = "1d"
PORT = 8729  # api-ssl port
FILEPATH = os.path.abspath("/var/log/suricata/alerts.json")
ROUTER_LIST_NAME = "Suricata"
WAN_IP = "n/a"  # You can add your WAN IP if you are port-mirroring, so it doesn't get mistakenly added. (don't leave empty string)
LOCAL_IP_PREFIX = "192.168."
WHITELIST_IPS = (WAN_IP, LOCAL_IP_PREFIX, "127.0.0.1")  # You can expand this list 
COMMENT_TIME_FORMAT = "%-d %b %Y %H:%M:%S.%f"  # Check datetime strftime formats

# Add all alerts from alerts.json on start?
# Setting this to True will start reading alerts.json from beginning
# and will add whole file to firewall when pyinotify is triggered.
# Just for testing purposes, i.e. not good for systemd service.
ADD_ON_START = False

class EventHandler(pyinotify.ProcessEvent):
    def process_IN_MODIFY(self, event):
        try:
            add_to_tik(read_json(FILEPATH))            
        except ConnectionError:
            connect_to_tik()
            
        check_truncated(FILEPATH)

def check_truncated(fpath):  # Check if logrotate truncated file. (Use 'copytruncate' option for this to work I guess.)
    global last_pos
    
    if last_pos > os.path.getsize(fpath):
        last_pos = 0
    
def seek_to_end(fpath):
    global last_pos
    
    if not ADD_ON_START:
        while True:
            try:
                last_pos = os.path.getsize(fpath)
                return

            except(FileNotFoundError):
                print(f"File: {fpath} not found. Re-trying in 10 seconds..")
                sleep(10)
                continue

def read_json(fpath):
    global last_pos
    
    while True:
        try:
            with open(fpath, "r") as f:
                f.seek(last_pos)
                alerts = [ujson.loads(line) for line in f.readlines()]
                last_pos = f.tell()
                return alerts

        except(FileNotFoundError):
            print(f"File: {fpath} not found. Re-trying in 10 seconds..")
            sleep(10)
            continue
        
def add_to_tik(alerts):
    global last_pos
    global time
    global api
    
    _address = Key("address")
    _id = Key(".id")
    _list = Key("list")
 
    address_list = api.path("/ip/firewall/address-list")
    resources = api.path("system/resource")

    for event in { item['src_ip'] : item for item in alerts }.values():  # Remove duplicate src_ips.
        timestamp = dt.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").strftime(COMMENT_TIME_FORMAT)
        
        if event["src_ip"].startswith(WHITELIST_IPS):  # If you are source ip, then add destination ip.
            if event["dest_ip"].startswith(WHITELIST_IPS):  
                continue  # Skip adding anything if both source and destination ips are from WHITELIST_IPS. (just in case)
            
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):  # If such entry already exists, delete it and re-add.
                    for row in address_list.select(_id, _list, _address).where(_address == event["dest_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                
                    address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
            
        else:  # Add source ip.
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):
                    for row in address_list.select(_id, _list, _address).where(_address == event["src_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                        
                    address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
    # If router has been rebooted in past 10 minutes, add whole file, then wait for 10 minutes. (so rules don't get constantly re-added for 10 minutes)
    if check_tik_uptime(resources) and (dt.now(tz.utc) - time) / td(minutes=1) > 10:
        time = dt.now(tz.utc)
        last_pos = 0
        add_to_tik(read_json(FILEPATH))


def check_tik_uptime(resources):  # Check if router has been up for less than 10 minutes
    for row in resources:
        uptime = row["uptime"]
   
    if any(letter in uptime for letter in "wdh"):  # If "w", "d" or "h" is in uptime then router is obviously up for more than 10 minutes.
        return False
    
    if "m" in uptime:
        minutes = int(re.search(r"(\A|\D)(\d*)m", uptime).group(2))  # Find numbers in front of "m". (raw string: \A, \D, \d are regex escapes, not Python string escapes)
    else:
        minutes = 0
        
    if minutes >= 10:
        return False
    
    return True

def connect_to_tik():
    global api
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    # ADH = anonymous Diffie-Hellman: the session is encrypted but the router is
    # NOT authenticated (no certificate is checked), so an on-path host could pose
    # as the router. Prefer a certificate on api-ssl and a verifying context.
    ctx.set_ciphers('ADH:@SECLEVEL=0')

    while True:
        try:
            api = connect(username=USERNAME, password=PASSWORD, host=ROUTER_IP, ssl_wrapper=ctx.wrap_socket, port=PORT)
            break
        
        except librouteros.exceptions.TrapError as e:
            if "invalid user name or password" in str(e):
                print("Invalid username or password.")
            else:
                raise
                
        except ConnectionRefusedError:
            print("Connection refused. (api-ssl disabled in router?)")
        
        except OSError as e:
            if "[Errno 113] No route to host" in str(e):
                print("No route to host. Re-trying in 10 seconds..")
                sleep(10)
                continue
            else:
                raise

if __name__ == "__main__":
    time = dt.now(tz.utc) - td(minutes=10)  # Set time to 10 minutes before now, so "(dt.now(tz.utc) - time) / td(minutes=1) > 10" is True the first time around.
    last_pos = 0
    seek_to_end(FILEPATH)    
    connect_to_tik()

    wm = pyinotify.WatchManager()
    handler = EventHandler()
    notifier = pyinotify.Notifier(wm, handler)
    wm.add_watch(FILEPATH, pyinotify.IN_MODIFY)
    notifier.loop()

Edit 3.1: Here is github link: https://github.com/zzbe/mikrocata Fixed/edited few things. Added option to add other lists you might have after reboot, added ignore.conf for ignoring rules.
Last edited by zbe on Wed Aug 05, 2020 6:37 am, edited 5 times in total.
 
G00dm4n
newbie
Posts: 35
Joined: Sat Oct 20, 2018 1:07 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Jun 20, 2020 3:30 am

Thanks,

I will do some testing when I have time.
In these funny times I have been summoned to join my team.
After hearing that we would probably start in September or so, I was asked to join in a few days.
Have to put on hold some of my projects for a while.
Will reply ASAP.
 
MTv
just joined
Posts: 9
Joined: Tue Oct 20, 2020 9:39 am
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Oct 24, 2020 10:19 pm

Thanks zbe for your script. I wrote a short guide for setting up Suricata in conjunction with ROS+Mikrocata on Debian Buster.
 
pitterbrayn
just joined
Posts: 2
Joined: Tue Jan 12, 2021 3:24 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 12, 2021 3:27 pm

Sorry for being lazy. But does anyone have a pre-configured image which supports installing it and changing minor configuration like IP address, username and password?
 
pingpong1428
just joined
Posts: 4
Joined: Tue May 04, 2021 11:00 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 11, 2021 5:59 pm

Hello, I'm using the instructions from Tom's script fast2 and it works nicely; I can write to the MikroTik address list perfectly.
I'm using the packet sniffer as instructed, but when I try to trigger some alerts from other computers on the network, nothing happens.
Only the test I made from the server works.

I don't know if I'm making a mistake with the sniffer or what.

Any help would be appreciated.

Regards
 
pingpong1428
just joined
Posts: 4
Joined: Tue May 04, 2021 11:00 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 11, 2021 10:04 pm

OK, after reading more I used this: https://robert.penz.name/849/howto-setu ... ta-as-ids/

and finally was able to install trafr.

Now if I run trafr -s | tcpdump -r - -n

I see lots of info coming from the MikroTik packet sniffer,

but when I try to run

trafr -s | suricata -c /etc/suricata/suricata.yaml -r -

I receive

root@suricata1:~# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
11/5/2021 -- 16:03:42 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - ERROR: Pcap file does not exist


Any help, thanks.
 
foresthus
just joined
Posts: 4
Joined: Mon Apr 12, 2021 12:02 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Jul 16, 2021 2:38 pm

Are there any admins who can share current documentation for this issue? It would be nice if it were in English.

Thanks
 
MTv
just joined
Posts: 9
Joined: Tue Oct 20, 2020 9:39 am
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 04, 2021 2:56 pm

Made a simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an IP address to the MikroTik address lists for a specified time for subsequent blocking.
#!/usr/bin/env bash

# Bashcata variables;
router=""                        # MikroTik IP;
login=""                         # user for connecting to the MikroTik;
privatekey="/root/.ssh/mik_rsa"  # private key for ssh;
fw_list="idps_alert"             # name of the firewall address list;
fw_timeout="7"                   # days to ban an IP;

# - #
script_dir="$(dirname "$(readlink -f "$0")")"
alerts_file="/var/log/suricata/alerts.json"
pid_suricata="$(pidof suricata)"
white_list="${script_dir}/white.list"
mark_ip="${script_dir}/mark.ip"
# - #

# Check files; white.list holds one src_ip or signature_id per line;
if [ ! -e "${white_list}" ]; then echo -e "# src_ip\n\n# signature_id" > "${white_list}" ; fi
if [ ! -e "${mark_ip}" ]; then touch "${mark_ip}" ; fi

# Logger utility function (drops its own log once it passes 100k);
function logger() {
    find "${script_dir}"/ -maxdepth 1 -name "*.log" -size +100k -exec rm -f {} \;
    echo -e "[$(date "+%d.%m.%Y / %H:%M:%S")]: $1" >> "${script_dir}"/"bash_cata.log"
}

# White list: whole-line, fixed-string match (-x -F), so 10.0.0.1 does not also match 10.0.0.10
# and a dot in the IP is not treated as a regex wildcard;
check_list () {
    wl="false"
    if grep -q -x -F -e "${src_ip}" -e "${signature_id}" "${white_list}"; then wl="true" ; fi
}

# Mark IP: drop entries older than fw_timeout days, then record IPs not seen before;
# mark.ip lines look like "ip, timestamp", so awk's $1 is "ip,";
check_ip () {
    new_ip="false"
    check_timestamp="$(awk -v t="$(date -d "-${fw_timeout} day" +%Y-%m-%dT%H:%M:%S)" '$2<t {print $1}' "${mark_ip}")"
    for ct in $check_timestamp ; do
        sed -i "/^${ct}/d" "${mark_ip}"
    done
    if ! grep -q -F -- "${src_ip}," "${mark_ip}"; then new_ip="true" ; echo "${src_ip}, ${timestamp::-12}" >> "${mark_ip}" ; fi
}

# Ban IP: add src_ip to the address list on the router over ssh with a timeout;
mik_ban_ip () {
    if [ "$new_ip" = "true" ]; then
        comment_mbi=":: $dest_ip:$dest_port/$proto :: [$signature_id] :: $signature :: $category ::"
        comment_mbi="${comment_mbi//\"/\'}"   # the comment is double-quoted in the RouterOS command; a quote in the signature text would break it;
        cmd_mbi='/ip firewall address-list add list="'${fw_list}'" address="'${src_ip}'" timeout="'${fw_timeout}d'" comment="'$comment_mbi'"'
        if ! else_error_mbi="$(ssh -n -o ConnectTimeout=3 "${login}"@"${router}" -i "${privatekey}" "${cmd_mbi}" 2>&1)"; then
            logger "[!] [@mik_ban_ip] - [:: $src_ip :: $dest_ip:$dest_port/$proto :: $signature_id ::] - Error - ${else_error_mbi}."
            sed -i "/^${src_ip},/d" "${mark_ip}"   # forget the IP so the ban is retried on the next alert;
        fi
    fi
}

# Tail conveyor: follow the eve alert log for as long as Suricata is running;
tail -q -f "${alerts_file}" --pid="$pid_suricata" -n 500 | while read -r LINE; do

    # Parse the JSON record with jq. Only alert events are acted on (flow/dns/stats records
    # also carry src_ip and must not trigger a ban), fields are tab-separated so a comma inside
    # the signature text cannot shift the columns, and null fields (dest_port for ICMP) become "null";
    alert="$(printf '%s\n' "${LINE}" | jq -r 'select(.event_type=="alert") | [.timestamp, .src_ip, .dest_ip, .dest_port, .proto, .alert.signature_id, .alert.signature, .alert.category] | map(tostring) | @tsv')"
    [ -z "${alert}" ] && continue

    IFS=$'\t' read -r timestamp src_ip dest_ip dest_port proto signature_id signature category <<< "$alert"
    check_list ; if [ "$wl" = "true" ] ; then continue ; fi
    check_ip
    mik_ban_ip

done
https://github.com/isMTv/bash_cata
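Both scripts in this thread, zbe's mikrocata (eve.json via inotify, then the RouterOS API) and MTv's bash_cata (tail -f | jq, then ssh), implement the same decision: take an eve.json alert, skip whitelisted signatures and protected addresses, skip sources already banned, and build one address-list entry. The block below is an added example, not code from either project, that isolates that logic so it can be run and checked offline on constructed eve.json lines. The class and function names, the default list name/timeout (taken from bash_cata's defaults), the assumed LAN 192.168.88.0/24 and the local-rule sid 9000001 are all my choices; the returned entry is what a caller would hand to the router, for example with librouteros `api.path('/ip/firewall/address-list').add(**entry)` or by formatting the CLI command for ssh.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed eve.json records for this example (documentation address ranges,
# not real traffic). The 192.168.88.20 record assumes 192.168.88.0/24 is the LAN
# behind the router, which must never be banned; sid 9000001 is a made-up local rule.
SAMPLE_EVE = [
    '{"timestamp":"2021-08-04T14:56:01.123456+0300","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}',
    '{"timestamp":"2021-08-04T14:56:02.000000+0300","event_type":"flow","src_ip":"203.0.113.8","dest_ip":"192.0.2.10","proto":"TCP"}',
    '{"timestamp":"2021-08-04T14:56:03.000000+0300","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}',
    '{"timestamp":"2021-08-04T14:56:04.000000+0300","event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","dest_port":null,"proto":"ICMP","alert":{"signature_id":2100366,"signature":"GPL ICMP_INFO PING *NIX","category":"Misc activity"}}',
    '{"timestamp":"2021-08-04T14:56:05.000000+0300","event_type":"alert","src_ip":"203.0.113.99","dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LOCAL TEST \\"admin\\" share access","category":"Potential Corporate Privacy Violation"}}',
    '{"timestamp":"2021-08-04T14:56:06.000000+0300","event_type":"alert","src_ip":"192.168.88.20","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}',
    'this line is not json',
]


def parse_ts(ts):
    """Parse Suricata's eve timestamp, e.g. 2021-08-04T14:56:01.123456+0300."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_eve_line(line):
    """Return the fields the ban pipeline needs, or None for non-alert or
    malformed records. flow/dns/stats records carry src_ip too, so filtering
    on event_type is what stops the script banning on every flow."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("event_type") != "alert":
        return None
    a = ev.get("alert", {})
    return {
        "timestamp": ev["timestamp"],
        "src_ip": ev["src_ip"],
        "dest_ip": ev["dest_ip"],
        "dest_port": ev.get("dest_port"),   # null / absent for ICMP
        "proto": ev["proto"],
        "sid": a.get("signature_id"),
        "signature": a.get("signature", ""),
        "category": a.get("category", ""),
    }


class AddressListBanner:
    """Decides which alerts become /ip/firewall/address-list entries.
    ignore_sids plays the role of mikrocata's ignore.conf / bash_cata's
    white.list; ignore_nets keeps LAN hosts off the ban list; banned mirrors
    bash_cata's mark.ip so one source is sent to the router only once per timeout."""

    def __init__(self, list_name="idps_alert", timeout_days=7,
                 ignore_sids=(), ignore_nets=("192.168.88.0/24",)):
        self.list_name = list_name
        self.timeout_days = timeout_days
        self.ignore_sids = set(ignore_sids)
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.banned = {}   # src_ip -> expiry datetime

    def _expire(self, now):
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]

    def decide(self, alert, now=None):
        """Return the address-list entry to add for this alert, or None.
        `now` defaults to the alert's own timestamp so a log can be replayed."""
        now = now or parse_ts(alert["timestamp"])
        self._expire(now)
        src = ipaddress.ip_address(alert["src_ip"])
        if alert["sid"] in self.ignore_sids:
            return None
        if any(src in net for net in self.ignore_nets):
            return None
        if alert["src_ip"] in self.banned:
            # Already on the list; RouterOS refuses a second add of the same
            # address with "already have such entry", so do not send it again.
            return None
        self.banned[alert["src_ip"]] = now + timedelta(days=self.timeout_days)
        dport = "-" if alert["dest_port"] is None else alert["dest_port"]
        comment = (f":: {alert['dest_ip']}:{dport}/{alert['proto']} :: "
                   f"[{alert['sid']}] :: {alert['signature']} :: {alert['category']} ::")
        # In the CLI form of the command the comment sits inside double quotes;
        # a quote in the signature text would break (or alter) the command.
        comment = comment.replace('"', "'")
        return {"list": self.list_name, "address": alert["src_ip"],
                "timeout": f"{self.timeout_days}d", "comment": comment}


def process_lines(lines, banner):
    """Run the pipeline over an iterable of eve lines; return the entries to send."""
    entries = []
    for line in lines:
        alert = parse_eve_line(line)
        if alert is None:
            continue
        entry = banner.decide(alert)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in process_lines(SAMPLE_EVE, AddressListBanner()):
        print(entry)
```

Run over the sample, the seven lines yield three entries: the SSH scan source once (its second alert is deduplicated), the ICMP source with "-" in place of the missing port, and the quoted-signature source with the quotes neutralised; the flow record, the LAN host and the non-JSON line produce nothing. Whether the banned table should survive a restart (bash_cata writes it to mark.ip; mikrocata instead re-reads the router's lists after a reboot) is the main operational choice left to the caller.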
 
OlofL
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Feb 13, 2022 12:58 pm

I have not tested RoS7 and containers, since they were pulled before hitting stable?

But this seems a bit overkill now that Suricata can be run inside containers, and hopefully containers will be back in RoS7 soon? :)
 
OlofL
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 21, 2022 11:59 am

Anyone tested this with 7.4beta4 and containers?
 
fewdenis
just joined
Posts: 3
Joined: Fri Apr 26, 2019 1:00 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 30, 2022 6:17 pm

Maybe this can help you:
https://github.com/angolo40/mikrocata2selks
I created this script (based on https://github.com/zzbe/mikrocata ) to help install a TZSP interface on Debian for the connection between MikroTik and Suricata.
It uses a Debian distro from SELKS (Suricata and ELK stack).
It will also send Telegram notifications.
 
ffries
Member Candidate
Member Candidate
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 30, 2022 5:22 pm

Hello,

Thank you for the hard work and happy new year.

I would like to set up SELKS IDS to monitor a Mikrotik CR2004 router (without active response).
I am planning to run a dedicated server for SELKS with KVM.

Before anything, I need to understand:
1) Should I install a complete Debian system with SELKS on KVM virtualisation, or should I use Docker?
2) How do I integrate the Mikrotik sniffer with SELKS using pcap?
https://help.mikrotik.com/docs/display/ ... et+Sniffer
Packets are streamed using the Tazmen Sniffer Protocol (TZSP) to a stream receiver.
So I need https://github.com/thefloweringash/tzsp2pcap with SELKS.
Will tzsp2pcap run inside Docker?

Thank you for your kind answer.
 
An5teifo
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 09, 2023 2:41 pm

Hello there,

yesterday I installed SELKS and connected it to my MikroTik --> viewtopic.php?t=193417
