Community discussions

MikroTik App
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Sep 01, 2016 12:01 pm

Update 7-December-2017 For those who don't want to fuss with MySQL, I've added fast2mikrotik.php that will read the suricata events from fast.log and create the firewall rules.

Update 26-November-2017 Look at my post Historical IP address analysis for Intrusion Prevention on how event history can be used to identify clusters of frequent offenders and create firewall rules to prevent those frequent offenders from accessing your network.

Updated 10-March-2017
  • The list of signatures that I use, there are now 51 signatures.
  • suricata_block.php has been updated to rebuild the list of blocked addresses after the Mikrotik is rebooted (e.g. firmware upgrade). When updating the firmware on the router, stop the suricata_block process, perform the update, then start the suricata_block process. The list of blocked addresses will be repopulated
Updated 9-April-2017
  • Added in OSSEC IPS functionality (after suricata section)
Updated 27-April-2017
  • Added email notification function in suricata_block.php
Updated 6-June-2017
  • Included snort/snorby database schema
Updated 19-June-2017
  • fixed bug in mikrotik-fw.sh for ossec active response
I’ve seen a few posts on this forum asking for integration of an IDS/IPS into the Mikrotik platform. While this would be convenient, I find the arguments made against doing such pretty compelling. As Robert Penz pointed out in his blog (http://robert.penz.name/849/howto-setup ... ta-as-ids/) it is quite easy to set up a Mikrotik router to stream the packets into an IDS platform (suricata/snort). The part that is missing in this scenario is the IPS portion of the solution. In order to implement an IPS, the alerts that the IDS signals need to modify the firewall rules in order to block the offending traffic. In this article, I’ll layout what I did in order to introduce an IPS solution into the mix.

My IDS installation for my rather extensive home network is pretty straight-forward. It is a run of the mill Suricata implementation, using the Emerging Threat rule set, which, when fired, are taken from the Unified2 format into a MySQL database using barnyard2. I use Aanval as my console to monitor alerts. My Suricata platform is a Solid Run CuBox I4 (quad core arm, 4gb memory, Debian Jessie) and a 1TB hard drive (overkill, but it was spare parts) attached via eSata. I have this directly connected to one of the ports on my RB2011UiAS-IN.

Mikrotik Set-up

Here are the steps that you can take on the Mikrotik side of the IPS equation.
  1. 1. Stream packets to the IDS platform (CuBox in my case):
/tool sniffer set filter-interface=ether1 filter-ip-address=!1.2.3.4/32 filter-stream=yes streaming-enabled=yes streaming-server=192.168.3.12
I filter out a specific remote address (in this example of 1.2.3.4) as this traffic is a site-to-site IP tunnel and really doesn’t need to be checked by the IDS.
  1. 2. Set up firewall rules to block inbound and outbound traffic based on an address list:
/ip firewall add action=drop chain=input comment="Block bad actors" src-address-list=Blocked
/ip firewall add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked
I have the input chain rule as the first rule after any default rules created by the Mikrotik. Similar with the forward chain rule.
  1. 3. Enable the API interface:
/ip service set api address=192.168.3.0/24 enabled=yes
The API will be used to write the address list back to the Mikrotik. We make sure it is only accessible from the internal network.

IDS platform set-up, MySQL modifications

** If you don't want to fuss with MySQL and barnyard2, skip to the section titled fast2mikrotik.php **

The alerts are moved from the Unified2 format into a MySQL database using barnyard2. There are plenty of examples on the web on how to do that. The schema that is being used for the database is the standard snort/snorby schema. The schema is included here for those who want to create it manually, rather than through the snort/snorby method.
-- phpMyAdmin SQL Dump

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET AUTOCOMMIT = 0;
START TRANSACTION;
SET time_zone = "+00:00";

--
-- Database: `snorby`
--
CREATE DATABASE IF NOT EXISTS `snorby` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
USE `snorby`;

-- --------------------------------------------------------

--
-- Table structure for table `agent_asset_names`
--

DROP TABLE IF EXISTS `agent_asset_names`;
CREATE TABLE `agent_asset_names` (
  `sensor_sid` int(10) UNSIGNED NOT NULL,
  `asset_name_id` int(10) UNSIGNED NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Stand-in structure for view `aggregated_events`
-- (See below for the actual view)
--
DROP VIEW IF EXISTS `aggregated_events`;
CREATE TABLE `aggregated_events` (
`ip_src` int(10) unsigned
,`ip_dst` int(10) unsigned
,`signature` int(10) unsigned
,`event_id` int(11)
,`number_of_events` bigint(21)
);

-- --------------------------------------------------------

--
-- Table structure for table `asset_names`
--

DROP TABLE IF EXISTS `asset_names`;
CREATE TABLE `asset_names` (
  `id` int(10) UNSIGNED NOT NULL,
  `ip_address` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `name` varchar(1024) NOT NULL,
  `global` tinyint(1) DEFAULT '1'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `block_queue`
--

DROP TABLE IF EXISTS `block_queue`;
CREATE TABLE `block_queue` (
  `que_id` int(11) NOT NULL,
  `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
  `que_ip_adr` varchar(64) CHARACTER SET utf8 NOT NULL COMMENT 'The IP address to block',
  `que_timeout` varchar(12) CHARACTER SET utf8 NOT NULL COMMENT 'How long to block for',
  `que_sig_name` varchar(256) CHARACTER SET utf8 NOT NULL COMMENT 'The name of the signature that caused the block',
  `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
  `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
  `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
  `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall';

-- --------------------------------------------------------

--
-- Table structure for table `caches`
--

DROP TABLE IF EXISTS `caches`;
CREATE TABLE `caches` (
  `id` int(10) UNSIGNED NOT NULL,
  `sid` int(11) DEFAULT NULL,
  `cid` int(11) DEFAULT NULL,
  `ran_at` datetime DEFAULT NULL,
  `event_count` int(11) DEFAULT '0',
  `tcp_count` int(11) DEFAULT '0',
  `udp_count` int(11) DEFAULT '0',
  `icmp_count` int(11) DEFAULT '0',
  `severity_metrics` mediumtext,
  `signature_metrics` mediumtext,
  `src_ips` mediumtext,
  `dst_ips` mediumtext,
  `created_at` datetime DEFAULT NULL,
  `updated_at` datetime DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `classifications`
--

DROP TABLE IF EXISTS `classifications`;
CREATE TABLE `classifications` (
  `id` int(10) UNSIGNED NOT NULL,
  `name` varchar(50) DEFAULT NULL,
  `description` text,
  `hotkey` int(11) DEFAULT NULL,
  `locked` tinyint(1) DEFAULT '0',
  `events_count` int(11) DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `data`
--

DROP TABLE IF EXISTS `data`;
CREATE TABLE `data` (
  `sid` int(10) UNSIGNED NOT NULL,
  `cid` int(10) UNSIGNED NOT NULL,
  `data_payload` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `delayed_jobs`
--

DROP TABLE IF EXISTS `delayed_jobs`;
CREATE TABLE `delayed_jobs` (
  `id` int(10) UNSIGNED NOT NULL,
  `priority` int(11) DEFAULT '0',
  `attempts` int(11) DEFAULT '0',
  `handler` text,
  `run_at` datetime DEFAULT NULL,
  `locked_at` datetime DEFAULT NULL,
  `locked_by` text,
  `failed_at` datetime DEFAULT NULL,
  `last_error` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `detail`
--

DROP TABLE IF EXISTS `detail`;
CREATE TABLE `detail` (
  `detail_type` int(10) UNSIGNED NOT NULL,
  `detail_text` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `encoding`
--

DROP TABLE IF EXISTS `encoding`;
CREATE TABLE `encoding` (
  `encoding_type` int(10) UNSIGNED NOT NULL,
  `encoding_text` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `event`
--

DROP TABLE IF EXISTS `event`;
CREATE TABLE `event` (
  `sid` int(10) UNSIGNED NOT NULL,
  `cid` int(10) UNSIGNED NOT NULL,
  `signature` int(10) UNSIGNED DEFAULT NULL,
  `classification_id` int(10) UNSIGNED DEFAULT NULL,
  `users_count` int(10) UNSIGNED DEFAULT '0',
  `user_id` int(10) UNSIGNED DEFAULT NULL,
  `notes_count` int(10) UNSIGNED DEFAULT '0',
  `type` int(10) UNSIGNED DEFAULT '1',
  `number_of_events` int(10) UNSIGNED DEFAULT '0',
  `timestamp` datetime DEFAULT NULL,
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Stand-in structure for view `events_with_join`
-- (See below for the actual view)
--
DROP VIEW IF EXISTS `events_with_join`;
CREATE TABLE `events_with_join` (
`sid` int(10) unsigned
,`cid` int(10) unsigned
,`signature` int(10) unsigned
,`classification_id` int(10) unsigned
,`users_count` int(10) unsigned
,`user_id` int(10) unsigned
,`notes_count` int(10) unsigned
,`type` int(10) unsigned
,`number_of_events` int(10) unsigned
,`timestamp` datetime
,`id` int(11)
,`ip_src` int(10) unsigned
,`ip_dst` int(10) unsigned
,`sig_priority` int(10) unsigned
,`sig_name` text
);

-- --------------------------------------------------------

--
-- Table structure for table `favorites`
--

DROP TABLE IF EXISTS `favorites`;
CREATE TABLE `favorites` (
  `id` int(10) UNSIGNED NOT NULL,
  `sid` int(11) DEFAULT NULL,
  `cid` int(11) DEFAULT NULL,
  `user_id` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `icmphdr`
--

DROP TABLE IF EXISTS `icmphdr`;
CREATE TABLE `icmphdr` (
  `sid` int(10) UNSIGNED NOT NULL,
  `cid` int(10) UNSIGNED NOT NULL,
  `icmp_type` int(10) UNSIGNED DEFAULT NULL,
  `icmp_code` int(10) UNSIGNED DEFAULT NULL,
  `icmp_csum` int(10) UNSIGNED DEFAULT NULL,
  `icmp_id` int(10) UNSIGNED DEFAULT NULL,
  `icmp_seq` int(10) UNSIGNED DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `iphdr`
--

DROP TABLE IF EXISTS `iphdr`;
CREATE TABLE `iphdr` (
  `sid` int(11) NOT NULL,
  `cid` int(11) NOT NULL,
  `ip_src` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_dst` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_ver` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_hlen` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_tos` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_len` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_id` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_flags` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_off` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_ttl` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_proto` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `ip_csum` int(10) UNSIGNED NOT NULL DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `lookups`
--

DROP TABLE IF EXISTS `lookups`;
CREATE TABLE `lookups` (
  `id` int(10) UNSIGNED NOT NULL,
  `title` varchar(50) DEFAULT NULL,
  `value` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `notes`
--

DROP TABLE IF EXISTS `notes`;
CREATE TABLE `notes` (
  `id` int(10) UNSIGNED NOT NULL,
  `sid` int(11) DEFAULT NULL,
  `cid` int(11) DEFAULT NULL,
  `user_id` int(11) DEFAULT NULL,
  `body` text,
  `created_at` datetime DEFAULT NULL,
  `updated_at` datetime DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `notifications`
--

DROP TABLE IF EXISTS `notifications`;
CREATE TABLE `notifications` (
  `id` int(10) UNSIGNED NOT NULL,
  `description` text,
  `sig_id` int(11) DEFAULT NULL,
  `ip_src` varchar(50) DEFAULT NULL,
  `ip_dst` varchar(50) DEFAULT NULL,
  `user_id` int(11) DEFAULT NULL,
  `user_ids` mediumtext,
  `sensor_ids` mediumtext,
  `created_at` datetime DEFAULT NULL,
  `updated_at` datetime DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `opt`
--

DROP TABLE IF EXISTS `opt`;
CREATE TABLE `opt` (
  `sid` int(10) UNSIGNED NOT NULL,
  `cid` int(10) UNSIGNED NOT NULL,
  `optid` int(10) UNSIGNED NOT NULL,
  `opt_proto` int(10) UNSIGNED DEFAULT NULL,
  `opt_code` int(10) UNSIGNED DEFAULT NULL,
  `opt_len` int(10) UNSIGNED DEFAULT NULL,
  `opt_data` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `reference`
--

DROP TABLE IF EXISTS `reference`;
CREATE TABLE `reference` (
  `ref_id` int(10) UNSIGNED NOT NULL,
  `ref_system_id` int(10) UNSIGNED DEFAULT NULL,
  `ref_tag` text
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `reference_system`
--

DROP TABLE IF EXISTS `reference_system`;
CREATE TABLE `reference_system` (
  `ref_system_id` int(10) UNSIGNED NOT NULL,
  `ref_system_name` varchar(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `schema`
--

DROP TABLE IF EXISTS `schema`;
CREATE TABLE `schema` (
  `id` int(10) UNSIGNED NOT NULL,
  `vseq` int(10) UNSIGNED DEFAULT NULL,
  `ctime` datetime DEFAULT NULL,
  `version` varchar(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `search`
--

DROP TABLE IF EXISTS `search`;
CREATE TABLE `search` (
  `id` int(10) UNSIGNED NOT NULL,
  `user_id` int(11) DEFAULT NULL,
  `rule_count` int(11) DEFAULT '0',
  `public` tinyint(1) DEFAULT '0',
  `title` varchar(50) DEFAULT NULL,
  `search` mediumtext,
  `checksum` text,
  `created_at` datetime DEFAULT NULL,
  `updated_at` datetime DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `sensor`
--

DROP TABLE IF EXISTS `sensor`;
CREATE TABLE `sensor` (
  `sid` int(10) UNSIGNED NOT NULL,
  `name` varchar(50) DEFAULT 'Click To Change Me',
  `hostname` text,
  `interface` text,
  `filter` text,
  `detail` int(10) UNSIGNED DEFAULT NULL,
  `encoding` int(10) UNSIGNED DEFAULT NULL,
  `last_cid` int(10) UNSIGNED DEFAULT NULL,
  `pending_delete` tinyint(1) DEFAULT '0',
  `updated_at` datetime DEFAULT NULL,
  `events_count` int(10) UNSIGNED DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `settings`
--

DROP TABLE IF EXISTS `settings`;
CREATE TABLE `settings` (
  `name` varchar(50) NOT NULL DEFAULT '',
  `value` mediumtext
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `severities`
--

DROP TABLE IF EXISTS `severities`;
CREATE TABLE `severities` (
  `id` int(10) UNSIGNED NOT NULL,
  `sig_id` int(10) UNSIGNED DEFAULT NULL,
  `events_count` int(10) UNSIGNED DEFAULT '0',
  `name` varchar(50) DEFAULT NULL,
  `text_color` varchar(50) DEFAULT '#ffffff',
  `bg_color` varchar(50) DEFAULT '#dddddd'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `signature`
--

DROP TABLE IF EXISTS `signature`;
CREATE TABLE `signature` (
  `sig_id` int(10) UNSIGNED NOT NULL,
  `sig_class_id` int(10) UNSIGNED DEFAULT NULL,
  `sig_name` text,
  `sig_priority` int(10) UNSIGNED DEFAULT NULL,
  `sig_rev` int(10) UNSIGNED DEFAULT NULL,
  `sig_sid` int(10) UNSIGNED DEFAULT NULL,
  `sig_gid` int(10) UNSIGNED DEFAULT NULL,
  `events_count` int(10) UNSIGNED DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `sig_class`
--

DROP TABLE IF EXISTS `sig_class`;
CREATE TABLE `sig_class` (
  `sig_class_id` int(10) UNSIGNED NOT NULL,
  `sig_class_name` varchar(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `sig_reference`
--

DROP TABLE IF EXISTS `sig_reference`;
CREATE TABLE `sig_reference` (
  `sig_id` int(10) UNSIGNED NOT NULL,
  `ref_seq` int(10) UNSIGNED NOT NULL,
  `ref_id` int(10) UNSIGNED DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `tcphdr`
--

DROP TABLE IF EXISTS `tcphdr`;
CREATE TABLE `tcphdr` (
  `sid` int(10) UNSIGNED NOT NULL,
  `cid` int(10) UNSIGNED NOT NULL,
  `tcp_sport` int(10) UNSIGNED DEFAULT NULL,
  `tcp_dport` int(10) UNSIGNED DEFAULT NULL,
  `tcp_seq` int(10) UNSIGNED DEFAULT NULL,
  `tcp_ack` int(10) UNSIGNED DEFAULT NULL,
  `tcp_off` int(10) UNSIGNED DEFAULT NULL,
  `tcp_res` int(10) UNSIGNED DEFAULT NULL,
  `tcp_flags` int(10) UNSIGNED DEFAULT NULL,
  `tcp_win` int(10) UNSIGNED DEFAULT NULL,
  `tcp_csum` int(10) UNSIGNED DEFAULT NULL,
  `tcp_urp` int(10) UNSIGNED DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `udphdr`
--

DROP TABLE IF EXISTS `udphdr`;
CREATE TABLE `udphdr` (
  `sid` int(10) UNSIGNED NOT NULL,
  `cid` int(10) UNSIGNED NOT NULL,
  `udp_sport` int(10) UNSIGNED DEFAULT NULL,
  `udp_dport` int(10) UNSIGNED DEFAULT NULL,
  `udp_len` int(10) UNSIGNED DEFAULT NULL,
  `udp_csum` int(10) UNSIGNED DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `email` varchar(255) NOT NULL DEFAULT '',
  `encrypted_password` varchar(128) NOT NULL DEFAULT '',
  `remember_token` varchar(255) DEFAULT NULL,
  `remember_created_at` datetime DEFAULT NULL,
  `reset_password_token` varchar(255) DEFAULT NULL,
  `sign_in_count` int(11) DEFAULT '0',
  `current_sign_in_at` datetime DEFAULT NULL,
  `last_sign_in_at` datetime DEFAULT NULL,
  `current_sign_in_ip` varchar(255) DEFAULT NULL,
  `last_sign_in_ip` varchar(255) DEFAULT NULL,
  `favorites_count` int(11) DEFAULT '0',
  `accept_notes` int(11) DEFAULT '1',
  `notes_count` int(11) DEFAULT '0',
  `id` int(10) UNSIGNED NOT NULL,
  `per_page_count` int(11) DEFAULT '45',
  `name` varchar(50) DEFAULT NULL,
  `timezone` varchar(50) DEFAULT 'UTC',
  `admin` tinyint(1) DEFAULT '0',
  `enabled` tinyint(1) DEFAULT '1',
  `gravatar` tinyint(1) DEFAULT '1',
  `created_at` datetime DEFAULT NULL,
  `updated_at` datetime DEFAULT NULL,
  `online` tinyint(1) DEFAULT '0',
  `last_daily_report_at` datetime DEFAULT '2016-07-26 03:37:41',
  `last_weekly_report_at` int(11) DEFAULT '201630',
  `last_monthly_report_at` int(11) DEFAULT '201607',
  `last_email_report_at` datetime DEFAULT NULL,
  `email_reports` tinyint(1) DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- --------------------------------------------------------

--
-- Structure for view `aggregated_events`
--
DROP TABLE IF EXISTS `aggregated_events`;

CREATE ALGORITHM=UNDEFINED DEFINER=`snort`@`localhost` SQL SECURITY DEFINER VIEW `aggregated_events`  AS  select `iphdr`.`ip_src` AS `ip_src`,`iphdr`.`ip_dst` AS `ip_dst`,`event`.`signature` AS `signature`,max(`event`.`id`) AS `event_id`,count(0) AS `number_of_events` from (`event` join `iphdr` on(((`event`.`sid` = `iphdr`.`sid`) and (`event`.`cid` = `iphdr`.`cid`)))) where isnull(`event`.`classification_id`) group by `iphdr`.`ip_src`,`iphdr`.`ip_dst`,`event`.`signature` ;

-- --------------------------------------------------------

--
-- Structure for view `events_with_join`
--
DROP TABLE IF EXISTS `events_with_join`;

CREATE ALGORITHM=UNDEFINED DEFINER=`snort`@`localhost` SQL SECURITY DEFINER VIEW `events_with_join`  AS  select `event`.`sid` AS `sid`,`event`.`cid` AS `cid`,`event`.`signature` AS `signature`,`event`.`classification_id` AS `classification_id`,`event`.`users_count` AS `users_count`,`event`.`user_id` AS `user_id`,`event`.`notes_count` AS `notes_count`,`event`.`type` AS `type`,`event`.`number_of_events` AS `number_of_events`,`event`.`timestamp` AS `timestamp`,`event`.`id` AS `id`,`iphdr`.`ip_src` AS `ip_src`,`iphdr`.`ip_dst` AS `ip_dst`,`signature`.`sig_priority` AS `sig_priority`,`signature`.`sig_name` AS `sig_name` from ((`event` join `iphdr` on(((`event`.`sid` = `iphdr`.`sid`) and (`event`.`cid` = `iphdr`.`cid`)))) join `signature` on((`event`.`signature` = `signature`.`sig_id`))) ;

--
-- Indexes for dumped tables
--

--
-- Indexes for table `agent_asset_names`
--
ALTER TABLE `agent_asset_names`
  ADD PRIMARY KEY (`sensor_sid`,`asset_name_id`),
  ADD KEY `index_agent_asset_names_sensor` (`sensor_sid`),
  ADD KEY `index_agent_asset_names_asset_name` (`asset_name_id`);

--
-- Indexes for table `asset_names`
--
ALTER TABLE `asset_names`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_asset_names_ip_address` (`ip_address`);

--
-- Indexes for table `block_queue`
--
ALTER TABLE `block_queue`
  ADD PRIMARY KEY (`que_id`),
  ADD KEY `que_added` (`que_added`);

--
-- Indexes for table `caches`
--
ALTER TABLE `caches`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_caches_ran_at` (`ran_at`);

--
-- Indexes for table `classifications`
--
ALTER TABLE `classifications`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_classifications_id` (`id`),
  ADD KEY `index_classifications_hotkey` (`hotkey`),
  ADD KEY `index_classifications_locked` (`locked`),
  ADD KEY `index_classifications_events_count` (`events_count`);

--
-- Indexes for table `data`
--
ALTER TABLE `data`
  ADD PRIMARY KEY (`sid`,`cid`),
  ADD KEY `index_data_sid` (`sid`),
  ADD KEY `index_data_cid` (`cid`);

--
-- Indexes for table `delayed_jobs`
--
ALTER TABLE `delayed_jobs`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_delayed_jobs_run_at_priority` (`priority`,`run_at`),
  ADD KEY `index_delayed_jobs_locked_at` (`locked_at`);

--
-- Indexes for table `detail`
--
ALTER TABLE `detail`
  ADD PRIMARY KEY (`detail_type`),
  ADD KEY `index_detail_detail_type` (`detail_type`);

--
-- Indexes for table `encoding`
--
ALTER TABLE `encoding`
  ADD PRIMARY KEY (`encoding_type`),
  ADD KEY `index_encoding_encoding_type` (`encoding_type`);

--
-- Indexes for table `event`
--
ALTER TABLE `event`
  ADD PRIMARY KEY (`sid`,`cid`),
  ADD KEY `index_event_sid` (`sid`),
  ADD KEY `index_event_cid` (`cid`),
  ADD KEY `index_event_signature` (`signature`),
  ADD KEY `index_event_classification_id` (`classification_id`),
  ADD KEY `index_event_users_count` (`users_count`),
  ADD KEY `index_event_user_id` (`user_id`),
  ADD KEY `index_event_notes_count` (`notes_count`),
  ADD KEY `index_timestamp_cid_sid` (`timestamp`,`cid`,`sid`),
  ADD KEY `index_event_id` (`id`);

--
-- Indexes for table `favorites`
--
ALTER TABLE `favorites`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_favorites_id` (`id`),
  ADD KEY `index_favorites_sid` (`sid`),
  ADD KEY `index_favorites_cid` (`cid`),
  ADD KEY `index_favorites_user_id` (`user_id`);

--
-- Indexes for table `icmphdr`
--
ALTER TABLE `icmphdr`
  ADD PRIMARY KEY (`sid`,`cid`),
  ADD KEY `index_icmphdr_sid` (`sid`),
  ADD KEY `index_icmphdr_cid` (`cid`);

--
-- Indexes for table `iphdr`
--
ALTER TABLE `iphdr`
  ADD PRIMARY KEY (`sid`,`cid`),
  ADD KEY `index_iphdr_sid` (`sid`),
  ADD KEY `index_iphdr_cid` (`cid`),
  ADD KEY `index_iphdr_ip_src` (`ip_src`),
  ADD KEY `index_iphdr_ip_dst` (`ip_dst`);

--
-- Indexes for table `lookups`
--
ALTER TABLE `lookups`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `notes`
--
ALTER TABLE `notes`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_notes_sid` (`sid`),
  ADD KEY `index_notes_cid` (`cid`),
  ADD KEY `index_notes_user_id` (`user_id`);

--
-- Indexes for table `notifications`
--
ALTER TABLE `notifications`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `opt`
--
ALTER TABLE `opt`
  ADD PRIMARY KEY (`sid`,`cid`,`optid`),
  ADD KEY `index_opt_sid` (`sid`),
  ADD KEY `index_opt_cid` (`cid`),
  ADD KEY `index_opt_optid` (`optid`);

--
-- Indexes for table `reference`
--
ALTER TABLE `reference`
  ADD PRIMARY KEY (`ref_id`),
  ADD KEY `index_reference_ref_id` (`ref_id`);

--
-- Indexes for table `reference_system`
--
ALTER TABLE `reference_system`
  ADD PRIMARY KEY (`ref_system_id`),
  ADD KEY `index_reference_system_ref_system_id` (`ref_system_id`);

--
-- Indexes for table `schema`
--
ALTER TABLE `schema`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_schema_id` (`id`);

--
-- Indexes for table `search`
--
ALTER TABLE `search`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_search_user_id` (`user_id`),
  ADD KEY `index_search_rule_count` (`rule_count`),
  ADD KEY `index_search_public` (`public`);

--
-- Indexes for table `sensor`
--
ALTER TABLE `sensor`
  ADD PRIMARY KEY (`sid`),
  ADD KEY `index_sensor_sid` (`sid`),
  ADD KEY `index_sensor_detail` (`detail`),
  ADD KEY `index_sensor_encoding` (`encoding`),
  ADD KEY `index_sensor_last_cid` (`last_cid`),
  ADD KEY `index_sensor_events_count` (`events_count`);

--
-- Indexes for table `settings`
--
ALTER TABLE `settings`
  ADD PRIMARY KEY (`name`),
  ADD KEY `index_settings_name` (`name`);

--
-- Indexes for table `severities`
--
ALTER TABLE `severities`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_severities_id` (`id`),
  ADD KEY `index_severities_sig_id` (`sig_id`),
  ADD KEY `index_severities_events_count` (`events_count`),
  ADD KEY `index_severities_text_color` (`text_color`),
  ADD KEY `index_severities_bg_color` (`bg_color`);

--
-- Indexes for table `signature`
--
ALTER TABLE `signature`
  ADD PRIMARY KEY (`sig_id`),
  ADD KEY `index_signature_sig_id` (`sig_id`),
  ADD KEY `index_signature_sig_class_id` (`sig_class_id`),
  ADD KEY `index_signature_sig_priority` (`sig_priority`),
  ADD KEY `index_signature_events_count` (`events_count`);

--
-- Indexes for table `sig_class`
--
ALTER TABLE `sig_class`
  ADD PRIMARY KEY (`sig_class_id`),
  ADD KEY `index_sig_class_sig_class_id` (`sig_class_id`);

--
-- Indexes for table `sig_reference`
--
ALTER TABLE `sig_reference`
  ADD PRIMARY KEY (`sig_id`,`ref_seq`),
  ADD KEY `index_sig_reference_sig_id` (`sig_id`),
  ADD KEY `index_sig_reference_ref_seq` (`ref_seq`);

--
-- Indexes for table `tcphdr`
--
ALTER TABLE `tcphdr`
  ADD PRIMARY KEY (`sid`,`cid`),
  ADD KEY `index_tcphdr_sid` (`sid`),
  ADD KEY `index_tcphdr_cid` (`cid`),
  ADD KEY `index_tcphdr_tcp_sport` (`tcp_sport`),
  ADD KEY `index_tcphdr_tcp_dport` (`tcp_dport`);

--
-- Indexes for table `udphdr`
--
ALTER TABLE `udphdr`
  ADD PRIMARY KEY (`sid`,`cid`),
  ADD KEY `index_udphdr_sid` (`sid`),
  ADD KEY `index_udphdr_cid` (`cid`),
  ADD KEY `index_udphdr_udp_sport` (`udp_sport`),
  ADD KEY `index_udphdr_udp_dport` (`udp_dport`);

--
-- Indexes for table `users`
--
ALTER TABLE `users`
  ADD PRIMARY KEY (`id`),
  ADD KEY `index_users_favorites_count` (`favorites_count`),
  ADD KEY `index_users_notes_count` (`notes_count`),
  ADD KEY `index_users_id` (`id`),
  ADD KEY `index_users_per_page_count` (`per_page_count`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `asset_names`
--
ALTER TABLE `asset_names`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `block_queue`
--
ALTER TABLE `block_queue`
  MODIFY `que_id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=160;
--
-- AUTO_INCREMENT for table `caches`
--
ALTER TABLE `caches`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=1593;
--
-- AUTO_INCREMENT for table `classifications`
--
ALTER TABLE `classifications`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=9;
--
-- AUTO_INCREMENT for table `delayed_jobs`
--
ALTER TABLE `delayed_jobs`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=4434;
--
-- AUTO_INCREMENT for table `detail`
--
ALTER TABLE `detail`
  MODIFY `detail_type` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `encoding`
--
ALTER TABLE `encoding`
  MODIFY `encoding_type` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `event`
--
ALTER TABLE `event`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=79077;
--
-- AUTO_INCREMENT for table `favorites`
--
ALTER TABLE `favorites`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `lookups`
--
ALTER TABLE `lookups`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `notes`
--
ALTER TABLE `notes`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `notifications`
--
ALTER TABLE `notifications`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `reference`
--
ALTER TABLE `reference`
  MODIFY `ref_id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=35231;
--
-- AUTO_INCREMENT for table `reference_system`
--
ALTER TABLE `reference_system`
  MODIFY `ref_system_id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=11;
--
-- AUTO_INCREMENT for table `schema`
--
ALTER TABLE `schema`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;
--
-- AUTO_INCREMENT for table `search`
--
ALTER TABLE `search`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT for table `sensor`
--
ALTER TABLE `sensor`
  MODIFY `sid` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;
--
-- AUTO_INCREMENT for table `severities`
--
ALTER TABLE `severities`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=4;
--
-- AUTO_INCREMENT for table `signature`
--
ALTER TABLE `signature`
  MODIFY `sig_id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=516;
--
-- AUTO_INCREMENT for table `sig_class`
--
ALTER TABLE `sig_class`
  MODIFY `sig_class_id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=39;
--
-- AUTO_INCREMENT for table `users`
--
ALTER TABLE `users`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;COMMIT;
New Tables

In my situation, I don’t want all alerts to trigger an IPS. I’ve watched my traffic over time and the vast majority of events come from a small set of alert signatures. So the first thing we’ll do is set up a table (sigs_to_block) in MySQL to indicate which alert signature categories we want to trigger an IPS.
--
-- Table structure for table `sigs_to_block`
--
CREATE TABLE `sigs_to_block` (
   `sig_name` text COLLATE utf8_unicode_ci NOT NULL,
   `src_or_dst` char(3) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'src',
   `timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL DEFAULT '01:00:00'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
--
-- Indexes for table `sigs_to_block`
--
ALTER TABLE `sigs_to_block`
  ADD UNIQUE KEY `sig_name_unique_index` (`sig_name`(64));
The “sig_name” column contains the portion of the signature that will be used to match alerts we want to block. The “src_or_dst” column contains whether we are blocking a source IP address or a destination IP address with this alert. And finally, the “timeout” column indicates how long we’ll block this IP address for after an event.

Here are the alert signatures that I have populated the “sigs_to_block” table with:
INSERT INTO `sigs_to_block` (`sig_name`, `src_or_dst`, `timeout`) VALUES
('ET COMPROMISED Known Compromised or Hostile Host Traffic', 'src', '01:00:00'),
('ET POLICY Suspicious inbound to', 'src', '01:00:00'),
('ET DROP Dshield Block Listed Source', 'src', '01:00:00'),
('ET SCAN', 'src', '01:00:00'),
('ET DROP Spamhaus DROP Listed Traffic Inbound', 'src', '01:00:00'),
('ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted', 'dst', '23:59:59'),
('ET CINS Active Threat Intelligence Poor Reputation IP', 'src', '01:00:00'),
('GPL SNMP', 'src', '01:00:00'),
('ET TOR Known Tor', 'src', '01:00:00'),
('GPL DNS named version attempt', 'src', '01:00:00'),
('ET VOIP Modified Sipvicious Asterisk PBX User-Agent', 'src', '01:00:00'),
('GPL RPC xdmcp info query', 'src', '01:00:00'),
('GPL RPC portmap listing', 'src', '01:00:00'),
('SURICATA SMTP no server welcome message', 'dst', '23:59:59'),
('GPL SMTP', 'dst', '23:59:59'),
('ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check', 'dst', '01:00:00'),
('Snort Alert [1:2403326:2951]', 'src', '01:00:00'),
('Snort Alert [1:2500082:4086]', 'src', '01:00:00'),
('GPL POLICY PCAnywhere', 'src', '01:00:00'),
('ET POLICY External IP Lookup', 'dst', '23:59:59'),
('GPL WEB_SERVER', 'src', '23:59:59'),
('ET SHELLCODE', 'src', '23:59:59'),
('ET P2P Edonkey IP Query End', 'src', '01:00:00'),
('ET MALWARE Suspicious', 'dst', '01:00:00'),
('ET CURRENT_EVENTS', 'src', '01:00:00'),
('Unencrypted Request Method', 'src', '01:00:00'),
('SURICATA SMTP data command rejected', 'dst', '01:00:00'),
('ET WEB_SERVER', 'src', '01:00:00'),
('ET DOS', 'src', '01:00:00'),
(' ET POLICY User', 'dst', '01:00:00'),
('ET TROJAN Possible Win32/', 'dst', '01:00:00'),
('.tk domain', 'dst', '23:59:59'),
('ET POLICY archive.org', 'dst', '01:00:00'),
('ET CNC', 'dst', '23:59:59'),
('ET SNMP', 'src', '01:00:00'),
('ET POLICY Python', 'dst', '01:00:00'),
('ET POLICY curl User-Agent Outbound', 'dst', '01:00:00'),
('ET POLICY Windows 98 User-Agent Detected', 'dst', '01:00:00'),
('ET POLICY Internal Host Retrieving External IP', 'dst', '01:00:00'),
('ET POLICY Unsupported/Fake FireFox Version', 'dst', '01:00:00'),
('ET MOBILE_MALWARE', 'dst', '23:59:59'),
('ET POLICY Possible IP Check', 'src', '01:00:00'),
('ET P2P', 'dst', '01:00:00'),
('GPL SHELLCODE', 'src', '23:59:59'),
('GPL P2P', 'src', '01:00:00'),
('.pw domain', 'dst', '23:59:59'),
('Request to .su TLD', 'dst', '01:00:00'),
('Abnormal User-Agent', 'dst', '01:00:00'),
('SSLv3 outbound', 'src', '01:00:00'),
('Hex Obfuscation', 'src', '01:00:00'),
('SSH banner detected on TCP 443 likely proxy evasion', 'src', '01:00:00');
The next table that we’ll add is a queue table, which collects the relevant alerts (events) that will be used to create the IPS triggers sent to the Mikrotik.
--
-- Table structure for table `block_queue`
--
CREATE TABLE `block_queue` (
   `que_id` int(11) NOT NULL,
   `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
   `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
   `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
   `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
   `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
   `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
   `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
   `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall';

--
-- Indexes for table `block_queue`
--
ALTER TABLE `block_queue`
  ADD PRIMARY KEY (`que_id`),
  ADD KEY `que_added` (`que_added`);
--
-- AUTO_INCREMENT for table `block_queue`
--
ALTER TABLE `block_queue`
  MODIFY `que_id` int(11) NOT NULL AUTO_INCREMENT;
Database Trigger

The last portion that ties this all together and makes it work, is a MySQL trigger that populates the block_queue table when a relevant alert occurs. This is an after insert trigger on the iphdr table.
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
	SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
	SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END
suricata_block.php

The last component is a PHP script. It has 2 functions:
  • If the router was booted less than 5 minutes ago, rebuild the list of blocked addresses that are still active
  • Watch for new records in the "block_queue" table and add new entries to the blocked address list. When a new record is added, it uses the Mikrotik PHP API to create a new address in the “Blocked” address list.
Be sure to modify the configuration variables at the beginning of the script. Notice that you can have this script send you emails when an address is blocked. The emails will look like this:
email.png
<?php
require('routeros_api.class.php');

/* Set your specific configuration below */
$user_name = "db_user";
$password = "db_password";
$database = "snorby";
$server = "localhost";
$mikrotik_addr = "x.x.x.x";
$mikrotik_user = "admin";
$mikrotik_pwd = "admin_password";
$local_ip_prefix = "192.168.";
/* Set email_alert to true if you'd like to get email messages when a block is sent to the Mikrotik */
$email_alert = false;
$email_to = "myself@abc.com";
$email_from = "myids@abc.com";

header('Content-Type: text/plain');

$API = new RouterosAPI();

function UptimeInSeconds($uptime) {
  $mark1=strpos($uptime, "d");
  $days=substr($uptime, 0, $mark1);
  if ($mark1) $uptime=substr($uptime, $mark1 + 1);
  $mark1=strpos($uptime, "h");
  $hours=substr($uptime, 0, $mark1);
  if ($mark1) $uptime=substr($uptime, $mark1 + 1);
  $mark1=strpos($uptime, "m");
  $minutes=substr($uptime, 0, $mark1);
  if ($mark1) $uptime=substr($uptime, $mark1 + 1);
  $mark1=strpos($uptime, "s");
  $seconds=substr($uptime, 0, $mark1);
  if ($mark1) $uptime=substr($uptime, $mark1 + 1);
  $total=($days * 86400) + ($hours * 3600) + ($minutes * 60) + $seconds;
  return $total;
}

function AddToFirewall($thisrow) {

  global $local_ip_prefix, $API, $mikrotik_addr, $mikrotik_user, $mikrotik_pwd, $email_to, $email_from, $email_alert;

  if (strpos($thisrow['que_ip_adr'], $local_ip_prefix) !== true) {
    /* Does not match local address... */
    /* See if the address is already in the firewall list, if so delete it so we can readd it with a new timeout */
    try {
        $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/ip/firewall/address-list/print", array(
       ".proplist"=> ".id",
       "?address" => $thisrow['que_ip_adr'],));
    foreach ($ARRAY as $a) {
      foreach ($a as $name => $value) {
        $API->write("/ip/firewall/address-list/remove",false);
        $API->write("=.id=$value",true);
        $API->read();
      }
    }
    if (array_key_exists('que_remaining', $thisrow))
      { $timeremaining = $thisrow['que_remaining']; }
    else
      { $timeremaining = $thisrow['que_timeout']; }
    $API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
    $API->disconnect();
    if ($email_alert) {
      $to      = $email_to;
      $subject = 'Suricata on ' . gethostname() . ': blocked IP address ' . $thisrow['que_ip_adr'];
      $message = 'The IP address ' . $thisrow['que_ip_adr'] . " has been blocked due to the following rule match:\r\n";
      $message = $message . "\r\n";
      $message = $message . "The signature ID is " . $thisrow['que_sig_gid'] . " named: " . $thisrow['que_sig_name'] . "\r\n";
      $message = $message . "    event timestamp: " . $thisrow['que_event_timestamp'] . " blocked for: " . $timeremaining . "\r\n\r\n";
      $headers = 'From: ' . $email_from . "\r\n" .
        'Reply-To: ' . $email_from . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
      mail($to, $subject, $message, $headers);
    }
  } else {
    /* Send email indicating bad block attempt*/
    $to      = $email_to;
    $subject = 'Suricata on ' . gethostname() . ': attempted block on local address';
    $message = 'A record in the block_queue indicated a block on a local IP Address (' . $row['que_ip_adr'] . ")\r\n";
    $message = $message . "\r\n";
    $message = $message . "The signature ID is " . $row['que_sig_id'] . " named: " . $row['que_sig_name'] . "\r\n";
    $message = $message . "    with a que_id of " . $row['que_id'] . "\r\n\r\n";
    $message = $message . "Check the src_or_dst field in events_to_block for the signature to make sure it is correct (src/dst).\r\n\r\n";
    $message = $message . "The record was not processed but marked as completed.\r\n";
    $headers = 'From: ' . $email_from . "\r\n" .
      'Reply-To: ' . $email_from . "\r\n" .
      'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
  }
  return true;
}

/* $API->debug = true; */

/* Connect to database, if unsuccessful keep trying for 100 seconds */
    $i = 0;
    while ( $i < 100 ) {
      $db = new mysqli($server, $user_name, $password, $database);
      if ($db->connect_errno > 0) {
        print('Unable to connect to database [' . $db->connect_error . ']');
        sleep(10);
        $i = $i + 10;
      }
      else {
        $i = 100;
      }
    }

/* Check to see how long the mikrotik has been up.  If less than 5 minutes then rebuild firewall list */
    try {
        $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/system/resource/print", false);
    $upsecs = UptimeInSeconds($ARRAY[0]['uptime']);
    $API->disconnect();
    if ($upsecs < 300) {
      /* Do not send alerts when rebuilding the firewall list */
      $save_alert = $email_alert;
      $email_alert = false;
      /* This SELECT statement will ignore any entries that had 2 minutes or less remaining */
      $SQL = "SELECT *,DATE_FORMAT(TIMEDIFF(ADDTIME(que_added,que_timeout), CURRENT_TIMESTAMP), '%H:%i:%s') as que_remaining " .
          "FROM block_queue where ADDTIME(que_added, que_timeout) > TIMESTAMPADD(MINUTE, 2, CURRENT_TIMESTAMP) order by que_remaining;";
      if (!$result = $db->query($SQL)) {
          die('There was an error running the query [' . $db->error . ']');
      }
      while ($row = $result->fetch_assoc()) {
        $x = AddToFirewall($row);
      }
      mysqli_free_result($result);
      $email_alert = $save_alert;
    }

/* Main program loop */
    while ( 1 == 1 ) {
      $SQL = "SELECT * FROM block_queue WHERE que_processed = 0;";
      if(!$result = $db->query($SQL)) {
        die('There was an error running the query [' . $db->error . ']');
      }
      while($row = $result->fetch_assoc()) {
        $x = AddToFirewall($row);
        $SQL2 = "UPDATE block_queue set que_processed = 1 WHERE que_id = " . $row['que_id'] . ";";
        if (!$result2 = $db->query($SQL2)) {
          die('There was an error running the query [' . $db->error . ']');
        }
        mysqli_free_result($result2);
      }
      mysqli_free_result($result);
      sleep(5); /* Sleep 5 seconds then do again */
      mysqli_ping($db);
    }
  $db->close();
?>
You can run this code with the command php –f /usr/local/bin/suricata_block.php. I’ve created an /etc/init.d script for it so that it can be started upon system boot and managed with the service command.

The following php script is useful to have run by a crontab entry every 10 minutes. It turns on packet sniffing on the Mikrotik, which is helpful if the Mikrotik gets rebooted as the default state for the packet sniffer tool is stopped.
<?php
require('routeros_api.class.php');

header('Content-Type: text/plain');

$API = new RouterosAPI();

/* $API->debug = true; */

    try {
        $API->connect('192.168.3.1', 'username', 'password');
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/tool/sniffer/start");
    $API->disconnect();
?>
The Result

Here is a screen shot from Winbox that shows the address list with the addresses generated as a result of the alerts from Suricata.
Block List.jpg
fast2mikrotik.php

If you want to go to a fast and simple route to create firewall rules, I've created the following PHP script, fast2mikrotik.php that will use the fast.log created by suricata. This PHP script uses the inotify library so you'll have to add this to your PHP implementation. To do this:
$ apt-get install php-pear php-dev
$ pecl install inotify
Then modify php.ini to include the configuration command "extension=inotify.so". In my case, php.ini was located in /etc/php/7.0/cli.

Be sure to modify the configuration variables at the beginning of the fast2mikrotik.php script. Notice that you can have this script send you emails when an address is blocked.

This script will block all events flagged by suricata and for the length of time specified in the $block_time variable.

You can run this code with the command php –f /usr/local/bin/fast2mikrotik.php. I’ve created an /etc/init.d script for it so that it can be started upon system boot and managed with the service command.
<?php
require('routeros_api.class.php');

/* Set your specific configuration below */
$fastlog = "/var/log/suricata/fast.log";
$mikrotik_addr = "__someip__";
$mikrotik_user = "admin";
$mikrotik_pwd = "__somesecret__";
$local_ip_prefix = "192.168.";
$block_time = "01:00:00";
/* Set email_alert to true if you'd like to get email messages when a block is sent to the Mikrotik */
$email_alert = false;
$email_to = "__someemail__yourself@xyz.com";
$email_from = "__someemail__root@xyz.com";

header('Content-Type: text/plain');

$API = new RouterosAPI();

/**
* Tail a file (UNIX only!)
* Watch a file for changes using inotify and return the changed data
*
* @param string $file - filename of the file to be watched
* @param integer $pos - actual position in the file
* @return string
*/
function tail($file,&$pos) {
    $buf='';
    // get the size of the file
    if(!$pos) $pos = filesize($file);
    // Open an inotify instance
    $fd = inotify_init();
    // Watch $file for changes.
    $watch_descriptor = inotify_add_watch($fd, $file, IN_ALL_EVENTS);
    // Loop forever (breaks are below)
    while (true) {
        // Read events (inotify_read is blocking!)
        $events = inotify_read($fd);
        // Loop though the events which occured
        foreach ($events as $event=>$evdetails) {
            // React on the event type
            switch (true) {
                // File was modified
                case ($evdetails['mask'] & IN_MODIFY):
                    // Stop watching $file for changes
                    inotify_rm_watch($fd, $watch_descriptor);
                    // Close the inotify instance
                    fclose($fd);
                    // open the file
                    $fp = fopen($file,'r');
                    if (!$fp) return false;
                    // seek to the last EOF position
                    fseek($fp,$pos);
                    // read until EOF
                    while (!feof($fp)) {
                        $buf .= fread($fp,8192);
                    }
                    // save the new EOF to $pos
                    $pos = ftell($fp); // (remember: $pos is called by reference)
                    // close the file pointer
                    fclose($fp);
                    // return the new data and leave the function
                    return $buf;
                    // be a nice guy and program good code ;-)
                    break;

                    // File was moved or deleted
                case ($evdetails['mask'] & IN_MOVE):
                case ($evdetails['mask'] & IN_MOVE_SELF):
                case ($evdetails['mask'] & IN_DELETE):
                case ($evdetails['mask'] & IN_DELETE_SELF):
                    // Stop watching $file for changes
                    inotify_rm_watch($fd, $watch_descriptor);
                    // Close the inotify instance
                    fclose($fd);
                    // Return a failure
                    return false;
                    break;
            }
        }
    }
}

function AddToFirewall($thisalert, $srcdst) {

  global $local_ip_prefix, $API, $mikrotik_addr, $mikrotik_user, $mikrotik_pwd, $block_time, $email_to, $email_from, $email_alert;

  /* Determine the target external address */
  if ((strpos($srcdst[0], $local_ip_prefix) === false) and
      (strpos($srcdst[0], "127.0.0.1") === false)) {
     $target = $srcdst[0];
  } else {
     $target = $srcdst[1];
  }   
  try {
      $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
  } catch (Exception $e) {
      die('Unable to connect to RouterOS. Error:' . $e);
  }
  $ARRAY = $API->comm("/ip/firewall/address-list/print", array(
     ".proplist"=> ".id",
     "?address" => $target,));
  foreach ($ARRAY as $a) {
    foreach ($a as $name => $value) {
      $API->write("/ip/firewall/address-list/remove",false);
      $API->write("=.id=$value",true);
      $API->read();
    }
  }
  $API->comm("/ip/firewall/address-list/add", array(
    "list" => "Blocked",
    "address" => $target,
    "timeout" => $block_time,
    "comment" => "From suricata, " . $thisalert[1] .
       " => event timestamp: " . $thisalert[0],));
  $API->disconnect();
  if ($email_alert) {
    $to      = $email_to;
    $subject = 'Suricata on ' . gethostname() . ': blocked IP address ' . $target;
    $message = 'The IP address ' . $target . " has been blocked due to the following rule match:\r\n";
    $message = $message . "\r\n";
    $message = $message . "The signature ID is " . $thisalert[1] . "\r\n";
    $message = $message . "    event timestamp: " . $thisalert[0] . " blocked for: " . $block_time . "\r\n\r\n";
    $headers = 'From: ' . $email_from . "\r\n" .
      'Reply-To: ' . $email_from . "\r\n" .
      'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
  }
  return true;
}

$lastpos = 0;
while (true) {
  $alertstr = tail($fastlog,$lastpos);
  foreach (preg_split("/((\r?\n)|(\r\n?))/", $alertstr) as $line){
    if (strlen($line) > 0) {
      $thisalert = explode("[**]", $line);
      $thisalert[0] = trim($thisalert[0]);
      $thisalert[1] = trim($thisalert[1]);
      $thisalert[2] = trim($thisalert[2]);
      $tmpstr = explode("}", $thisalert[2]);
      $srcdst = explode("->", $tmpstr[1]);
      $tmpstr = explode(":", $srcdst[0]);
      $srcdst[0] = trim($tmpstr[0]);
      $tmpstr = explode(":", $srcdst[1]);
      $srcdst[1] = trim($tmpstr[0]);
      AddToFirewall($thisalert, $srcdst);
    }
  }   
}
?>
OSSEC IPS

Once you have Suricata sending messages to the Mikrotik with the components above, adding in OSSEC IPS is relatively easy. We will take advantage of the block_queue MySQL table and the suricata_block process. You'll have to set up the host running suricata as the OSSEC Manager (Server).

In order to have OSSEC send IPS requests to the Mikrotik, we need to turn on active_responses in OSSEC. In the /var/ossec/etc/ossec.conf file (your path may vary slightly) add the following lines in the <ossec_config> section:
<command>
    <name>block-mikrotik</name>
    <executable>mikrotik-fw.sh</executable>
    <timeout_allowed>no</timeout_allowed>
    <expect />
</command>

<active-response>
    <command>block-mikrotik</command>
    <location>server</location>
    <!-- Set these rules to the rules in local_rules.xml that you want to have fire an active reponse -->
    <rules_id>100070,100071,100072,100073,100074</rules_id>
</active-response>
Make sure to check if there is another <active_repsonse> section in the ossec.conf file. If so, comment it out.

The <command> directive defines a command block-mikrotik that points to a shell script that is located in /var/ossec/active-response/bin. Here is the mikrotik-fw.sh bash script:
#!/bin/bash
# mikrotik-fw.sh - get address from alert and write record into snorby.block_queue to drop packets from/to this address
# Author: Tom Fisk

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log

# Getting alert time
ALERTTIME=`echo "$ALERTID" | cut -d  "." -f 1`

# Getting end of alert
ALERTLAST=`echo "$ALERTID" | cut -d  "." -f 2`

# Get the line from the log file and remove characters that need to be escaped in MySQL
LOGLINE=`sed -n "/$ALERTTIME/,/^$/{/^$/!p}" "${PWD}/../logs/alerts/alerts.log" | tail -n1`
LOGLINE=`echo ${LOGLINE//[-\"_]/} | cut -c1-232`

# Get the IP address from the last line
IP=`grep -oP '\b(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-
5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))\b' <<< "$LOGLINE" | head -1`

# if IP isn't blank & doesn't match 192.168.* <Replace 192.168.* below with your local address prefix>
if [[ ! -z "$IP" && ! $IP =~ ^192.168.* ]]; then
  tmpfile=$(mktemp)
  echo "insert into snorby.block_queue (que_ip_adr, que_timeout, que_sig_name, que_sig_gid, que_sig_sid, que_event_timestamp)" >> $tmpfile
  curdate=`date +'%F %T'`
  echo "  values ("'"'"$IP"'"'", "'"'"23:59:59"'"'", "'"'"OSSEC HIDS >> $LOGLINE"'"'" , 1, 1002, "'"'"$curdate"'"'");" >> $tmpfile
  /usr/local/mysql/bin/mysql -u<your mysql username> -p<your mysql password> snorby < $tmpfile
  rm $tmpfile
fi
Make sure this script is executable (chmod a+x).

Finally, you'll want to override any rules that you want to fire an active response in /var/ossec/rules/local_rules.xml. Here are a set of rules that I defined for some specific events OSSEC fires on:
  <rule id="100070" level="12">
    <if_sid>1002</if_sid>
    <match>AH00135: Invalid method in request quit</match>
    <description>Block IP's trying to attack apache</description>
  </rule>

  <rule id="100071" level="12">
    <if_sid>1002</if_sid>
    <match>not found or unable to stat</match>
    <description>Block IP's trying to attack apache</description>
  </rule>

  <rule id="100072" level="12">
    <if_sid>1002</if_sid>
    <match>rejecting client initiated renegotiation</match>
    <description>Block IP's trying to attack apache</description>
  </rule>

  <rule id="100073" level="12">
    <if_sid>1002</if_sid>
    <match>request failed: malformed request line</match>
    <description>Block IP's trying to attack apache</description>
  </rule>

  <rule id="100074" level="12">
    <if_sid>3332</if_sid>
    <match>SASL LOGIN authentication failed</match>
    <description>Block IP's trying to log into SMTP</description>
  </rule>
That is all there is to do in order to get your OSSEC alerts firing into you Mikrotik.
You do not have the required permissions to view the files attached to this post.
Last edited by tomfisk on Thu Feb 01, 2018 8:39 am, edited 18 times in total.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: Suricata IDS/IPS integration with Mikrotik

Thu Sep 01, 2016 12:28 pm

Great post!

Thanks Tom
 
doush
Long time Member
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: Suricata IDS/IPS integration with Mikrotik

Thu Sep 01, 2016 12:41 pm

wonderful post.
Thanks.
Should be made a sticky
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Suricata IDS/IPS integration with Mikrotik

Tue Jan 31, 2017 5:36 pm

Hello

Thanks for your sharing. I'm try to implement this one but when i try to create trigger I have this issue:
Error in query (1064): Syntax error near '' at line 3
Error in query (1064): Syntax error near 'DECLARE this_event_signature INT(10) default 0' at line 1
I try to fix it, but i can't.

Can you help me with this issue?

Regards.
M.
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Suricata IDS/IPS integration with Mikrotik

Thu Feb 02, 2017 8:38 pm

Hello


Well, after working a few days, I used your post like base, to make this project

https://github.com/elmaxid/ips-mikrotik-suricata

Tell me if you have some suggestions

Regards

M.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Feb 27, 2017 5:44 am

If you are using phpMyAdmin to define the trigger, you can't do it in an SQL window. Go to the "Triggers" tab on the iphdr table and add the new trigger.
addtrigger.png
Otherwise just put the code in a file and execute it from the command line:
mysql -u username -p database_name < trigger_code.sql
Hello

Thanks for your sharing. I'm try to implement this one but when i try to create trigger I have this issue:
Error in query (1064): Syntax error near '' at line 3
Error in query (1064): Syntax error near 'DECLARE this_event_signature INT(10) default 0' at line 1
I try to fix it, but i can't.

Can you help me with this issue?

Regards.
M.
You do not have the required permissions to view the files attached to this post.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Feb 27, 2017 6:06 am

Looks good. There are a couple of reasons I don't clean out the block_queue table:
  1. I do some analytics to see who my repeat offenders are. The top repeat offenders get added into the address list on the mikrotik with no expiration time.
  2. If the mikrotik gets rebooted, then the blocked address list is lost. It would be possible to detect if the mikrotik was rebooted (check the system/resources uptime) and then replay the blocks that are still unexpired to rebuild the blocked address list. I haven't done this, but would be relatively easy to do with some time arithmetic.
Hello


Well, after working a few days, I used your post like base, to make this project

https://github.com/elmaxid/ips-mikrotik-suricata

Tell me if you have some suggestions

Regards

M.
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Suricata IDS/IPS integration with Mikrotik

Fri Mar 03, 2017 5:43 pm

Hello.
Well, I update the manual on GIT. The new release support Telegram and Mail report.

I commented on it, you need Snorby installed to work ( the script) , because i use the schema DB.
Looks good. There are a couple of reasons I don't clean out the block_queue table:
  1. I do some analytics to see who my repeat offenders are. The top repeat offenders get added into the address list on the mikrotik with no expiration time.
  2. If the mikrotik gets rebooted, then the blocked address list is lost. It would be possible to detect if the mikrotik was rebooted (check the system/resources uptime) and then replay the blocks that are still unexpired to rebuild the blocked address list. I haven't done this, but would be relatively easy to do with some time arithmetic.
Hello


Well, after working a few days, I used your post like base, to make this project

https://github.com/elmaxid/ips-mikrotik-suricata

Tell me if you have some suggestions

Regards

M.
You suggestions are great and welcome. Thank you.

M.
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Suricata IDS/IPS integration with Mikrotik

Fri Mar 03, 2017 6:05 pm

If you are using phpMyAdmin to define the trigger, you can't do it in an SQL window. Go to the "Triggers" tab on the iphdr table and add the new trigger.

addtrigger.png

Otherwise just put the code in a file and execute it from the command line:
mysql -u username -p database_name < trigger_code.sql
Hello

Thanks for your sharing. I'm try to implement this one but when i try to create trigger I have this issue:
Error in query (1064): Syntax error near '' at line 3
Error in query (1064): Syntax error near 'DECLARE this_event_signature INT(10) default 0' at line 1
I try to fix it, but i can't.

Can you help me with this issue?

Regards.
M.
Thank you for your recommendation. i don't know mysql, so you rescue me. I will update my script to add this trigger and remove a "daemon" which make this job.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 1:09 pm

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
Hello
Well, after working a few days, I used your post like base, to make this project
https://github.com/elmaxid/ips-mikrotik-suricata
Tell me if you have some suggestions
Regards
M.
Hi, I am using your package but with your script MK can't receive any rule. With original script from Tom I receive rules but badformed. Could you help me?

===Spanish===
He usado tu programa, aparentemente se ha instalado bien pero MK no recibe ninguna regla para banear. Con el script original de Tom si que añade reglas pero con un formato mal (la IP no es tal y es otro valor), ¿qué estoy haciendo mal para echar a andar tu script al completo?

Thanks/Gracias.
Last edited by aarango on Thu Apr 06, 2017 1:53 pm, edited 1 time in total.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 1:26 pm

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 1:35 pm

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
Thanks you for reply.

I am using this:
# mysql -V
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3

For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is taking another values?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 1:39 pm

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
Thanks you for reply.

I am using this:
# mysql -V
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3

For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is taking another values?

Thanks.
I haven't examined his code in detail so I couldn't say what changes he may have made.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 1:44 pm

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
Thanks you for reply.

I am using this:
# mysql -V
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3

For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is taking another values?

Thanks.
I haven't examined his code in detail so I couldn't say what changes he may have made.
Well, its seems same but maybe I should restore database to original (before to install that script) and add your tables.
If I paste your mysql's code on a file .sql and export, is it right? or how should I add that content?

NOTE: Its same the tables. Any idea why MK get another value and not IP?

Thanks.
Last edited by aarango on Thu Apr 06, 2017 1:59 pm, edited 1 time in total.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 1:57 pm

Hi, I installed correctly this but I get bad address on Mikrotik, could anyone help me please?

Here a picture:

Image
What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
Thanks you for reply.

I am using this:
# mysql -V
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3

For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is taking another values?

Thanks.
I haven't examined his code in detail so I couldn't say what changes he may have made.
Well, its seems same but maybe I should restore database to original (before to install that script) and add your tables.
If I paste your mysql's code on a file .sql and export, is it right? or how should I add that content?

Thanks.
Yes, export code to file, then run it from command line into MySQL. See my previous response to max.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 3:09 pm


What version of MySql are you using? inet_ntoa was introduced in version 5.5.3.
Thanks you for reply.

I am using this:
# mysql -V
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3

For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is taking another values?

Thanks.
I haven't examined his code in detail so I couldn't say what changes he may have made.
Well, its seems same but maybe I should restore database to original (before to install that script) and add your tables.
If I paste your mysql's code on a file .sql and export, is it right? or how should I add that content?

Thanks.
Yes, export code to file, then run it from command line into MySQL. See my previous response to max.
Thanks, I pasted all code (with DROP TABLE IF exists table_name

When I export sql I receive this on triggers:

# mysql -usnorby -p snorby < table.sql
Enter password:
ERROR 1064 (42000) at line 101: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

Line 101 is trigger's start. I dropped trigger:
mysql> show triggers;
Empty set (0.00 sec)

How could I add it again?

Here my code new table
--
-- Table structure for table `sigs_to_block`
--
DROP TABLE IF EXISTS sigs_to_block;
CREATE TABLE `sigs_to_block` (
   `sig_name` text COLLATE utf8_unicode_ci NOT NULL,
   `src_or_dst` char(3) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'src',
   `timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL DEFAULT '01:00:00'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
--
-- Indexes for table `sigs_to_block`
--
ALTER TABLE `sigs_to_block`
  ADD UNIQUE KEY `sig_name_unique_index` (`sig_name`(64));


INSERT INTO `sigs_to_block` (`sig_name`, `src_or_dst`, `timeout`) VALUES
('ET COMPROMISED Known Compromised or Hostile Host Traffic', 'src', '01:00:00'),
('ET POLICY Suspicious inbound to', 'src', '01:00:00'),
('ET DROP Dshield Block Listed Source', 'src', '01:00:00'),
('ET SCAN', 'src', '01:00:00'),
('ET DROP Spamhaus DROP Listed Traffic Inbound', 'src', '01:00:00'),
('ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted', 'dst', '23:59:59'),
('ET CINS Active Threat Intelligence Poor Reputation IP', 'src', '01:00:00'),
('GPL SNMP', 'src', '01:00:00'),
('ET TOR Known Tor', 'src', '01:00:00'),
('GPL DNS named version attempt', 'src', '01:00:00'),
('ET VOIP Modified Sipvicious Asterisk PBX User-Agent', 'src', '01:00:00'),
('GPL RPC xdmcp info query', 'src', '01:00:00'),
('GPL RPC portmap listing', 'src', '01:00:00'),
('SURICATA SMTP no server welcome message', 'dst', '23:59:59'),
('GPL SMTP', 'dst', '23:59:59'),
('ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check', 'dst', '01:00:00'),
('Snort Alert [1:2403326:2951]', 'src', '01:00:00'),
('Snort Alert [1:2500082:4086]', 'src', '01:00:00'),
('GPL POLICY PCAnywhere', 'src', '01:00:00'),
('ET POLICY External IP Lookup', 'dst', '23:59:59'),
('GPL WEB_SERVER', 'src', '23:59:59'),
('ET SHELLCODE', 'src', '23:59:59'),
('ET P2P Edonkey IP Query End', 'src', '01:00:00'),
('ET MALWARE Suspicious', 'dst', '01:00:00'),
('ET CURRENT_EVENTS', 'src', '01:00:00'),
('Unencrypted Request Method', 'src', '01:00:00'),
('SURICATA SMTP data command rejected', 'dst', '01:00:00'),
('ET WEB_SERVER', 'src', '01:00:00'),
('ET DOS', 'src', '01:00:00'),
(' ET POLICY User', 'dst', '01:00:00'),
('ET TROJAN Possible Win32/', 'dst', '01:00:00'),
('.tk domain', 'dst', '23:59:59'),
('ET POLICY archive.org', 'dst', '01:00:00'),
('ET CNC', 'dst', '23:59:59'),
('ET SNMP', 'src', '01:00:00'),
('ET POLICY Python', 'dst', '01:00:00'),
('ET POLICY curl User-Agent Outbound', 'dst', '01:00:00'),
('ET POLICY Windows 98 User-Agent Detected', 'dst', '01:00:00'),
('ET POLICY Internal Host Retrieving External IP', 'dst', '01:00:00'),
('ET POLICY Unsupported/Fake FireFox Version', 'dst', '01:00:00'),
('ET MOBILE_MALWARE', 'dst', '23:59:59'),
('ET POLICY Possible IP Check', 'src', '01:00:00'),
('ET P2P', 'dst', '01:00:00'),
('GPL SHELLCODE', 'src', '23:59:59'),
('GPL P2P', 'src', '01:00:00'),
('.pw domain', 'dst', '23:59:59'),
('Request to .su TLD', 'dst', '01:00:00'),
('Abnormal User-Agent', 'dst', '01:00:00'),
('SSLv3 outbound', 'src', '01:00:00'),
('Hex Obfuscation', 'src', '01:00:00'),
('SSH banner detected on TCP 443 likely proxy evasion', 'src', '01:00:00');


--
-- Table structure for table `block_queue`
--
DROP TABLE IF EXISTS block_queue;
CREATE TABLE `block_queue` (
   `que_id` int(11) NOT NULL,
   `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
   `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
   `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
   `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
   `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
   `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
   `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
   `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall';

--
-- Indexes for table `block_queue`
--
ALTER TABLE `block_queue`
  ADD PRIMARY KEY (`que_id`),
  ADD KEY `que_added` (`que_added`);
--
-- AUTO_INCREMENT for table `block_queue`
--
ALTER TABLE `block_queue`
  MODIFY `que_id` int(11) NOT NULL AUTO_INCREMENT;


DROP TRIGGER IF EXISTS after_iphdr_insert;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
  BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END
Thanks
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 3:41 pm


Thanks you for reply.

I am using this:
# mysql -V
mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3

For other side, I used your script php but I added the tables using the package from maximan. Are you tables inserted different way to thim and for that reason Mysql is taking another values?

Thanks.
I haven't examined his code in detail so I couldn't say what changes he may have made.
Well, its seems same but maybe I should restore database to original (before to install that script) and add your tables.
If I paste your mysql's code on a file .sql and export, is it right? or how should I add that content?

Thanks.
Yes, export code to file, then run it from command line into MySQL. See my previous response to max.
Thanks, I pasted all code (with DROP TABLE IF exists table_name

When I export sql I receive this on triggers:

# mysql -usnorby -p snorby < table.sql
Enter password:
ERROR 1064 (42000) at line 101: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

Line 101 is trigger's start. I dropped trigger:
mysql> show triggers;
Empty set (0.00 sec)

How could I add it again?

Here my code new table
--
-- Table structure for table `sigs_to_block`
--
DROP TABLE IF EXISTS sigs_to_block;
CREATE TABLE `sigs_to_block` (
   `sig_name` text COLLATE utf8_unicode_ci NOT NULL,
   `src_or_dst` char(3) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'src',
   `timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL DEFAULT '01:00:00'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
--
-- Indexes for table `sigs_to_block`
--
ALTER TABLE `sigs_to_block`
  ADD UNIQUE KEY `sig_name_unique_index` (`sig_name`(64));


INSERT INTO `sigs_to_block` (`sig_name`, `src_or_dst`, `timeout`) VALUES
('ET COMPROMISED Known Compromised or Hostile Host Traffic', 'src', '01:00:00'),
('ET POLICY Suspicious inbound to', 'src', '01:00:00'),
('ET DROP Dshield Block Listed Source', 'src', '01:00:00'),
('ET SCAN', 'src', '01:00:00'),
('ET DROP Spamhaus DROP Listed Traffic Inbound', 'src', '01:00:00'),
('ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted', 'dst', '23:59:59'),
('ET CINS Active Threat Intelligence Poor Reputation IP', 'src', '01:00:00'),
('GPL SNMP', 'src', '01:00:00'),
('ET TOR Known Tor', 'src', '01:00:00'),
('GPL DNS named version attempt', 'src', '01:00:00'),
('ET VOIP Modified Sipvicious Asterisk PBX User-Agent', 'src', '01:00:00'),
('GPL RPC xdmcp info query', 'src', '01:00:00'),
('GPL RPC portmap listing', 'src', '01:00:00'),
('SURICATA SMTP no server welcome message', 'dst', '23:59:59'),
('GPL SMTP', 'dst', '23:59:59'),
('ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check', 'dst', '01:00:00'),
('Snort Alert [1:2403326:2951]', 'src', '01:00:00'),
('Snort Alert [1:2500082:4086]', 'src', '01:00:00'),
('GPL POLICY PCAnywhere', 'src', '01:00:00'),
('ET POLICY External IP Lookup', 'dst', '23:59:59'),
('GPL WEB_SERVER', 'src', '23:59:59'),
('ET SHELLCODE', 'src', '23:59:59'),
('ET P2P Edonkey IP Query End', 'src', '01:00:00'),
('ET MALWARE Suspicious', 'dst', '01:00:00'),
('ET CURRENT_EVENTS', 'src', '01:00:00'),
('Unencrypted Request Method', 'src', '01:00:00'),
('SURICATA SMTP data command rejected', 'dst', '01:00:00'),
('ET WEB_SERVER', 'src', '01:00:00'),
('ET DOS', 'src', '01:00:00'),
(' ET POLICY User', 'dst', '01:00:00'),
('ET TROJAN Possible Win32/', 'dst', '01:00:00'),
('.tk domain', 'dst', '23:59:59'),
('ET POLICY archive.org', 'dst', '01:00:00'),
('ET CNC', 'dst', '23:59:59'),
('ET SNMP', 'src', '01:00:00'),
('ET POLICY Python', 'dst', '01:00:00'),
('ET POLICY curl User-Agent Outbound', 'dst', '01:00:00'),
('ET POLICY Windows 98 User-Agent Detected', 'dst', '01:00:00'),
('ET POLICY Internal Host Retrieving External IP', 'dst', '01:00:00'),
('ET POLICY Unsupported/Fake FireFox Version', 'dst', '01:00:00'),
('ET MOBILE_MALWARE', 'dst', '23:59:59'),
('ET POLICY Possible IP Check', 'src', '01:00:00'),
('ET P2P', 'dst', '01:00:00'),
('GPL SHELLCODE', 'src', '23:59:59'),
('GPL P2P', 'src', '01:00:00'),
('.pw domain', 'dst', '23:59:59'),
('Request to .su TLD', 'dst', '01:00:00'),
('Abnormal User-Agent', 'dst', '01:00:00'),
('SSLv3 outbound', 'src', '01:00:00'),
('Hex Obfuscation', 'src', '01:00:00'),
('SSH banner detected on TCP 443 likely proxy evasion', 'src', '01:00:00');


--
-- Table structure for table `block_queue`
--
DROP TABLE IF EXISTS block_queue;
CREATE TABLE `block_queue` (
   `que_id` int(11) NOT NULL,
   `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
   `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
   `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
   `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
   `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
   `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
   `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
   `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall';

--
-- Indexes for table `block_queue`
--
ALTER TABLE `block_queue`
  ADD PRIMARY KEY (`que_id`),
  ADD KEY `que_added` (`que_added`);
--
-- AUTO_INCREMENT for table `block_queue`
--
ALTER TABLE `block_queue`
  MODIFY `que_id` int(11) NOT NULL AUTO_INCREMENT;


DROP TRIGGER IF EXISTS after_iphdr_insert;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
  BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END
Thanks
Hmmm. A couple of ideas. Try to put just the trigger code in the SQL file and run it again. If that doesn't work so you have phpmyadmin or a similar tool that will let you define the trigger?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Thu Apr 06, 2017 3:55 pm


I haven't examined his code in detail so I couldn't say what changes he may have made.
Well, its seems same but maybe I should restore database to original (before to install that script) and add your tables.
If I paste your mysql's code on a file .sql and export, is it right? or how should I add that content?

Thanks.
Yes, export code to file, then run it from command line into MySQL. See my previous response to max.
Thanks, I pasted all code (with DROP TABLE IF exists table_name

When I export sql I receive this on triggers:

# mysql -usnorby -p snorby < table.sql
Enter password:
ERROR 1064 (42000) at line 101: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

Line 101 is trigger's start. I dropped trigger:
mysql> show triggers;
Empty set (0.00 sec)

How could I add it again?

Here my code new table
--
-- Table structure for table `sigs_to_block`
--
DROP TABLE IF EXISTS sigs_to_block;
CREATE TABLE `sigs_to_block` (
   `sig_name` text COLLATE utf8_unicode_ci NOT NULL,
   `src_or_dst` char(3) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'src',
   `timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL DEFAULT '01:00:00'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
--
-- Indexes for table `sigs_to_block`
--
ALTER TABLE `sigs_to_block`
  ADD UNIQUE KEY `sig_name_unique_index` (`sig_name`(64));


INSERT INTO `sigs_to_block` (`sig_name`, `src_or_dst`, `timeout`) VALUES
('ET COMPROMISED Known Compromised or Hostile Host Traffic', 'src', '01:00:00'),
('ET POLICY Suspicious inbound to', 'src', '01:00:00'),
('ET DROP Dshield Block Listed Source', 'src', '01:00:00'),
('ET SCAN', 'src', '01:00:00'),
('ET DROP Spamhaus DROP Listed Traffic Inbound', 'src', '01:00:00'),
('ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted', 'dst', '23:59:59'),
('ET CINS Active Threat Intelligence Poor Reputation IP', 'src', '01:00:00'),
('GPL SNMP', 'src', '01:00:00'),
('ET TOR Known Tor', 'src', '01:00:00'),
('GPL DNS named version attempt', 'src', '01:00:00'),
('ET VOIP Modified Sipvicious Asterisk PBX User-Agent', 'src', '01:00:00'),
('GPL RPC xdmcp info query', 'src', '01:00:00'),
('GPL RPC portmap listing', 'src', '01:00:00'),
('SURICATA SMTP no server welcome message', 'dst', '23:59:59'),
('GPL SMTP', 'dst', '23:59:59'),
('ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check', 'dst', '01:00:00'),
('Snort Alert [1:2403326:2951]', 'src', '01:00:00'),
('Snort Alert [1:2500082:4086]', 'src', '01:00:00'),
('GPL POLICY PCAnywhere', 'src', '01:00:00'),
('ET POLICY External IP Lookup', 'dst', '23:59:59'),
('GPL WEB_SERVER', 'src', '23:59:59'),
('ET SHELLCODE', 'src', '23:59:59'),
('ET P2P Edonkey IP Query End', 'src', '01:00:00'),
('ET MALWARE Suspicious', 'dst', '01:00:00'),
('ET CURRENT_EVENTS', 'src', '01:00:00'),
('Unencrypted Request Method', 'src', '01:00:00'),
('SURICATA SMTP data command rejected', 'dst', '01:00:00'),
('ET WEB_SERVER', 'src', '01:00:00'),
('ET DOS', 'src', '01:00:00'),
(' ET POLICY User', 'dst', '01:00:00'),
('ET TROJAN Possible Win32/', 'dst', '01:00:00'),
('.tk domain', 'dst', '23:59:59'),
('ET POLICY archive.org', 'dst', '01:00:00'),
('ET CNC', 'dst', '23:59:59'),
('ET SNMP', 'src', '01:00:00'),
('ET POLICY Python', 'dst', '01:00:00'),
('ET POLICY curl User-Agent Outbound', 'dst', '01:00:00'),
('ET POLICY Windows 98 User-Agent Detected', 'dst', '01:00:00'),
('ET POLICY Internal Host Retrieving External IP', 'dst', '01:00:00'),
('ET POLICY Unsupported/Fake FireFox Version', 'dst', '01:00:00'),
('ET MOBILE_MALWARE', 'dst', '23:59:59'),
('ET POLICY Possible IP Check', 'src', '01:00:00'),
('ET P2P', 'dst', '01:00:00'),
('GPL SHELLCODE', 'src', '23:59:59'),
('GPL P2P', 'src', '01:00:00'),
('.pw domain', 'dst', '23:59:59'),
('Request to .su TLD', 'dst', '01:00:00'),
('Abnormal User-Agent', 'dst', '01:00:00'),
('SSLv3 outbound', 'src', '01:00:00'),
('Hex Obfuscation', 'src', '01:00:00'),
('SSH banner detected on TCP 443 likely proxy evasion', 'src', '01:00:00');


--
-- Table structure for table `block_queue`
--
DROP TABLE IF EXISTS block_queue;
CREATE TABLE `block_queue` (
   `que_id` int(11) NOT NULL,
   `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
   `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
   `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
   `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
   `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
   `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
   `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
   `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall';

--
-- Indexes for table `block_queue`
--
ALTER TABLE `block_queue`
  ADD PRIMARY KEY (`que_id`),
  ADD KEY `que_added` (`que_added`);
--
-- AUTO_INCREMENT for table `block_queue`
--
ALTER TABLE `block_queue`
  MODIFY `que_id` int(11) NOT NULL AUTO_INCREMENT;


DROP TRIGGER IF EXISTS after_iphdr_insert;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
  BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END
Thanks
Hmmm. A couple of ideas. Try to put just the trigger code in the SQL file and run it again. If that doesn't work so you have phpmyadmin or a similar tool that will let you define the trigger?
A add trigger deleting old trigger, I think that its works ,but I discovered a new thing:

If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP

But MK is adding the number without decipher.

Any idea?

Thanks
 
boardman
Member Candidate
Member Candidate
Posts: 258
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: Suricata IDS/IPS integration with Mikrotik

Fri Apr 07, 2017 1:49 am

Nice !!!

Thanks
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Fri Apr 07, 2017 3:53 am


A add trigger deleting old trigger, I think that its works ,but I discovered a new thing:

If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP

But MK is adding the number without decipher.

Any idea?

Thanks
So if you do this in MySQL:
use snorby;
Select * from block_queue;
What do you see in the que_ip_adr column? Should be real IP address. If it is still encoded IP address then trigger is not executing correctly as trigger should insert record with real IP address.

If you don't see real IP address then do this in MySQL:
show triggers;
And check to make sure that trigger code is correct. If not, you might still have the old trigger executing.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Fri Apr 07, 2017 7:40 am


A add trigger deleting old trigger, I think that its works ,but I discovered a new thing:

If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP

But MK is adding the number without decipher.

Any idea?

Thanks
So if you do this in MySQL:
use snorby;
Select * from block_queue;
What do you see in the que_ip_adr column? Should be real IP address. If it is still encoded IP address then trigger is not executing correctly as trigger should insert record with real IP address.

If you don't see real IP address then do this in MySQL:
show triggers;
And check to make sure that trigger code is correct. If not, you might still have the old trigger executing.
Hi, finally its working fine. I dropped old tables and add it again and its showing real IP on Mikrotik.

A last question, I see a lot of rules on emerging-*, how could I test one? I see some rules with an address.
Example:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc"; http_header; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:2;)

I want to access to check how MK ban that traffic. I tested with ransomware's IP and its ok, MK ban automatically, but I can't test it with a URL.

Thanks you for your job and support.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Fri Apr 07, 2017 9:35 am


A add trigger deleting old trigger, I think that its works ,but I discovered a new thing:

If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP

But MK is adding the number without decipher.

Any idea?

Thanks
So if you do this in MySQL:
use snorby;
Select * from block_queue;
What do you see in the que_ip_adr column? Should be real IP address. If it is still encoded IP address then trigger is not executing correctly as trigger should insert record with real IP address.

If you don't see real IP address then do this in MySQL:
show triggers;
And check to make sure that trigger code is correct. If not, you might still have the old trigger executing.
Hi, finally its working fine. I dropped old tables and add it again and its showing real IP on Mikrotik.

A last question, I see a lot of rules on emerging-*, how could I test one? I see some rules with an address.
Example:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc"; http_header; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:2;)

I want to access to check how MK ban that traffic. I tested with ransomware's IP and its ok, MK ban automatically, but I can't test it with a URL.

Thanks you for your job and support.
I don't know that there is a way to test all of the signatures, at least not easily. If you go to section 1.5 of this document you can see how they test some of the signatures:

https://web.nsrc.org/workshops/2015/pac ... g-test.htm

I would suspect that there is a way to generate the signatures on the interface, but that is beyond my level at this time.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Fri Apr 07, 2017 1:21 pm


A add trigger deleting old trigger, I think that its works ,but I discovered a new thing:

If I do from myqsl console set inet_ntoa(NEW.ip_src) -> I get real IP

But MK is adding the number without decipher.

Any idea?

Thanks
So if you do this in MySQL:
use snorby;
Select * from block_queue;
What do you see in the que_ip_adr column? Should be real IP address. If it is still encoded IP address then trigger is not executing correctly as trigger should insert record with real IP address.

If you don't see real IP address then do this in MySQL:
show triggers;
And check to make sure that trigger code is correct. If not, you might still have the old trigger executing.
Hi, finally its working fine. I dropped old tables and add it again and its showing real IP on Mikrotik.

A last question, I see a lot of rules on emerging-*, how could I test one? I see some rules with an address.
Example:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc"; http_header; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:2;)

I want to access to check how MK ban that traffic. I tested with ransomware's IP and its ok, MK ban automatically, but I can't test it with a URL.

Thanks you for your job and support.
I don't know that there is a way to test all of the signatures, at least not easily. If you go to section 1.5 of this document you can see how they test some of the signatures:

https://web.nsrc.org/workshops/2015/pac ... g-test.htm

I would suspect that there is a way to generate the signatures on the interface, but that is beyond my level at this time.
I will look to test it.

My Mikrotik has banned my own mail IP, are there way to add a whitelist in suricata or script or Mikrotik?
Could I create a rule in first place to allow traffic to my mail address?

Thanks again.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Sat Apr 08, 2017 6:52 am


I will look to test it.

My Mikrotik has banned my own mail IP, are there way to add a whitelist in suricata or script or Mikrotik?
Could I create a rule in first place to allow traffic to my mail address?

Thanks again.
A couple of different ways to do this in suricata.

First of all in /etc/suricata/suricata.yaml right at the top of the file is a place to define you home network:
vars:
  # more specifc is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
If that doesn't seem to do the trick, then in /etc/suricata/threshold.config you can suppress the firing of specific signatures:
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Just see what signature id caused your email server to be block and add it into the threshold.config file.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 8:11 am


I will look to test it.

My Mikrotik has banned my own mail IP, are there way to add a whitelist in suricata or script or Mikrotik?
Could I create a rule in first place to allow traffic to my mail address?

Thanks again.
A couple of different ways to do this in suricata.

First of all in /etc/suricata/suricata.yaml right at the top of the file is a place to define you home network:
vars:
  # more specifc is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
If that doesn't seem to do the trick, then in /etc/suricata/threshold.config you can suppress the firing of specific signatures:
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Just see what signature id caused your email server to be block and add it into the threshold.config file.

Hi,

I added my HOME_NET to suricata.yaml:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]"

And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right?
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.1

suricata/fast.log.1:04/03/2017-09:57:09.934246 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.5.1:37764 -> 192.168.5.100:8088

192.168.5.100 its my own mail IP.
192.168.5.1 its my own router.

And if from my home_net someone try to upload/download/access/execute any file or bad website, will be detected by suricata or if I have my net home_net is it invisible for it?
I want to avoid attacks from external net and any possible attack from any laptop infected or access prohibited.

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 8:49 am


Hi,

I added my HOME_NET to suricata.yaml:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]"

And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right?
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.1

suricata/fast.log.1:04/03/2017-09:57:09.934246 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.5.1:37764 -> 192.168.5.100:8088

192.168.5.100 its my own mail IP.
192.168.5.1 its my own router.

And if from my home_net someone try to upload/download/access/execute any file or bad website, will be detected by suricata or if I have my net home_net is it invisible for it?
I want to avoid attacks from external net and any possible attack from any laptop infected or access prohibited.

Thanks.
Yes, your definitions look right.

Suricata will not prevent all bad things from happening. It will detect network based threats that match it's signature database. If you have an external facing website or any other service, it will see that traffic as valid and not prohibit access.

Suricata is just one layer of security that you can implement to protect your assets from network based threats. End-point protection, ransomware protection, and host intrusion detection (e.g. OSSEC) adds more layers of security in order to try to alleviate threats. But just like physical security, if someone wants to work hard enough to get into your house, there is really not a way to stop them. The more layers of security you have, the more likely it is that the attacker will move on and look for softer targets.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 11:06 am


Hi,

I added my HOME_NET to suricata.yaml:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]"

And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right?
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.1

suricata/fast.log.1:04/03/2017-09:57:09.934246 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.5.1:37764 -> 192.168.5.100:8088

192.168.5.100 its my own mail IP.
192.168.5.1 its my own router.

And if from my home_net someone try to upload/download/access/execute any file or bad website, will be detected by suricata or if I have my net home_net is it invisible for it?
I want to avoid attacks from external net and any possible attack from any laptop infected or access prohibited.

Thanks.
Yes, your definitions look right.

Suricata will not prevent all bad things from happening. It will detect network based threats that match it's signature database. If you have an external facing website or any other service, it will see that traffic as valid and not prohibit access.

Suricata is just one layer of security that you can implement to protect your assets from network based threats. End-point protection, ransomware protection, and host intrusion detection (e.g. OSSEC) adds more layers of security in order to try to alleviate threats. But just like physical security, if someone wants to work hard enough to get into your house, there is really not a way to stop them. The more layers of security you have, the more likely it is that the attacker will move on and look for softer targets.
A lot of thanks for your fast reply. I am checking this script and I am finding with a trouble.

Script is running good:
# ps wuaxf|grep suri
root      7789 45.3 24.0 1392900 755588 ?      Sl   07:17  54:48 /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml -r -
root      7862  0.3  2.4 177752 77560 ?        Ss   07:18   0:28 barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
root     11335  0.0  0.0   8824   752 pts/0    S+   09:18   0:00      \_ grep --color=auto suri
root     11325  0.2  0.3 191204 10532 pts/0    S    09:18   0:00 php -f /opt/mikrotik-ips-suricata/suricata_block.php
And if I try to access a ransomware website (for example) automatically Mikrotik receive a new line from server with that IP, its okay and running fine.

Now, I leave from that shell, and I again enter a new ransomware's IP (which it should be banned too because php process is running) but not, when I access this new IP, script doesn't appear running and IP's aren't banned.

I enabled logs php:
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
error_log = /var/log/php_errors.log
But log is empty.

Any idea please?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 11:10 am


Hi,

I added my HOME_NET to suricata.yaml:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]"

And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right?
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.1

suricata/fast.log.1:04/03/2017-09:57:09.934246 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.5.1:37764 -> 192.168.5.100:8088

192.168.5.100 its my own mail IP.
192.168.5.1 its my own router.

And if from my home_net someone try to upload/download/access/execute any file or bad website, will be detected by suricata or if I have my net home_net is it invisible for it?
I want to avoid attacks from external net and any possible attack from any laptop infected or access prohibited.

Thanks.
Yes, your definitions look right.

Suricata will not prevent all bad things from happening. It will detect network based threats that match it's signature database. If you have an external facing website or any other service, it will see that traffic as valid and not prohibit access.

Suricata is just one layer of security that you can implement to protect your assets from network based threats. End-point protection, ransomware protection, and host intrusion detection (e.g. OSSEC) adds more layers of security in order to try to alleviate threats. But just like physical security, if someone wants to work hard enough to get into your house, there is really not a way to stop them. The more layers of security you have, the more likely it is that the attacker will move on and look for softer targets.
A lot of thanks for your fast reply. I am checking this script and I am finding with a trouble.

Script is running good:
# ps wuaxf|grep suri
root      7789 45.3 24.0 1392900 755588 ?      Sl   07:17  54:48 /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml -r -
root      7862  0.3  2.4 177752 77560 ?        Ss   07:18   0:28 barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
root     11335  0.0  0.0   8824   752 pts/0    S+   09:18   0:00      \_ grep --color=auto suri
root     11325  0.2  0.3 191204 10532 pts/0    S    09:18   0:00 php -f /opt/mikrotik-ips-suricata/suricata_block.php
And if I try to access a ransomware website (for example) automatically Mikrotik receive a new line from server with that IP, its okay and running fine.

Now, I leave from that shell, and I again enter a new ransomware's IP (which it should be banned too because php process is running) but not, when I access this new IP, script doesn't appear running and IP's aren't banned.

I enabled logs php:
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
error_log = /var/log/php_errors.log
But log is empty.

Any idea please?

Thanks.
Is there anything in fast.log? Perhaps suricata didn't flag any signatures.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 11:21 am


Hi,

I added my HOME_NET to suricata.yaml:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]"

And I too added a line in threshold.config to avoid that alert from my IP. Could you say me if its right?
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100
suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.1

suricata/fast.log.1:04/03/2017-09:57:09.934246 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.5.1:37764 -> 192.168.5.100:8088

192.168.5.100 its my own mail IP.
192.168.5.1 its my own router.

And if from my home_net someone try to upload/download/access/execute any file or bad website, will be detected by suricata or if I have my net home_net is it invisible for it?
I want to avoid attacks from external net and any possible attack from any laptop infected or access prohibited.

Thanks.
Yes, your definitions look right.

Suricata will not prevent all bad things from happening. It will detect network based threats that match it's signature database. If you have an external facing website or any other service, it will see that traffic as valid and not prohibit access.

Suricata is just one layer of security that you can implement to protect your assets from network based threats. End-point protection, ransomware protection, and host intrusion detection (e.g. OSSEC) adds more layers of security in order to try to alleviate threats. But just like physical security, if someone wants to work hard enough to get into your house, there is really not a way to stop them. The more layers of security you have, the more likely it is that the attacker will move on and look for softer targets.
A lot of thanks for your fast reply. I am checking this script and I am finding with a trouble.

Script is running good:
# ps wuaxf|grep suri
root      7789 45.3 24.0 1392900 755588 ?      Sl   07:17  54:48 /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml -r -
root      7862  0.3  2.4 177752 77560 ?        Ss   07:18   0:28 barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
root     11335  0.0  0.0   8824   752 pts/0    S+   09:18   0:00      \_ grep --color=auto suri
root     11325  0.2  0.3 191204 10532 pts/0    S    09:18   0:00 php -f /opt/mikrotik-ips-suricata/suricata_block.php
And if I try to access a ransomware website (for example) automatically Mikrotik receive a new line from server with that IP, its okay and running fine.

Now, I leave from that shell, and I again enter a new ransomware's IP (which it should be banned too because php process is running) but not, when I access this new IP, script doesn't appear running and IP's aren't banned.

I enabled logs php:
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
error_log = /var/log/php_errors.log
But log is empty.

Any idea please?

Thanks.
Is there anything in fast.log? Perhaps suricata didn't flag any signatures.
Yes, suricata is getting rules because I can see it on Snorby.
When I start script again, Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-start it again because script stops when I leave shell and access a new bad IP. (note: While none IP has been detected by suricata, script continue running but if I access any ransomware's IP (or any other), script stop run and doesn't send notifications to Mikrotik)

Here my tests in fast.log
04/10/2017-09:47:00.315253  [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server group 172 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:51052 -> 91.226.92.140:80
04/10/2017-09:47:00.315303  [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server group 172 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:51052 -> 91.226.92.140:80
04/10/2017-09:48:02.390455  [**] [1:2404404:4579] ET CNC Ransomware Tracker Reported CnC Server group 5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:52704 -> 109.195.175.176:80
04/10/2017-09:48:02.390541  [**] [1:2404404:4579] ET CNC Ransomware Tracker Reported CnC Server group 5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:52704 -> 109.195.175.176:80
04/10/2017-09:53:01.815003  [**] [1:2404510:4579] ET CNC Ransomware Tracker Reported CnC Server group 111 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:33050 -> 46.172.212.32:80
04/10/2017-09:53:01.815198  [**] [1:2404510:4579] ET CNC Ransomware Tracker Reported CnC Server group 111 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:33050 -> 46.172.212.32:80
Last edited by aarango on Mon Apr 10, 2017 11:35 am, edited 1 time in total.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 11:30 am


Yes, when I run script again Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-run it again because script is stopped when I leave shell.

Here my tests in fast.log
04/10/2017-09:47:00.315253  [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server group 172 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:51052 -> 91.226.92.140:80
04/10/2017-09:47:00.315303  [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server group 172 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:51052 -> 91.226.92.140:80
04/10/2017-09:48:02.390455  [**] [1:2404404:4579] ET CNC Ransomware Tracker Reported CnC Server group 5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:52704 -> 109.195.175.176:80
04/10/2017-09:48:02.390541  [**] [1:2404404:4579] ET CNC Ransomware Tracker Reported CnC Server group 5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:52704 -> 109.195.175.176:80
04/10/2017-09:53:01.815003  [**] [1:2404510:4579] ET CNC Ransomware Tracker Reported CnC Server group 111 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:33050 -> 46.172.212.32:80
04/10/2017-09:53:01.815198  [**] [1:2404510:4579] ET CNC Ransomware Tracker Reported CnC Server group 111 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:33050 -> 46.172.212.32:80
Have you added this signature string
Ransomware Tracker Reported CnC Server
in the sigs_to_block table? By default, only signatures in the sigs_to_block table are actually blocked. I use Anvil to check which signatures I'm seeing and if I see new signatures that I want to block, I add them to that table.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 11:36 am


Yes, when I run script again Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-run it again because script is stopped when I leave shell.

Here my tests in fast.log
04/10/2017-09:47:00.315253  [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server group 172 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:51052 -> 91.226.92.140:80
04/10/2017-09:47:00.315303  [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server group 172 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:51052 -> 91.226.92.140:80
04/10/2017-09:48:02.390455  [**] [1:2404404:4579] ET CNC Ransomware Tracker Reported CnC Server group 5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:52704 -> 109.195.175.176:80
04/10/2017-09:48:02.390541  [**] [1:2404404:4579] ET CNC Ransomware Tracker Reported CnC Server group 5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:52704 -> 109.195.175.176:80
04/10/2017-09:53:01.815003  [**] [1:2404510:4579] ET CNC Ransomware Tracker Reported CnC Server group 111 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.2:33050 -> 46.172.212.32:80
04/10/2017-09:53:01.815198  [**] [1:2404510:4579] ET CNC Ransomware Tracker Reported CnC Server group 111 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.73:33050 -> 46.172.212.32:80
Have you added this signature string
Ransomware Tracker Reported CnC Server
in the sigs_to_block table? By default, only signatures in the sigs_to_block table are actually blocked. I use Anvil to check which signatures I'm seeing and if I see new signatures that I want to block, I add them to that table.
Yes, I edited my own message to be more clear:

Yes, suricata is getting rules because I can see it on Snorby.
When I start script again, Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-start it again because script stops when I leave shell and access a new bad IP. (note: While none IP has been detected by suricata, script continue running but if I access any ransomware's IP (or any other), script stop run and doesn't send notifications to Mikrotik).

Maybe could I debug php in any log to check because script stops?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 12:00 pm


Yes, I edited my own message to be more clear:

Yes, suricata is getting rules because I can see it on Snorby.
When I start script again, Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-start it again because script stops when I leave shell and access a new bad IP. (note: While none IP has been detected by suricata, script continue running but if I access any ransomware's IP (or any other), script stop run and doesn't send notifications to Mikrotik).

Maybe could I debug php in any log to check because script stops?

Thanks.
This is my php script, or script from max?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 12:10 pm


Yes, I edited my own message to be more clear:

Yes, suricata is getting rules because I can see it on Snorby.
When I start script again, Mikrotik receive all rules which Suricata/Barnyard2/Snorby had captured. I have to re-start it again because script stops when I leave shell and access a new bad IP. (note: While none IP has been detected by suricata, script continue running but if I access any ransomware's IP (or any other), script stop run and doesn't send notifications to Mikrotik).

Maybe could I debug php in any log to check because script stops?

Thanks.
This is my php script, or script from max?
It is your script. Its weird because now script sent 2 rules to Mikrotik but in third test, script has stopped. Some is killing that script which I can't see what neither why.

Here output file php (which its always showing but doesn't matter because with that error if I don't leave shell, Mikrotik receive alerts) ->
Notice: Array to string conversion in /opt/mikrotik-ips-suricata/suricata_block.php on line 41
Array
Warning: mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /opt/mikrotik-ips-suricata/suricata_block.php on line 139

Here script:
# cat /opt/mikrotik-ips-suricata/suricata_block.php 
<?php
require('routeros_api.class.php');

/* Set your specific configuration below */
$user_name = "snorby";
$password = "XXXXXX";
$database = "snorby";
$server = "localhost";
$mikrotik_addr = "192.168.X.X";
$mikrotik_user = "admin";
$mikrotik_pwd = "XXXXX";
$local_ip_prefix = "192.168.";
$email_to = "MYEMAIL";
$email_from = "MYEMAIL";

header('Content-Type: text/plain');

$API = new RouterosAPI();

function UptimeInSeconds($uptime) { 
  $mark1=strpos($uptime, "d"); 
  $days=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $mark1=strpos($uptime, "h"); 
  $hours=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $mark1=strpos($uptime, "m"); 
  $minutes=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $mark1=strpos($uptime, "s"); 
  $seconds=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $total=($days * 86400) + ($hours * 3600) + ($minutes * 60) + $seconds; 
  return $total; 
}

function AddToFirewall($thisrow) {
  echo $thisrow;
  global $local_ip_prefix, $API, $mikrotik_addr, $mikrotik_user, $mikrotik_pwd, $email_to, $email_from;

  if (strpos($thisrow['que_ip_adr'], $local_ip_prefix) !== true) {
    /* Does not match local address... */
    /* See if the address is already in the firewall list, if so delete it so we can readd it with a new timeout */
    try {
        $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/ip/firewall/address-list/print", array(
       ".proplist"=> ".id",
       "?address" => $thisrow['que_ip_adr'],));
    foreach ($ARRAY as $a) {
      foreach ($a as $name => $value) {
        $API->write("/ip/firewall/address-list/remove",false);
        $API->write("=.id=$value",true);
        $API->read();
      }
    }
    if (array_key_exists('que_remaining', $thisrow))
      { $timeremaining = $thisrow['que_remaining']; }
    else
      { $timeremaining = $thisrow['que_timeout']; } 
    $API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
    $API->disconnect();
  } else {
    /* Send email indicating bad block attempt*/
    $to      = $email_to;
    $subject = 'Suricata on ' . gethostname() . ': attempted block on local address';
    $message = 'A record in the block_queue indicated a block on a local IP Address (' . $row['que_ip_adr'] . ")\r\n";
    $message = $message . "\r\n";
    $message = $message . "The signature ID is " . $row['que_sig_id'] . " named: " . $row['que_sig_name'] . "\r\n";
    $message = $message . "    with a que_id of " . $row['que_id'] . "\r\n\r\n";
    $message = $message . "Check the src_or_dst field in events_to_block for the signature to make sure it is correct (src/dst).\r\n\r\n";
    $message = $message . "The record was not processed but marked as completed.\r\n";
    $headers = 'From: ' . $email_from . "\r\n" .
      'Reply-To: ' . $email_from . "\r\n" .
      'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
  }
  return true;
}

/* Connect to database, if unsuccessful keep trying for 100 seconds */
    $i = 0;
    while ( $i < 100 ) {
      $db = new mysqli($server, $user_name, $password, $database);
      if ($db->connect_errno > 0) {
        print('Unable to connect to database [' . $db->connect_error . ']');
        sleep(10);
        $i = $i + 10;
      }
      else {
        $i = 100;
      }
    }

/* Check to see how long the mikrotik has been up.  If less than 5 minutes then rebuild firewall list */
    try {
        $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/system/resource/print", false);
    $upsecs = UptimeInSeconds($ARRAY[0]['uptime']);  
    $API->disconnect();
    if ($upsecs < 300) {
      /* This SELECT statement will ignore any entries that had 2 minutes or less remaining */
      $SQL = "SELECT *,DATE_FORMAT(TIMEDIFF(ADDTIME(que_added,que_timeout), CURRENT_TIMESTAMP), '%H:%i:%s') as que_remaining " . 
          "FROM block_queue where ADDTIME(que_added, que_timeout) > TIMESTAMPADD(MINUTE, 2, CURRENT_TIMESTAMP) order by que_remaining;";
      if (!$result = $db->query($SQL)) {
          die('There was an error running the query [' . $db->error . ']');
      }
      while ($row = $result->fetch_assoc()) {
        $x = AddToFirewall($row);
      }
      $rslt = mysqli_free_result($result);
    }

/* Main program loop */
    while ( 1 == 1 ) {
      $SQL = "SELECT * FROM block_queue WHERE que_processed = 0;";
      if(!$result = $db->query($SQL)) {
        die('There was an error running the query [' . $db->error . ']');
      }
      while($row = $result->fetch_assoc()) {
        $x = AddToFirewall($row);
        $SQL2 = "UPDATE block_queue set que_processed = 1 WHERE que_id = " . $row['que_id'] . ";";
        if (!$result2 = $db->query($SQL2)) {
          die('There was an error running the query [' . $db->error . ']');
        }
        $rslt = mysqli_free_result($result2);
      }
      $rslt = mysqli_free_result($result);
      sleep(5); /* Sleep 5 seconds then do again */
      mysqli_ping($db);
    }
  $db->close();
?>
Sorry for so many post converting the post (a great job and an excellent tool) in my troubleshooting. Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 12:29 pm


It is your script. Its weird because now script sent 2 rules to Mikrotik but in third test, script has stopped. Some is killing that script which I can't see what neither why.

Here output file php (which its always showing but doesn't matter because with that error if I don't leave shell, Mikrotik receive alerts) ->
Notice: Array to string conversion in /opt/mikrotik-ips-suricata/suricata_block.php on line 41
Array
Warning: mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /opt/mikrotik-ips-suricata/suricata_block.php on line 139

Here script:
# cat /opt/mikrotik-ips-suricata/suricata_block.php 
<?php
require('routeros_api.class.php');

/* Set your specific configuration below */
$user_name = "snorby";
$password = "XXXXXX";
$database = "snorby";
$server = "localhost";
$mikrotik_addr = "192.168.X.X";
$mikrotik_user = "admin";
$mikrotik_pwd = "XXXXX";
$local_ip_prefix = "192.168.";
$email_to = "MYEMAIL";
$email_from = "MYEMAIL";

header('Content-Type: text/plain');

$API = new RouterosAPI();

function UptimeInSeconds($uptime) { 
  $mark1=strpos($uptime, "d"); 
  $days=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $mark1=strpos($uptime, "h"); 
  $hours=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $mark1=strpos($uptime, "m"); 
  $minutes=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $mark1=strpos($uptime, "s"); 
  $seconds=substr($uptime, 0, $mark1); 
  if ($mark1) $uptime=substr($uptime, $mark1 + 1); 
  $total=($days * 86400) + ($hours * 3600) + ($minutes * 60) + $seconds; 
  return $total; 
}

function AddToFirewall($thisrow) {
  echo $thisrow;
  global $local_ip_prefix, $API, $mikrotik_addr, $mikrotik_user, $mikrotik_pwd, $email_to, $email_from;

  if (strpos($thisrow['que_ip_adr'], $local_ip_prefix) !== true) {
    /* Does not match local address... */
    /* See if the address is already in the firewall list, if so delete it so we can readd it with a new timeout */
    try {
        $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/ip/firewall/address-list/print", array(
       ".proplist"=> ".id",
       "?address" => $thisrow['que_ip_adr'],));
    foreach ($ARRAY as $a) {
      foreach ($a as $name => $value) {
        $API->write("/ip/firewall/address-list/remove",false);
        $API->write("=.id=$value",true);
        $API->read();
      }
    }
    if (array_key_exists('que_remaining', $thisrow))
      { $timeremaining = $thisrow['que_remaining']; }
    else
      { $timeremaining = $thisrow['que_timeout']; } 
    $API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
    $API->disconnect();
  } else {
    /* Send email indicating bad block attempt*/
    $to      = $email_to;
    $subject = 'Suricata on ' . gethostname() . ': attempted block on local address';
    $message = 'A record in the block_queue indicated a block on a local IP Address (' . $row['que_ip_adr'] . ")\r\n";
    $message = $message . "\r\n";
    $message = $message . "The signature ID is " . $row['que_sig_id'] . " named: " . $row['que_sig_name'] . "\r\n";
    $message = $message . "    with a que_id of " . $row['que_id'] . "\r\n\r\n";
    $message = $message . "Check the src_or_dst field in events_to_block for the signature to make sure it is correct (src/dst).\r\n\r\n";
    $message = $message . "The record was not processed but marked as completed.\r\n";
    $headers = 'From: ' . $email_from . "\r\n" .
      'Reply-To: ' . $email_from . "\r\n" .
      'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
  }
  return true;
}

/* Connect to database, if unsuccessful keep trying for 100 seconds */
    $i = 0;
    while ( $i < 100 ) {
      $db = new mysqli($server, $user_name, $password, $database);
      if ($db->connect_errno > 0) {
        print('Unable to connect to database [' . $db->connect_error . ']');
        sleep(10);
        $i = $i + 10;
      }
      else {
        $i = 100;
      }
    }

/* Check to see how long the mikrotik has been up.  If less than 5 minutes then rebuild firewall list */
    try {
        $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
    } catch (Exception $e) {
        die('Unable to connect to RouterOS. Error:' . $e);
    }
    $ARRAY = $API->comm("/system/resource/print", false);
    $upsecs = UptimeInSeconds($ARRAY[0]['uptime']);  
    $API->disconnect();
    if ($upsecs < 300) {
      /* This SELECT statement will ignore any entries that had 2 minutes or less remaining */
      $SQL = "SELECT *,DATE_FORMAT(TIMEDIFF(ADDTIME(que_added,que_timeout), CURRENT_TIMESTAMP), '%H:%i:%s') as que_remaining " . 
          "FROM block_queue where ADDTIME(que_added, que_timeout) > TIMESTAMPADD(MINUTE, 2, CURRENT_TIMESTAMP) order by que_remaining;";
      if (!$result = $db->query($SQL)) {
          die('There was an error running the query [' . $db->error . ']');
      }
      while ($row = $result->fetch_assoc()) {
        $x = AddToFirewall($row);
      }
      $rslt = mysqli_free_result($result);
    }

/* Main program loop */
    while ( 1 == 1 ) {
      $SQL = "SELECT * FROM block_queue WHERE que_processed = 0;";
      if(!$result = $db->query($SQL)) {
        die('There was an error running the query [' . $db->error . ']');
      }
      while($row = $result->fetch_assoc()) {
        $x = AddToFirewall($row);
        $SQL2 = "UPDATE block_queue set que_processed = 1 WHERE que_id = " . $row['que_id'] . ";";
        if (!$result2 = $db->query($SQL2)) {
          die('There was an error running the query [' . $db->error . ']');
        }
        $rslt = mysqli_free_result($result2);
      }
      $rslt = mysqli_free_result($result);
      sleep(5); /* Sleep 5 seconds then do again */
      mysqli_ping($db);
    }
  $db->close();
?>
Sorry for so many post converting the post (a great job and an excellent tool) in my troubleshooting. Thanks.
Hmmmm...can you post the definition of your block_queue table?
mysql> show table create block_queue;
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Mon Apr 10, 2017 12:38 pm


Hmmmm...can you post the definition of your block_queue table?
mysql> show table create block_queue;
Here:
mysql> SHOW CREATE TABLE block_queue\G;
*************************** 1. row ***************************
       Table: block_queue
Create Table: CREATE TABLE `block_queue` (
  `que_id` int(11) NOT NULL AUTO_INCREMENT,
  `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
  `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
  `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
  `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
  `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
  `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
  `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
  `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)',
  PRIMARY KEY (`que_id`),
  KEY `que_added` (`que_added`)
) ENGINE=InnoDB AUTO_INCREMENT=644 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall'
1 row in set (0.00 sec)

ERROR: 
No query specified
mysql> check table block_queue;
+--------------------+-------+----------+----------+
| Table              | Op    | Msg_type | Msg_text |
+--------------------+-------+----------+----------+
| snorby.block_queue | check | status   | OK       |
+--------------------+-------+----------+----------+
1 row in set (0.01 sec)
Note: Now for 1h I leave/enter shell and script is adding lines on Mikrotik. However, I dont know how stable it will be this... I will keep monitoring all day, if you know how could I debug it please let me know.
I enabled logs mysql too, with this output constantly:
suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:48' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:50    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
170410 13:06:53    51 Query     SELECT `id`, `priority`, `attempts`, `handler`, `run_at`, `locked_at`, `failed_at` FROM `delayed_jobs` WHERE ((`locked_at` IS NULL OR `locked_at` < '2017-04-10 09:06:53' OR `locked_by` = 'delayed_job host:suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:53' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:55    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Tue Apr 11, 2017 4:59 am


Hmmmm...can you post the definition of your block_queue table?
mysql> show table create block_queue;
Here:
mysql> SHOW CREATE TABLE block_queue\G;
*************************** 1. row ***************************
       Table: block_queue
Create Table: CREATE TABLE `block_queue` (
  `que_id` int(11) NOT NULL AUTO_INCREMENT,
  `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
  `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
  `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
  `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
  `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
  `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
  `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
  `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)',
  PRIMARY KEY (`que_id`),
  KEY `que_added` (`que_added`)
) ENGINE=InnoDB AUTO_INCREMENT=644 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall'
1 row in set (0.00 sec)

ERROR: 
No query specified
mysql> check table block_queue;
+--------------------+-------+----------+----------+
| Table              | Op    | Msg_type | Msg_text |
+--------------------+-------+----------+----------+
| snorby.block_queue | check | status   | OK       |
+--------------------+-------+----------+----------+
1 row in set (0.01 sec)
Note: Now for 1h I leave/enter shell and script is adding lines on Mikrotik. However, I dont know how stable it will be this... I will keep monitoring all day, if you know how could I debug it please let me know.
I enabled logs mysql too, with this output constantly:
suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:48' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:50    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
170410 13:06:53    51 Query     SELECT `id`, `priority`, `attempts`, `handler`, `run_at`, `locked_at`, `failed_at` FROM `delayed_jobs` WHERE ((`locked_at` IS NULL OR `locked_at` < '2017-04-10 09:06:53' OR `locked_by` = 'delayed_job host:suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:53' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:55    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
Thanks.
OK, I'm thinking that perhaps there were bad records in the block_queue table from the initial trigger implementation using max's code. If those records expired then it shouldn't occur again. Keep me updated.

Thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik

Tue Apr 11, 2017 8:04 am


Hmmmm...can you post the definition of your block_queue table?
mysql> show table create block_queue;
Here:
mysql> SHOW CREATE TABLE block_queue\G;
*************************** 1. row ***************************
       Table: block_queue
Create Table: CREATE TABLE `block_queue` (
  `que_id` int(11) NOT NULL AUTO_INCREMENT,
  `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
  `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
  `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
  `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
  `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
  `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
  `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
  `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)',
  PRIMARY KEY (`que_id`),
  KEY `que_added` (`que_added`)
) ENGINE=InnoDB AUTO_INCREMENT=644 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall'
1 row in set (0.00 sec)

ERROR: 
No query specified
mysql> check table block_queue;
+--------------------+-------+----------+----------+
| Table              | Op    | Msg_type | Msg_text |
+--------------------+-------+----------+----------+
| snorby.block_queue | check | status   | OK       |
+--------------------+-------+----------+----------+
1 row in set (0.01 sec)
Note: Now for 1h I leave/enter shell and script is adding lines on Mikrotik. However, I dont know how stable it will be this... I will keep monitoring all day, if you know how could I debug it please let me know.
I enabled logs mysql too, with this output constantly:
suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:48' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:50    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
170410 13:06:53    51 Query     SELECT `id`, `priority`, `attempts`, `handler`, `run_at`, `locked_at`, `failed_at` FROM `delayed_jobs` WHERE ((`locked_at` IS NULL OR `locked_at` < '2017-04-10 09:06:53' OR `locked_by` = 'delayed_job host:suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:53' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:55    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
Thanks.
OK, I'm thinking that perhaps there were bad records in the block_queue table from the initial trigger implementation using max's code. If those records expired then it shouldn't occur again. Keep me updated.

Thanks!
Hi again!

In last 12h server had been running without problems. I dont know if it was for code, for triggers or something but its running correctly. I will be monitoring it today all day to check if script go down or not.
While... I will test your new update, OSSEC, it sounds really good. Could I install server on suricata's server and check agents, dont? I will receive all logs on suricata's server and I will check it on his own web GUI or Mikrotik if any IP have been banned.

Thanks for all your support Tom.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik

Tue Apr 11, 2017 8:10 am


Hmmmm...can you post the definition of your block_queue table?
mysql> show table create block_queue;
Here:
mysql> SHOW CREATE TABLE block_queue\G;
*************************** 1. row ***************************
       Table: block_queue
Create Table: CREATE TABLE `block_queue` (
  `que_id` int(11) NOT NULL AUTO_INCREMENT,
  `que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
  `que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
  `que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
  `que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
  `que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
  `que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
  `que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
  `que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)',
  PRIMARY KEY (`que_id`),
  KEY `que_added` (`que_added`)
) ENGINE=InnoDB AUTO_INCREMENT=644 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall'
1 row in set (0.00 sec)

ERROR: 
No query specified
mysql> check table block_queue;
+--------------------+-------+----------+----------+
| Table              | Op    | Msg_type | Msg_text |
+--------------------+-------+----------+----------+
| snorby.block_queue | check | status   | OK       |
+--------------------+-------+----------+----------+
1 row in set (0.01 sec)
Note: Now for 1h I leave/enter shell and script is adding lines on Mikrotik. However, I dont know how stable it will be this... I will keep monitoring all day, if you know how could I debug it please let me know.
I enabled logs mysql too, with this output constantly:
suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:48' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:50    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
170410 13:06:53    51 Query     SELECT `id`, `priority`, `attempts`, `handler`, `run_at`, `locked_at`, `failed_at` FROM `delayed_jobs` WHERE ((`locked_at` IS NULL OR `locked_at` < '2017-04-10 09:06:53' OR `locked_by` = 'delayed_job host:suricata pid:19102') AND `run_at` <= '2017-04-10 13:06:53' AND `failed_at` IS NULL) ORDER BY `priority`, `run_at` LIMIT 5
170410 13:06:55    49 Query     SELECT * FROM block_queue WHERE que_processed = 0
Thanks.
OK, I'm thinking that perhaps there were bad records in the block_queue table from the initial trigger implementation using max's code. If those records expired then it shouldn't occur again. Keep me updated.

Thanks!
Hi again!

In last 12h server had been running without problems. I dont know if it was for code, for triggers or something but its running correctly. I will be monitoring it today all day to check if script go down or not.
While... I will test your new update, OSSEC, it sounds really good. Could I install server on suricata's server and check agents, dont? I will receive all logs on suricata's server and I will check it on his own web GUI or Mikrotik if any IP have been banned.

Thanks for all your support Tom.
Glad to hear it is running well. Yes, install OSSEC server on same server as suricata.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 12, 2017 1:28 pm

OSSEC installed and running fine (excelent & easy manual).
Some question, I installed too web UI for OSSEC and its running fine too, but I would like to have logs from anothers servers to check integrity, logs, etc.

Most important question. Should I install agent on servers or since everything is addressed to Mikrotik I do not need to have the agents sending logs to the server?
Could I install agents on servers to have logs on web UI?
What did you think about install ntop too to check on graphic all office's traffic taking advantage of all mikrotik traffic goes to that server?

Thanks as always.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 12, 2017 1:45 pm

OSSEC installed and running fine (excelent & easy manual).
Two question, I installed too web UI for OSSEC and its running fine too, but I would like to have logs from anothers servers to check integrity, logs, etc.

Most important question. Should I install agent on servers or since everything is addressed to Mikrotik I do not need to have the agents sending logs to the server?
Could I install agents on servers to have logs on web UI?

Thanks as always.
From what I read the Web UI is no longer being maintained. Just an FYI. I never installed it.

Yes, you can install agents on other hosts, send logs to server, and trigger active events from those hosts on server. I have multiple agents sending their logs to the server and I can trigger an active response to the Mikrotik from any agent activity.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 12, 2017 2:40 pm

OSSEC installed and running fine (excelent & easy manual).
Two question, I installed too web UI for OSSEC and its running fine too, but I would like to have logs from anothers servers to check integrity, logs, etc.

Most important question. Should I install agent on servers or since everything is addressed to Mikrotik I do not need to have the agents sending logs to the server?
Could I install agents on servers to have logs on web UI?

Thanks as always.
From what I read the Web UI is no longer being maintained. Just an FYI. I never installed it.

Yes, you can install agents on other hosts, send logs to server, and trigger active events from those hosts on server. I have multiple agents sending their logs to the server and I can trigger an active response to the Mikrotik from any agent activity.
Ok, it sounds good, I will do it same to you.
And what do you think about ntop? any trouble in have in same server both services? I have Snorby on port 3000 but I could change ntop another port.

How could I enable notifications from Suricata/Snorby in email? I enabled Snorby emails in /opt/snorby/config/initializers/mail_config.rb
 ActionMailer::Base.delivery_method = :smtp
 ActionMailer::Base.smtp_settings = {
   :address              => "mail.mydomain.com",
   :port                 => Port_Sent_Email,
   :domain               => "mydomain.com",
   :user_name            => "myusername",
   :password             => "mypassword",
   :authentication       => "plain",
   :enable_starttls_auto => true
 }
But I don't see any logs neither any sent to my email.

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 13, 2017 12:01 pm

OSSEC installed and running fine (excelent & easy manual).
Two question, I installed too web UI for OSSEC and its running fine too, but I would like to have logs from anothers servers to check integrity, logs, etc.

Most important question. Should I install agent on servers or since everything is addressed to Mikrotik I do not need to have the agents sending logs to the server?
Could I install agents on servers to have logs on web UI?

Thanks as always.
From what I read the Web UI is no longer being maintained. Just an FYI. I never installed it.

Yes, you can install agents on other hosts, send logs to server, and trigger active events from those hosts on server. I have multiple agents sending their logs to the server and I can trigger an active response to the Mikrotik from any agent activity.
Ok, it sounds good, I will do it same to you.
And what do you think about ntop? any trouble in have in same server both services? I have Snorby on port 3000 but I could change ntop another port.

How could I enable notifications from Suricata/Snorby in email? I enabled Snorby emails in /opt/snorby/config/initializers/mail_config.rb
 ActionMailer::Base.delivery_method = :smtp
 ActionMailer::Base.smtp_settings = {
   :address              => "mail.mydomain.com",
   :port                 => Port_Sent_Email,
   :domain               => "mydomain.com",
   :user_name            => "myusername",
   :password             => "mypassword",
   :authentication       => "plain",
   :enable_starttls_auto => true
 }
But I don't see any logs neither any sent to my email.

Thanks.
I didn't have any problems running ntop on the same server. Yes, just change the port. With regards to email from suricata, I can't help you there as I haven't implemented that feature.
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 20, 2017 7:22 pm

Hello to all

I release 2 project at GitHub:

https://github.com/elmaxid/ips-mikrotik-suricata: Module to connect Suricata / Barnyard2 to MikroTik for IPS on an eventual alert

** Features
* Detect an Alert from Suricata and connect to RouterOS to block de Attack source IP Address
* Notification:
* Email
* Telegram (API Bot)
https://github.com/elmaxid/webpanel_ips ... k_suricata: WebPanel for Manager Alerts Rules for IPS MikroTik Suricata

I will write an article on wiki to implement this combo to make an IPS with Suricata and RouterOS.

Regards

M.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 26, 2017 8:54 am

Hi, yesterday I had a false positive with this:
fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP}

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7;)

I'm seeing that rule which if it detects 30 count in 60 sec it will drop the traffic, its okay and mikotik dropped all traffic, but my question is. Are there way to upload that limit or add my public IP as whitelist?

Maybe adding in threshold.config this to avoid ban IP?
suppress gen_id 1, sig_id 2002994, track by_src, ip my_ip_public

Any idea to upload limit? I won't like remove that rule from that IP really but if there isn't another solution I will have to do it.

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 26, 2017 9:32 am

Hi, yesterday I had a false positive with this:
fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP}

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7;)

I'm seeing that rule which if it detects 30 count in 60 sec it will drop the traffic, its okay and mikotik dropped all traffic, but my question is. Are there way to upload that limit or add my public IP as whitelist?

Maybe adding in threshold.config this to avoid ban IP?
suppress gen_id 1, sig_id 2002994, track by_src, ip my_ip_public

Any idea to upload limit? I won't like remove that rule from that IP really but if there isn't another solution I will have to do it.

Thanks.
In oinkmaster.conf you can modify rules are they are loaded. In this case, you can change the count and seconds parameter on this rule using the following directive:
modifysid 2002994 "count 30, seconds 60;" "count 60; seconds 120;"
Look for the modifysid directive in your oinkmaster.conf. For more info check out https://redmine.openinfosecfoundation.o ... Oinkmaster
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 26, 2017 9:58 am

Hi, yesterday I had a false positive with this:
fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP}

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7;)

I'm seeing that rule which if it detects 30 count in 60 sec it will drop the traffic, its okay and mikotik dropped all traffic, but my question is. Are there way to upload that limit or add my public IP as whitelist?

Maybe adding in threshold.config this to avoid ban IP?
suppress gen_id 1, sig_id 2002994, track by_src, ip my_ip_public

Any idea to upload limit? I won't like remove that rule from that IP really but if there isn't another solution I will have to do it.

Thanks.
In oinkmaster.conf you can modify rules are they are loaded. In this case, you can change the count and seconds parameter on this rule using the following directive:
modifysid 2002994 "count 30, seconds 60;" "count 60; seconds 120;"
Look for the modifysid directive in your oinkmaster.conf. For more info check out https://redmine.openinfosecfoundation.o ... Oinkmaster
Thanks you very much as always. I added it to my file.

A question, I had in threshold.config another rules (suppress gen_id 1, sig_id 2020565 for example). I added it to oinkmaster.conf too. Suricata checks both files?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 26, 2017 10:07 am

Hi, yesterday I had a false positive with this:
fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP}

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7;)

I'm seeing that rule which if it detects 30 count in 60 sec it will drop the traffic, its okay and mikotik dropped all traffic, but my question is. Are there way to upload that limit or add my public IP as whitelist?

Maybe adding in threshold.config this to avoid ban IP?
suppress gen_id 1, sig_id 2002994, track by_src, ip my_ip_public

Any idea to upload limit? I won't like remove that rule from that IP really but if there isn't another solution I will have to do it.

Thanks.
In oinkmaster.conf you can modify rules are they are loaded. In this case, you can change the count and seconds parameter on this rule using the following directive:
modifysid 2002994 "count 30, seconds 60;" "count 60; seconds 120;"
Look for the modifysid directive in your oinkmaster.conf. For more info check out https://redmine.openinfosecfoundation.o ... Oinkmaster
Thanks you very much as always. I added it to my file.

A question, I had in threshold.config another rules (suppress gen_id 1, sig_id 2020565 for example). I added it to oinkmaster.conf too. Suricata checks both files?
Oinkmaster checks for new rules from the public sources and loads them. That is where the modifysid directive will take place.

Suricata uses the rules to determine how it matches patterns against the network traffic and suppresses those rules you've put in threshold.config.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 26, 2017 10:25 am

Hi, yesterday I had a false positive with this:
fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP}

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7;)

I'm seeing that rule which if it detects 30 count in 60 sec it will drop the traffic, its okay and mikotik dropped all traffic, but my question is. Are there way to upload that limit or add my public IP as whitelist?

Maybe adding in threshold.config this to avoid ban IP?
suppress gen_id 1, sig_id 2002994, track by_src, ip my_ip_public

Any idea to upload limit? I won't like remove that rule from that IP really but if there isn't another solution I will have to do it.

Thanks.
In oinkmaster.conf you can modify rules are they are loaded. In this case, you can change the count and seconds parameter on this rule using the following directive:
modifysid 2002994 "count 30, seconds 60;" "count 60; seconds 120;"
Look for the modifysid directive in your oinkmaster.conf. For more info check out https://redmine.openinfosecfoundation.o ... Oinkmaster
Thanks you very much as always. I added it to my file.

A question, I had in threshold.config another rules (suppress gen_id 1, sig_id 2020565 for example). I added it to oinkmaster.conf too. Suricata checks both files?
Oinkmaster checks for new rules from the public sources and loads them. That is where the modifysid directive will take place.

Suricata uses the rules to determine how it matches patterns against the network traffic and suppresses those rules you've put in threshold.config.
Nice, thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 26, 2017 2:01 pm

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 3:48 am

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:09 am

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:20 am

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible?

Thanks.
There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 8:28 am

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible?

Thanks.
There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc)
Here a example (body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 11:44 am

Hi, I'm trying to enable notifications via email to my account but I was reading and reading and I haven't luck. I use postfix and I'm trying to send it to a server with TLS (I created file sasl in postfix with details login)
How could I enable it?

Thanks.
Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible?

Thanks.
There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc)
Here a example (body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
Check the update to suricata_block.php that I just made. :)
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 1:49 pm

Are you referring to maximan's implementation?
No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible?

Thanks.
There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc)
Here a example (body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
Check the update to suricata_block.php that I just made. :)
Thanks! Its an email very useful :D :D
I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine.

Thanks again for your job.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 2:51 pm


No no, I'm using your main implementation. I have Mikrotik enabled with logs and I receive some emails when router drops something but I would like to get emails too, is it possible?

Thanks.
There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc)
Here a example (body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
Check the update to suricata_block.php that I just made. :)
Thanks! Its an email very useful :D :D
I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine.

Thanks again for your job.
I have a little problem, when the event notification turns on? If I use from shell mail -s "test" xxxx@hotmail.com I get it, but not with script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 27, 2017 3:02 pm


There is not an email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik?
I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc)
Here a example (body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
Check the update to suricata_block.php that I just made. :)
Thanks! Its an email very useful :D :D
I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine.

Thanks again for your job.
I have a little problem, when the event notification turns on? If I use from shell mail -s "test" xxxx@hotmail.com I get it, but not with script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
Check these settings in php.ini:

http://php.net/manual/en/mail.configuration.php
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 8:28 am


I added that option, in rule I marked "Log" and i receive emails when Mikrotik blocks but I would like an email from Suricata if blocks anything. The email from Mikrotik isn't very useful because the info isn't complete (Not cause, not rule ID, etc)
Here a example (body is empty):

firewall,info [DROP_BLOCK] input: in:A_Router_Mail/Nas_XXXX_eth2 out:(none), src-mac f8:8e:85:e2:49:18, proto TCP (SYN), 91.197.234.22:43276->192.168.3.2:3380, len 44

thanks.
Check the update to suricata_block.php that I just made. :)
Thanks! Its an email very useful :D :D
I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine.

Thanks again for your job.
I have a little problem, when the event notification turns on? If I use from shell mail -s "test" xxxx@hotmail.com I get it, but not with script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
Check these settings in php.ini:

http://php.net/manual/en/mail.configuration.php
I got a test successfully but I don't receive emails from script suricata-block. How could I debug it more? I have alerts on Snorby which I think that I should have an email from script.

Here my test.php which I receive alerts:
<?php
$to = "mydomain@mydomain.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: mydomain@mydomain.com" . "\r\n" .
"CC: mydomain@mydomain.com";

mail($to,$subject,$txt,$headers);
?>
Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 8:33 am


Check the update to suricata_block.php that I just made. :)
Thanks! Its an email very useful :D :D
I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine.

Thanks again for your job.
I have a little problem, when the event notification turns on? If I use from shell mail -s "test" xxxx@hotmail.com I get it, but not with script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
Check these settings in php.ini:

http://php.net/manual/en/mail.configuration.php
I got a test successfully but I don't receive emails from script suricata-block. How could I debug it more? I have alerts on Snorby which I think that I should have an email from script.

Here my test.php which I receive alerts:
<?php
$to = "mydomain@mydomain.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: mydomain@mydomain.com" . "\r\n" .
"CC: mydomain@mydomain.com";

mail($to,$subject,$txt,$headers);
?>
Thanks.
You did update suricata_block.php with the new one? That is the same code as in suricata_block.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 28, 2017 9:26 am


Thanks! Its an email very useful :D :D
I have to change some values on my mail server because I'm using TLS 587 but I will let you know when its done and working fine.

Thanks again for your job.
I have a little problem, when the event notification turns on? If I use from shell mail -s "test" xxxx@hotmail.com I get it, but not with script suricata_block.php. Should I enable anything more?

I can't see any log from that script. How could I debug it? Thanks again.
Check these settings in php.ini:

http://php.net/manual/en/mail.configuration.php
I got a test successfully but I don't receive emails from script suricata-block. How could I debug it more? I have alerts on Snorby which I think that I should have an email from script.

Here my test.php which I receive alerts:
<?php
$to = "mydomain@mydomain.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: mydomain@mydomain.com" . "\r\n" .
"CC: mydomain@mydomain.com";

mail($to,$subject,$txt,$headers);
?>
Thanks.
You did update suricata_block.php with the new one? That is the same code as in suricata_block.
Solved! I use Debian and I had to declare variable before with this:

$email_alert = true;

Now I receive emails from alerts. Thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri May 05, 2017 2:12 pm

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it?
I have logs with info, as
/etc/ossec/logs/active-responses.log
Here a example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting blank result and for that reason mikrotik doesn't add any rule, here output exec scrip:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat May 06, 2017 5:37 am

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it?
I have logs with info, as
/etc/ossec/logs/active-responses.log
Here a example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting blank result and for that reason mikrotik doesn't add any rule, here output exec scrip:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 09, 2017 1:06 pm

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it?
I have logs with info, as
/etc/ossec/logs/active-responses.log
Here a example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting blank result and for that reason mikrotik doesn't add any rule, here output exec scrip:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response.
Sorry for late reply. Here a example alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 09, 2017 3:34 pm

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it?
I have logs with info, as
/etc/ossec/logs/active-responses.log
Here a example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting blank result and for that reason mikrotik doesn't add any rule, here output exec scrip:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response.
Sorry for late reply. Here a example alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
If that is the actual contents of the log, "192.168.X.X" then the reason it is failing is because the script can't find a full IP address.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 8:40 am

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it?
I have logs with info, as
/etc/ossec/logs/active-responses.log
Here a example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting blank result and for that reason mikrotik doesn't add any rule, here output exec scrip:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response.
Sorry for late reply. Here a example alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
If that is the actual contents of the log, "192.168.X.X" then the reason it is failing is because the script can't find a full IP address.
Uhmm so I understand that its works fine, when an event ocurrs script will get full IP I understand, don't?

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 8:57 am

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receive any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it?
I have logs with info, as
/etc/ossec/logs/active-responses.log
Here a example:
Thu May  4 10:51:19 CEST 2017 /etc/ossec/active-response/bin/mikrotik-fw.sh add - - 1493887879.417847 100074 (mail.xxx.dom) 192.168.X.X->/var/log/syslog -
I think that I am getting blank result and for that reason mikrotik doesn't add any rule, here output exec scrip:
#sh -x mikrotik-fw.sh 
+ ACTION=
+ USER=
+ IP=
+ ALERTID=
+ RULEID=
+ dirname mikrotik-fw.sh
+ LOCAL=.
+ cd .
+ cd ../
+ pwd
+ PWD=/etc/ossec/active-response
+ date
+ echo Fri May  5 13:15:39 CEST 2017 mikrotik-fw.sh        
+ echo 
+ cut -d . -f 1
+ ALERTTIME=
+ echo 
+ cut -d . -f 2
+ ALERTLAST=
+ sed -n //,/^$/{/^$/!p} /etc/ossec/active-response/../logs/alerts/alerts.log
+ tail -n1
sed: -e expression #1, char 0: no previous regular expression
+ LOGLINE=
mikrotik-fw.sh: 2: mikrotik-fw.sh: Syntax error: redirection unexpected
Any idea? thanks as always!
Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response.
Sorry for late reply. Here a example alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
If that is the actual contents of the log, "192.168.X.X" then the reason it is failing is because the script can't find a full IP address.
Uhmm so I understand that its works fine, when an event ocurrs script will get full IP I understand, don't?

Thanks!
Yes, if the event from the log file contains the full IP address, it works.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed May 10, 2017 11:57 am


Can you show the line from the alerts.log that it is trying to match against? The script is trying to find an IP address in line that triggered the active response.
Sorry for late reply. Here a example alerts.log:

** Alert 1494324377.869344: mail - syslog,sshd,
2017 May 09 12:06:17 (mail.mydomain.com) 192.168.X.X->/var/log/auth.log
Rule: 5739 (level 4) -> 'SSHD configuration error (AuthorizedKeysCommand)'
May 9 12:00:30 mail sshd[10831]: error: Could not stat AuthorizedKeysCommand "/usr/local/bin/ssh-ldap-pubkey-wrapper": No such file or directory

Thanks!
If that is the actual contents of the log, "192.168.X.X" then the reason it is failing is because the script can't find a full IP address.
Uhmm so I understand that its works fine, when an event ocurrs script will get full IP I understand, don't?

Thanks!
Yes, if the event from the log file contains the full IP address, it works.
Nice! So, I feel calmer without see attackers :)

Which it will be your next update? I wait it to test it :D

Thanks (one more time).
 
lorenzo95
just joined
Posts: 3
Joined: Fri May 29, 2015 8:02 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon May 29, 2017 2:04 am

Wow, this is fantastic :) . A great way to do it without having to use an inline IPS.
Just one question: can we do it without snorby? Could you maybe provide a full sql schema instead of just your additions for barnyard to write to?

I usually use suricata with evebox (json api) so I was just trying to think of a way to use this solution without having to install ruby and such.

Edit: would this schema work when imported into a database named snorby?
https://github.com/firnsy/barnyard2/blo ... eate_mysql

Thanks
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon May 29, 2017 10:41 am

Wow, this is fantastic :) . A great way to do it without having to use an inline IPS.
Just one question: can we do it without snorby? Could you maybe provide a full sql schema instead of just your additions for barnyard to write to?

I usually use suricata with evebox (json api) so I was just trying to think of a way to use this solution without having to install ruby and such.

Edit: would this schema work when imported into a database named snorby?
https://github.com/firnsy/barnyard2/blo ... eate_mysql

Thanks
Yes. I use Suricata as well so as long as the alerts get moved into the snorby structure using barnyard2 all should be good. And yes, adding the database structure you linked to is what is needed.

Tom
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 12:44 pm

Hi,

Tried to implement this solution. I use Ubuntu 16.04 with mysql 5.7.18. When I put a trigger in place I get this while loading barnyard2:

Code: Select all

ERROR: database mysql_error: Unknown column 'event.id' in 'field list'
SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,2211,3232235876,3109214298,4,5,0,44,12662,0,0,64,17,46481);]
Fatal Error, Quitting..
Without a trigger my events are exporting fine. It seems my db cannot handle nested querry. Any ideas what is wrong?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 3:09 pm

Hi,

Tried to implement this solution. I use Ubuntu 16.04 with mysql 5.7.18. When I put a trigger in place I get this while loading barnyard2:

Code: Select all

ERROR: database mysql_error: Unknown column 'event.id' in 'field list'
SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,2211,3232235876,3109214298,4,5,0,44,12662,0,0,64,17,46481);]
Fatal Error, Quitting..
Without a trigger my events are exporting fine. It seems my db cannot handle nested querry. Any ideas what is wrong?
Can you check the definition of the event table in the database?
show columns from event;
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 5:28 pm

Code: Select all

+-----------+------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid | int(10) unsigned | NO | PRI | NULL | |
| cid | int(10) unsigned | NO | PRI | NULL | |
| signature | int(10) unsigned | NO | MUL | NULL | |
| timestamp | datetime | NO | MUL | NULL | |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.00 sec)
It was created using schema in barnyard2 repository.
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Jun 05, 2017 7:23 pm

Hey guys, i am stuck on the whole Database Trigger part. Whenever i try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still i got the same error.

I am really eager to try this as it seems fairly interesting,

Thanks!
error.JPG
You do not have the required permissions to view the files attached to this post.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:38 am

Code: Select all

+-----------+------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------------+------+-----+---------+-------+
| sid | int(10) unsigned | NO | PRI | NULL | |
| cid | int(10) unsigned | NO | PRI | NULL | |
| signature | int(10) unsigned | NO | MUL | NULL | |
| timestamp | datetime | NO | MUL | NULL | |
+-----------+------------------+------+-----+---------+-------+
4 rows in set (0.00 sec)
It was created using schema in barnyard2 repository.
OK, that doesn't match the snort/snorby schema. I've included the snort/snorby schema in the post. Create the database with that schema and all should be good.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:41 am

Hey guys, i am stuck on the whole Database Trigger part. Whenever i try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still i got the same error.

I am really eager to try this as it seems fairly interesting,

Thanks!
error.JPG
Does my reply from Mon Feb 27, 2017 10:44 am help?
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 12:33 pm

Hey guys, i am stuck on the whole Database Trigger part. Whenever i try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still i got the same error.

I am really eager to try this as it seems fairly interesting,

Thanks!
error.JPG
Does my reply from Mon Feb 27, 2017 10:44 am help?
Try with changing delimiter:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Last edited by rapiertg on Tue Jun 06, 2017 3:39 pm, edited 1 time in total.
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 2:26 pm

Ok, new record are added to firewall's access list. One issue with it, is that they are added as unsigned long. Somehow they are not converted to addresses.
You do not have the required permissions to view the files attached to this post.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 2:44 pm

Ok, new record are added to firewall's access list. One issue with it, is that they are added as unsigned long. Somehow they are not converted to addresses.
Check the records in the block_queue table. Should be populated with IP v4 addresses. They are converted from numeric to IP v4 address by the trigger with inet_ntoa function.
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 3:56 pm

Hey guys, i am stuck on the whole Database Trigger part. Whenever i try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still i got the same error.

I am really eager to try this as it seems fairly interesting,

Thanks!
error.JPG
Does my reply from Mon Feb 27, 2017 10:44 am help?
Try with changing delimiter:
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
  FOR EACH ROW BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Thanks for the reply! I tried this and got a new error,
ERROR 1054 (42S22) at line 2: Unknown column 'sid' in 'NEW'
Also tomfisk, i tried adding it straight to the triggers tab in phpMyAdmin, but i get the same error that is presented on the command line. I think it may have something to do with the iphdr table. Is there anything specific i have to do with that to get it to work?

Thanks guys!
 
rapiertg
just joined
Posts: 16
Joined: Fri Feb 26, 2016 8:26 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 4:31 pm

Ok, new record are added to firewall's access list. One issue with it, is that they are added as unsigned long. Somehow they are not converted to addresses.
Check the records in the block_queue table. Should be populated with IP v4 addresses. They are converted from numeric to IP v4 address by the trigger with inet_ntoa function.
Working great. Somehow I had maximan's trigger instead of Yours, which handle conversion elsewhere. Thanks!
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 8:38 pm

I figured out my mistake, sorry guys im kinda stupid lol, i had to install barnyard2... -_-
 
User avatar
mlpaul
just joined
Posts: 13
Joined: Thu Apr 20, 2017 11:02 pm
Location: Ohio, United States

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 06, 2017 11:38 pm

Hey tom, i think there is an issue with the routeros_api.class.php file i got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros- ... .class.php and when i run it, i get errors such as:
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 332
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 339
PHP Warning:  fread() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 255
PHP Warning:  socket_get_status() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 302
PHP Notice:  Undefined offset: 0 in /usr/local/bin/suricata_block.php on line 125
Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jun 07, 2017 5:05 am

Hey tom, i think there is an issue with the routeros_api.class.php file i got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros- ... .class.php and when i run it, i get errors such as:
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 332
PHP Warning:  fwrite() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 339
PHP Warning:  fread() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 255
PHP Warning:  socket_get_status() expects parameter 1 to be resource, boolean given in /usr/local/bin/routeros_api.class.php on line 302
PHP Notice:  Undefined offset: 0 in /usr/local/bin/suricata_block.php on line 125
Thanks!
Here's the comment block at the top of my routeros_api.class.php file and my reference for the file is https://github.com/BenMenking/routeros- ... master.zip
/*****************************
 *
 * RouterOS PHP API class v1.6
 * Author: Denis Basta
 * Contributors:
 *    Nick Barnes
 *    Ben Menking (ben [at] infotechsc [dot] com)
 *    Jeremy Jefferson (http://jeremyj.com)
 *    Cristian Deluxe (djcristiandeluxe [at] gmail [dot] com)
 *    Mikhail Moskalev (mmv.rus [at] gmail [dot] com)
 *
 * http://www.mikrotik.com
 * http://wiki.mikrotik.com/wiki/API_PHP_class
 *
 ******************************/
 
SystemErrorMessage
Member
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 8:39 am

This looks like one of the things i've been searching for however i would like to know how much CPU is needed for this. Would using a quad core ARM A17 with gigabit ethernet would be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a usb port which can power it.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 9:17 am

This looks like one of the things i've been searching for however i would like to know how much CPU is needed for this. Would using a quad core ARM A17 with gigabit ethernet would be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a usb port which can power it.
When it comes to running suricata it really depends on your traffic mix. If you have lots of users on your network then you'll have more unique sessions to keep track of. In general, the more memory you have available, the better off you will be. I'm running on a quad core ARM A9 with gigabit ethernet (4gb memory) with loads peaking around 200mbs and with typically less than 100 sessions. The A17 is supposed to be 60% higher performance. So I'd give it a qualified "yes" if you have the memory to support your sessions. There is an entire chapter on suricata performance in their documentation which might be worth a read: http://suricata.readthedocs.io/en/lates ... index.html
 
SystemErrorMessage
Member
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Jun 29, 2017 3:30 pm

This looks like one of the things i've been searching for however i would like to know how much CPU is needed for this. Would using a quad core ARM A17 with gigabit ethernet would be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a usb port which can power it.
When it comes to running suricata it really depends on your traffic mix. If you have lots of users on your network then you'll have more unique sessions to keep track of. In general, the more memory you have available, the better off you will be. I'm running on a quad core ARM A9 with gigabit ethernet (4gb memory) with loads peaking around 200mbs and with typically less than 100 sessions. The A17 is supposed to be 60% higher performance. So I'd give it a qualified "yes" if you have the memory to support your sessions. There is an entire chapter on suricata performance in their documentation which might be worth a read: http://suricata.readthedocs.io/en/lates ... index.html
Thanks, so basically its all down to how many thousands of torrent connections i want to be able to support for memory usage or how many fps gamers there'll be on the network (a lot of fps games send many minimal sized packets) for cpu usage. I might need a better machine.
 
Guram
just joined
Posts: 1
Joined: Tue Jul 04, 2017 2:09 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jul 04, 2017 2:17 pm

Hello, I'm try to implement this one, but I don't know how to test it, works or not. Please help my!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jul 04, 2017 2:56 pm

Hello, I'm try to implement this one, but I don't know how to test it, works or not. Please help my!
There are several tutorials on testing the alerts on Suricata. For example, look at paragraph 1.5 of this tutorial to test if the rules are firing.

https://web.nsrc.org/workshops/2015/pac ... g-test.htm
 
Percanta
newbie
Posts: 39
Joined: Tue Feb 24, 2009 1:00 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 10, 2017 5:48 pm

Good day
Thank you for sharing this , my comments:
looking the blocked ips (public) i notice the most times are caused by the same clients (ip private) so i decided not send this traffic again to suricata during the blocked time, then i stopped packet sniff and i use mangle
/ip fi ma
add action=sniff-tzsp out-interface=LAN chain=forward sniff-target=172.18.1.4 sniff-target-port=37008 src-address-list=!Blocked

Maybe it'd be great to know lan ip in the comment of the address list and/or telegram, i know i could search it on snorby web but it'd more practical like this
/ip firewall address-list> pr wh list =Blocked
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 D ;;; From suricata, ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397 => 1:2522792 => event timestamp: 2017-08-10 08:28:38, Address=192.168.X.X
Blocked 46.28.110.244 aug/10/2017 13:28:41 3m12s

ive' added this to mikrotik-fw.sh for send telegram message (ossec active response)
rm $tmpfile
curl --data chat_id=-0000000 --data-urlencode "text="'"'"OSSEC HIDS >> $LOGLINE"'"'", Timeout 23:59:59" https://api.telegram.org/bot00000:ewrj4lrjlrkj5lwrfwjrj5/sendMessage
Regards
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Aug 14, 2017 6:08 am

Thanks for your comments Percanta. I will look at adding in the IP of the internal source/destination to the comment.

Tom
 
Percanta
newbie
Posts: 39
Joined: Tue Feb 24, 2009 1:00 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Aug 14, 2017 4:48 pm

Good day
i've made this,
added a new column for queue_block table
ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL;
modify trigger
                         
....                         
                           INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_src,
                               `que_ip_adrlan = NEW.ip_dst,`
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          ELSE
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_dst,
                               `que_ip_adrlan = NEW.ip_src,`
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          END IF;
                        END IF;
                      END;;
                      DELIMITER ;
Now we can use the other ip address, for example
$API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow[ 'que_ip_adrlan' ] .    $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
Tom i have a doubt, how did u choose the 20 signatures to block?? i see around 1000 in signature table :lol: :lol: :lol: , or where can i get info about how to choose them, thank you

regards
 
User avatar
otgooneo
Trainer
Trainer
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Aug 15, 2017 5:07 am

Sorry for being lazy. But does any one have pre-configured image, which supports to install it and change minor configurations like IP address, username and password?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Aug 15, 2017 5:18 am

Good day
i've made this,
added a new column for queue_block table
ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL;
modify trigger
                         
....                         
                           INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_src,
                               `que_ip_adrlan = NEW.ip_dst,`
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          ELSE
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_dst,
                               `que_ip_adrlan = NEW.ip_src,`
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          END IF;
                        END IF;
                      END;;
                      DELIMITER ;
Now we can use the other ip address, for example
$API->comm("/ip/firewall/address-list/add", array(
      "list" => "Blocked",
      "address" => $thisrow['que_ip_adr'],
      "timeout" => $timeremaining,
      "comment" => "From suricata, " . $thisrow[ 'que_ip_adrlan' ] .    $thisrow['que_sig_name'] . " => " . $thisrow['que_sig_gid'] . ":" . $thisrow['que_sig_sid'] .
         " => event timestamp: " . $thisrow['que_event_timestamp'],));
Tom i have a doubt, how did u choose the 20 signatures to block?? i see around 1000 in signature table :lol: :lol: :lol: , or where can i get info about how to choose them, thank you

regards
Thanks for the code updates Percanta!

With regard to the number of signatures I block...this is on a home "lab" network so instead of blocking all activity, I wait to see what activity is coming in and then block specific signatures or blocks of signatures. If this was on a corporate network, I would take the other approach...block every signature and then look at excluding specific activity that is valid.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 23, 2017 2:40 pm

A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to kill old process automatically?

I normally each week, stop daemon and re-start all again.

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 7:31 am

In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to kill old process automatically?

I normally each week, stop daemon and re-start all again.

Thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 12:22 pm

In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to kill old process automatically?

I normally each week, stop daemon and re-start all again.

Thanks!
Yes, It can help, do you start after process again with any particular script or with normal script?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 12:29 pm

I do it in my oinkupdate.sh script.
#!/bin/bash                                             
/usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules                            
chown snort:snort /etc/suricata/rules/*                 
pkill -USR2 -u snort -f /usr/bin/suricata               
/etc/init.d/aanval restart                              
/etc/init.d/barnyard2 stop                              
sleep 5                                                 
/etc/init.d/barnyard2 start
In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to kill old process automatically?

I normally each week, stop daemon and re-start all again.

Thanks!
Yes, It can help, do you start after process again with any particular script or with normal script?

Thanks.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 24, 2017 1:42 pm

I do it in my oinkupdate.sh script.
#!/bin/bash                                             
/usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules                            
chown snort:snort /etc/suricata/rules/*                 
pkill -USR2 -u snort -f /usr/bin/suricata               
/etc/init.d/aanval restart                              
/etc/init.d/barnyard2 stop                              
sleep 5                                                 
/etc/init.d/barnyard2 start
In my nightly process to update the rules, I issue the following command to suricata:
pkill -USR2 -u snort -f /usr/bin/suricata
This might help with the problem.
A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to kill old process automatically?

I normally each week, stop daemon and re-start all again.

Thanks!
Yes, It can help, do you start after process again with any particular script or with normal script?

Thanks.
Good idea, done too :) thanks!
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 12:46 pm

Very much I ask - help!
Everything was done step by step.
After creating the table, sigs_to_block and TRIGGER barnyard2 stopped writing to the database.
Ends with an error:
Aug 30 11:43:14 sv-ips-01 barnyard2: FATAL ERROR: database mysql_error: In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'snorby.sigs_to_block.src_or_dst'; this is incompatible with sql_mode=only_full_group_by#012#011SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,22527,1539234099,3274620322,4,5,0,45,0,0,0,0,6,1289);]
ОК.
I turned on the desired mode in mySQL:
mysql> select @@sql_mode;
+------------------------+
| @@sql_mode             |
+------------------------+
| NO_ENGINE_SUBSTITUTION |
+------------------------+
1 row in set (0,00 sec)
It did not help!
How to fix it?
What's my mistake?
There are no answers on the Internet ...
Help me please!
OS: Ubuntu 16.04.3 AMD64
Barnyard2 Version 2.1.14 (Build 337)
As I understand, this is not working properly trigger ..
I created the trigger like this:
mysql -u root -p snorby < trigger_code.sql
trigger_code.sql:
DELIMITER ;;
                      CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
                      BEGIN
                        DECLARE this_event INT(11) default 0;
                        DECLARE this_event_signature INT(10) default 0;
                        DECLARE this_event_timestamp TIMESTAMP;
                        DECLARE this_sig INT(10) default 0;
                        DECLARE this_sig_name VARCHAR(256) default "";
                        DECLARE this_sig_gid INT(10) default 0;
                        DECLARE timeout VARCHAR(12) default "";
                        DECLARE interested INT default 0;
                        DECLARE direction VARCHAR(3) default "";
                        DECLARE ip_src VARCHAR(64) default "";
                        DECLARE ip_dst VARCHAR(64) default "";
                        SELECT event.id, event.signature, event.timestamp
                        INTO this_event, this_event_signature, this_event_timestamp
                        FROM event
                        WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
                        SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
                        INTO this_sig, this_sig_gid, this_sig_name
                        FROM signature
                        WHERE signature.sig_id = this_event_signature;
                        SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
                        INTO interested, direction, timeout
                        FROM sigs_to_block
                        WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
                        IF (interested > 0) THEN
                         IF (direction = "src") THEN
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_src,
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          ELSE
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_dst,
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          END IF;
                        END IF;
                      END;;
DELIMITER ;
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 2:33 pm

OK.
I drop trigger:
mysql> use snorby;
mysql> drop trigger `after_iphdr_insert`;
run barnyard2.
Everything is great. He works!
Aug 30 14:22:47 sv-ips-01 barnyard2:         --== Initialization Complete ==--
Aug 30 14:22:47 sv-ips-01 barnyard2: Barnyard2 initialization completed successfully (pid=11329)
Aug 30 14:22:47 sv-ips-01 barnyard2: Using waldo file '/var/log/suricata/suricata.waldo':#012    spool directory = /var/log/suricata/#012
Aug 30 14:22:47 sv-ips-01 barnyard2: Opened spool file '/var/log/suricata//unified2.alert.1504074207'
......
Aug 30 14:25:08 sv-ips-01 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 2633] with [gid: 1] [sid: 2522988] [rev: 3068] [classif...
Aug 30 14:30:26 sv-ips-01 barnyard2: INFO [dbProcessSignatureInformation()]: [Event: 2685] with [gid: 1] [sid: 2403336] [rev: 3794] [classif...
What's wrong with the trigger?
How should its code be written correctly?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 2:51 pm

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following:
  1. sudo nano /etc/mysql/my.cnf
  2. Add this to the end of the file
    [mysqld]  
    sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. sudo service mysql restart to restart MySQL
Very much I ask - help!
Everything was done step by step.
After creating the table, sigs_to_block and TRIGGER barnyard2 stopped writing to the database.
Ends with an error:
Aug 30 11:43:14 sv-ips-01 barnyard2: FATAL ERROR: database mysql_error: In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'snorby.sigs_to_block.src_or_dst'; this is incompatible with sql_mode=only_full_group_by#012#011SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES (1,22527,1539234099,3274620322,4,5,0,45,0,0,0,0,6,1289);]
ОК.
I turned on the desired mode in mySQL:
mysql> select @@sql_mode;
+------------------------+
| @@sql_mode             |
+------------------------+
| NO_ENGINE_SUBSTITUTION |
+------------------------+
1 row in set (0,00 sec)
It did not help!
How to fix it?
What's my mistake?
There are no answers on the Internet ...
Help me please!
OS: Ubuntu 16.04.3 AMD64
Barnyard2 Version 2.1.14 (Build 337)
As I understand, this is not working properly trigger ..
I created the trigger like this:
mysql -u root -p snorby < trigger_code.sql
trigger_code.sql:
DELIMITER ;;
                      CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
                      BEGIN
                        DECLARE this_event INT(11) default 0;
                        DECLARE this_event_signature INT(10) default 0;
                        DECLARE this_event_timestamp TIMESTAMP;
                        DECLARE this_sig INT(10) default 0;
                        DECLARE this_sig_name VARCHAR(256) default "";
                        DECLARE this_sig_gid INT(10) default 0;
                        DECLARE timeout VARCHAR(12) default "";
                        DECLARE interested INT default 0;
                        DECLARE direction VARCHAR(3) default "";
                        DECLARE ip_src VARCHAR(64) default "";
                        DECLARE ip_dst VARCHAR(64) default "";
                        SELECT event.id, event.signature, event.timestamp
                        INTO this_event, this_event_signature, this_event_timestamp
                        FROM event
                        WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
                        SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
                        INTO this_sig, this_sig_gid, this_sig_name
                        FROM signature
                        WHERE signature.sig_id = this_event_signature;
                        SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
                        INTO interested, direction, timeout
                        FROM sigs_to_block
                        WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
                        IF (interested > 0) THEN
                         IF (direction = "src") THEN
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_src,
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          ELSE
                            INSERT INTO block_queue
                         SET que_ip_adr =NEW.ip_dst,
                                que_timeout = timeout,
                                que_sig_name = this_sig_name,
                                que_sig_gid = this_sig_gid,
                                que_sig_sid = this_sig,
                                que_event_timestamp = this_event_timestamp;
                          END IF;
                        END IF;
                      END;;
DELIMITER ;
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:25 pm

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following:
  1. sudo nano /etc/mysql/my.cnf
  2. Add this to the end of the file
    [mysqld]  
    sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. sudo service mysql restart to restart MySQL
OK.
I did everything as you wrote.
mysql> select @@sql_mode;
+------------------------------------------------------------------------------------------------------------------------+
| @@sql_mode                                                                                                             |
+------------------------------------------------------------------------------------------------------------------------+
| STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
+------------------------------------------------------------------------------------------------------------------------+
1 row in set (0,00 sec)
I create a trigger again:
mysql -u root -p snorby < trigger_code.sql
And run barnyard2...
.......
HM
......
And he does not fall!
It turns out, the trigger should be added only after the mode on:
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
Note.
In Ubuntu in the settings file to the path:
/etc/mysql/mysql.conf.d/mysqld.cnf
Let's see the created Trigger:
mysql> use snorby;
mysql> SHOW TRIGGERS

| after_iphdr_insert | INSERT | iphdr | BEGIN
....
END | AFTER  | 2017-08-30 15:04:14.71 | STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION | root@localhost | utf8                 | utf8_general_ci      | utf8_unicode_ci
The trigger should be created only after the settings MySQL...

Thank you!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:44 pm

Excellent! Glad it worked!
You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following:
  1. sudo nano /etc/mysql/my.cnf
  2. Add this to the end of the file
    [mysqld]  
    sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. sudo service mysql restart to restart MySQL
OK.
I did everything as you wrote.
mysql> select @@sql_mode;
+------------------------------------------------------------------------------------------------------------------------+
| @@sql_mode                                                                                                             |
+------------------------------------------------------------------------------------------------------------------------+
| STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
+------------------------------------------------------------------------------------------------------------------------+
1 row in set (0,00 sec)
I create a trigger again:
mysql -u root -p snorby < trigger_code.sql
And run barnyard2...
.......
HM
......
And he does not fall!
It turns out, the trigger should be added only after the mode on:
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
Note.
In Ubuntu in the settings file to the path:
/etc/mysql/mysql.conf.d/mysqld.cnf
Let's see the created Trigger:
mysql> use snorby;
mysql> SHOW TRIGGERS

| after_iphdr_insert | INSERT | iphdr | BEGIN
....
END | AFTER  | 2017-08-30 15:04:14.71 | STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION | root@localhost | utf8                 | utf8_general_ci      | utf8_unicode_ci
The trigger should be created only after the settings MySQL...

Thank you!
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 3:59 pm

It's me again ...
I run suricata_block.pxp from the command line:
php -f /usr/bin/suricata_block.php
He gives me this in the console:
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
Is this normal? Or am I wrong again somewhere?
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 4:05 pm

suricata_block.php adds the following addresses to MikroTik:
But it's not right!
Image
How to fix?
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 5:01 pm

suricata_block.php adds the following addresses to MikroTik:
But it's not right!
Image
How to fix?
I decided it myself.
I did not use the correct trigger.
The correct trigger (the contents of the trigger_code.sql file):
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
  DECLARE this_event INT(11) default 0;
  DECLARE this_event_signature INT(10) default 0;
  DECLARE this_event_timestamp TIMESTAMP;
  DECLARE this_sig INT(10) default 0;
  DECLARE this_sig_name VARCHAR(256) default "";
  DECLARE this_sig_gid INT(10) default 0;
  DECLARE timeout VARCHAR(12) default "";
  DECLARE interested INT default 0;
  DECLARE direction VARCHAR(3) default "";
  DECLARE ip_src VARCHAR(64) default "";
  DECLARE ip_dst VARCHAR(64) default "";
  SELECT event.id, event.signature, event.timestamp
  INTO this_event, this_event_signature, this_event_timestamp
  FROM event
  WHERE event.sid = NEW.sid and event.cid = NEW.cid;  
  SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
  INTO this_sig, this_sig_gid, this_sig_name
  FROM signature
  WHERE signature.sig_id = this_event_signature;
  SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
  INTO interested, direction, timeout
  FROM sigs_to_block
  WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
  IF (interested > 0) THEN
   IF (direction = "src") THEN
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_src),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    ELSE
      INSERT INTO block_queue
   SET que_ip_adr = inet_ntoa(NEW.ip_dst),
          que_timeout = timeout,
          que_sig_name = this_sig_name,
          que_sig_gid = this_sig_gid,
          que_sig_sid = this_sig,
          que_event_timestamp = this_event_timestamp;
    END IF;
  END IF;
END;;
DELIMITER ;
Image
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 30, 2017 5:02 pm

It's me again ...
I run suricata_block.pxp from the command line:
php -f /usr/bin/suricata_block.php
He gives me this in the console:
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
Is this normal? Or am I wrong again somewhere?
The same is solved by installing the program, for example Postfix...
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 31, 2017 2:46 am

The warning for mysqli is normal. If you want to send email notifications, then you'll have to change the location to sendmail on your system. Do
whereis sendmail
and modify suricata_block.php as necessary.
It's me again ...
I run suricata_block.pxp from the command line:
php -f /usr/bin/suricata_block.php
He gives me this in the console:
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
sh: /usr/sbin/sendmail: No such file or directory
PHP Warning:  mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /usr/bin/suricata_block.php on line 157
Is this normal? Or am I wrong again somewhere?
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Sep 08, 2017 4:32 pm

My great gratitude to tomfisk.
Thanks to his article, I received a powerful and flexible system.
Just what I wanted.
Thank you to the MicroTik team for their RouteOS.
In general, thank you guys!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 10:55 am

Hi,

How could I add an IP as whitelist?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 11:13 am

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Nov 17, 2017 12:27 pm

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Thanks tomfisk! great job as always
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 6:28 am

Thanks for the tutorial.

I had a question, is it possible to combine this scripts with SELKS ? or any guide so I can integrated SELKS with Mikrotik ?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:18 am

It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS ... zing-SELKS and here https://github.com/StamusNetworks/SELKS ... ding-SELKS. Including this functionality into the SELKS distribution would be possible, but it would require analysis of what packages would need to be included in a SELKS distribution and specific instructions on how to configure. I don't know if the suricata implementation in SELKS includes for example, MySQL and barnyard2, or if it is configured as an inline IPS using with linux firewall rule processing.
Thanks for the tutorial.

I had a question, is it possible to combine this scripts with SELKS ? or any guide so I can integrated SELKS with Mikrotik ?
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:34 am

It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS ... zing-SELKS and here https://github.com/StamusNetworks/SELKS ... ding-SELKS. Including this functionality into the SELKS distribution would be possible, but it would require analysis of what packages would need to be included in a SELKS distribution and specific instructions on how to configure. I don't know if the suricata implementation in SELKS includes for example, MySQL and barnyard2, or if it is configured as an inline IPS using with linux firewall rule processing.
Thanks for the tutorial.

I had a question, is it possible to combine this scripts with SELKS ? or any guide so I can integrated SELKS with Mikrotik ?
I had install SELK4.0nodesktop , and try to combine with your scripts with installed library dependencies . How I know if the scripts did worked ? Which mikrotik interface should be sniffed ?

Thank you
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Nov 23, 2017 10:45 am

The Mikrotik interface to sniff should be the one that is connected to your ISP. That is where all of the traffic in/out of your network is. Make sure tzsp2pcap is running. In /var/log/suricata/ check suricata.log to make sure it started successfuly and fast.log to see if events are being flagged.
It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS ... zing-SELKS and here https://github.com/StamusNetworks/SELKS ... ding-SELKS. Including this functionality into the SELKS distribution would be possible, but it would require analysis of what packages would need to be included in a SELKS distribution and specific instructions on how to configure. I don't know if the suricata implementation in SELKS includes for example, MySQL and barnyard2, or if it is configured as an inline IPS using with linux firewall rule processing.
Thanks for the tutorial.

I had a question, is it possible to combine this scripts with SELKS ? or any guide so I can integrated SELKS with Mikrotik ?
I had install SELK4.0nodesktop , and try to combine with your scripts with installed library dependencies . How I know if the scripts did worked ? Which mikrotik interface should be sniffed ?

Thank you
 
nata1234
just joined
Posts: 1
Joined: Mon Dec 04, 2017 1:02 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 04, 2017 1:16 am

Someone who can help me, I need sent Mikrotik from the Suricata, without MySQl some easy php like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 08, 2017 9:33 am

I've included a script, fast2mikrotik.php, that will do what I think you are looking for. Check the original post.
Someone who can help me, I need sent Mikrotik from the Suricata, without MySQl some easy php like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
 
smolki
just joined
Posts: 3
Joined: Tue Jan 23, 2018 10:28 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 23, 2018 10:33 am

Hi i need help with fast mikrotik.php script. Its only showing Targets but nothing happens. Scripts is not connecting to the Mikrotik.
All necessary services are set in MT.
 
smolki
just joined
Posts: 3
Joined: Tue Jan 23, 2018 10:28 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 23, 2018 10:42 am

Hi i need help with fast mikrotik.php script. Its only showing Targets but nothing happens. Scripts is not connecting to the Mikrotik.
All necessary services are set in MT.

Can anyone confirm that php is working ?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 12:59 pm

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Hi, re-open this reply. How could I do a whitelist for all entry for one IP?

I had this: suppress gen_id 1, sig_id 20003XX, track by_src, ip 213.XX.XX.XX

But my IP was banned again with this:
1:20003XX:13] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.X.X:55618 -> 213.XX.XX.XX:873

Why? Should I use in file 20003XX:13? How maybe my IP can be banned for more causes, I would ask if its possible add my IP as whitelist.

Thanks!!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:18 pm

I think you can justset gen_id and sig_id to 0 and it should apply to all events for that IP address.
Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Hi, re-open this reply. How could I do a whitelist for all entry for one IP?

I had this: suppress gen_id 1, sig_id 20003XX, track by_src, ip 213.XX.XX.XX

But my IP was banned again with this:
1:20003XX:13] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.X.X:55618 -> 213.XX.XX.XX:873

Why? Should I use in file 20003XX:13? How maybe my IP can be banned for more causes, I would ask if its possible add my IP as whitelist.

Thanks!!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:28 pm

I think you can justset gen_id and sig_id to 0 and it should apply to all events for that IP address.
Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Hi, re-open this reply. How could I do a whitelist for all entry for one IP?

I had this: suppress gen_id 1, sig_id 20003XX, track by_src, ip 213.XX.XX.XX

But my IP was banned again with this:
1:20003XX:13] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.X.X:55618 -> 213.XX.XX.XX:873

Why? Should I use in file 20003XX:13? How maybe my IP can be banned for more causes, I would ask if its possible add my IP as whitelist.

Thanks!!
Awesome your fast reply...
this ?
suppress gen_id 0, track_by_src, ip 213.98.XX.XX

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 1:59 pm

This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
I think you can justset gen_id and sig_id to 0 and it should apply to all events for that IP address.
Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
Hi, re-open this reply. How could I do a whitelist for all entry for one IP?

I had this: suppress gen_id 1, sig_id 20003XX, track by_src, ip 213.XX.XX.XX

But my IP was banned again with this:
1:20003XX:13] ET P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.X.X:55618 -> 213.XX.XX.XX:873

Why? Should I use in file 20003XX:13? How maybe my IP can be banned for more causes, I would ask if its possible add my IP as whitelist.

Thanks!!
Awesome your fast reply...
this ?
suppress gen_id 0, track_by_src, ip 213.98.XX.XX

Thanks.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 2:33 pm

This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 30, 2018 2:39 pm

You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 10:33 am

You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
:( With that rule router yet banned my IP again. What am i doing wrong?
I added with both id
suppress gen_id 1, sig_id 0, track_by_src, ip 192.168.XX.XX
suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.XX.XX

Line in fast.log
01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.XX.XX:58471 -> 213.98.XX.XX:873
BTW: I use suricata 1.4.7, but in his website there are version 2.0.2 and 4.0.3. Anyone test it?

Thanks.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:06 am

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore set that it doesn't get sent to suricata in the first place. Set up a filter to exclude the address from the packet sniffer like this:
set file-limit=3000KiB filter-interface=ether1 filter-ip-address=!192.168.xx.xx/32 filter-stream=\
    yes streaming-enabled=yes streaming-server=192.168.xx.xx
So packets from that address never get into suricata in the first place.
You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
:( With that rule router yet banned my IP again. What am i doing wrong?
I added with both id
suppress gen_id 1, sig_id 0, track_by_src, ip 192.168.XX.XX
suppress gen_id 0, sig_id 0, track_by_src, ip 192.168.XX.XX

Line in fast.log
01/31/2018-09:18:26.904899  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.XX.XX:58471 -> 213.98.XX.XX:873
BTW: I use suricata 1.4.7, but in his website there are version 2.0.2 and 4.0.3. Anyone test it?

Thanks.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:49 am

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore set that it doesn't get sent to suricata in the first place. Set up a filter to exclude the address from the packet sniffer like this:
set file-limit=3000KiB filter-interface=ether1 filter-ip-address=!192.168.xx.xx/32 filter-stream=\
    yes streaming-enabled=yes streaming-server=192.168.xx.xx
So packets from that address never get into suricata in the first place.
I can't add that IP. If I try to save the changes, MK doesn't accept it and its reseted to 0.0.0.0 again
I attach picture, maybe I am doing something bad.
Image
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 11:54 am

The "!" goes in the little box before the IP address. Just click on it and it should change to "!".
Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore set that it doesn't get sent to suricata in the first place. Set up a filter to exclude the address from the packet sniffer like this:
set file-limit=3000KiB filter-interface=ether1 filter-ip-address=!192.168.xx.xx/32 filter-stream=\
    yes streaming-enabled=yes streaming-server=192.168.xx.xx
So packets from that address never get into suricata in the first place.
I can't add that IP. If I try to save the changes, MK doesn't accept it and its reseted to 0.0.0.0 again
I attach picture, maybe I am doing something bad.
Image
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 12:04 pm

The "!" goes in the little box before the IP address. Just click on it and it should change to "!".
Im stupid, I know it. Thanks as always tomfisk.
I am going to test new version 4.0.3.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jan 31, 2018 2:06 pm

I have installed a new VPS with new suricata 4.0.3, its installed correctly and I can start it good:
root@suricatanew:/# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
31/1/2018 -- 07:01:57 - <Notice> - This is Suricata version 4.0.3 RELEASE
31/1/2018 -- 07:02:02 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
I see traffic on stats.log
Date: 1/31/2018 -- 07:05:53 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 275968
decoder.bytes                              | Total                     | 277270818

I tested new method (with php). I have the script running but MK doesn't add any IP. I have configured details correctly to login API (same I used old suricata).
In MK I only changed Sniffer to old server to new server (I get packets).

When I execute php I only see same logs, example:
root@suricatanew:/etc/init.d# php -f fast2mikrotik.php &
[1] 543
root@suricatanew:/etc/init.d# Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Any idea? Thanks! Maybe I am forgotten any simple thing.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 8:37 am

Oops! Looks like I left some debug code in fast2mikrotik.php :(
  echo "Target will be: " . $target . "\r\n";
  return true;
  try {
      $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd);
  } catch (Exception $e) {
      die('Unable to connect to RouterOS. Error:' . $e);
  }
Delete the "echo" and "return" lines...should work then :) :)
I have installed a new VPS with new suricata 4.0.3, its installed correctly and I can start it good:
root@suricatanew:/# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
31/1/2018 -- 07:01:57 - <Notice> - This is Suricata version 4.0.3 RELEASE
31/1/2018 -- 07:02:02 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
I see traffic on stats.log
Date: 1/31/2018 -- 07:05:53 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 275968
decoder.bytes                              | Total                     | 277270818

I tested new method (with php). I have the script running but MK doesn't add any IP. I have configured details correctly to login API (same I used old suricata).
In MK I only changed Sniffer to old server to new server (I get packets).

When I execute php I only see same logs, example:
root@suricatanew:/etc/init.d# php -f fast2mikrotik.php &
[1] 543
root@suricatanew:/etc/init.d# Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Target will be: 94.31.29.64
Any idea? Thanks! Maybe I am forgotten any simple thing.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 9:39 am

Oops! Looks like I left some debug code in fast2mikrotik.php :(
Delete the "echo" and "return" lines...should work then :) :)
I went to write that too :) I removed it and it works fine. Thanks tomfisk.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 12:10 pm

I am having troubles to create "white list". I create it but IDS continue adding thats IPs to blocks.

suppress gen_id 1, sig_id 2240001
suppress gen_id 1, sig_id 2220006, track by_src, ip 192.168.XX.XX

I added it too in MK in "Packet Sniffer" but not luck neither. MK continue stopping traffic from that IPs. I think that its a bug why I don't understand that I am doing wrong, I followed manual.

NOTE: Maybe someone has my own problem. I had commented line threshold-file: /etc/suricata/threshold.config in file suricata.yaml
Fixed.
 
User avatar
bekax5
Member Candidate
Member Candidate
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 01, 2018 11:29 pm

I am really tempted on setting Suricata with Mtik integration.
I want to run suricata on a QNAP as a VM and I already bought an Intel NIC for this purpose, however I noticed that the current QNAP versions do not support promiscuous mode for VMs, as such if I try to mirror the WAN interface I end up only getting multicast and broadcast packets.
This sniffer stream appears to be a perfect solution, however it does stop FastPath and FastTrack right?
I'm afraid RB3011 will be struggling with Gigabit WAN.
Apologies for the novice questions =)
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Feb 02, 2018 2:40 am

Yes, sniffer does stop FastPath and FastTrack. I have an RB951G-2HnD running with a sniffer and I am still able to achieve my ISP's full bandwidth of 350mbs. Just my observation...I'm not a networking professional so I can't fully address your concern. Perhaps you can turn on the sniffer and do a bandwidth test?
I am really tempted on setting Suricata with Mtik integration.
I want to run suricata on a QNAP as a VM and I already bought an Intel NIC for this purpose, however I noticed that the current QNAP versions do not support promiscuous mode for VMs, as such if I try to mirror the WAN interface I end up only getting multicast and broadcast packets.
This sniffer stream appears to be a perfect solution, however it does stop FastPath and FastTrack right?
I'm afraid RB3011 will be struggling with Gigabit WAN.
Apologies for the novice questions =)
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Feb 02, 2018 1:24 pm

Definitely Suricata has any bug with threshold.
suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8
And I receive an alert:
The IP address 8.8.8.8 has been blocked due to the following rule match:

The signature ID is [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
    event timestamp: 02/02/2018-12:18:30.409788 blocked for: 01:00:00

Unfortunately I have to remove that rules from directory rules, if not all time IPs as Google o my own IP are banned,

I don't understand why... but I have threshold uncomment in suricata.yaml... anyone occurs same?

Thanks.
 
swright
just joined
Posts: 1
Joined: Wed Jan 31, 2018 11:44 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Feb 03, 2018 12:36 am

Definitely Suricata has any bug with threshold.
suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8
And I receive an alert:
The IP address 8.8.8.8 has been blocked due to the following rule match:

The signature ID is [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
    event timestamp: 02/02/2018-12:18:30.409788 blocked for: 01:00:00

Unfortunately I have to remove that rules from directory rules, if not all time IPs as Google o my own IP are banned,

I don't understand why... but I have threshold uncomment in suricata.yaml... anyone occurs same?

Thanks.
Have you tried to create a "pass" rule? Example:
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)

I am trying out the fast2mikrotik.php, which works great by the way Tomfisk. I have found that this way tends to block rather aggressively. I have been able to white list by using a pass rules, and am getting it toned down. Thanks for all the work Tomfisk!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 08, 2018 3:33 pm

Maybe for anyone is useful this tool:
https://www.stamus-networks.com/open-source/

Integrate suricata + ELKS in a dashboard. I added Tomfisk's script and my MK ban IPs and I can check logs on a website. Final result is very pretty.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Feb 12, 2018 12:06 pm

Hi,
I am using a Debian 9 (before I used Ubuntu 16 and it works), but with this Debian 9 + php7 , script fas2mikrotik fails with this:
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Line 328:
$STATUS = socket_get_status($this->socket);
if ($LENGTH > 0) {
$this->debug('>>> [' . $LENGTH . ', ' . $STATUS['unread_bytes'] . ']' . $_);
}
Any idea? I am not developer, if not sysadmin and I am stuck in this.

Thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Feb 13, 2018 4:57 am

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters?
$mikrotik_addr = "__someip__";
$mikrotik_user = "admin";
$mikrotik_pwd = "__somesecret__";
Hi,
I am using a Debian 9 (before I used Ubuntu 16 and it works), but with this Debian 9 + php7 , script fas2mikrotik fails with this:
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Line 328:
$STATUS = socket_get_status($this->socket);
if ($LENGTH > 0) {
$this->debug('>>> [' . $LENGTH . ', ' . $STATUS['unread_bytes'] . ']' . $_);
}
Any idea? I am not developer, if not sysadmin and I am stuck in this.

Thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 8:41 am

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters?
$mikrotik_addr = "__someip__";
$mikrotik_user = "admin";
$mikrotik_pwd = "__somesecret__";
Its strange tomfisk, I am using a new server but in same net and I copied (using SCP) the script which it worked in another server. The difference between both server is that one is Ubuntu 16 and another is Debian 9. In both php installed from repository.
Any idea to debug it?

Thanks as always.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 8:46 am

Since I didn't write that code I'm at a loss as well.
It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters?
$mikrotik_addr = "__someip__";
$mikrotik_user = "admin";
$mikrotik_pwd = "__somesecret__";
Its strange tomfisk, I am using a new server but in same net and I copied (using SCP) the script which it worked in another server. The difference between both server is that one is Ubuntu 16 and another is Debian 9. In both php installed from repository.
Any idea to debug it?

Thanks as always.
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 10:05 am

Since I didn't write that code I'm at a loss as well.
I understand, I enabled debug (to test connection) and it works:
Connection attempt #1 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #2 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #3 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #4 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #5 to 192.168.100.1:8728...
<<< [6] /login
Error...
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [31] /ip/firewall/address-list/print
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [14] =.proplist=.id
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] ?address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [29] /ip/firewall/address-list/add
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [13] =list=Blocked
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] =address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [17] =timeout=01:00:00
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [131] =comment=From suricata, [1:2402000:4717] ET DROP Dshield Block Listed Source group 1 => event timestamp: 02/14/2018-08:57:59.910517
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Disconnected...


I will try to solve it :) thanks!
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 10:13 am

So it looks like it doesn't get connected :o :o :? :?
Since I didn't write that code I'm at a loss as well.
I understand, I enabled debug (to test connection) and it works:
Connection attempt #1 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #2 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #3 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #4 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #5 to 192.168.100.1:8728...
<<< [6] /login
Error...
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [31] /ip/firewall/address-list/print
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [14] =.proplist=.id
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] ?address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [29] /ip/firewall/address-list/add
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [13] =list=Blocked
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] =address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [17] =timeout=01:00:00
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [131] =comment=From suricata, [1:2402000:4717] ET DROP Dshield Block Listed Source group 1 => event timestamp: 02/14/2018-08:57:59.910517
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Disconnected...


I will try to solve it :) thanks!
 
aarango
Member Candidate
Member Candidate
Posts: 158
Joined: Wed Nov 30, 2016 7:55 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Feb 14, 2018 1:45 pm

So it looks like it doesn't get connected :o :o :? :?
Since I didn't write that code I'm at a loss as well.
I understand, I enabled debug (to test connection) and it works:
Connection attempt #1 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #2 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #3 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #4 to 192.168.100.1:8728...
<<< [6] /login
Connection attempt #5 to 192.168.100.1:8728...
<<< [6] /login
Error...
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [31] /ip/firewall/address-list/print
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [14] =.proplist=.id
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] ?address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [29] /ip/firewall/address-list/add
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [13] =list=Blocked
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [24] =address=191.101.167.252
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [17] =timeout=01:00:00
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 363
<<< [131] =comment=From suricata, [1:2402000:4717] ET DROP Dshield Block Listed Source group 1 => event timestamp: 02/14/2018-08:57:59.910517
PHP Warning:  fwrite(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 371
PHP Warning:  fread(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 277
PHP Warning:  socket_get_status(): supplied resource is not a valid stream resource in /etc/init.d/routeros_api.class.php on line 328
Disconnected...


I will try to solve it :) thanks!
Solved! I had a rule in my router to reject connections to API from another subnet. Thanks :D
 
User avatar
Nollitik
Member Candidate
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Apr 17, 2018 6:57 am

This is awesome...if only I could get this on a RB450G...is there?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Apr 17, 2018 1:17 pm

This is awesome...if only I could get this on a RB450G...is there?
Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
 
User avatar
Nollitik
Member Candidate
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 18, 2018 11:04 pm

This is awesome...if only I could get this on a RB450G...is there?
Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512MB RAM. I already have a Pfsense machine in front of my 450G...was just thinking it would be cool to have at least Intrusion detection on Mikrotik.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Apr 18, 2018 11:33 pm

This is awesome...if only I could get this on a RB450G...is there?
Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512MB RAM. I already have a Pfsense machine in front of my 450G...was just thinking it would be cool to have at least Intrusion detection on Mikrotik.
Yep, that's the deal with this implementation. I'm not sure you could run a decent intrusion detection in a metarouter.
 
Faceless
just joined
Posts: 18
Joined: Sat Mar 03, 2018 4:03 pm
Location: Ukraine
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Apr 26, 2018 7:19 pm

Do I need calea packege to restream packets .Snort need calea. Alsa will hap ac2 4 core cPU handle suricata+ few qos+25filter rules?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Apr 27, 2018 1:08 am

Do I need calea packege to restream packets .Snort need calea. Alsa will hap ac2 4 core cPU handle suricata+ few qos+25filter rules?
No, just stream packets with the sniffer tool to the suricata host. Yes, I don't see any problem with the ability to handle that configuration.
 
fosilt
just joined
Posts: 5
Joined: Thu Jan 28, 2016 5:29 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Aug 23, 2018 11:34 am

Maybe for anyone is useful this tool:
https://www.stamus-networks.com/open-source/

Integrate suricata + ELKS in a dashboard. I added Tomfisk's script and my MK ban IPs and I can check logs on a website. Final result is very pretty.
Hi , aarango
Do you have tried SELKs from stamus network ?
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Sep 15, 2018 7:00 pm

Dear All,

I have few question about this script:

1- I would like to know this script is running on background or i have to run with cron ?
2- Is it any output log for any activity sending to Mikrotik?

Currently i'm running with logstash + python for filtering fast.log and its very slow and too much delay

Please advice and thank you so much
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Sep 16, 2018 8:16 am

1. These scripts are running in the background and are started as a service.
2. You can get an email alert when an IP address has been blocked by changing the $email_alert variable in suricata_block.php
Dear All,

I have few question about this script:

1- I would like to know this script is running on background or i have to run with cron ?
2- Is it any output log for any activity sending to Mikrotik?

Currently i'm running with logstash + python for filtering fast.log and its very slow and too much delay

Please advice and thank you so much
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Sep 17, 2018 1:48 am

Dear Tomfisk,

Thank you so much to answer my question, actually i have so many question to ask, any possiblity if i can direct with you on Whatsapp or Skype ? Or can you enable your private message on this forum ?

Please help. Thank you so much
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 4:17 pm

Hi,

What i understand the packet sniffer capturing from Mikrotik are the packet before the firewall rules, so is it possible to get any packet only after get thru the firewall rules ?

Please advice, TQ
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 5:17 pm

Hi Halimzhz,

I don't think it is possible to get the packets only after they've gone through the firewall. The first firewall rule drops all packets from blocked IP addresses. I've look to see if the next rule could run the traffic through a virtual interface (possible), but then you'd have to get the traffic back into the firewall chain (I'm not sure how this would happen).

With regard to your request for some help, my day job keeps me pretty busy but I can try the best I can to provide some help. I don't see a PM option. I really don't want to post my contact info here, but if you want to share your WA I'll contact you.
Hi,

What i understand the packet sniffer capturing from Mikrotik are the packet before the firewall rules, so is it possible to get any packet only after get thru the firewall rules ?

Please advice, TQ
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 18, 2018 6:06 pm

Dear Tomfisk,

Thank you so much to reply me, for your information the concept of forward packet to suricata is so nice and suricata will filter the packet with some rules, but that seem fine when you have a very minimal suricata rules, but when u filter the suricata with tons of rules for example u filter by blocklist.de, your suricata will keep receive the same packet again and again, that make the the script keep sending again and again to mikrotik and the process become slow and too much delay, that why i'm asking is it possible to get the packet just after get thru the mikrotik firewall rules, someone advice me to buy 2nd mikrotik device and make it as secondary, the first mikrotik will do a job of firewall and the secondary will do a packet sniffer process to suricata, i hope that is not good idea because i have to spend more.

Please advice. TQ so much
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Sep 19, 2018 5:36 am

I understand what you are saying. Have you looked at the number of packets that would be blocked vs. the total volume? There would be a threshold where passing the packets after the firewall would make sense. I'm not sure what that threshold would be, but I would suspect that it would have to be a "significant" volume to make a difference. If you've implemented suricata and the firewall rules then you should be able to look at the packets dropped by the firewall rule vs. the total number of packets.

If the volume is significant, I agree with the advice you received, the only real option is the get another Mikrotik to handle the post-firewall filtering.
Dear Tomfisk,

Thank you so much to reply me, for your information the concept of forward packet to suricata is so nice and suricata will filter the packet with some rules, but that seem fine when you have a very minimal suricata rules, but when u filter the suricata with tons of rules for example u filter by blocklist.de, your suricata will keep receive the same packet again and again, that make the the script keep sending again and again to mikrotik and the process become slow and too much delay, that why i'm asking is it possible to get the packet just after get thru the mikrotik firewall rules, someone advice me to buy 2nd mikrotik device and make it as secondary, the first mikrotik will do a job of firewall and the secondary will do a packet sniffer process to suricata, i hope that is not good idea because i have to spend more.

Please advice. TQ so much
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Sep 19, 2018 5:51 pm

Dear Tomfisk,

I have another idea but before that i feel so sorry because my bad english, but i will try to explain what i'm thinking about, i dont know is this possible or not, let say when the script start, the script will look first or grab from Mikrotik the list of banned ip and keep on script memory or as log, then the script will start looking into fast.log and doing filtering and before submit to Mikrotik for ban the IP, the script look first what on memory, on that way the script will not keep submitting to Mikrotik just to get the answer the ip is added or not, or maybe another way as u did on mysql database but everytime u restart the script, have to make sure the record on both Mikrotik and mysql database are clean, this is crazy, but main point is to make not too much delay on busy network

Please advice and thank you for your time
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Sep 20, 2018 6:22 am

OK, I thought you wanted to stop scanning traffic that was already blocked by a firewall rule.

So you're saying don't delete and re-add a firewall rule if it already exists for in IP address? Let me look at suricata_block.php and see if that can be added as an option.
Dear Tomfisk,

I have another idea but before that i feel so sorry because my bad english, but i will try to explain what i'm thinking about, i dont know is this possible or not, let say when the script start, the script will look first or grab from Mikrotik the list of banned ip and keep on script memory or as log, then the script will start looking into fast.log and doing filtering and before submit to Mikrotik for ban the IP, the script look first what on memory, on that way the script will not keep submitting to Mikrotik just to get the answer the ip is added or not, or maybe another way as u did on mysql database but everytime u restart the script, have to make sure the record on both Mikrotik and mysql database are clean, this is crazy, but main point is to make not too much delay on busy network

Please advice and thank you for your time
 
halimzhz
newbie
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Sep 21, 2018 3:37 am

Dear Tomfisk

I would like to ask you a favor, for your information my fast.log a look a bit different, let me show you:

09/21/2018-08:08:15.059030 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:36610 -> nnn.nnn.nnn.nnn:993

For your information i have 2 type of rules, first is alert and second is drop, 'alert' purpose just for monitoring and drop is what i plan to send out to Mikrotik, so for any drop rules will notify on fast.log as 'wDrop', so i need a script to monitor the line with word 'wDrop' and ignore for 'alert', actually i run this kind of script since years ago but its run by Logstash + Python, i'm so frustrated because too much delay for ban any IP because Logstash are cpu/memory hunger even my machine is dual xeon and 32GB RAM.

Seriously i willing to pay if you have time to spend for this. feel shame to put my mobile number here, but please skype me live:8f0c760bc11cde9

Thank you so much
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Sep 25, 2018 6:23 am

Hi Halimzhz,
Sorry for the delayed reply. I'm sorry but I really don't have time to be able to help you with this. This solution uses the insert trigger from barnyard2 to grab events that subsequently get processed. It only processes those rules that match what is in the sigs_to_block table in mysql. So the fast.log processing is done by barnyard2. So if you put your wDrop rule description in sigs_to_block table, it should work?

Tom
Dear Tomfisk

I would like to ask you a favor, for your information my fast.log a look a bit different, let me show you:

09/21/2018-08:08:15.059030 [wDrop] [**] [1:207:1] Suricata Rules [**] [Classification: (null)] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:36610 -> nnn.nnn.nnn.nnn:993

For your information i have 2 type of rules, first is alert and second is drop, 'alert' purpose just for monitoring and drop is what i plan to send out to Mikrotik, so for any drop rules will notify on fast.log as 'wDrop', so i need a script to monitor the line with word 'wDrop' and ignore for 'alert', actually i run this kind of script since years ago but its run by Logstash + Python, i'm so frustrated because too much delay for ban any IP because Logstash are cpu/memory hunger even my machine is dual xeon and 32GB RAM.

Seriously i willing to pay if you have time to spend for this. feel shame to put my mobile number here, but please skype me live:8f0c760bc11cde9

Thank you so much
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 06, 2018 5:03 pm

Do I have to run suricata through trafr?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 2:18 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 9:15 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
I found this information in threads about Snort. I wonder how Suricata receives packets from the mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP)
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 10:08 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
I found this information in threads about Snort. I wonder how Suricata receives packets from the mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP)
1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 1:56 pm

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
Thank you. This image was not found in the description.
I made it so that the suricata reads from the interface and also worked.

So I have a suricate to run like this :
/usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -
?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 07, 2018 3:46 pm

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address.
2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f)
3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -)
Thank you. This image was not found in the description.
I made it so that the suricata reads from the interface and also worked.

So I have a suricate to run like this :
/usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -
?
Yes, that's correct.
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Nov 26, 2018 2:43 pm

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked
you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the internal web server would not have to support the SYN
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 1:51 am

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked
you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the internal web server would not have to support the SYN
So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
 
tomeks11
just joined
Posts: 6
Joined: Thu Mar 23, 2017 11:53 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 9:31 am

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked
you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the internal web server would not have to support the SYN
So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
The rule "ip firewall add action = drop chain = input comment =" Block bad actors" src-address-list = Blocked it does not stop the dstnat traffic eg to the web server inside the network. I checked on the web server, 'syn' packets are still coming
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Nov 27, 2018 10:24 pm

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked
you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the internal web server would not have to support the SYN
So this is to stop any traffic from going back to a blocked address. There is already a rule to stop any inbound traffic from a blocked address as well.
The rule "ip firewall add action = drop chain = input comment =" Block bad actors" src-address-list = Blocked it does not stop the dstnat traffic eg to the web server inside the network. I checked on the web server, 'syn' packets are still coming
Oh...yes, I'm not attempting to block internet network traffic.
 
Matthew1471
just joined
Posts: 9
Joined: Wed Feb 20, 2019 1:10 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 21, 2019 11:37 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled?

Presumably "tzsp2pcap" is the drop in replacement and MikroTik moved to the TZSP protocol..
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 21, 2019 11:46 am

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled?

Presumably "tzsp2pcap" is the drop in replacement and MikroTik moved to the TZSP protocol..
That would most likely be a correct assumption.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Mar 02, 2019 9:05 pm

Hi Tom,
Just trying to understand what all this work is LOL.
I gather you are using a computer with linux OS, that is performing some functions on incoming wan data?
So what is the architecture - modem to router to computer back to router?

What are you trying to stop? Presumably most people do not allow unsolicited traffic in (such traffic is dropped).
Thus are you simply scanning outgoing traffic???

What are you scanning, looking for bad IPs? suspicious packet traffic ???
Im a bit bamboozled by what is actually going on here?

Thanks in advance for answering such basic questions..........
With such info, I will know whether or not for a homeowner the investment in resources is worth it. ;-)
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Mar 03, 2019 8:49 am

Hi,

First of all, I think it is important for you to understand what a network threat detection engine, like Suricata, does. It ingests network packets, runs those packets against a set of rules, and then reports on those packets which match the rules. Suricata also provides the ability to do intrusion prevention (IPS) against those IP's where the rules matched. So in a typical installation, you'd dedicate a system that would sit on your network perimeter and do this work.

But with the Mikrotik router being more capable than most, then we can use the Mikrotik as a component in the solution. First of all, using the packet sniffer capability of the Mikrotik we can capture packets and send them to Suricata. Which packets you send is up to you, but I send only inbound packets. Suricata does it's thing and the triggered packets and the associated rules end up in a MySQL database. When this occurs, a trigger writes the needed info in a table that is constantly scanned by a php program. When this happens, the php program sends the necessary info to write a firewall entry to the Mikrotik. So now the Mikrotik now plays the role of IPS.

In the end, it depends on how much IDS/IPS your ISP does in catching the bad actors on their perimeter as to whether or not this effort is worth it. Here in Indonesia, my ISP doesn't do any IDS/IPS on their perimeter, so it all comes to my network. So in my case, it's a vital piece of keeping bad actors off my systems.

Hope this helps.

Tom
Hi Tom,
Just trying to understand what all this work is LOL.
I gather you are using a computer with linux OS, that is performing some functions on incoming wan data?
So what is the architecture - modem to router to computer back to router?

What are you trying to stop? Presumably most people do not allow unsolicited traffic in (such traffic is dropped).
Thus are you simply scanning outgoing traffic???

What are you scanning, looking for bad IPs? suspicious packet traffic ???
Im a bit bamboozled by what is actually going on here?

Thanks in advance for answering such basic questions..........
With such info, I will know whether or not for a homeowner the investment in resources is worth it. ;-)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Mar 03, 2019 10:31 pm

Great explanation Tom, it sounds a bit of what layer7 firewall does on the Mikrotik, looking for a pattern of packets etc..........
I have read that using layer7 rules really loads the MT CPU so what you in affect are doing is offloading such work and using the MT at the very front end and to implement the outcome(filter rules) (bad IPs). I imagine the time lag to sniff a packet and have the MT put up a rule or add IPs to an existing rule is very short?

Don't laugh but if I have my basic rules setup.
establish related
drop invalid
(my specific allow rules)
drop all else.

Q1. Do I really need all this IDS IDP, synflood, tarpit, blacklists etc etc etc........
In other words, I don't expect anybody to gain access to my router or on my devices based on unsolicited incoming traffic (inbound as you state).

However,. what I don't have control over is folks accessing sites or clicking on emails with bad stuff without knowing it.
Thus where I see the router coming into play is stopping bad outbound traffic (because returns from the bad actor will be allowed back in (established related) and thus one had to nip this before the traffic is allowed out. Thus some layer7 rules are probably a good idea here.
Q2. Does your program or methods address this aspect?

Q3. What is the difference between all the stuff you are managing and my simple technique of:
- adding raw rules to capture all probes on common ports (that I dont use, so prerouting capture has no negative effects).
- adding filter rules to capture all probes common ports I do use, but in order so after they have met my needs (for example DST port,,,,,,,,,,, - I only port forward with known WANIPs allowed source-address-list and to devices on own VLAN). Then in raw, I drop all those captured IPs. My logic good or bad is that I will stop the majority of bad actors for a set time be it 4hours or 2days and that is just as effective as any other set of blacklists etc...........
However, why bother when I already have drop rules on my router (other than stopping repeated attempts or multi port attempts at router).

Any input or clarification or guidance most appreciated as I know very little on this front and always willing to learn.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Mar 04, 2019 5:23 am

Yes, time lag is very short. Less than 2 seconds.

Q1. Simple answer, of course, is "that depends". I do have services that I have open to the wild, so in my case I do want to stop someone trying to gain access through those services. If you don't have any services published, and are just a consumer of the internet, then certainly that removes a big reason for doing so. Just be sure that you really don't have any services published...like IOT devices.

Q2. Yes, Suricata can be used to scan outbound traffic looking for potential threats. I do some of this, minimal, but it is supported. Just make sure your filter on the sniffer is passing outbound traffic to Suricata.

Q3. You don't know what you don't know. Before I implemented this I ran suricata against my traffic to see what what happening. Like I said, in Indonesia I was seeing hundreds of hits an hour. On my server that is in the US, I was seeing maybe a dozen soft hits in a day, that the Mikrotik could handle with the basic firewall rules.
Great explanation Tom, it sounds a bit of what layer7 firewall does on the Mikrotik, looking for a pattern of packets etc..........
I have read that using layer7 rules really loads the MT CPU so what you in affect are doing is offloading such work and using the MT at the very front end and to implement the outcome(filter rules) (bad IPs). I imagine the time lag to sniff a packet and have the MT put up a rule or add IPs to an existing rule is very short?

Don't laugh but if I have my basic rules setup.
establish related
drop invalid
(my specific allow rules)
drop all else.

Q1. Do I really need all this IDS IDP, synflood, tarpit, blacklists etc etc etc........
In other words, I don't expect anybody to gain access to my router or on my devices based on unsolicited incoming traffic (inbound as you state).

However,. what I don't have control over is folks accessing sites or clicking on emails with bad stuff without knowing it.
Thus where I see the router coming into play is stopping bad outbound traffic (because returns from the bad actor will be allowed back in (established related) and thus one had to nip this before the traffic is allowed out. Thus some layer7 rules are probably a good idea here.
Q2. Does your program or methods address this aspect?

Q3. What is the difference between all the stuff you are managing and my simple technique of:
- adding raw rules to capture all probes on common ports (that I dont use, so prerouting capture has no negative effects).
- adding filter rules to capture all probes common ports I do use, but in order so after they have met my needs (for example DST port,,,,,,,,,,, - I only port forward with known WANIPs allowed source-address-list and to devices on own VLAN). Then in raw, I drop all those captured IPs. My logic good or bad is that I will stop the majority of bad actors for a set time be it 4hours or 2days and that is just as effective as any other set of blacklists etc...........
However, why bother when I already have drop rules on my router (other than stopping repeated attempts or multi port attempts at router).

Any input or clarification or guidance most appreciated as I know very little on this front and always willing to learn.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Mar 04, 2019 4:17 pm

Good points.
Yes I have ports open for septic device and solar device with source address list for static company IPs to access.
Having a source address list in my NAT rule renders the port invisible on scans
Yes I have iot devices but they are all on vlans and not on the same vlan and only have access to the internet.

By the way I was subscribing to MOAB (very decent service for pennies) but since i can write this off for taxes using
this service at the moment, since I know I am not savvy and the additional security shouldnt hurt..
https://axiomcyber.com/shield/

So the question becomes, is it worth it for me to wander down the suricata (ossec) route??
 
haj
just joined
Posts: 3
Joined: Tue Jun 04, 2019 11:32 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 04, 2019 11:45 am

Hey,

Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata.
We block bad IPs with a couple of ipset sets and iptables rules.

How does Mikrotik's perform when they have to block a list of say 200.000 IPs?
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Jun 05, 2019 2:08 pm

Hey,

Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata.
We block bad IPs with a couple of ipset sets and iptables rules.

How does Mikrotik's perform when they have to block a list of say 200.000 IPs?
Hi Haj,

I really can't answer the question about performance. I'd pose that to one of the Mikrotik engineers.

But I would question why you'd be blocking 200,000 IPs? I have looked at my list of frequent offenders and have found that I've been able to consolidate some of the IP addresses into ranges. If you have 200,000 IP addresses then I'd assume that you could identify some pretty significant ranges and block the range rather than individual addresses.

Tom
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 13, 2019 3:05 am

Hi all,
Could someone please point me to a resource that shows me how to set up Suricata from scratch? I have a server running Ubuntu 19.10 and a mikrotik RB751g-2hnd router. The router is the gateway to my home network. It handles PPPOE authentication with my ISP. I already have the firewall configured and have open dns configured too. I want to add some more network layer detection and prevention now.

Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 13, 2019 5:14 am

Hi all,
Could someone please point me to a resource that shows me how to set up Suricata from scratch? I have a server running Ubuntu 19.10 and a mikrotik RB751g-2hnd router. The router is the gateway to my home network. It handles PPPOE authentication with my ISP. I already have the firewall configured and have open dns configured too. I want to add some more network layer detection and prevention now.

Pranav
I guess I would start here https://redmine.openinfosecfoundation.o ... stallation. The Wiki does provide some good basic information on getting all set up. With regard to specific rules configuration, you may have to dig a little more deeply with Google to find examples that match what you want to do.
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Dec 14, 2019 3:57 pm

Hi,
I have suricata setup on my Linux machine. I have enabled the Mikrotik to stream like this.
[pranav1@ConShield] /tool> sniffer
[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: xxx.xxx.x.x
filter-stream: yes
filter-interface: airtel #This is the pppoe interface for my broadband connection
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes

I do not see any activity in suricata. What am I missing?
Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Dec 15, 2019 4:26 am

You have tzsp2pcap running to capture stream and send to suricata? Here are my processes on my suricata host:
snort      656     1  0 Nov18 ?        05:27:05 /usr/local/bin/tzsp2pcap -f
snort      658     1  4 Nov18 ?        1-02:37:00 /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin
snort    24966     1  8 00:01 ?        00:45:40 /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -l /var/log/suricata -d /var/log/suricata -f unified2.alert -w /var/log/suricata/barnyard2.waldo -D
snort    26872     1  0 Nov21 ?        00:06:14 /usr/bin/php -f /usr/local/bin/suricata_block.php
Hi,
I have suricata setup on my Linux machine. I have enabled the Mikrotik to stream like this.
[pranav1@ConShield] /tool> sniffer
[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: xxx.xxx.x.x
filter-stream: yes
filter-interface: airtel #This is the pppoe interface for my broadband connection
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes

I do not see any activity in suricata. What am I missing?
Pranav
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Dec 15, 2019 5:50 pm

Hi,
I am sending the stream from the sniffer tool directly to a Linux box on which I have installed suricata. Do I need an intermediate tool?

Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 3:07 am

Yes, the format from the sniffer stream needs to be converted with tzsp2pcap.
Hi,
I am sending the stream from the sniffer tool directly to a Linux box on which I have installed suricata. Do I need an intermediate tool?

Pranav
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 11:49 am

Hi Tom,
Thanks for confirming the use of tzsp2pcap. Is there any documentation on how to get it going? I have cloned its source and see the make file but I suspect I need to install headers etc., to build the program.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 1:09 pm

Hi Tom,
Thanks for confirming the use of tzsp2pcap. Is there any documentation on how to get it going? I have cloned its source and see the make file but I suspect I need to install headers etc., to build the program.
Check this blog entry for instructions on compiling [url]https://bløgg.no/2015/03/ids-with-mikrotik-and-snort/[/url]. It's pretty straight-forward once you have the build-essential installed and the required library. build-essential pulls everything needed for your platform.
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Mon Dec 16, 2019 6:29 pm

Hi Tom,
https://bløgg.no/2015/03/ids-with-mikrotik-and-snort/ did the trick in terms of getting packets. I believe my streaming is working but now, do I use snort and then send to suricata? Sorry, I remain puzzled about the pipeline here. I plan to implement the IPS functionality but will use IDS and tune it first.

What I have done so far is to have the tzsp2pcap utility log packets to a directory and have suricata read the packets from that directory.
sudo tzsp2pcap -o "/home/pranav/pcap/file_%s.pcap" -G 10
I have then run suricata like this.
sudo suricata -c /etc/suricata/suricata.yaml -r /home/pranav/pcap --pcap-file-continuous --pcap-file-delete

I am ok with the writing to disk but am open to other ways of doing this. How do I test this installation? The ideal way would be for me to run an exploit but I do not have that capability. I did try a port scan but did not see any alerts. I may not have suricata configured correctly so am happy to ask in the appropriate forum.
Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Dec 17, 2019 5:09 am

I believe that will work going through a file...here is how I start my instance of suricata:

nohup /usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin &

So pipe the output of tzsp2pcap into suricata through stdin.

If you ran a port scan, and those ports are open at the mikrotik, you should see suricata fire a rule. Maybe open up one or more of the of the ports during the time you are running the port scan?
Hi Tom,
https://bløgg.no/2015/03/ids-with-mikrotik-and-snort/ did the trick in terms of getting packets. I believe my streaming is working but now, do I use snort and then send to suricata? Sorry, I remain puzzled about the pipeline here. I plan to implement the IPS functionality but will use IDS and tune it first.

What I have done so far is to have the tzsp2pcap utility log packets to a directory and have suricata read the packets from that directory.
sudo tzsp2pcap -o "/home/pranav/pcap/file_%s.pcap" -G 10
I have then run suricata like this.
sudo suricata -c /etc/suricata/suricata.yaml -r /home/pranav/pcap --pcap-file-continuous --pcap-file-delete

I am ok with the writing to disk but am open to other ways of doing this. How do I test this installation? The ideal way would be for me to run an exploit but I do not have that capability. I did try a port scan but did not see any alerts. I may not have suricata configured correctly so am happy to ask in the appropriate forum.
Pranav
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Dec 17, 2019 5:28 pm

Hi Tom,
Many thanks. I tried reading the output of tzsp2pcap from the command line and suricata launched without a problem How have you defined your network? I went to /interface on my mikrotik, and specified the different address ranges I have. Something like
192.168.88.0/24, 192.168.3.0/24

I ask because I have tried port scanning and no alert has been triggered. Moreover, the stats.log file is also empty so something is not working.
Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Dec 18, 2019 2:27 am

Your sniffer streaming from the mikrotik is set up and you are seeing data? Your streaming server is your suricata host? The interface is the port connected to your ISP?

/tool sniffer set filter-interface=ether1 filter-ip-address=!1.2.3.4/32 filter-stream=yes streaming-enabled=yes streaming-server=192.168.3.1
Hi Tom,
Many thanks. I tried reading the output of tzsp2pcap from the command line and suricata launched without a problem How have you defined your network? I went to /interface on my mikrotik, and specified the different address ranges I have. Something like
192.168.88.0/24, 192.168.3.0/24

I ask because I have tried port scanning and no alert has been triggered. Moreover, the stats.log file is also empty so something is not working.
Pranav
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Dec 18, 2019 4:41 pm

Hi Tom,
Your sniffer streaming from the mikrotik is set up and you are seeing data?
PL] Yes.
Your streaming server is your suricata host?
PL] Yes.
The interface is the port connected to your ISP?
PL] Ahem, I have a pppoe connection so that is the interface I have defined for sniffing. Should I define the physical port instead?

[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: 192.168.3.2
filter-stream: yes
filter-interface: airtel
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes
[pranav1@ConShield] /tool sniffer>
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Dec 19, 2019 2:13 am

Hi Tom,
Your sniffer streaming from the mikrotik is set up and you are seeing data?
PL] Yes.
Your streaming server is your suricata host?
PL] Yes.
The interface is the port connected to your ISP?
PL] Ahem, I have a pppoe connection so that is the interface I have defined for sniffing. Should I define the physical port instead?

[pranav1@ConShield] /tool sniffer> print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: 192.168.3.2
filter-stream: yes
filter-interface: airtel
filter-mac-address:
filter-mac-protocol:
filter-ip-address:
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes
[pranav1@ConShield] /tool sniffer>
OK, just wanted to make sure you are getting data. Which version of suricata are you running?
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Dec 19, 2019 7:35 pm

Hi Tom,
I suspect the problem was that I was using the pppoe interface. https://groups.google.com/forum/#!topic ... UUNgIGqsv4
gave me a clue;
I have run the test script mentioned at the above URL and am getting alerts ever since I set the sniffer interface to ether1 on the Mikrotik.

Many thanks for your help.
Pranav
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 20, 2019 3:24 am

Glad you got it working Pranav!
Hi Tom,
I suspect the problem was that I was using the pppoe interface. https://groups.google.com/forum/#!topic ... UUNgIGqsv4
gave me a clue;
I have run the test script mentioned at the above URL and am getting alerts ever since I set the sniffer interface to ether1 on the Mikrotik.

Many thanks for your help.
Pranav
 
G00dm4n
newbie
Posts: 35
Joined: Sat Oct 20, 2018 1:07 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Jun 14, 2020 3:17 am

Hi guys,

I find here some info for using Suricata IDS/IPS with Mikrotik.
I also found there's a good build from Stamus Networks who is good and stable - SELKS.
Can someone post more straight and updated manual of using Microtik together with SELKS5 or SELKS6 RC1.
I prefer we get straight to latest - SELKS6 Release Candidate 1. All is same as SELKS5, just some names and places of the scripts can be different.
(Later we can do extended manual how to build proper and efficient Suricata instlation for users who not prefer using SELKS ISO.)
Since Sniffer tool in Mikrotik is pretty straight forward to set up we can just skip this... but here it is:
tool sniffer
set file-limit=0KiB filter-interface=<THE_INTERFACE_WHICH_TRAFFIC_YOU_WILL_SEND> memory-limit=0KiB streaming-enabled=yes streaming-server=<IP_OF_YOUR_SELKS_SERVER>

The SELKS part from another side is a bit more foggy to be set.
The installation is straight forward, but nobody care to explain a good way and method how to use it together with Mikrotik.
So why we don't make it?

What I have get straight until now is:
1. Install SELKS on VM/x86/RaspberyPI B
Suggested minimum configuration is with 2 core CPU, 8GB RAM and at least 50GB Disk space.
2. Do inital SELKS setup by the scripts
2.1. First time run: selks-first-time-setup_stamus
2.2. Upgrade: selks-upgrade_stamus
3. Check and modify the configs by your needs regarding page below
https://github.com/StamusNetworks/SELKS ... time-setup
4. Install the converter from TZSP to PCAP so Surikata understand the stream from Mikrotik
4.1. Using trafr (just consider this is written ib 2004 and is 32bit)
dpkg --add-architecture i386
cd /usr/local/sbin
wget http://www.mikrotik.com/download/trafr.tgz
tar -xf /usr/local/sbin/trafr.tgz
chmod u+x trafr
chown root.root trafr

4.2. Using tzsp2pcap
apt-get install build-essential libpcap0.8-dev
cd /usr/local/sbin
git clone https://github.com/thefloweringash/tzsp2pcap
cd /usr/local/sbin/tzsp2pcap
cc -std=gnu99 -o tzsp2pcap -Wall -Wextra -pedantic -O2 -lpcap tzsp2pcap.c
mv tzsp2pcap /usr/local/sbin/

5. Start capturing the data
5.1. Using trafr
/usr/local/sbin/trafr -s | suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
5.2. Using tzsp2pcap
nohup /usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin &

Here I come to the point I have to put this command in a bash script which supposed to run on startup. (will update it)

From this onward I don't get the clear picture what and how to do it.
By this I meant,
-in which mode to set Suricata initially,
-where to create files for the rules that to be send to Mikrotik router,
-what to do so capturing to start proper after reboot,
-does SELKS6 indeed need the data stream conversion,


I know there's some posts here by TomFisk but they are not very clear and have plenty of "jump here and there".
Also please put your comments and suggestions how we can do this better and more agile.
My idea is to avoid using any cumbersome hardware and keep good performance.
If we can go down to something as NUC or ALIX PC or even RaspberyPI - the smaller, the better.
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Jun 14, 2020 4:26 am

Hi,

So what problem are you trying to solve? SELKS is an IDS/IPS reporting/visualization and management platform that uses Suricata to implement network firewall rules. There is nothing inherent in Suricata to implement the firewall rules through a Microtik device. SELKS doesn't change that. That is why I developed the method described in this post.

Tom
Hi guys,

I find here some info for using Suricata IDS/IPS with Mikrotik.
I also found there's a good build from Stamus Networks who is good and stable - SELKS.
Can someone post more straight and updated manual of using Microtik together with SELKS5 or SELKS6 RC1.
I prefer we get straight to latest - SELKS6 Release Candidate 1. All is same as SELKS5, just some names and places of the scripts can be different.
(Later we can do extended manual how to build proper and efficient Suricata instlation for users who not prefer using SELKS ISO.)
Since Sniffer tool in Mikrotik is pretty straight forward to set up we can just skip this... but here it is:
tool sniffer
set file-limit=0KiB filter-interface=<THE_INTERFACE_WHICH_TRAFFIC_YOU_WILL_SEND> memory-limit=0KiB streaming-enabled=yes streaming-server=<IP_OF_YOUR_SELKS_SERVER>

The SELKS part from another side is a bit more foggy to be set.
The installation is straight forward, but nobody care to explain a good way and method how to use it together with Mikrotik.
So why we don't make it?

What I have get straight until now is:
1. Install SELKS on VM/x86/RaspberyPI B
Suggested minimum configuration is with 2 core CPU, 8GB RAM and at least 50GB Disk space.
2. Do inital SELKS setup by the scripts
2.1. First time run: selks-first-time-setup_stamus
2.2. Upgrade: selks-upgrade_stamus
3. Check and modify the configs by your needs regarding page below
https://github.com/StamusNetworks/SELKS ... time-setup
4. Install the converter from TZSP to PCAP so Surikata understand the stream from Mikrotik
4.1. Using trafr (just consider this is written ib 2004 and is 32bit)
dpkg --add-architecture i386
cd /usr/local/sbin
wget http://www.mikrotik.com/download/trafr.tgz
tar -xf /usr/local/sbin/trafr.tgz
chmod u+x trafr
chown root.root trafr

4.2. Using tzsp2pcap
apt-get install build-essential libpcap0.8-dev
cd /usr/local/sbin
git clone https://github.com/thefloweringash/tzsp2pcap
cd /usr/local/sbin/tzsp2pcap
cc -std=gnu99 -o tzsp2pcap -Wall -Wextra -pedantic -O2 -lpcap tzsp2pcap.c
mv tzsp2pcap /usr/local/sbin/

5. Start capturing the data
5.1. Using trafr
/usr/local/sbin/trafr -s | suricata -c /etc/suricata/suricata.yaml --runmode autofp -v -r /dev/stdin
5.2. Using tzsp2pcap
nohup /usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin &

Here I come to the point I have to put this command in a bash script which supposed to run on startup. (will update it)

From this onward I don't get the clear picture what and how to do it.
By this I meant,
-in which mode to set Suricata initially,
-where to create files for the rules that to be send to Mikrotik router,
-what to do so capturing to start proper after reboot,
-does SELKS6 indeed need the data stream conversion,


I know there's some posts here by TomFisk but they are not very clear and have plenty of "jump here and there".
Also please put your comments and suggestions how we can do this better and more agile.
My idea is to avoid using any cumbersome hardware and keep good performance.
If we can go down to something as NUC or ALIX PC or even RaspberyPI - the smaller, the better.
 
G00dm4n
newbie
Posts: 35
Joined: Sat Oct 20, 2018 1:07 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Jun 14, 2020 12:01 pm

Hi TomFisk,

I see your point.
Maybe you can help me to do step-by-step list what and how to use your methid with SELKS.
As you pointed additional components in SELKS really add lot of load.
I am also interested to use minimum install - just Suricata + necessary interfaces so this can be implemented on low power PC as RaspberyPi and NUC.
Can you help me with this?
The issue is that in the thread here you guys jump directly to solving practical issues. Even I know pretty much how the IDS works and so I miss your points why some things are done.
Also I will appreciate to know exact minimal install configuration, where to set some of files and so on.
Sorry if I look a bit crazy with my demands. But we really need more straight forward method.
I have some resources and at the moment I have time to help with testings.
So why we not try?
Maybe not only Suricata/SELKS... we can try anything useful.
I just need some guidance as I am not getting why and what to do with this Python/PHP ...
 
tomfisk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 16, 2020 12:12 pm

There is someone who used this work as the basis of a github project, https://github.com/elmaxid/ips-mikrotik-suricata
Hi TomFisk,

I see your point.
Maybe you can help me to do step-by-step list what and how to use your methid with SELKS.
As you pointed additional components in SELKS really add lot of load.
I am also interested to use minimum install - just Suricata + necessary interfaces so this can be implemented on low power PC as RaspberyPi and NUC.
Can you help me with this?
The issue is that in the thread here you guys jump directly to solving practical issues. Even I know pretty much how the IDS works and so I miss your points why some things are done.
Also I will appreciate to know exact minimal install configuration, where to set some of files and so on.
Sorry if I look a bit crazy with my demands. But we really need more straight forward method.
I have some resources and at the moment I have time to help with testings.
So why we not try?
Maybe not only Suricata/SELKS... we can try anything useful.
I just need some guidance as I am not getting why and what to do with this Python/PHP ...
 
zbe
just joined
Posts: 1
Joined: Wed Oct 16, 2019 10:13 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 16, 2020 7:58 pm

As a part of my python-learning process I tried to make something similar to your fast2mikrotik but in python. All you need is python-librouteros, python-pyinotify and python-ujson.
It's reading from separate eve-log named alerts.json instead of fast.log. So you need to add that in suricata.yaml. It's also checking for router's uptime and adds whole file in case router has been up for less than 10 minutes. I'm just testing this on raspberry pi where I'm port-mirroring.
Anyway, there's probably some stupid code in here, so if anyone needs it - take it for what it's worth. :P

Edit: Need to add some kind of checking if api connection is already open or else it keeps opening new ones. (added api.close() for now)
#!/usr/bin/env python3

#
# Script for adding alerts from Suricata to Mikrotik routers. 
#
# In suricata.yaml add another eve-log:  
#  - eve-log:
#      enabled: yes
#      filetype: regular
#      filename: alerts.json
#      types:
#        - alert
#

import ssl
import librouteros
from librouteros import connect
from librouteros.query import Key
import ujson
import pyinotify
import re
from time import sleep
from datetime import datetime as dt, timedelta as td, timezone as tz
import os

# Edit these settings:
USERNAME = "suricata"
PASSWORD = "suricata123"
ROUTER_IP = "192.168.88.1"
TIMEOUT = "1d"
PORT = 8729  # api-ssl port
FILEPATH = os.path.abspath("/var/log/suricata/alerts.json")
ROUTER_LIST_NAME = "Suricata"
WAN_IP = "n/a"  # You can add your WAN IP if you are port-mirroring, so it doesn't get mistakenly added. (don't leave empty string)
LOCAL_IP_PREFIX = "192.168."
WHITELIST_IPS = (WAN_IP, LOCAL_IP_PREFIX, "127.0.0.1")
COMMENT_TIME_FORMAT = "%-d %b %Y %H:%M:%S.%f"  # Check datetime strftime formats

# Add all alerts from alerts.json on start?
# Setting this to True will start reading alerts.json from beginning
# and will add whole file to firewall when pyinotify is triggered.
# Just for testing purposes, i.e. not good for systemd service.
ADD_ON_START = False


class EventHandler(pyinotify.ProcessEvent):
    def process_IN_MODIFY(self, event):
        add_to_tik(read_json(FILEPATH))
        check_truncated(FILEPATH)

def check_truncated(fpath):  # Check if logrotate truncated file. (Use 'copytruncate' option for this to work I guess.)
    global last_pos
    
    if last_pos > os.path.getsize(fpath):
        last_pos = 0
    
def seek_to_end(fpath):
    global last_pos
    
    if not ADD_ON_START:
        while True:
            try:
                last_pos = os.path.getsize(fpath)
                return

            except(FileNotFoundError):
                print(f"File: {fpath} not found. Re-trying in 10 seconds..")
                sleep(10)
                continue

def read_json(fpath):
    global last_pos
    
    while True:
        try:
            with open(fpath, "r") as f:
                f.seek(last_pos)
                alerts = [ujson.loads(line) for line in f.readlines()]
                last_pos = f.tell()
                return alerts

        except(FileNotFoundError):
            print(f"File: {fpath} not found. Re-trying in 10 seconds..")
            sleep(10)
            continue
        
def add_to_tik(alerts):
    global last_pos
    global time
    
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.set_ciphers('ADH:@SECLEVEL=0')
    
    _address = Key("address")
    _id = Key(".id")
    _list = Key("list")
    
    while True:
        try:
            api = connect(username=USERNAME, password=PASSWORD, host=ROUTER_IP, ssl_wrapper=ctx.wrap_socket, port=PORT)
            break
        
        except librouteros.exceptions.TrapError as e:
            if "invalid user name or password" in str(e):
                print("Invalid username or password.")
            else:
                raise
                
        except ConnectionRefusedError:
            print("Connection refused. (api-ssl disabled in router?)")
        
        except OSError as e:
            if "[Errno 113] No route to host" in str(e):
                print("No route to host. Re-trying in 10 seconds..")
                sleep(10)
                continue
            else:
                raise

    address_list = api.path("/ip/firewall/address-list")
    resources = api.path("system/resource")

    for event in { item['src_ip'] : item for item in alerts }.values():  # Remove duplicate src_ips.
        timestamp = dt.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").strftime(COMMENT_TIME_FORMAT)
        
        if event["src_ip"].startswith(WHITELIST_IPS):  # If you are source ip, then add destination ip.
            if event["dest_ip"].startswith(WHITELIST_IPS):  
                continue  # Skip adding anything if both source and destination ips are from WHITELIST_IPS. (just in case)
            
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):  # If such entry already exists, delete it and re-add.
                    for row in address_list.select(_id, _list, _address).where(_address == event["dest_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                
                    address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
            
        else:  # Add source ip.
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):
                    for row in address_list.select(_id, _list, _address).where(_address == event["src_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                        
                    address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
    # If router has been rebooted in past 10 minutes, add whole file, then wait for 10 minutes. (so rules don't get constantly re-added for 10 minutes)
    if check_tik_uptime(resources) and (dt.now(tz.utc) - time) / td(minutes=1) > 10:
        time = dt.now(tz.utc)
        last_pos = 0
        add_to_tik(read_json(FILEPATH))

    api.close()
        
def check_tik_uptime(resources):  # Check if router has been up for less than 10 minutes
    for row in resources:
        uptime = row["uptime"]
   
    if any(letter in uptime for letter in "wdh"):  # If "w", "d" or "h" is in uptime then router is obviously up for more than 10 minutes.
        return False
    
    if "m" in uptime:
        minutes = int(re.search("(\A|\D)(\d*)m", uptime).group(2))  # Find numbers in front of "m".
    else:
        minutes = 0
        
    if minutes >= 10:
        return False
    
    return True

if __name__ == "__main__":
    time = dt.now(tz.utc) - td(minutes=10)  # Set time to 10 minutes before now, so "(dt.now(tz.utc) - time) / td(minutes=1) > 10" is True the first time around.
    last_pos = 0
    seek_to_end(FILEPATH)

    wm = pyinotify.WatchManager()
    handler = EventHandler()
    notifier = pyinotify.Notifier(wm, handler)
    wm.add_watch(FILEPATH, pyinotify.IN_MODIFY)
    notifier.loop()
Edit 2: Ok I changed it a bit so it doesn't pollute log with 'logged in' 'logged out' - it stays connected. Hope this is last edit. :p
#!/usr/bin/env python3

#
# Script for adding alerts from Suricata to Mikrotik routers. 
#
# In suricata.yaml add another eve-log:  
#  - eve-log:
#      enabled: yes
#      filetype: regular
#      filename: alerts.json
#      types:
#        - alert
#

import ssl
import librouteros
from librouteros import connect
from librouteros.query import Key
import ujson
import pyinotify
import re
from time import sleep
from datetime import datetime as dt, timedelta as td, timezone as tz
import os

# Edit these settings:
USERNAME = "suricata"
PASSWORD = "suricata123"
ROUTER_IP = "192.168.88.1"
TIMEOUT = "1d"
PORT = 8729  # api-ssl port
FILEPATH = os.path.abspath("/var/log/suricata/alerts.json")
ROUTER_LIST_NAME = "Suricata"
WAN_IP = "n/a"  # You can add your WAN IP if you are port-mirroring, so it doesn't get mistakenly added. (don't leave empty string)
LOCAL_IP_PREFIX = "192.168."
WHITELIST_IPS = (WAN_IP, LOCAL_IP_PREFIX, "127.0.0.1")  # You can expand this list 
COMMENT_TIME_FORMAT = "%-d %b %Y %H:%M:%S.%f"  # Check datetime strftime formats

# Add all alerts from alerts.json on start?
# Setting this to True will start reading alerts.json from beginning
# and will add whole file to firewall when pyinotify is triggered.
# Just for testing purposes, i.e. not good for systemd service.
ADD_ON_START = False

class EventHandler(pyinotify.ProcessEvent):
    def process_IN_MODIFY(self, event):
        try:
            add_to_tik(read_json(FILEPATH))            
        except ConnectionError:
            connect_to_tik()
            
        check_truncated(FILEPATH)

def check_truncated(fpath):  # Check if logrotate truncated file. (Use 'copytruncate' option for this to work I guess.)
    global last_pos
    
    if last_pos > os.path.getsize(fpath):
        last_pos = 0
    
def seek_to_end(fpath):
    global last_pos
    
    if not ADD_ON_START:
        while True:
            try:
                last_pos = os.path.getsize(fpath)
                return

            except(FileNotFoundError):
                print(f"File: {fpath} not found. Re-trying in 10 seconds..")
                sleep(10)
                continue

def read_json(fpath):
    global last_pos
    
    while True:
        try:
            with open(fpath, "r") as f:
                f.seek(last_pos)
                alerts = [ujson.loads(line) for line in f.readlines()]
                last_pos = f.tell()
                return alerts

        except(FileNotFoundError):
            print(f"File: {fpath} not found. Re-trying in 10 seconds..")
            sleep(10)
            continue
        
def add_to_tik(alerts):
    global last_pos
    global time
    global api
    
    _address = Key("address")
    _id = Key(".id")
    _list = Key("list")
 
    address_list = api.path("/ip/firewall/address-list")
    resources = api.path("system/resource")

    for event in { item['src_ip'] : item for item in alerts }.values():  # Remove duplicate src_ips.
        timestamp = dt.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").strftime(COMMENT_TIME_FORMAT)
        
        if event["src_ip"].startswith(WHITELIST_IPS):  # If you are source ip, then add destination ip.
            if event["dest_ip"].startswith(WHITELIST_IPS):  
                continue  # Skip adding anything if both source and destination ips are from WHITELIST_IPS. (just in case)
            
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):  # If such entry already exists, delete it and re-add.
                    for row in address_list.select(_id, _list, _address).where(_address == event["dest_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                
                    address_list.add(list=ROUTER_LIST_NAME, address=event["dest_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: SPort: {event.get('src_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
            
        else:  # Add source ip.
            try:
                address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
            except librouteros.exceptions.TrapError as e:
                if "failure: already have such entry" in str(e):
                    for row in address_list.select(_id, _list, _address).where(_address == event["src_ip"], _list == ROUTER_LIST_NAME):
                        address_list.remove(row[".id"])
                        
                    address_list.add(list=ROUTER_LIST_NAME, address=event["src_ip"], comment=f"[{event['alert']['gid']}:{event['alert']['signature_id']}] {event['alert']['signature']} ::: DPort: {event.get('dest_port')}/{event['proto']} ::: timestamp: {timestamp}", timeout=TIMEOUT)
                
                else:
                    raise
    # If router has been rebooted in past 10 minutes, add whole file, then wait for 10 minutes. (so rules don't get constantly re-added for 10 minutes)
    if check_tik_uptime(resources) and (dt.now(tz.utc) - time) / td(minutes=1) > 10:
        time = dt.now(tz.utc)
        last_pos = 0
        add_to_tik(read_json(FILEPATH))


def check_tik_uptime(resources):  # Check if router has been up for less than 10 minutes
    for row in resources:
        uptime = row["uptime"]
   
    if any(letter in uptime for letter in "wdh"):  # If "w", "d" or "h" is in uptime then router is obviously up for more than 10 minutes.
        return False
    
    if "m" in uptime:
        minutes = int(re.search("(\A|\D)(\d*)m", uptime).group(2))  # Find numbers in front of "m".
    else:
        minutes = 0
        
    if minutes >= 10:
        return False
    
    return True

def connect_to_tik():
    global api
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.set_ciphers('ADH:@SECLEVEL=0')

    while True:
        try:
            api = connect(username=USERNAME, password=PASSWORD, host=ROUTER_IP, ssl_wrapper=ctx.wrap_socket, port=PORT)
            break
        
        except librouteros.exceptions.TrapError as e:
            if "invalid user name or password" in str(e):
                print("Invalid username or password.")
            else:
                raise
                
        except ConnectionRefusedError:
            print("Connection refused. (api-ssl disabled in router?)")
        
        except OSError as e:
            if "[Errno 113] No route to host" in str(e):
                print("No route to host. Re-trying in 10 seconds..")
                sleep(10)
                continue
            else:
                raise

if __name__ == "__main__":
    time = dt.now(tz.utc) - td(minutes=10)  # Set time to 10 minutes before now, so "(dt.now(tz.utc) - time) / td(minutes=1) > 10" is True the first time around.
    last_pos = 0
    seek_to_end(FILEPATH)    
    connect_to_tik()

    wm = pyinotify.WatchManager()
    handler = EventHandler()
    notifier = pyinotify.Notifier(wm, handler)
    wm.add_watch(FILEPATH, pyinotify.IN_MODIFY)
    notifier.loop()

Edit 3.1: Here is github link: https://github.com/zzbe/mikrocata Fixed/edited few things. Added option to add other lists you might have after reboot, added ignore.conf for ignoring rules.
Last edited by zbe on Wed Aug 05, 2020 6:37 am, edited 5 times in total.
 
G00dm4n
newbie
Posts: 35
Joined: Sat Oct 20, 2018 1:07 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Jun 20, 2020 3:30 am

Thanks,

I will do some testing when I have time.
In this funny times I have been summoned to join with my team.
After listening that we will start probably at September or so I was requested to join in few days.
Have to put on hold some of my projects for a while.
Will reply ASAP.
 
MTv
just joined
Posts: 9
Joined: Tue Oct 20, 2020 9:39 am
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sat Oct 24, 2020 10:19 pm

Thanks zbe for your script. I wrote a mini instruction for setting up Suricata in conjunction with ROS+Mikrocata on Debian Buster.
 
pitterbrayn
just joined
Posts: 2
Joined: Tue Jan 12, 2021 3:24 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jan 12, 2021 3:27 pm

Sorry for being lazy. But does any one have pre-configured image, which supports to install it and change minor configurations like IP address, username and password?
 
pingpong1428
just joined
Posts: 4
Joined: Tue May 04, 2021 11:00 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 11, 2021 5:59 pm

Hello Im using instructions from Tom script fast2 and it works nice, i can writte to mikrotik adress list perfectly.
Im using Por sniffer as instructed, but i cannot when y try to trigger some alerts from other computers on the network, nothing happens.
Only the test i made from server.

i dont know if im making a mistake with the sniffer or what.

any help would be apreciate

Regards
 
pingpong1428
just joined
Posts: 4
Joined: Tue May 04, 2021 11:00 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue May 11, 2021 10:04 pm

ok after reading more i use this https://robert.penz.name/849/howto-setu ... ta-as-ids/

and finally been able to install trafr

now if i made trafr -s | tcpdump -r - -n

im seeing lots of info coming from mikrotik packer sniffer

but when i try to run.

trafr -s | suricata -c /etc/suricata/suricata.yaml -r -

i reiceve

root@suricata1:~# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
11/5/2021 -- 16:03:42 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - ERROR: Pcap file does not exist


any help, thanks.
 
foresthus
just joined
Posts: 4
Joined: Mon Apr 12, 2021 12:02 am

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Jul 16, 2021 2:38 pm

Are there admins who can share an actual docomentation for this issue. It would be nice if it is in english.

thnx
 
MTv
just joined
Posts: 9
Joined: Tue Oct 20, 2020 9:39 am
Contact:

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Aug 04, 2021 2:56 pm

Made a simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking.
#!/usr/bin/env bash

# Bashcata Variables;
router="" # mikrotik ip;
login="" # user for connect to mikrotik;
privatekey="/root/.ssh/mik_rsa" # private key for ssh;
fw_list="idps_alert" # name firewall list;
fw_timeout="7" # days ban ip;

# - #
script_dir="$(dirname "$(readlink -f "$0")")"
alerts_file="/var/log/suricata/alerts.json"
pid_suricata="$(pidof suricata)"
white_list="${script_dir}/white.list"
mark_ip="${script_dir}/mark.ip"
# - #

# Check files;
if [ ! -e "${white_list}" ]; then touch "${white_list}" ; echo -e "# src_ip\n\n# signature_id" > "${white_list}" ; fi
if [ ! -e "${mark_ip}" ]; then touch "${mark_ip}" ; fi

# Setting the logger utility function;
function logger() {
    find "${script_dir}"/ -maxdepth 1 -name "*.log" -size +100k -exec rm -f {} \;
    echo -e "[$(date "+%d.%m.%Y / %H:%M:%S")]: $1" >> "${script_dir}"/"bash_cata.log"
}

# Tail Conveyor;
tail -q -f "${alerts_file}" --pid="$pid_suricata" -n 500 | while read -r LINE; do

# Parsing Json file via jq;
alerts="$(echo "${LINE}" | jq -c '[.timestamp, .src_ip, .dest_ip, .dest_port, .proto, .alert .signature_id, .alert .signature, .alert .category]' | sed 's/^.//g; s/"//g; s/]//g')"

# White List;
check_list () {
    wl="false"
    if grep -q -E "${src_ip}|${signature_id}" "${white_list}"; then wl="true" ; fi
}

# Mark IP;
check_ip () {
    new_ip="false"
    check_timestamp="$(awk -v t=$(date -d"-${fw_timeout} day" +%Y-%m-%dT%H:%M:%S) '$2<t' "${mark_ip}")"
    for ct in $check_timestamp ; do
        sed -i "/${ct}/d" "${mark_ip}"
    done
    if ! grep -q "${src_ip}" "${mark_ip}"; then new_ip="true" ; echo "${src_ip}, ${timestamp::-12}" >> "${mark_ip}" ; fi
}

# Ban IP;
mik_ban_ip () {
    if [ "$new_ip" = "true" ]; then
        #echo ":: $src_ip :: $dest_ip:$dest_port/$proto :: $signature_id ::"
        comment_mbi=":: $dest_ip:$dest_port/$proto :: [$signature_id] :: $signature :: $category ::"
        cmd_mbi='/ip firewall address-list add list="'${fw_list}'" address="'${src_ip}'" timeout="'${fw_timeout}d'" comment="'$comment_mbi'"'
        if ! else_error_mbi="$(ssh -n -o ConnectTimeout=3 "${login}"@"${router}" -i "${privatekey}" "${cmd_mbi}" 2>&1)"; then
            logger "[!] [@mik_ban_ip] — [:: $src_ip :: $dest_ip:$dest_port/$proto :: $signature_id ::] — Ошибка - ${else_error_mbi}."
            sed -i "/${src_ip}/d" "${mark_ip}"
        fi
    fi
}

for alert in $alerts; do
    IFS=$'\n'
    IFS="," read -r timestamp src_ip dest_ip dest_port proto signature_id signature category <<< "$alert"
    check_list ; if [ "$wl" = "true" ] ; then continue ; fi
    check_ip
    mik_ban_ip
done

done
https://github.com/isMTv/bash_cata
 
OlofL
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Sun Feb 13, 2022 12:58 pm

I have not tested RoS7 and containers since they pulled before hitting stable?

But this seems a bit overkill now that Suricata can be ran inside containers and hopefully containers will be back in RoS7 soon? :)
 
OlofL
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Tue Jun 21, 2022 11:59 am

Anyone tested this with 7.4beta4 and containers?
 
fewdenis
just joined
Posts: 3
Joined: Fri Apr 26, 2019 1:00 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wed Nov 30, 2022 6:17 pm

Maybe this can help u:
https://github.com/angolo40/mikrocata2selks
I created this script (based on https://github.com/zzbe/mikrocata ) to help install TZSP interface on debian for connection between Mikrotik and Suricata.
It uses a debian distro from Selks (Suricata and Elk stack).
Also will send Telegram notification.
 
ffries
Member Candidate
Member Candidate
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Fri Dec 30, 2022 5:22 pm

Hello,

Thank you for the hard work and happy new year.

I would like to set up SELKS IDS to monitor a Mikrotik CR2004 router (without active response).
I am planning to run a dedicated server for SELKS with KVM.

Before anything, I need to understand:
1) Should I install a complete Debian system with SELKS on KVM vitualisation or should I use Docker?
2) How to integrate Mikrotik sniffer with SELKS using pcap?
https://help.mikrotik.com/docs/display/ ... et+Sniffer
packets are streamed using Tazmen Sniffer Protocol (TZSP) stream receiver.
So I need https://github.com/thefloweringash/tzsp2pcap with SELKS.
Will tzsp2pcap run inside Docker?

Thank you for your kind answer.
 
An5teifo
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thu Feb 09, 2023 2:41 pm

Hello there,

yesterday I installed SELKS and connected it with my Mikrotik --> viewtopic.php?t=193417

Who is online

Users browsing this forum: outtahere and 77 guests