tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 18, 2018 11:33 pm

This is awesome...if only I could get this on a RB450G...is there?
Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512MB RAM. I already have a Pfsense machine in front of my 450G...was just thinking it would be cool to have at least Intrusion detection on Mikrotik.
Yep, that's the deal with this implementation. I'm not sure you could run a decent intrusion detection in a metarouter.
 
Faceless
just joined
Posts: 18
Joined: Sat Mar 03, 2018 4:03 pm
Location: Ukraine

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 26, 2018 7:19 pm

Do I need the calea package to restream packets? Snort needs calea. Also, will a hAP ac2 4-core CPU handle Suricata + a few QoS + 25 filter rules?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 27, 2018 1:08 am

No, just stream packets with the sniffer tool to the suricata host. Yes, I don't see any problem with the ability to handle that configuration.
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 23, 2018 11:34 am

Maybe this tool is useful for someone:
https://www.stamus-networks.com/open-source/

It integrates Suricata + ELKS in a dashboard. I added Tomfisk's script and my MK banned IPs and I can check the logs on a website. The final result is very pretty.
Hi, aarango,
Have you tried SELKS from Stamus Networks?
 
halimzhz
newbie
Posts: 26
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Sep 15, 2018 7:00 pm

Dear All,

I have a few questions about this script:

1- I would like to know whether this script runs in the background or whether I have to run it with cron?
2- Is there any output log for the activity sent to Mikrotik?

Currently I'm running logstash + python for filtering fast.log and it's very slow, with too much delay.

Please advise, and thank you so much.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Sep 16, 2018 8:16 am

1. These scripts are running in the background and are started as a service.
2. You can get an email alert when an IP address has been blocked by changing the $email_alert variable in suricata_block.php
 
halimzhz
newbie
Posts: 26
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Sep 17, 2018 1:48 am

Dear Tomfisk,

Thank you so much for answering my question. Actually I have so many questions to ask; is there any possibility to contact you directly on WhatsApp or Skype? Or can you enable your private messages on this forum?

Please help. Thank you so much.
 
halimzhz
newbie
Posts: 26
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 4:17 pm

Hi,

As I understand it, the packet sniffer on Mikrotik captures the packets before the firewall rules, so is it possible to get only the packets after they get through the firewall rules?

Please advise, TQ
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 5:17 pm

Hi Halimzhz,

I don't think it is possible to get the packets only after they've gone through the firewall. The first firewall rule drops all packets from blocked IP addresses. I've looked to see if the next rule could run the traffic through a virtual interface (possible), but then you'd have to get the traffic back into the firewall chain (I'm not sure how this would happen).

With regard to your request for some help, my day job keeps me pretty busy but I can try the best I can to provide some help. I don't see a PM option. I really don't want to post my contact info here, but if you want to share your WA I'll contact you.
 
halimzhz
newbie
Posts: 26
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 6:06 pm

Dear Tomfisk,

Thank you so much for replying to me. For your information, the concept of forwarding packets to Suricata is very nice, and Suricata will filter the packets with some rules, but that seems fine only when you have a very minimal set of Suricata rules. When you filter in Suricata with tons of rules, for example filtering by blocklist.de, your Suricata will keep receiving the same packets again and again, which makes the script keep sending to Mikrotik again and again, and the process becomes slow with too much delay. That is why I'm asking whether it is possible to get the packets only after they get through the Mikrotik firewall rules. Someone advised me to buy a second Mikrotik device and make it the secondary: the first Mikrotik would do the firewall job and the secondary would do the packet sniffing to Suricata. I hope that is not a good idea, because I would have to spend more.

Please advise. TQ so much
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Sep 19, 2018 5:36 am

I understand what you are saying. Have you looked at the number of packets that would be blocked vs. the total volume? There would be a threshold where passing the packets after the firewall would make sense. I'm not sure what that threshold would be, but I would suspect that it would have to be a "significant" volume to make a difference. If you've implemented suricata and the firewall rules then you should be able to look at the packets dropped by the firewall rule vs. the total number of packets.

If the volume is significant, I agree with the advice you received; the only real option is to get another Mikrotik to handle the post-firewall filtering.
 
halimzhz
newbie
Posts: 26
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Sep 19, 2018 5:51 pm

Dear Tomfisk,

I have another idea, but before that I feel so sorry for my bad English; I will try to explain what I'm thinking about, I don't know whether this is possible or not. Let's say when the script starts, it first grabs from Mikrotik the list of banned IPs and keeps it in the script's memory or as a log. Then the script starts looking into fast.log and doing its filtering, and before submitting to Mikrotik to ban an IP, the script first checks what is in memory. That way the script will not keep submitting to Mikrotik just to get the answer whether the IP is added or not. Or maybe another way, as you did with the MySQL database, but every time you restart the script you have to make sure the records on both Mikrotik and the MySQL database are clean. This is crazy, but the main point is to avoid too much delay on a busy network.

Please advise, and thank you for your time.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Sep 20, 2018 6:22 am

OK, I thought you wanted to stop scanning traffic that was already blocked by a firewall rule.

So you're saying don't delete and re-add a firewall rule if it already exists for an IP address? Let me look at suricata_block.php and see if that can be added as an option.
 
halimzhz
newbie
Posts: 26
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Sep 21, 2018 3:37 am

Dear Tomfisk

I would like to ask you a favor. For your information, my fast.log looks a bit different; let me show you:

09/21/2018-08:08:15.059030 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:36610 -> nnn.nnn.nnn.nnn:993

For your information, I have 2 types of rules: the first is alert and the second is drop. The 'alert' purpose is just for monitoring, and drop is what I plan to send out to Mikrotik, so any drop rule will show up in fast.log as 'wDrop'. So I need a script to monitor the lines with the word 'wDrop' and ignore the 'alert' ones. Actually I have run this kind of script since years ago, but it runs with Logstash + Python, and I'm so frustrated because there is too much delay in banning any IP, because Logstash is CPU/memory hungry even though my machine is a dual Xeon with 32GB RAM.

Seriously, I am willing to pay if you have time to spend on this. I feel ashamed to put my mobile number here, but please Skype me: live:8f0c760bc11cde9

Thank you so much
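An added example, written for this thread and not taken from tomfisk's suricata_block.php, of the two ideas halimzhz raises in his last two posts: keep only the [wDrop] lines of fast.log and ignore plain alerts, and check an in-memory copy of the router's banned list before sending anything to Mikrotik, so repeated hits for the same source cause exactly one router call. The address-list name Blocked comes from the thread; the sample log lines, the local-network exclusion and the comment whitelist are constructed assumptions.

```python
"""Filter Suricata fast.log for drop events and build RouterOS address-list
commands, skipping sources the router already blocks.

Added example (not from the thread and not suricata_block.php). Only the
list name "Blocked" is taken from the thread; everything else is assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: four drop hits, one plain alert, one malformed line.
# Addresses are RFC 5737 documentation ranges; 203.0.113.0/24 plays "our" LAN.
SAMPLE_FAST_LOG = """\
09/21/2018-08:08:15.059030  [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} 198.51.100.23:36610 -> 203.0.113.10:993
09/21/2018-08:08:16.112233  [**] [1:1000001:1] Local monitor only rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.77:51234 -> 203.0.113.10:80
09/21/2018-08:08:17.000001  [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} 198.51.100.23:36611 -> 203.0.113.10:993
09/21/2018-08:08:18.500000  [wDrop] [**] [1:1000002:1] Local drop list hit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.200:44444 -> 203.0.113.10:3306
09/21/2018-08:08:19.000000  [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} 203.0.113.10:993 -> 198.51.100.23:36610
this line is not a fast.log record and must be skipped
"""

# Suricata's fast.log layout; the "[wDrop]" tag is only present when the
# matching rule's action was drop (alert lines go straight to "[**]").
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    action: str      # "wDrop" for drop rules, "alert" otherwise
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_fast_log(text: str) -> list[Event]:
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=m["ts"], action=m["action"] or "alert", sid=int(m["sid"]),
            msg=m["msg"], proto=m["proto"], src=m["src"], dst=m["dst"],
            dport=int(m["dport"]),
        ))
    return events


def select_new_blocks(events, already_blocked: set, local_nets) -> dict:
    """Return {src_ip: first triggering Event} for drop events whose source is
    not yet on the router's list and not inside our own networks.
    already_blocked is the in-memory copy of the router's list (loaded once at
    startup) and is updated in place, so the same source is sent only once."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    new = {}
    for ev in events:
        if ev.action != "wDrop":
            continue
        try:
            ip = ipaddress.ip_address(ev.src)
        except ValueError:
            continue
        if ev.src in already_blocked or any(ip in n for n in local):
            continue
        already_blocked.add(ev.src)
        new[ev.src] = ev
    return new


# Whitelist for the comment field: a rule msg is attacker-influenced text and
# must not be able to smuggle quotes or control characters into the CLI call.
_COMMENT_STRIP = re.compile(r"[^A-Za-z0-9 ._:/-]")


def routeros_add_command(ip: str, ev: Event, timeout: str = "1d") -> str:
    """Render the RouterOS address-list entry the script would send."""
    comment = _COMMENT_STRIP.sub("", f"sid {ev.sid} {ev.msg}")[:60]
    return (f"/ip firewall address-list add list=Blocked address={ip} "
            f'timeout={timeout} comment="{comment}"')


def process(text: str, already_blocked: set, local_nets, timeout="1d"):
    """One poll cycle: parse, pick new sources, render router commands."""
    new = select_new_blocks(parse_fast_log(text), already_blocked, local_nets)
    return [routeros_add_command(ip, ev, timeout) for ip, ev in new.items()]


if __name__ == "__main__":
    blocked = set()            # would be filled from the router at startup
    for cmd in process(SAMPLE_FAST_LOG, blocked, ["203.0.113.0/24"]):
        print(cmd)
```

Running the same log through a second time returns no commands, because every source is now in the in-memory set.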
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 25, 2018 6:23 am

Hi Halimzhz,
Sorry for the delayed reply. I'm sorry but I really don't have time to be able to help you with this. This solution uses the insert trigger from barnyard2 to grab events that subsequently get processed. It only processes those rules that match what is in the sigs_to_block table in mysql. So the fast.log processing is done by barnyard2. So if you put your wDrop rule description in sigs_to_block table, it should work?

Tom
 
tomeks11
just joined
Posts: 5
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 06, 2018 5:03 pm

Do I have to run suricata through trafr?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 2:18 am

Nope. Haven't heard of trafr until your message.
 
tomeks11
just joined
Posts: 5
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 9:15 am

I found this information in threads about Snort. I wonder how Suricata receives packets from the Mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP).
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 10:08 am

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
 
tomeks11
just joined
Posts: 5
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 1:56 pm

Thank you. This image was not found in the description.
I set it up so that Suricata reads from the interface, and that also worked.

So I have to run Suricata like this:
/usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -
?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 3:46 pm

Yes, that's correct.
 
tomeks11
just joined
Posts: 5
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Nov 26, 2018 2:43 pm

Why, in the rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked
have you entered dst-address-list? If it were src-address-list, then the packet from the aggressor would not go to the internal network and e.g. the internal web server would not have to handle the SYN.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 1:51 am

So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
 
tomeks11
just joined
Posts: 5
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 9:31 am

The rule "ip firewall add action = drop chain = input comment = "Block bad actors" src-address-list = Blocked" does not stop the dstnat traffic, e.g. to the web server inside the network. I checked on the web server, 'syn' packets are still coming.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 10:24 pm

Oh...yes, I'm not attempting to block internet network traffic.
 
Matthew1471
just joined
Posts: 6
Joined: Wed Feb 20, 2019 1:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 21, 2019 11:37 am

Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled?

Presumably "tzsp2pcap" is the drop in replacement and MikroTik moved to the TZSP protocol..
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 21, 2019 11:46 am

That would most likely be a correct assumption.
 
anav
Forum Guru
Posts: 2894
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Mar 02, 2019 9:05 pm

Hi Tom,
Just trying to understand what all this work is, LOL.
I gather you are using a computer with a Linux OS that is performing some functions on incoming WAN data?
So what is the architecture: modem to router to computer back to router?

What are you trying to stop? Presumably most people do not allow unsolicited traffic in (such traffic is dropped).
Thus are you simply scanning outgoing traffic???

What are you scanning, looking for bad IPs? Suspicious packet traffic???
I'm a bit bamboozled by what is actually going on here?

Thanks in advance for answering such basic questions..........
With such info, I will know whether or not for a homeowner the investment in resources is worth it. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Mar 03, 2019 8:49 am

Hi,

First of all, I think it is important for you to understand what a network threat detection engine, like Suricata, does. It ingests network packets, runs those packets against a set of rules, and then reports on those packets which match the rules. Suricata also provides the ability to do intrusion prevention (IPS) against those IPs where the rules matched. So in a typical installation, you'd dedicate a system that would sit on your network perimeter and do this work.

But with the Mikrotik router being more capable than most, we can use the Mikrotik as a component in the solution. First of all, using the packet sniffer capability of the Mikrotik we can capture packets and send them to Suricata. Which packets you send is up to you, but I send only inbound packets. Suricata does its thing and the triggered packets and the associated rules end up in a MySQL database. When this occurs, a trigger writes the needed info in a table that is constantly scanned by a php program. When this happens, the php program sends the necessary info to write a firewall entry to the Mikrotik. So now the Mikrotik plays the role of IPS.

In the end, it depends on how much IDS/IPS your ISP does in catching the bad actors on their perimeter as to whether or not this effort is worth it. Here in Indonesia, my ISP doesn't do any IDS/IPS on their perimeter, so it all comes to my network. So in my case, it's a vital piece of keeping bad actors off my systems.

Hope this helps.

Tom
 
anav
Forum Guru
Posts: 2894
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Mar 03, 2019 10:31 pm

Great explanation Tom, it sounds a bit like what the layer7 firewall does on the Mikrotik, looking for a pattern of packets etc..........
I have read that using layer7 rules really loads the MT CPU, so what you in effect are doing is offloading such work and using the MT at the very front end to implement the outcome (filter rules) (bad IPs). I imagine the time lag to sniff a packet and have the MT put up a rule or add IPs to an existing rule is very short?

Don't laugh, but I have my basic rules set up:
establish related
drop invalid
(my specific allow rules)
drop all else.

Q1. Do I really need all this IDS IDP, synflood, tarpit, blacklists etc etc etc........
In other words, I don't expect anybody to gain access to my router or my devices based on unsolicited incoming traffic (inbound as you state).

However, what I don't have control over is folks accessing sites or clicking on emails with bad stuff without knowing it.
Thus where I see the router coming into play is stopping bad outbound traffic (because returns from the bad actor will be allowed back in (established related)), and thus one has to nip this before the traffic is allowed out. Thus some layer7 rules are probably a good idea here.
Q2. Does your program or methods address this aspect?

Q3. What is the difference between all the stuff you are managing and my simple technique of:
- adding raw rules to capture all probes on common ports (that I don't use, so prerouting capture has no negative effects).
- adding filter rules to capture all probes on common ports I do use, but in order so after they have met my needs (for example DST port,,,,,,,,,,, - I only port forward with known WAN IPs allowed via source-address-list and to devices on their own VLAN). Then in raw, I drop all those captured IPs. My logic, good or bad, is that I will stop the majority of bad actors for a set time, be it 4 hours or 2 days, and that is just as effective as any other set of blacklists etc...........
However, why bother when I already have drop rules on my router (other than stopping repeated attempts or multi-port attempts at the router).

Any input or clarification or guidance most appreciated, as I know very little on this front and am always willing to learn.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Mar 04, 2019 5:23 am

Yes, time lag is very short. Less than 2 seconds.

Q1. Simple answer, of course, is "that depends". I do have services that I have open to the wild, so in my case I do want to stop someone trying to gain access through those services. If you don't have any services published, and are just a consumer of the internet, then certainly that removes a big reason for doing so. Just be sure that you really don't have any services published...like IOT devices.

Q2. Yes, Suricata can be used to scan outbound traffic looking for potential threats. I do some of this, minimal, but it is supported. Just make sure your filter on the sniffer is passing outbound traffic to Suricata.

Q3. You don't know what you don't know. Before I implemented this I ran suricata against my traffic to see what was happening. Like I said, in Indonesia I was seeing hundreds of hits an hour. On my server that is in the US, I was seeing maybe a dozen soft hits in a day, which the Mikrotik could handle with the basic firewall rules.
 
anav
Forum Guru
Posts: 2894
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Mar 04, 2019 4:17 pm

Good points.
Yes, I have ports open for a septic device and a solar device, with a source address list for static company IPs to access.
Having a source address list in my NAT rule renders the port invisible on scans.
Yes, I have IoT devices, but they are all on VLANs, not on the same VLAN, and only have access to the internet.

By the way, I was subscribing to MOAB (a very decent service for pennies) but since I can write this off for taxes I am using
this service at the moment, since I know I am not savvy and the additional security shouldn't hurt..
https://axiomcyber.com/shield/

So the question becomes, is it worth it for me to wander down the Suricata (OSSEC) route??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
haj
just joined
Posts: 1
Joined: Tue Jun 04, 2019 11:32 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 04, 2019 11:45 am

Hey,

Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata.
We block bad IPs with a couple of ipset sets and iptables rules.

How do Mikrotiks perform when they have to block a list of, say, 200,000 IPs?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jun 05, 2019 2:08 pm

Hi Haj,

I really can't answer the question about performance. I'd pose that to one of the Mikrotik engineers.

But I would question why you'd be blocking 200,000 IPs? I have looked at my list of frequent offenders and have found that I've been able to consolidate some of the IP addresses into ranges. If you have 200,000 IP addresses then I'd assume that you could identify some pretty significant ranges and block the range rather than individual addresses.

Tom
