Community discussions

 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 2:51 pm

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following:
  1. sudo nano /etc/mysql/my.cnf
  2. Add this to the end of the file
    [mysqld]  
    sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. sudo service mysql restart to restart MySQL
I really need help!
Everything was done step by step.
After creating the sigs_to_block table and the TRIGGER, barnyard2 stopped writing to the database.
It ends with an error:
Aug 30 11:43:14 sv-ips-01 barnyard2: FATAL ERROR: database mysql_error: In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'snorby.sigs_to_block.src_or_dst'; this is incompatible with sql_mode=only_full_group_by#012#011SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,22527,1539234099,3274620322,4,5,0,45,0,0,0,0,6,1289);]
OK.
I turned on the desired mode in MySQL:
mysql> select @@sql_mode;
+------------------------+
| @@sql_mode             |
+------------------------+
| NO_ENGINE_SUBSTITUTION |
+------------------------+
1 row in set (0,00 sec)
It did not help!
How to fix it?
What's my mistake?
There are no answers on the Internet ...
Help me please!
OS: Ubuntu 16.04.3 AMD64
Barnyard2 Version 2.1.14 (Build 337)
As I understand it, the trigger is not working properly...
I created the trigger like this:
mysql -u root -p snorby < trigger_code.sql
trigger_code.sql:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
    IF (direction = "src") THEN
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_src,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_dst,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:25 pm

OK.
I did everything as you wrote.
mysql> select @@sql_mode;
+------------------------------------------------------------------------------------------------------------------------+
| @@sql_mode                                                                                                             |
+------------------------------------------------------------------------------------------------------------------------+
| STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
+------------------------------------------------------------------------------------------------------------------------+
1 row in set (0,00 sec)
I create a trigger again:
mysql -u root -p snorby < trigger_code.sql
And run barnyard2...
.......
HM
......
And it does not crash!
It turns out the trigger should be added only after enabling the mode:
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
Note: on Ubuntu the settings file is at this path:
/etc/mysql/mysql.conf.d/mysqld.cnf
Let's see the created Trigger:
mysql> use snorby;
mysql> SHOW TRIGGERS

| after_iphdr_insert | INSERT | iphdr | BEGIN
....
END | AFTER  | 2017-08-30 15:04:14.71 | STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION | root@localhost | utf8                 | utf8_general_ci      | utf8_unicode_ci
The trigger should be created only after MySQL is configured...

Thank you!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:44 pm

Excellent! Glad it worked!
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:59 pm

It's me again ...
I run suricata_block.php from the command line:
php -f /usr/bin/suricata_block.php
It gives me this in the console:
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
Is this normal? Or am I wrong again somewhere?
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 4:05 pm

suricata_block.php adds the following addresses to MikroTik:
But it's not right!
Image
How to fix?
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 5:01 pm

I solved it myself.
I did not use the correct trigger.
The correct trigger (the contents of the trigger_code.sql file):
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
    IF (direction = "src") THEN
      INSERT INTO block_queue
      SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Image
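The trigger's data flow, rendered as an added Python example over an in-memory SQLite stand-in for the snorby tables (an editor's example, not code from the thread or from the suricata_block.php project). The table rows are constructed; the ip_src/ip_dst integers are the ones in the barnyard2 INSERT quoted earlier in the thread. convert=False reproduces the first trigger, which copied the integer iphdr column straight into block_queue, convert=True the corrected one with INET_NTOA, and the sigs_to_block lookup is written as a plain row fetch rather than the count(*)-plus-nonaggregated-column form that ONLY_FULL_GROUP_BY rejected.

```python
import ipaddress
import sqlite3

# Constructed in-memory stand-in for the snorby tables the trigger touches.
# Column names follow the trigger text; types are simplified to what SQLite needs.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE signature (sig_id INTEGER, sig_sid INTEGER, sig_gid INTEGER, sig_name TEXT);
CREATE TABLE sigs_to_block (sig_name TEXT, src_or_dst TEXT, timeout TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE block_queue (que_ip_adr TEXT, que_timeout TEXT, que_sig_name TEXT,
                          que_sig_gid INTEGER, que_sig_sid INTEGER,
                          que_event_timestamp TEXT);
"""


def inet_ntoa(n):
    """Equivalent of MySQL INET_NTOA(): unsigned 32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(n))


def after_iphdr_insert(conn, sid, cid, ip_src, ip_dst, convert=True):
    """What the after_iphdr_insert trigger does for one new iphdr row.

    convert=True  : the corrected trigger (INET_NTOA on the address).
    convert=False : the first trigger, which copied the raw integer column
                    into block_queue.que_ip_adr.
    Returns the address written to block_queue, or None if nothing was queued.
    """
    cur = conn.cursor()
    cur.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, ip_src, ip_dst))

    # event row for this sid/cid -> signature reference and timestamp
    ev = cur.execute(
        "SELECT signature, timestamp FROM event WHERE sid = ? AND cid = ?",
        (sid, cid)).fetchone()
    if ev is None:
        return None
    sig_ref, event_ts = ev

    # signature row -> sid/gid/name of the rule that fired
    sig = cur.execute(
        "SELECT sig_sid, sig_gid, sig_name FROM signature WHERE sig_id = ?",
        (sig_ref,)).fetchone()
    if sig is None:
        return None
    sig_sid, sig_gid, sig_name = sig

    # Prefix match against sigs_to_block, as CONCAT(sigs_to_block.sig_name, '%')
    # in the trigger. Written as a single-row lookup instead of mixing count(*)
    # with nonaggregated columns, which is what ONLY_FULL_GROUP_BY rejected.
    rule = cur.execute(
        "SELECT src_or_dst, timeout FROM sigs_to_block "
        "WHERE ? LIKE sig_name || '%' LIMIT 1", (sig_name,)).fetchone()
    if rule is None:
        return None
    direction, timeout = rule

    raw = ip_src if direction == "src" else ip_dst
    addr = inet_ntoa(raw) if convert else str(raw)
    cur.execute(
        "INSERT INTO block_queue VALUES (?, ?, ?, ?, ?, ?)",
        (addr, timeout, sig_name, sig_gid, sig_sid, event_ts))
    conn.commit()
    return addr


def demo(direction="src", convert=True):
    """Run one constructed event through the trigger logic; return the queued address."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed rows: one event, its signature, and one blocking rule whose
    # sig_name is a prefix of the signature name (the match the trigger uses).
    conn.execute("INSERT INTO event VALUES (1, 22527, 7, '2017-08-30 11:43:14')")
    conn.execute("INSERT INTO signature VALUES (7, 2010066, 1, 'ET SCAN Constructed Probe')")
    conn.execute("INSERT INTO sigs_to_block VALUES (?, ?, ?)", ("ET SCAN", direction, "1d"))
    # ip_src / ip_dst are the integers from the barnyard2 INSERT quoted in the thread
    addr = after_iphdr_insert(conn, 1, 22527, 1539234099, 3274620322, convert=convert)
    conn.close()
    return addr


if __name__ == "__main__":
    print("first trigger queued :", demo(convert=False))
    print("fixed trigger queued :", demo())
    print("fixed trigger, dst   :", demo(direction="dst"))
```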
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 5:02 pm

This is solved by installing a program such as Postfix...
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 31, 2017 2:46 am

The warning for mysqli is normal. If you want to send email notifications, then you'll have to change the location to sendmail on your system. Do
whereis sendmail
and modify suricata_block.php as necessary.
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Sep 08, 2017 4:32 pm

My great gratitude to tomfisk.
Thanks to his article, I received a powerful and flexible system.
Just what I wanted.
Thank you to the MikroTik team for their RouterOS.
In general, thank you guys!
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 10:55 am

Hi,

How could I add an IP as whitelist?

Thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 11:13 am

I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 12:27 pm

Thanks tomfisk! Great job as always.
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 6:28 am

Thanks for the tutorial.

I had a question: is it possible to combine these scripts with SELKS? Or is there any guide so I can integrate SELKS with Mikrotik?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:18 am

It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS ... zing-SELKS and here https://github.com/StamusNetworks/SELKS ... ding-SELKS. Including this functionality in the SELKS distribution would be possible, but it would require analysis of what packages would need to be included in a SELKS distribution and specific instructions on how to configure it. I don't know if the Suricata implementation in SELKS includes, for example, MySQL and barnyard2, or if it is configured as an inline IPS using Linux firewall rule processing.
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:34 am

I installed SELKS 4.0 nodesktop and tried to combine it with your scripts, with the library dependencies installed. How do I know if the scripts worked? Which Mikrotik interface should be sniffed?

Thank you
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:45 am

The Mikrotik interface to sniff should be the one that is connected to your ISP. That is where all of the traffic in/out of your network is. Make sure tzsp2pcap is running. In /var/log/suricata/ check suricata.log to make sure it started successfully and fast.log to see if events are being flagged.
 
nata1234
just joined
Posts: 1
Joined: Mon Dec 04, 2017 1:02 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 04, 2017 1:16 am

Can someone help me? I need to send to Mikrotik from Suricata, without MySQL, with some easy PHP like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 08, 2017 9:33 am

I've included a script, fast2mikrotik.php, that will do what I think you are looking for. Check the original post.
 
smolki
just joined
Posts: 2
Joined: Tue Jan 23, 2018 10:28 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 23, 2018 10:33 am

Hi, I need help with the fast2mikrotik.php script. It's only showing Targets but nothing happens. The script is not connecting to the Mikrotik.
All necessary services are set in MT.
 
smolki
just joined
Posts: 2
Joined: Tue Jan 23, 2018 10:28 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 23, 2018 10:42 am


Can anyone confirm that PHP is working?
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 12:59 pm

Hi, reopening this reply. How could I make a whitelist for all entries for one IP?

I had this: suppress gen_id 1, sig_id 20003XX, track by_src, ip 213.XX.XX.XX

But my IP was banned again with this:
1:20003XX:13] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.X.X:55618 -> 213.XX.XX.XX:873

Why? Should I use 20003XX:13 in the file? Since my IP might be banned for more causes, I would ask if it's possible to add my IP as a whitelist.

Thanks!!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:18 pm

I think you can just set gen_id and sig_id to 0 and it should apply to all events for that IP address.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:28 pm

Awesome, your fast reply...
This?
suppress gen_id 0, track_by_src, ip 213.98.XX.XX

Thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:59 pm

This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 2:33 pm

Done! Thanks. A small question: I was always using gen_id 1, why 0 now?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 2:39 pm

You'd have to ask the developers that question...just what I found in the documentation :)
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 10:33 am

:( With that rule the router still banned my IP again. What am I doing wrong?
I added it with both IDs:
suppress gen_id 1, sig_id 0, track_by_src, ip 192.168.XX.XX
suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.XX.XX

Line in fast.log
01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.XX.XX:58471 -> 213.98.XX.XX:873
BTW: I use Suricata 1.4.7, but on its website there are versions 2.0.2 and 4.0.3. Has anyone tested them?

Thanks.
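The suppress entries and the fast.log line in the post above can be checked mechanically. What follows is an added example, my own code and not part of this thread or of Suricata itself: a small matcher that parses fast.log lines in the format quoted here and applies threshold.config suppress entries to them using the documented semantics, where gen_id 0 and sig_id 0 are wildcards and track by_src / by_dst / by_either (by_either is not available in every Suricata version) decide which side of the alert the ip clause has to match. The sample alerts and threshold lines are constructed for the example with documentation addresses (192.168.100.2, 203.0.113.10), not the thread's real hosts. One caveat a practitioner should check first: the documented keyword is `track by_src` with a space; the matcher below rejects `track_by_src` instead of silently accepting it.

```python
"""Added example: apply threshold.config suppress entries to Suricata fast.log alerts.

Simplified re-implementation for illustration; this is not Suricata's own parser.
"""
import ipaddress
import re

# fast.log shape as quoted in this thread:
#   <ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Documented form: suppress gen_id N, sig_id N[, track by_src|by_dst|by_either, ip ADDR[/CIDR]]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


def parse_alert(line):
    """Fields of one fast.log line, or None if the line is not an alert."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}


def parse_suppress(line):
    """A suppress entry, or None when the line is not in the documented form
    (for example 'track_by_src' with an underscore)."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        return None
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "track": m["track"], "net": net}


def suppressed(alert, entry):
    """True if the entry silences the alert; 0 is a wildcard for gen_id and sig_id."""
    if entry["gid"] not in (0, alert["gid"]) or entry["sid"] not in (0, alert["sid"]):
        return False
    if entry["net"] is None:  # no track clause: the signature is suppressed everywhere
        return True
    src_hit = alert["src"] in entry["net"]
    dst_hit = alert["dst"] in entry["net"]
    return {"by_src": src_hit, "by_dst": dst_hit, "by_either": src_hit or dst_hit}[entry["track"]]


def filter_alerts(fast_lines, threshold_lines):
    """Return (alerts that survive suppression, threshold lines that failed to parse)."""
    entries, rejected = [], []
    for ln in threshold_lines:
        if not ln.strip() or ln.lstrip().startswith("#"):
            continue
        e = parse_suppress(ln)
        if e:
            entries.append(e)
        else:
            rejected.append(ln.strip())
    survivors = [a for a in map(parse_alert, fast_lines)
                 if a and not any(suppressed(a, e) for e in entries)]
    return survivors, rejected


# Constructed sample input (documentation addresses, not the thread's real hosts).
SAMPLE_FAST = [
    "01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.100.2:58471 -> 203.0.113.10:873",
    "02/02/2018-12:18:30.409788  [**] [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 2] {UDP} 192.168.100.2:51000 -> 8.8.8.8:53",
    "01/31/2018-09:19:00.000000  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.10:873 -> 192.168.100.2:58471",
]
SAMPLE_THRESHOLD = [
    "# constructed threshold.config for the example",
    "suppress gen_id 1, sig_id 2009247, track by_src, ip 203.0.113.10",  # alert 1 has that host as dst: no match
    "suppress gen_id 1, sig_id 2020565, track by_dst, ip 8.8.8.8",       # silences alert 2
    "suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.100.2",        # underscore: rejected, not the documented form
]

if __name__ == "__main__":
    kept, bad = filter_alerts(SAMPLE_FAST, SAMPLE_THRESHOLD)
    for a in kept:
        print(f"would block: [{a['gid']}:{a['sid']}] {a['src']} -> {a['dst']}  {a['msg']}")
    for ln in bad:
        print(f"unparsed threshold line: {ln}")
```

Run stand-alone, it keeps only the first sample alert: the whitelisted host is the destination there, so a `track by_src` entry for it never fires, and a `track_by_src` line is reported instead of being applied. Two further checks before suspecting a Suricata bug: the threshold-file: line in suricata.yaml must be uncommented and point at the file, and Suricata must be restarted (or the rules reloaded) after the file changes.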
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:06 am

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the packet sniffer setup on the Mikrotik, let's just drop all of the packets from the IP you want to ignore so that they don't get sent to Suricata in the first place. Set up a filter to exclude the address from the packet sniffer like this:
/tool sniffer
set file-limit=3000KiB filter-interface=ether1 filter-ip-address=!192.168.xx.xx/32 filter-stream=yes streaming-enabled=yes streaming-server=192.168.xx.xx
So packets from that address never get into Suricata in the first place.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:49 am

I can't add that IP. If I try to save the changes, MK doesn't accept it and it's reset to 0.0.0.0 again.
I attach a picture, maybe I am doing something wrong.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:54 am

The "!" goes in the little box before the IP address. Just click on it and it should change to "!".
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 12:04 pm

I'm stupid, I know it. Thanks as always, tomfisk.
I am going to test the new version 4.0.3.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 2:06 pm

I have installed a new VPS with the new Suricata 4.0.3; it's installed correctly and I can start it fine:
root@suricatanew:/# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
31/1/2018 -- 07:01:57 - <Notice> - This is Suricata version 4.0.3 RELEASE
31/1/2018 -- 07:02:02 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
I see traffic on stats.log
Date: 1/31/2018 -- 07:05:53 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 275968
decoder.bytes                              | Total                     | 277270818

I tested the new method (with PHP). I have the script running but MK doesn't add any IP. I have configured the API login details correctly (the same I used with the old Suricata).
In MK I only changed the sniffer from the old server to the new server (I get packets).

When I execute the PHP I only see the same logs, for example:
root@suricatanew:/etc/init.d# php -f fast2mikrotik.php &
[1] 543
root@suricatanew:/etc/init.d# Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Any idea? Thanks! Maybe I have forgotten some simple thing.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 8:37 am

Oops! Looks like I left some debug code in fast2mikrotik.php :(
  echo "Target will be: " . $target . "\r\n";
  return true;
  try {
      $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
  } catch (Exception $e) {
      die('Unable to connect to RouterOS. Error:' . $e);
  }
Delete the "echo" and "return" lines...should work then :) :)
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 9:39 am

I was going to write that too :) I removed it and it works fine. Thanks tomfisk.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 12:10 pm

I am having trouble creating a "white list". I create it but the IDS continues adding those IPs to the blocks.

suppress gen_id 1, sig_id 2240001
suppress gen_id 1, sig_id 2220006, track by_src, ip 192.168.XX.XX

I added it too in MK in "Packet Sniffer" but no luck either. MK continues stopping traffic from those IPs. I think that it's a bug, because I don't understand what I am doing wrong; I followed the manual.

NOTE: Maybe someone has the same problem as me. I had commented out the line threshold-file: /etc/suricata/threshold.config in suricata.yaml.
Fixed.
 
bekax5
Frequent Visitor
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 11:29 pm

I am really tempted to set up Suricata with Mtik integration.
I want to run Suricata on a QNAP as a VM and I already bought an Intel NIC for this purpose; however, I noticed that the current QNAP versions do not support promiscuous mode for VMs, so if I try to mirror the WAN interface I end up only getting multicast and broadcast packets.
This sniffer stream appears to be a perfect solution; however, it does stop FastPath and FastTrack, right?
I'm afraid the RB3011 will struggle with Gigabit WAN.
Apologies for the novice questions =)
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Feb 02, 2018 2:40 am

Yes, the sniffer does stop FastPath and FastTrack. I have an RB951G-2HnD running with a sniffer and I am still able to achieve my ISP's full bandwidth of 350 Mbps. Just my observation... I'm not a networking professional so I can't fully address your concern. Perhaps you can turn on the sniffer and do a bandwidth test?
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Feb 02, 2018 1:24 pm

Definitely Suricata has some bug with threshold.
suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8
And I receive an alert:
The IP address 8.8.8.8 has been blocked due to the following rule match:

The signature ID is [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
    event timestamp: 02/02/2018-12:18:30.409788 blocked for: 01:00:00

Unfortunately I have to remove those rules from the rules directory; otherwise IPs such as Google's or my own IP are banned all the time.

I don't understand why... but I have threshold uncommented in suricata.yaml... does the same happen to anyone?

Thanks.
 
swright
just joined
Posts: 1
Joined: Wed Jan 31, 2018 11:44 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Feb 03, 2018 12:36 am

Have you tried creating a "pass" rule? Example:
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)

I am trying out fast2mikrotik.php, which works great by the way, Tomfisk. I have found that this way tends to block rather aggressively. I have been able to whitelist by using pass rules, and am getting it toned down. Thanks for all the work Tomfisk!
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 08, 2018 3:33 pm

Maybe this tool is useful for someone:
https://www.stamus-networks.com/open-source/

It integrates Suricata + ELK in a dashboard. I added Tomfisk's script, my MK bans IPs and I can check the logs on a website. The final result is very pretty.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Feb 12, 2018 12:06 pm

Hi,
I am using Debian 9 (before I used Ubuntu 16 and it worked), but with this Debian 9 + PHP 7 the script fast2mikrotik fails with this:
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Line 328:
$STATUS = socket_get_status($this->socket);
if ($LENGTH > 0) {
$this->debug('>>> [' . $LENGTH . ', ' . $STATUS['unread_bytes'] . ']' . $_);
}
Any idea? I am not a developer but a sysadmin, and I am stuck on this.

Thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Feb 13, 2018 4:57 am

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters?
$mikrotik_addr = "__someip__";
$mikrotik_user = "admin";
$mikrotik_pwd = "__somesecret__";
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 8:41 am

It's strange, tomfisk. I am using a new server on the same network and I copied (using SCP) the script which worked on the other server. The difference between both servers is that one is Ubuntu 16 and the other is Debian 9. On both, PHP was installed from the repository.
Any idea how to debug it?

Thanks as always.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 8:46 am

Since I didn't write that code I'm at a loss as well.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 10:05 am

I understand. I enabled debug (to test the connection) and it works:
Connection attempt #1 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #2 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #3 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #4 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #5 to 192.168.100.1:8728...
<<< [6] /login
Error...
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [31] /ip/firewall/address-list/print
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [14] =.proplist=.id
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] ?address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [29] /ip/firewall/address-list/add
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [13] =list=Blocked
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] =address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [17] =timeout=01:00:00
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [131] =comment=From suricata, [1:2402000:4717] ET DROP Dshield Block Listed Source group 1 => event timestamp: 02/14/2018-08:57:59.910517
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Disconnected...


I will try to solve it :) thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 10:13 am

So it looks like it doesn't get connected :o :o :? :?
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 1:45 pm

Solved! I had a rule in my router rejecting connections to the API from another subnet. Thanks :D
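The debug output above shows the API client framing each word with a length prefix (the `[6] /login`, `[31] /ip/firewall/address-list/print` values) and then writing to a handle that was never opened, because the TCP connection to 8728 was rejected by the router's firewall. As an added example, not part of this thread and not the routeros_api.class.php that fast2mikrotik.php uses, here is the same RouterOS API word framing in Python plus a pre-flight check that tells "refused" apart from "silently dropped" before anyone blames the client library. The router address 192.168.100.1 and the "Blocked" list name, 01:00:00 timeout and comment text are taken from the debug output in this thread; the framing rules are those of the RouterOS API protocol (1 to 5 length bytes depending on word length, sentence terminated by a zero-length word).

```python
"""Added example: RouterOS API (TCP 8728) sentence framing and a connection pre-flight check.

Illustration code; not the PHP routeros_api class used by fast2mikrotik.php.
"""
import socket
import struct


def encode_length(n):
    """RouterOS API length prefix: 1 to 5 bytes depending on the word length."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", n | 0x8000)
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return struct.pack(">I", n | 0xE0000000)
    return b"\xF0" + struct.pack(">I", n)


def encode_word(word):
    data = word.encode("utf-8")
    return encode_length(len(data)) + data


def encode_sentence(words):
    """A sentence is a run of words terminated by a zero-length word."""
    return b"".join(encode_word(w) for w in words) + b"\x00"


def decode_sentence(buf):
    """Inverse of encode_sentence for one complete sentence."""
    words, i = [], 0
    while i < len(buf):
        b0 = buf[i]
        i += 1
        if b0 == 0:
            break
        if b0 < 0x80:
            n = b0
        elif b0 < 0xC0:
            n, i = ((b0 & 0x3F) << 8) | buf[i], i + 1
        elif b0 < 0xE0:
            n, i = ((b0 & 0x1F) << 16) | int.from_bytes(buf[i:i + 2], "big"), i + 2
        elif b0 < 0xF0:
            n, i = ((b0 & 0x0F) << 24) | int.from_bytes(buf[i:i + 3], "big"), i + 3
        else:
            n, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
        words.append(buf[i:i + n].decode("utf-8"))
        i += n
    return words


def address_list_add(ip, list_name="Blocked", timeout="01:00:00", comment="From suricata"):
    """The sentence the thread's script sends to add a temporary block entry."""
    return ["/ip/firewall/address-list/add", f"=list={list_name}", f"=address={ip}",
            f"=timeout={timeout}", f"=comment={comment}"]


def preflight(host, port=8728, timeout=3.0):
    """'refused' means something answered with a reset (service off, wrong port, reject rule);
    'timeout' means the SYN was dropped on the way (drop rule or no route)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for w in ["/login", "/ip/firewall/address-list/print", "=.proplist=.id"]:
        print(f"<<< [{len(w)}] {w}   prefix byte 0x{encode_word(w)[0]:02x}")
    print("API port on 192.168.100.1:", preflight("192.168.100.1"))  # router address from the thread
```

If preflight() does not return "open" from the Suricata host, fix reachability on the router first; the right fix is a firewall accept rule for that one host, not removing the restriction. Two related points worth applying while you are in there: port 8728 is the plaintext API and the /login sentence carries the credentials, so outside a trusted management LAN use api-ssl (8729); and limit who may reach the service with /ip service set api address=<suricata-host>/32 and give the script its own RouterOS user whose group policy is no wider than api, read and write.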
 
Nollitik
Member Candidate
Posts: 192
Joined: Tue Dec 07, 2010 8:16 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Apr 17, 2018 6:57 am

This is awesome...if only I could get this on a RB450G...is there?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Apr 17, 2018 1:17 pm

Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
 
Nollitik
Member Candidate
Posts: 192
Joined: Tue Dec 07, 2010 8:16 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 18, 2018 11:04 pm

So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512MB RAM. I already have a pfSense machine in front of my 450G... I was just thinking it would be cool to have at least intrusion detection on Mikrotik.
