Community discussions

 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:09 am

Hi, I'm trying to enable notifications via email to my account, but I have been reading and reading and haven't had any luck. I use postfix and I'm trying to send to a server with TLS (I created the sasl file in postfix with the login details).
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have logging enabled on the Mikrotik and I receive some emails when the router drops something, but I would like to get emails too; is it possible?

Thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:20 am

There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:28 am

I added that option: in the rule I marked "Log" and I receive emails when the Mikrotik blocks, but I would like an email from Suricata if it blocks anything. The email from the Mikrotik isn't very useful because the info isn't complete (no cause, no rule ID, etc).
Here is an example (the body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 11:44 am

Check the update to suricata_block.php that I just made. :)
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 1:49 pm

Thanks! It's a very useful email :D :D
I have to change some values on my mail server because I'm using TLS on 587, but I will let you know when it's done and working fine.

Thanks again for your job.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 2:51 pm

I have a little problem: when does the event notification turn on? If I run mail -s "test" xxxx@hotmail.com from the shell I get it, but not with the script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 3:02 pm

Check these settings in php.ini:

http://php.net/manual/en/mail.configuration.php
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 8:28 am

I got a test through successfully, but I don't receive emails from the script suricata_block. How could I debug it further? I have alerts in Snorby, so I think I should be getting an email from the script.

Here is my test.php, from which I do receive alerts:
<?php
$to = "mydomain@mydomain.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: mydomain@mydomain.com" . "\r\n" .
"CC: mydomain@mydomain.com";

mail($to,$subject,$txt,$headers);
?>
Thanks.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 8:33 am

Did you update suricata_block.php with the new one? That is the same code as in suricata_block.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 9:26 am

Solved! I use Debian and I had to declare the variable first with this:

$email_alert = true;

Now I receive emails from alerts. Thanks!
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri May 05, 2017 2:12 pm

Hi again Tomfisk, I have a little question about OSSEC. My Mikrotik never receives any entry from OSSEC. I think that OSSEC isn't adding any info to SQL, because I have logs in the script and all of them are empty. How could I debug it?
I have logs with info, such as
/etc/ossec/logs/active-responses.log
Here is an example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting a blank result, and for that reason the Mikrotik doesn't add any rule; here is the output of executing the script:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat May 06, 2017 5:37 am

Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in the line that triggered the active response.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 09, 2017 1:06 pm

Sorry for the late reply. Here is an example from alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 09, 2017 3:34 pm

If that is the actual content of the log, "192.168.X.X", then the reason it is failing is that the script can't find a full IP address.
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 8:40 am

Uhmm, so I understand that it works fine: when an event occurs, the script will get the full IP, as I understand it, right?

Thanks!
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 8:57 am

Yes, if the event from the log file contains the full IP address, it works.
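The lookup tomfisk describes (select the alert block in alerts.log by alert id, take its last line, find an IP address in it) as an added Python example; this is not tomfisk's mikrotik-fw.sh and not part of the thread. The alerts.log text is constructed in OSSEC's format and the function names are mine. It covers the two failure modes seen above: `alert_block` refuses an empty alert id (the empty `//` pattern behind the `sed: no previous regular expression` line in the trace), and `alert_ip` returns None when the event line has no complete dotted quad, which is what a masked `192.168.X.X` looks like to the script.

```python
import re

# Constructed alerts.log sample in OSSEC's format (not real alerts). The first
# block has no address in its event line; the second does.
SAMPLE_ALERTS_LOG = """\
** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.example.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

** Alert 1494324500.123456: mail - syslog,sshd,authentication_failed,
2017 May 09 12:08:20 (mail.example.com) 192.168.1.2->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
May 9 12:08:19 mail sshd[10900]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
"""

# A dotted quad not glued to other digits or dots (so "192.168.X.X" never matches).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def alert_block(alert_id, log_text):
    """Lines of the alert block headed by '** Alert <id>:' up to the next blank
    line (the range the thread's sed expression selects), or None if absent."""
    if not alert_id:
        # An empty id gives sed the empty pattern '//' ("no previous regular
        # expression" in the trace above). Fail loudly instead of matching nothing.
        raise ValueError("empty alert id")
    header = f"** Alert {alert_id}:"
    block = None
    for line in log_text.splitlines():
        if block is None:
            if line.startswith(header):
                block = [line]
        elif line.strip():
            block.append(line)
        else:
            break  # blank line ends the alert block
    return block


def event_line(alert_id, log_text):
    """The last line of the block, i.e. the original log event (the tail -n1)."""
    block = alert_block(alert_id, log_text)
    return block[-1] if block else None


def alert_ip(alert_id, log_text):
    """First complete IPv4 address in the event line, or None when there is
    none; a None here means the active response has nothing it can block."""
    line = event_line(alert_id, log_text)
    if line is None:
        return None
    for match in IPV4.finditer(line):
        if all(int(octet) <= 255 for octet in match.group().split(".")):
            return match.group()
    return None


if __name__ == "__main__":
    for alert_id in ("1494324377.869344", "1494324500.123456"):
        ip = alert_ip(alert_id, SAMPLE_ALERTS_LOG)
        print(alert_id, "->", ip if ip else "no blockable address; skipping")
```

Run it as a script to see one alert skipped and one yielding 203.0.113.45; an active-response wrapper would exit without touching the router in the None case rather than sending an empty address, which is the blank-variable run shown in the trace.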
 
aarango
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 11:57 am

Nice! So, I feel calmer without seeing attackers :)

What will your next update be? I'll wait for it so I can test it :D

Thanks (one more time).
 
lorenzo95
just joined
Posts: 2
Joined: Fri May 29, 2015 8:02 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon May 29, 2017 2:04 am

Wow, this is fantastic :) . A great way to do it without having to use an inline IPS.
Just one question: can we do it without snorby? Could you maybe provide a full sql schema instead of just your additions for barnyard to write to?

I usually use suricata with evebox (json api) so I was just trying to think of a way to use this solution without having to install ruby and such.

Edit: would this schema work when imported into a database named snorby?
https://github.com/firnsy/barnyard2/blo ... eate_mysql

Thanks
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon May 29, 2017 10:41 am

Yes. I use Suricata as well so as long as the alerts get moved into the snorby structure using barnyard2 all should be good. And yes, adding the database structure you linked to is what is needed.

Tom
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 12:44 pm

Hi,

Tried to implement this solution. I use Ubuntu 16.04 with mysql 5.7.18. When I put a trigger in place I get this while loading barnyard2:

ERROR: database mysql_error: Unknown column 'event.id' in 'field list'
SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,2211,3232235876,3109214298,4,5,0,44,12662,0,0,64,17,46481);]
Fatal Error, Quitting..
Without a trigger my events are exporting fine. It seems my db cannot handle the nested query. Any ideas what is wrong?
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 3:09 pm

Can you check the definition of the event table in the database?
show columns from event;
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 5:28 pm

+-----------+------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid | int(10) unsigned | NO | PRI | NULL | |
| cid | int(10) unsigned | NO | PRI | NULL | |
| signature | int(10) unsigned | NO | MUL | NULL | |
| timestamp | datetime | NO | MUL | NULL | |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.00 sec)
It was created using the schema in the barnyard2 repository.
 
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 7:23 pm

Hey guys, I am stuck on the whole Database Trigger part. Whenever I try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still I got the same error.

I am really eager to try this as it seems fairly interesting,

Thanks!
error.JPG
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:38 am

OK, that doesn't match the snort/snorby schema. I've included the snort/snorby schema in the post. Create the database with that schema and all should be good.
 
tomfisk
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:41 am

Does my reply from Mon Feb 27, 2017 10:44 am help?
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 12:33 pm

Try changing the delimiter:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
    IF (direction = "src") THEN
      INSERT INTO block_queue
      SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Last edited by rapiertg on Tue Jun 06, 2017 3:39 pm, edited 1 time in total.
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 2:26 pm

OK, new records are added to the firewall's access list. One issue with it is that they are added as unsigned longs. Somehow they are not converted to addresses.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 2:44 pm

OK, new records are added to the firewall's access list. One issue with it is that they are added as unsigned longs. Somehow they are not converted to addresses.
Check the records in the block_queue table. They should be populated with IPv4 addresses. They are converted from numeric to IPv4 addresses by the trigger with the inet_ntoa function.
 
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 3:56 pm

Hey guys, I am stuck on the whole Database Trigger part. Whenever I try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still I got the same error.

I am really eager to try this as it seems fairly interesting.

Thanks!
Does my reply from Mon Feb 27, 2017 10:44 am help?
Try with changing delimiter:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Thanks for the reply! I tried this and got a new error:
ERROR 1054 (42S22) at line 2: Unknown column 'sid' in 'NEW'
Also tomfisk, I tried adding it straight to the triggers tab in phpMyAdmin, but I get the same error that is presented on the command line. I think it may have something to do with the iphdr table. Is there anything specific I have to do with that to get it to work?

Thanks guys!
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:31 pm

OK, new records are added to the firewall's access list. One issue with it is that they are added as unsigned longs. Somehow they are not converted to addresses.
Check the records in the block_queue table. They should be populated with IPv4 addresses. They are converted from numeric to IPv4 addresses by the trigger with the inet_ntoa function.
Working great. Somehow I had maximan's trigger instead of yours, which handles the conversion elsewhere. Thanks!
 
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 8:38 pm

I figured out my mistake, sorry guys, I'm kinda stupid lol, I had to install barnyard2... -_-
 
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 11:38 pm

Hey Tom, I think there is an issue with the routeros_api.class.php file I got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros- ... .class.php and when I run it, I get errors such as:
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 332
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 339
PHP Warning:  fread() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 255
PHP Warning:  socket_get_status() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 302
PHP Notice:  Undefined offset: 0 in /usr/local/bin/suricata_block.php on line 125
Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jun 07, 2017 5:05 am

Hey Tom, I think there is an issue with the routeros_api.class.php file I got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros- ... .class.php and when I run it, I get errors such as:
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 332
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 339
PHP Warning:  fread() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 255
PHP Warning:  socket_get_status() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 302
PHP Notice:  Undefined offset: 0 in /usr/local/bin/suricata_block.php on line 125
Thanks!
Here's the comment block at the top of my routeros_api.class.php file and my reference for the file is https://github.com/BenMenking/routeros- ... master.zip
/*****************************
 *
 * RouterOS PHP API class v1.6
 * Author: Denis Basta
 * Contributors:
 *    Nick Barnes
 *    Ben Menking (ben [at] infotechsc [dot] com)
 *    Jeremy Jefferson (http://jeremyj.com)
 *    Cristian Deluxe (djcristiandeluxe [at] gmail [dot] com)
 *    Mikhail Moskalev (mmv.rus [at] gmail [dot] com)
 *
 * http://www.mikrotik.com
 * http://wiki.mikrotik.com/wiki/API_PHP_class
 *
 ******************************/
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 8:39 am

This looks like one of the things I've been searching for; however, I would like to know how much CPU is needed for this. Would a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a USB port which can power it.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 9:17 am

This looks like one of the things I've been searching for; however, I would like to know how much CPU is needed for this. Would a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a USB port which can power it.
When it comes to running Suricata it really depends on your traffic mix. If you have lots of users on your network then you'll have more unique sessions to keep track of. In general, the more memory you have available, the better off you will be. I'm running on a quad core ARM A9 with gigabit ethernet (4 GB memory) with loads peaking around 200 Mbps and with typically less than 100 sessions. The A17 is supposed to be 60% higher performance. So I'd give it a qualified "yes" if you have the memory to support your sessions. There is an entire chapter on Suricata performance in their documentation which might be worth a read: http://suricata.readthedocs.io/en/lates ... index.html
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 3:30 pm

This looks like one of the things I've been searching for; however, I would like to know how much CPU is needed for this. Would a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a USB port which can power it.
When it comes to running Suricata it really depends on your traffic mix. If you have lots of users on your network then you'll have more unique sessions to keep track of. In general, the more memory you have available, the better off you will be. I'm running on a quad core ARM A9 with gigabit ethernet (4 GB memory) with loads peaking around 200 Mbps and with typically less than 100 sessions. The A17 is supposed to be 60% higher performance. So I'd give it a qualified "yes" if you have the memory to support your sessions. There is an entire chapter on Suricata performance in their documentation which might be worth a read: http://suricata.readthedocs.io/en/lates ... index.html
Thanks, so basically it's all down to how many thousands of torrent connections I want to be able to support for memory usage, or how many FPS gamers there'll be on the network (a lot of FPS games send many minimal sized packets) for CPU usage. I might need a better machine.
 
Guram
just joined
Posts: 1
Joined: Tue Jul 04, 2017 2:09 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jul 04, 2017 2:17 pm

Hello, I'm trying to implement this one, but I don't know how to test whether it works or not. Please help me!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jul 04, 2017 2:56 pm

Hello, I'm trying to implement this one, but I don't know how to test whether it works or not. Please help me!
There are several tutorials on testing the alerts on Suricata. For example, look at paragraph 1.5 of this tutorial to test if the rules are firing.

https://web.nsrc.org/workshops/2015/pac ... g-test.htm
 
Percanta
newbie
Posts: 39
Joined: Tue Feb 24, 2009 1:00 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 10, 2017 5:48 pm

Good day
Thank you for sharing this, my comments:
Looking at the blocked IPs (public) I noticed that most of the time they are caused by the same clients (private IPs), so I decided not to send this traffic to Suricata again during the blocked time; I stopped the packet sniffer and use mangle instead:
/ip fi ma
add action=sniff-tzsp out-interface=LAN chain=forward sniff-target=172.18.1.4 sniff-target-port=37008 src-address-list=!Blocked

Maybe it'd be great to know the LAN IP in the comment of the address list and/or Telegram; I know I could search for it on the Snorby web UI but it'd be more practical like this:
/ip firewall address-list> pr wh list =Blocked
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 D ;;; From suricata, ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397 => 1:2522792 => event timestamp: 2017-08-10 08:28:38, Address=192.168.X.X
Blocked 46.28.110.244 aug/10/2017 13:28:41 3m12s

I've added this to mikrotik-fw.sh to send a Telegram message (OSSEC active response):
rm $tmpfile
curl --data chat_id=-0000000 --data-urlencode "text="'"'"OSSEC HIDS >> $LOGLINE"'"'", Timeout 23:59:59" https://api.telegram.org/bot00000:ewrj4lrjlrkj5lwrfwjrj5/sendMessage
Regards
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Aug 14, 2017 6:08 am

Thanks for your comments Percanta. I will look at adding in the IP of the internal source/destination to the comment.

Tom
 
Percanta
newbie
Posts: 39
Joined: Tue Feb 24, 2009 1:00 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Aug 14, 2017 4:48 pm

Good day
I've made this:
added a new column to the block_queue table
ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL;
modified the trigger
                         
....
    INSERT INTO block_queue
    SET que_ip_adr = NEW.ip_src,
        que_ip_adrlan = NEW.ip_dst,
        que_timeout = timeout,
        que_sig_name = this_sig_name,
        que_sig_gid = this_sig_gid,
        que_sig_sid = this_sig,
        que_event_timestamp = this_event_timestamp;
  ELSE
    INSERT INTO block_queue
    SET que_ip_adr = NEW.ip_dst,
        que_ip_adrlan = NEW.ip_src,
        que_timeout = timeout,
        que_sig_name = this_sig_name,
        que_sig_gid = this_sig_gid,
        que_sig_sid = this_sig,
        que_event_timestamp = this_event_timestamp;
  END IF;
END IF;
END;;
DELIMITER ;
Now we can use the other IP address, for example:
$API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow[ 'que_ip_adrlan' ] .    $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
Tom, I have a doubt: how did you choose the 20 signatures to block? I see around 1000 in the signature table :lol: :lol: :lol:, or where can I get info about how to choose them? Thank you

regards
 
otgooneo
Trainer
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Aug 15, 2017 5:07 am

Sorry for being lazy. But does anyone have a pre-configured image which you can install and then only change minor configurations like IP address, username and password?
----------------------------
Want to learn more and more...
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Aug 15, 2017 5:18 am

Good day
I've made this:
added a new column to the block_queue table
ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL;
modified the trigger
                         
....
    INSERT INTO block_queue
    SET que_ip_adr = NEW.ip_src,
        que_ip_adrlan = NEW.ip_dst,
        que_timeout = timeout,
        que_sig_name = this_sig_name,
        que_sig_gid = this_sig_gid,
        que_sig_sid = this_sig,
        que_event_timestamp = this_event_timestamp;
  ELSE
    INSERT INTO block_queue
    SET que_ip_adr = NEW.ip_dst,
        que_ip_adrlan = NEW.ip_src,
        que_timeout = timeout,
        que_sig_name = this_sig_name,
        que_sig_gid = this_sig_gid,
        que_sig_sid = this_sig,
        que_event_timestamp = this_event_timestamp;
  END IF;
END IF;
END;;
DELIMITER ;
Now we can use the other IP address, for example:
$API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow[ 'que_ip_adrlan' ] .    $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
Tom, I have a doubt: how did you choose the 20 signatures to block? I see around 1000 in the signature table :lol: :lol: :lol:, or where can I get info about how to choose them? Thank you

regards
Thanks for the code updates Percanta!

With regard to the number of signatures I block: this is on a home "lab" network, so instead of blocking all activity, I wait to see what activity is coming in and then block specific signatures or blocks of signatures. If this was on a corporate network, I would take the other approach: block every signature and then look at excluding specific activity that is valid.
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 23, 2017 2:40 pm

A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes is always increasing without the old processes being killed; is there a way to kill old processes automatically?

Normally each week I stop the daemon and restart everything again.

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 7:31 am

In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes is always increasing without the old processes being killed; is there a way to kill old processes automatically?

Normally each week I stop the daemon and restart everything again.

Thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 12:22 pm

In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes is always increasing without the old processes being killed; is there a way to kill old processes automatically?

Normally each week I stop the daemon and restart everything again.

Thanks!
Yes, it can help; do you start the process again afterwards with any particular script or with the normal script?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 12:29 pm

I do it in my oinkupdate.sh script.
#!/bin/bash
# Pull the updated rule sets into /etc/suricata/rules
/usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules
chown snort:snort /etc/suricata/rules/*
# SIGUSR2 asks the running suricata process to reload its rules in place
pkill -USR2 -u snort -f /usr/bin/suricata
/etc/init.d/aanval restart
# Restart barnyard2 after the rule update, with a short pause between stop and start
/etc/init.d/barnyard2 stop
sleep 5
/etc/init.d/barnyard2 start
In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes is always increasing without the old processes being killed; is there a way to kill old processes automatically?

Normally each week I stop the daemon and restart everything again.

Thanks!
Yes, it can help; do you start the process again afterwards with any particular script or with the normal script?

Thanks.
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 1:42 pm

I do it in my oinkupdate.sh script.
#!/bin/bash
# Pull the updated rule sets into /etc/suricata/rules
/usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules
chown snort:snort /etc/suricata/rules/*
# SIGUSR2 asks the running suricata process to reload its rules in place
pkill -USR2 -u snort -f /usr/bin/suricata
/etc/init.d/aanval restart
# Restart barnyard2 after the rule update, with a short pause between stop and start
/etc/init.d/barnyard2 stop
sleep 5
/etc/init.d/barnyard2 start
In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios, and on my IDS server the number of processes is always increasing without the old processes being killed; is there a way to kill old processes automatically?

Normally each week I stop the daemon and restart everything again.

Thanks!
Yes, it can help; do you start the process again afterwards with any particular script or with the normal script?

Thanks.
Good idea, done too :) thanks!
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 12:46 pm

I really ask for help!
Everything was done step by step.
After creating the sigs_to_block table and the TRIGGER, barnyard2 stopped writing to the database.
It ends with an error:
Aug 30 11:43:14 sv-ips-01 barnyard2: FATAL ERROR: database mysql_error: In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'snorby.sigs_to_block.src_or_dst'; this is incompatible with sql_mode=only_full_group_by#012#011SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,22527,1539234099,3274620322,4,5,0,45,0,0,0,0,6,1289);]
OK.
I turned on the desired mode in MySQL:
mysql> select @@sql_mode;
+------------------------+
| @@sql_mode             |
+------------------------+
| NO_ENGINE_SUBSTITUTION |
+------------------------+
1 row in set (0,00 sec)
It did not help!
How to fix it?
What's my mistake?
There are no answers on the Internet ...
Help me please!
OS: Ubuntu 16.04.3 AMD64
Barnyard2 Version 2.1.14 (Build 337)
As I understand it, the trigger is not working properly...
I created the trigger like this:
mysql -u root -p snorby < trigger_code.sql
trigger_code.sql:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
    IF (direction = "src") THEN
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_src,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
      SET que_ip_adr = NEW.ip_dst,
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
 
ATROX
newbie
Posts: 44
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 2:33 pm

OK.
I dropped the trigger:
mysql> use snorby;
mysql> drop trigger `after_iphdr_insert`;
and ran barnyard2.
Everything is great. It works!
Aug 30 14:22:47 sv-ips-01 barnyard2:         --== Initialization Complete ==--
Aug 30 14:22:47 sv-ips-01 barnyard2: Barnyard2 initialization completed successfully (pid=11329)
Aug 30 14:22:47 sv-ips-01 barnyard2: Using waldo file '/var/log/suricata/suricata.waldo':#012    spool directory = /var/log/suricata/#012
Aug 30 14:22:47 sv-ips-01 barnyard2: Opened spool file '/var/log/suricata//unified2.alert.1504074207'
......
Aug 30 14:25:08 sv-ips-01 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 2633] with [gid: 1] [sid: 2522988] [rev: 3068] [classif...
Aug 30 14:30:26 sv-ips-01 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 2685] with [gid: 1] [sid: 2403336] [rev: 3794] [classif...
What's wrong with the trigger?
How should its code be written correctly?
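An added example, not tomfisk's, maximan's or ATROX's code: the same trigger with the sigs_to_block lookup split into a bare COUNT(*) and a separate single-row SELECT, which is the form sql_mode=ONLY_FULL_GROUP_BY (the MySQL 5.7 default) accepts; the original mixes COUNT(*) with the non-aggregated columns src_or_dst and timeout in one SELECT, which is exactly the error barnyard2 reports. It assumes the snorby tables (event, signature, iphdr) and the sigs_to_block and block_queue tables as used in this thread, and uses INET_NTOA as tomfisk's version does.

```sql
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) DEFAULT 0;
  DECLARE this_event_signature INT(10) DEFAULT 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) DEFAULT 0;
  DECLARE this_sig_name VARCHAR(256) DEFAULT "";
  DECLARE this_sig_gid INT(10) DEFAULT 0;
  DECLARE timeout VARCHAR(12) DEFAULT "";
  DECLARE interested INT DEFAULT 0;
  DECLARE direction VARCHAR(3) DEFAULT "";

  -- Same lookups as the original trigger: the event row that belongs to this
  -- packet header, then the signature that fired for it.
  SELECT event.id, event.signature, event.timestamp
    INTO this_event, this_event_signature, this_event_timestamp
    FROM event
   WHERE event.sid = NEW.sid AND event.cid = NEW.cid;
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
    INTO this_sig, this_sig_gid, this_sig_name
    FROM signature
   WHERE signature.sig_id = this_event_signature;

  -- Step 1: a pure aggregate. Mixing COUNT(*) with src_or_dst and timeout in one
  -- SELECT is what ONLY_FULL_GROUP_BY rejects, and because the trigger runs inside
  -- barnyard2's INSERT INTO iphdr, that rejection aborts the insert itself.
  SELECT COUNT(*)
    INTO interested
    FROM sigs_to_block
   WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');

  IF (interested > 0) THEN
    -- Step 2: read the settings of exactly one matching row. ORDER BY prefers the
    -- longest (most specific) sig_name prefix; LIMIT 1 keeps SELECT ... INTO from
    -- failing with "Result consisted of more than one row" when two prefixes match.
    SELECT sigs_to_block.src_or_dst, sigs_to_block.timeout
      INTO direction, timeout
      FROM sigs_to_block
     WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%')
     ORDER BY LENGTH(sigs_to_block.sig_name) DESC
     LIMIT 1;

    -- iphdr stores addresses as unsigned integers; INET_NTOA turns the chosen side
    -- into the dotted-quad text that que_ip_adr (VARCHAR) and the Mikrotik
    -- address list expect. IF() replaces the original's two identical INSERT branches.
    INSERT INTO block_queue
       SET que_ip_adr = INET_NTOA(IF(direction = "src", NEW.ip_src, NEW.ip_dst)),
           que_timeout = timeout,
           que_sig_name = this_sig_name,
           que_sig_gid = this_sig_gid,
           que_sig_sid = this_sig,
           que_event_timestamp = this_event_timestamp;
  END IF;
END;;
DELIMITER ;
```

Removing ONLY_FULL_GROUP_BY from sql_mode instead would make the original query run, but then src_or_dst and timeout come from an arbitrary matching row; the split form behaves the same under either mode.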
