David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

firewall login Dst-Address\TCP State

Wed May 26, 2021 10:57 am

Hello,
I want to check my home network / computer to see if a computer is sending data to a "bad" place :-)

so I thought I will check the router firewall for TCP connections.
Will this do the job? Or do I need to get all the protocols?

Meaning I will write a script that runs once every ~20 seconds and prints me the connections my computer is making?
***
I have tried to run this:
:foreach i in=[/ip firewall connection find where src-address~"10.0.0.111"] do={[/ip firewall connection print where .id=$i] } 
I get 10 lines in the answer,
but I want to get only the dst-address.

I thought I would do this:
:foreach i in=[/ip firewall connection find where src-address~"10.0.0.111"] do={[/ip firewall connection get value-name=dst-address number=$i]}
but I can't use "print" in this command. Why?

***
If I'm correct,
what will be the best way to investigate the results?
Send the dst-address to a syslog server?

Is there any way to get the firewall to send a syslog message or something when a new connection is opened from the internal network?
That way I would also get the UDP / ICMP and all the other protocols I miss if I run every 20 seconds.


Thanks,
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: firewall login Dst-Address\TCP State

Wed May 26, 2021 11:44 am

Use get instead of print:
:foreach i in=[/ip firewall connection find where src-address~"10.0.0.111"] do={:put [/ip firewall connection get $i dst-address] }
What do you mean by bad? Do you have a list of IPs?
I do use Splunk for investigation. You can make a bad list and a filter rule with those bad IPs in it. Then send logs of this rule to Splunk.
You can (with the licensed version of Splunk) make realtime alerts that send email or other stuff if something is triggered.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: firewall login Dst-Address\TCP State

Thu May 27, 2021 9:03 am

I want to take all the IPs my computer is sending data to, and investigate them.
Also I want to do the same for my IP camera, to make sure it doesn't send data to any unknown server or something.

I'm not familiar with Splunk. It seems like a good idea for what I need (and maybe for other things also, when I think about it).
I saw your example, and there is a "page" called Mikrotik Live attack. Is this something I can use?
Can you guide me on what I need to create in order to get the wanted IP list (as shown above)?

Thanks,
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: firewall login Dst-Address\TCP State

Thu May 27, 2021 3:26 pm

Live attack shows the location of IP addresses that are trying ports on my router that are not open. It does not show when someone tries to attack the http server and other open ports.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: firewall login Dst-Address\TCP State

Thu May 27, 2021 3:32 pm

I understand this,
I didn't see where this rule is in the MikroTik firewall settings and/or how Splunk knows how to read/open this rule in this page.

This is my question.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: firewall login Dst-Address\TCP State

Thu May 27, 2021 5:30 pm

> I understand this,
> I didn't see where this rule is in the MikroTik firewall settings and/or how Splunk knows how to read/open this rule in this page.
>
> This is my question.

Your logging normally contains all & any packet that is DROPPED. You should set the "log" flag for all these rules to start with.
MikroTik uses SYSLOG to forward each of these logging lines to Splunk, which will ingest it & parse it as long as you have the prefix "MikroTik" set in the logging config section.
All packet drops are under the "firewall" topic.

As mentioned, you will only see entries in Splunk for which you activated the "log" flag. Sure, you could log also all "accept" / "allow" rules, but this will generate a LOT of events and is not very useful.

You can consider "Netflow" also to make visual how systems on your local LAN make connections/sessions to the outside world. But that is not very easy. I have Netflow running in Splunk and ingest netflow data from my RB3011, but it's not click-click-click OK stuff ...
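The thread's goal (collect every destination a given LAN host talks to and spot the ones that are not expected, covering UDP and ICMP as well as TCP) is what the syslog side of Jotne's and jvanhambelgium's suggestions gives you once the "firewall" topic is forwarded. The script below is an added example, not code from the thread or from MikroTik; it parses lines in the shape RouterOS writes for a filter rule with "log" enabled (`<topic> <prefix/chain>: in:... out:..., src-mac ..., proto ..., src[:port]->dst[:port], len N`), groups destinations per source, and lists the ones outside an allowlist. The log lines are constructed for the example, the regex is an approximation of the RouterOS format (lines carrying extra fields such as NAT details will not match it), and the allowlist and watched host values are hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog payloads in the shape RouterOS writes for a
# firewall rule with log=yes (topic "firewall"); not real captured logs.
SAMPLE_LOG = """\
firewall,info forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.0.0.111:51234->93.184.216.34:443, len 60
firewall,info forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto UDP, 10.0.0.111:40001->1.1.1.1:53, len 64
firewall,info forward: in:bridge out:ether1, src-mac 66:77:88:99:aa:bb, proto TCP (SYN), 10.0.0.120:33000->203.0.113.9:8080, len 60
firewall,info forward: in:bridge out:ether1, src-mac 66:77:88:99:aa:bb, proto ICMP (type 8, code 0), 10.0.0.120->198.51.100.7, len 84
firewall,info forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.0.0.111:51235->93.184.216.34:443, len 60
system,info router rebooted
"""

# Approximation of the RouterOS firewall log line. The parenthesised part after
# the protocol (TCP flags, ICMP type/code) and the ports are optional, so UDP
# and ICMP lines parse too; lines with extra fields (e.g. NAT info) are skipped.
LINE_RE = re.compile(
    r"^firewall,\w+ (?P<rule>.*?): in:(?P<in_if>[^,\s]+) out:(?P<out_if>[^,\s]+), "
    r"(?:src-mac (?P<mac>[0-9a-fA-F:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?->(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<len>\d+)$"
)

# RFC 1918 ranges are listed explicitly rather than via ip_address().is_private,
# because is_private also covers the documentation ranges used in the sample.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict of the fields in one firewall log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["len"] = int(rec["len"])
    return rec


def destinations_by_source(lines):
    """Map each source address to the set of (proto, dst, dport) it was seen talking to."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        out[rec["src"]].add((rec["proto"], rec["dst"], rec["dport"]))
    return dict(out)


def unexpected_destinations(lines, allowlist, watched_hosts=None):
    """List (src, dst, proto, dport) tuples whose dst is neither local nor allowlisted.

    watched_hosts restricts the check to specific LAN hosts (e.g. the PC and the
    IP camera from the thread); None means every source in the log.
    """
    findings = []
    for src, dests in destinations_by_source(lines).items():
        if watched_hosts and src not in watched_hosts:
            continue
        for proto, dst, dport in sorted(dests, key=lambda t: (t[0], t[1], t[2] or 0)):
            if dst in allowlist or any(ip_address(dst) in net for net in LOCAL_NETS):
                continue
            findings.append((src, dst, proto, dport))
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, dests in destinations_by_source(lines).items():
        print(src, sorted(dests, key=str))
    # Hypothetical allowlist: the two destinations the PC is expected to use.
    for finding in unexpected_destinations(lines, {"93.184.216.34", "1.1.1.1"}):
        print("unexpected:", finding)
```

Run it against a file of forwarded syslog lines instead of SAMPLE_LOG to get the per-host destination list the thread asks for; because it reads the log rather than polling the connection table every 20 seconds, short-lived UDP and ICMP flows are not missed.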
 
mucutaiulian
just joined
Posts: 1
Joined: Fri Mar 17, 2023 11:00 am

Re: firewall login Dst-Address\TCP State

Fri Mar 17, 2023 12:01 pm

:foreach i in=[/ip firewall connection find where connection-mark~"conn_father"] do={:put [/ip firewall connection get $i dst-address] }
Hi, I have a question on this topic. I need that after the script runs it sees the marked connections and sends them to a Telegram bot; it is not working if I put tool fetch url=.
How can I do that, not putting the address but sending it?
