aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 2:18 pm

Hi,

I am looking for a good IDS for my network. I know that Suricata and Snort exist, but I would like to use "Maltrail". I installed it on a server, but I don't know how to send the info from MK to Maltrail's server. MK tries to do it using port 37008, but Maltrail is only listening on the HTTP port. Any advice?

BTW, I installed Snort too, but I don't know how to make the router's info go to Snort.

I enabled in "streaming" the IP where Maltrail (and Snort) is installed.

Thanks
 
okazdal
Trainer
Posts: 25
Joined: Fri Aug 07, 2015 4:44 pm

Re: Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 2:27 pm

Hi,
I quickly checked out Maltrail documentation. I think you should set up a mirror port and connect your sensor to that port.
Streaming will not help you. Streaming uses tzsp format to send traffic data. Check out https://wiki.mikrotik.com/wiki/Ethereal/Wireshark
Maybe you can use streaming with trafr executable. https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
On this link, there is an example of how to do it with snort.

Osman Kazdal
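To make the point above concrete (streaming sends TZSP-encapsulated frames over UDP, not something a plain HTTP listener or a pcap reader can consume directly), here is a small decapsulator. It is an added example, not code from this thread, from MikroTik, or from Maltrail/trafr: it parses one TZSP datagram into its header, tag list and the raw Ethernet frame, and wraps frames in a classic pcap stream of the kind `snort -r -` reads from stdin. The sample datagram is constructed inline; tag number 0x0A in it is used only to exercise the tag walker, and its meaning is not interpreted.

```python
import struct

# TZSP header layout used by RouterOS "streaming": 1-byte version, 1-byte type,
# 2-byte encapsulation, then a tag list ended by TAG_END, then the raw frame.
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0          # "received tag list": a sniffed frame being reported
TZSP_ENCAP_ETHERNET = 0x0001    # encapsulated payload is an Ethernet frame
TAG_PADDING = 0x00              # one byte, no length field
TAG_END = 0x01                  # one byte, terminates the tag list

PCAP_LINKTYPE_ETHERNET = 1


class TzspError(ValueError):
    """Raised for datagrams that are not well-formed TZSP."""


def parse_tzsp(datagram: bytes):
    """Return (encapsulation, tags, frame) for one TZSP UDP payload.

    tags is a list of (tag_type, value) pairs. Malformed input raises TzspError
    rather than yielding a truncated frame, so a sensor never hands garbage
    to its protocol decoder.
    """
    if len(datagram) < 4:
        raise TzspError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise TzspError(f"unsupported TZSP version {version}")
    if ptype != TZSP_TYPE_RECEIVED:
        raise TzspError(f"not a received-tag-list packet (type {ptype})")
    tags = []
    pos = 4
    while True:
        if pos >= len(datagram):
            raise TzspError("tag list not terminated with TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise TzspError("tag length byte missing")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise TzspError("tag value truncated")
        tags.append((tag, datagram[pos:pos + length]))
        pos += length
    return encap, tags, datagram[pos:]


def frames_to_pcap(frames, linktype=PCAP_LINKTYPE_ETHERNET, ts_sec=0, ts_usec=0):
    """Wrap raw frames in a classic pcap byte stream (what `snort -r -` expects).

    Snort's "truncated dump file; tried to read 4 file header bytes, only got 0"
    means this 24-byte global header never arrived on its stdin.
    """
    out = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for frame in frames:
        out += struct.pack("!IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return out


def build_sample_datagram():
    """Constructed sample (not captured traffic): one Ethernet frame in TZSP."""
    frame = (bytes.fromhex("ffffffffffff")          # broadcast destination MAC
             + bytes.fromhex("020102030405")        # locally administered source MAC
             + struct.pack("!H", 0x0800)            # EtherType IPv4
             + b"\x45" + b"\x00" * 19)              # minimal IPv4 header bytes
    header = struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, TZSP_ENCAP_ETHERNET)
    # One tag with a 1-byte value, plus a padding byte, to exercise the tag walker.
    # Tag number 0x0A is chosen only for the sample; its meaning is not interpreted.
    tags = bytes([0x0A, 0x01, 0xC8, TAG_PADDING, TAG_END])
    return header + tags + frame


if __name__ == "__main__":
    encap, tags, frame = parse_tzsp(build_sample_datagram())
    print(f"encap={encap:#06x} tags={tags} frame_len={len(frame)}")
    print(f"pcap stream: {len(frames_to_pcap([frame]))} bytes")
```

The strictness in `parse_tzsp` is deliberate: a sensor fed from a UDP port accepts datagrams from anything that can reach that port, so a truncated or malformed tag list should be rejected rather than decoded as a short frame.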
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 2:37 pm

Interested in this myself. Once my internet gets restored I'm planning on setting up a bunch of these to test in a VM. I'll let you know what I figure out.

 
aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 2:48 pm

Thank you both. I had installed Snort/Maltrail/Suricata in an OpenVZ container; is that a problem?

Suricata gives me:
23/3/2017 -- 08:37:56 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 65535 not yet supported in module DecodeAFP

Thanks again.
 
aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 3:14 pm

With Snort installed I get this when I try to start Snort:

# ./trafr -s | snort -r -
-bash: ./trafr: No such file or directory
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
Fatal Error, Quitting..

I am using this manual -> https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS

Thanks.
 
aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 3:32 pm

New update: I installed it on a VirtualBox server and I get this with the new server:

root@ids:~# ./trafr -s | snort -r -
bash: ./trafr: No existe el archivo o el directorio
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
Fatal Error, Quitting.

And in the OpenVZ container, same output. But with the VirtualBox server, if I execute "snort" I receive packets, while in the OpenVZ container I do not, with this output:

root@ids:/# snort
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "venet0".
ERROR: Cannot decode data link type 113
Fatal Error, Quitting..
 
okazdal
Trainer
Posts: 25
Joined: Fri Aug 07, 2015 4:44 pm

Re: Maltrail + Mikrotik (IDS)

Thu Mar 23, 2017 3:50 pm

Hi,
I think you should download trafr from http://mikrotik.com/download
 
aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Maltrail + Mikrotik (IDS)

Sun Mar 26, 2017 5:34 pm

Hi,
I think you should download trafr from http://mikrotik.com/download
Thanks, but my error is shown on my IDS server (a normal Debian), could you guide me a bit?
 
aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Maltrail + Mikrotik (IDS)

Mon Mar 27, 2017 3:35 pm

I solved getting traffic on the Snort server from MikroTik. The server couldn't take traffic from MK because the tool "trafr" wasn't installed correctly; you have to download it and install a package. Here is the output:

# ./trafr
-bash: ./trafr: No such file or directory

The problem is that the trafr program is a 32-bit application and you're trying this on a 64-bit OS without 32-bit compatibility libraries. To verify that, you can use the following command:

file ./trafr
./trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped

On Ubuntu 14.04 you can fix that simply by doing the following:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386

With that package you can receive traffic; test it using this:
trafr -s | snort -r -

You should get traffic now.

Now I want to go ahead with Snort. How could I get graphs from those stats? I get a lot of traffic but I would like to see it in a GUI or similar.

Thanks.
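The `file ./trafr` check in the post above reads the ELF identification bytes at the start of the binary; the same fields can be decoded in a few lines, which is handy when `file` is not installed on a minimal sensor host. The following is an added example and not part of this thread or of trafr: it decodes the first 20 bytes of an ELF header (magic, class, data encoding, e_type, e_machine) and reports whether a 32-bit i386 binary is being run on a 64-bit host, the situation that "No such file or directory" from the shell hides. The two sample headers are constructed inline and are not real binaries; `host_bits()` uses the running interpreter's word size as an approximation of the host's.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5            # offsets into e_ident
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
EM_386, EM_X86_64 = 3, 62
MACHINE_NAMES = {EM_386: "Intel 80386", EM_X86_64: "x86-64"}


def elf_info(header: bytes) -> dict:
    """Decode the fields `file` reports from the first 20 bytes of an ELF header."""
    if header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if len(header) < 20:
        raise ValueError("ELF header truncated")
    cls, data = header[EI_CLASS], header[EI_DATA]
    if cls not in (ELFCLASS32, ELFCLASS64) or data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("invalid EI_CLASS or EI_DATA byte")
    endian = "<" if data == ELFDATA2LSB else ">"
    # e_type and e_machine follow the 16-byte e_ident block, in the file's byte order.
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return {
        "bits": 32 if cls == ELFCLASS32 else 64,
        "little_endian": data == ELFDATA2LSB,
        "type": e_type,
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def elf_info_from_file(path: str) -> dict:
    """Read only the header bytes needed; the rest of the binary is never loaded."""
    with open(path, "rb") as fh:
        return elf_info(fh.read(20))


def host_bits() -> int:
    # Approximation: word size of the running interpreter, which on a plain
    # 64-bit Debian/Ubuntu install matches the host.
    return 64 if sys.maxsize > 2 ** 32 else 32


def needs_i386_compat(info: dict, host: int) -> bool:
    """True when a 32-bit i386 binary is run on a 64-bit host (libc6:i386 needed)."""
    return info["bits"] == 32 and info["machine"] == "Intel 80386" and host == 64


# Constructed 20-byte headers (not real binaries) so the example runs stand-alone.
SAMPLE_TRAFR_HEADER = (ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0])
                       + b"\x00" * 8 + struct.pack("<HH", ET_EXEC, EM_386))
SAMPLE_X86_64_HEADER = (ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0])
                        + b"\x00" * 8 + struct.pack("<HH", ET_DYN, EM_X86_64))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = elf_info_from_file(target) if target else elf_info(SAMPLE_TRAFR_HEADER)
    print(info)
    if needs_i386_compat(info, host_bits()):
        print("32-bit i386 binary on a 64-bit host: install the i386 libc")
```

Run it with a path (`python3 elfcheck.py ./trafr`, assuming the file is saved under that name) to inspect a real binary; without arguments it decodes the constructed sample.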
 
maximan
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina

Re: Maltrail + Mikrotik (IDS)

Mon Mar 27, 2017 10:26 pm

Hello

I use it by creating a dummy interface and replaying the TZSP traffic to it with tcpreplay.
modprobe dummy
ip link set name eth10 dev dummy0
ifconfig eth10 192.168.42.42
trafr -s | tcpreplay --topspeed -i eth10 -
python sensor.py 
python server.py   
and ta-da... you can use Maltrail on eth10

HTH

M.
 
aarango
Member Candidate
Topic Author
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Maltrail + Mikrotik (IDS)

Tue Mar 28, 2017 8:47 am

Hello

I use it by creating a dummy interface and replaying the TZSP traffic to it with tcpreplay.
modprobe dummy
ip link set name eth10 dev dummy0
ifconfig eth10 192.168.42.42
trafr -s | tcpreplay --topspeed -i eth10 -
python sensor.py 
python server.py   
and ta-da... you can use Maltrail on eth10

HTH

M.
Thank you for sharing that, it sounds really good, but I have a problem. I am running under an OpenVZ container and I can't load the dummy module; do you know how I could do it?
# modprobe dummy
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-openvz-042stab120.18-amd64/modules.builtin.bin'
modprobe: FATAL: Module dummy not found.

I tried loading iptables modules, netfilter... no luck.

=======================================================

I tried doing it on a VirtualBox server and I get this:
# ./trafr -s | tcpreplay --topspeed -i eth10 -
sending out eth10
processing file: -

Fatal Error in tcpreplay.c:replay_file() line 252:
Error opening pcap file: unknown file format


Thanks.
