Hi guys,
I find here some info for using Suricata IDS/IPS with Mikrotik.
I also found there's a good build from Stamus Networks who is good and stable - SELKS.
Can someone post a more straightforward and updated manual for using MikroTik together with SELKS5 or SELKS6 RC1?
I prefer we go straight to the latest - SELKS6 Release Candidate 1. All is the same as SELKS5, just some names and locations of the scripts can be different.
(Later we can do an extended manual on how to build a proper and efficient Suricata installation for users who do not prefer using the SELKS ISO.)
Since Sniffer tool in Mikrotik is pretty straight forward to set up we can just skip this... but here it is:
tool sniffer
set file-limit=0KiB filter-interface=<THE_INTERFACE_WHICH_TRAFFIC_YOU_WILL_SEND> memory-limit=0KiB streaming-enabled=yes streaming-server=<IP_OF_YOUR_SELKS_SERVER>
The SELKS part from another side is a bit more foggy to be set.
The installation is straightforward, but nobody cares to explain a good way and method of using it together with MikroTik.
So why don't we make it?
What I have got straight until now is:
1. Install SELKS on VM/x86/Raspberry Pi B
Suggested minimum configuration is with 2 core CPU, 8GB RAM and at least 50GB Disk space.
2. Do initial SELKS setup by the scripts
2.1. First time run:
selks-first-time-setup_stamus
2.2. Upgrade:
selks-upgrade_stamus
3. Check and modify the configs by your needs regarding page below
https://github.com/StamusNetworks/SELKS ... time-setup
4. Install the converter from TZSP to PCAP so Suricata understands the stream from MikroTik
4.1. Using trafr (just consider this is written in 2004 and is 32bit)
dpkg --add-architecture i386
apt-get update && apt-get install libc6:i386
cd /usr/local/sbin
wget http://www.mikrotik.com/download/trafr.tgz
tar -xf /usr/local/sbin/trafr.tgz
chmod u+x trafr
chown root:root trafr
4.2. Using tzsp2pcap
apt-get install build-essential libpcap0.8-dev git
cd /usr/local/src
git clone https://github.com/thefloweringash/tzsp2pcap
cd /usr/local/src/tzsp2pcap
cc -std=gnu99 -Wall -Wextra -pedantic -O2 -o tzsp2pcap tzsp2pcap.c -lpcap
install -m 755 tzsp2pcap /usr/local/sbin/
5. Start capturing the data
5.1. Using trafr
/usr/local/sbin/trafr -s | suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
5.2. Using tzsp2pcap
nohup /usr/local/sbin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin &
Here I come to the point where I have to put this command in a bash script which is supposed to run on startup. (will update it)
From this onward I don't get the clear picture what and how to do it.
By this I meant,
-in which mode to set Suricata initially,
-where to create files for the rules that are to be sent to the MikroTik router,
-what to do so capturing starts properly after reboot,
-does SELKS6 indeed need the data stream conversion,
I know there's some posts here by TomFisk but they are not very clear and have plenty of "jump here and there".
Also please post your comments and suggestions on how we can do this better and more agile.
My idea is to avoid using any cumbersome hardware and keep good performance.
If we can go down to something like a NUC or ALIX PC or even a Raspberry Pi - the smaller, the better.
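To make step 4 of the post concrete, here is an added worked example of what the TZSP-to-PCAP conversion actually does. It is my own illustration, not code from the post, from tzsp2pcap, from trafr or from SELKS. It assumes the standard TZSP layout (version byte, type byte, 2-byte encapsulation, a tag list terminated by tag 0x01, then the raw Ethernet frame) and the default TZSP UDP port 37008 that RouterOS streams to; the sample datagrams and the Ethernet frame inside them are constructed inline, and the 0x0A tag value is used only to exercise the tag parser.

```python
"""Minimal TZSP-to-pcap converter, written as an illustration (not tzsp2pcap or trafr).
The MikroTik sniffer sends each captured frame as one UDP datagram with a small TZSP
header in front; Suricata reads pcap, so the TZSP header is stripped and a pcap record
header is written in its place."""
import socket
import struct
import sys
import time

# TZSP fixed header: version(1) type(1) encapsulated-protocol(2), then tagged fields.
TZSP_VERSION = 1
TZSP_ENCAP_ETHERNET = 0x01   # the bytes after the tag list are an Ethernet frame
TAG_PADDING = 0x00           # single byte, no length field
TAG_END = 0x01               # single byte, terminates the tag list
TZSP_UDP_PORT = 37008        # default TZSP port (assumption: RouterOS default)

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1        # DLT_EN10MB


def parse_tzsp(datagram: bytes):
    """Split one TZSP datagram into (type, encapsulation, {tag: value}, frame).

    Raises ValueError on anything malformed, so a bad datagram is dropped rather
    than handed to Suricata as a bogus frame."""
    if len(datagram) < 4:
        raise ValueError("TZSP datagram shorter than the fixed header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list never reached TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag (missing length byte)")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TZSP tag value")
        tags[tag] = value
        pos += length
    return ptype, encap, tags, datagram[pos:]


def is_valid_tzsp(datagram: bytes) -> bool:
    """True if the datagram parses cleanly; used to drop garbage up front."""
    try:
        parse_tzsp(datagram)
        return True
    except ValueError:
        return False


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535) -> bytes:
    # magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    # ts_sec, ts_usec, incl_len, orig_len (16 bytes) followed by the frame itself
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def tzsp_to_pcap(datagrams, ts: float = 0.0):
    """Convert an iterable of TZSP datagrams to a complete pcap byte string.
    Returns (pcap_bytes, number_of_frames_written); non-Ethernet encapsulations
    and malformed datagrams are skipped because they cannot be DLT_EN10MB."""
    out = bytearray(pcap_global_header())
    written = 0
    for d in datagrams:
        if not is_valid_tzsp(d):
            continue
        _ptype, encap, _tags, frame = parse_tzsp(d)
        if encap != TZSP_ENCAP_ETHERNET or not frame:
            continue
        out += pcap_record(frame, ts)
        written += 1
    return bytes(out), written


def serve(port: int = TZSP_UDP_PORT, out=None) -> None:
    """Listen for TZSP on UDP and stream pcap to stdout, the shape of step 5.2."""
    out = out or sys.stdout.buffer
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    out.write(pcap_global_header())
    out.flush()
    while True:
        datagram, _peer = sock.recvfrom(65535)
        pcap, _n = tzsp_to_pcap([datagram], time.time())
        out.write(pcap[24:])   # drop the per-call global header, keep the record
        out.flush()            # Suricata reads a pipe; do not let frames sit buffered


# Constructed sample data: a 34-byte Ethernet/IPv4-looking frame and two datagrams.
SAMPLE_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19
SAMPLE_DATAGRAM = bytes([TZSP_VERSION, 0x00, 0x00, TZSP_ENCAP_ETHERNET, TAG_END]) + SAMPLE_FRAME
SAMPLE_WITH_TAG = (bytes([TZSP_VERSION, 0x00, 0x00, TZSP_ENCAP_ETHERNET])
                   + bytes([TAG_PADDING, 0x0A, 0x01, 0xC8, TAG_END]) + SAMPLE_FRAME)

if __name__ == "__main__":
    serve()
```

Run as `python3 tzsp_demo.py | suricata -c /etc/suricata/suricata.yaml -r /dev/stdin` and it fills the same role as `tzsp2pcap -f` in step 5.2; the per-datagram flush matters because Suricata reads the pipe in real time. The validation step is the part worth keeping in mind when you later wrap this in a startup script: anything listening on UDP 37008 receives whatever is sent to it, so a converter that rejects malformed datagrams instead of passing them on is the cheap line of defence.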