Howto setup a Mikrotik RouterOS with Suricata as IDS

June 1, 2014

Lets say you’ve a Mikrotik router as your internet router and you would like to detect bad traffic that is going over it, so basically you would like to have an IDS (Intrusion detection system). This article shows how you can setup a IDS with a Mikrotik router and Suricata running on a Ubuntu 14.04 (but it runs on any other Linux). This is no high performance setup for 10Gbit links, as in this case you would use a SPAN port a manged switch and you would need to tune the drivers, Linux and Suricata a bit (a lot actually for 10Gbit … and the server hardware is not cheap/small). This setup is for the SOHO (small office home office) space where you use the Mikrotik as your Internet router, be it for Cable or DSL. I use this setup at home and I’ve installed Ubuntu 14.04 64bit Server as virtual machine on my home server. No special switch or hardware is required as we facilitate the TaZmen Sniffer Protocol (TZSP) which is supported by Mikrotik. It is even possible to sent the data over a Layer-3 connection, you just need the bandwidth for the traffic you want to sent to Suricata.

I assume that Ubuntu 14.04 is installed (minimal server install is recommended).

Mikrotik Setup

You just need to configure it to copy the traffic to the Linux server with these commands:

/tool sniffer set filter-stream=yes streaming-enabled=yes
/tool sniffer start is the IP of the Linux server

Basic Suricata Setup

First we change into the super user mode for every command we execute later:

sudo bash

Now we add the stable Suricata PPA to our system. At the time of writing the stable version is 2.0.1.

add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt-get install suricata oinkmaster

Now we download the open/free Emerging Threats rules for the first tests. (There are also commercial rules available.)

cd /etc/suricata/
tar -xzf emerging.rules.tar.gz

We use the reference.config from ET:

mv reference.config reference.config.orig
ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config

And we need to create one file and one directory:

touch /etc/suricata/threshold.config
mkdir /var/log/suricata

In the 2.0.1 packages one file got forgotten, so check if it is also missing in your version and if so download it manually.

ll /etc/suricata/rules/dns-events.rules

If it is missing … do following:

cd /etc/suricata/rules

Test Suricata alone

To make the first test call it like this (wait for some minutes):

suricata -c /etc/suricata/suricata.yaml -i eth0

you should get some files in /var/log/suricata

root@nids:/var/log/suricata# ll
total 364
drwxr-xr-x  2 root root     4096 Jun  1 13:45 ./
drwxrwxr-x 10 root syslog   4096 Jun  1 13:32 ../
-rw-r--r--  1 root root    46195 Jun  1 13:51 eve.json
-rw-r--r--  1 root root    25138 Jun  1 13:51 fast.log
-rw-r--r--  1 root root        0 Jun  1 13:36 http.log
-rw-r--r--  1 root root   236014 Jun  1 13:51 stats.log
-rw-r--r--  1 root root     1846 Jun  1 13:36 unified2.alert.1401622567
-rw-r--r--  1 root root    42445 Jun  1 13:51 unified2.alert.1401623113

Test the Mikrotik sniffer stream

Check if you get traffic by first downloading trafr from here and copy it to /usr/local/bin and extract and test it like this:

cd /usr/local/bin/
tar xzf trafr.tgz

If you get -bash: ./trafr: No such file or directory, take a look at this post.  Now check with tcpdump if you’re getting any packets (hit CTRL-C to stop)

trafr -s | tcpdump -r - -n

If you don’t get packets something is wrong with the Mikrotik setup or the packets getting filtered/blocked.

Connect Suricata with Mikrotik sniffer stream

I assume that you got packets and are now ready for your first run of Suricata with the Mikrotik sniffer stream. Just enter following command …

trafr -s | suricata -c /etc/suricata/suricata.yaml -r -

.. and open a second console and type following

tail -f /var/log/suricata/fast.log

your should see output like this (this are just examples)

06/01/2014-14:50:22.703188 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} ->
06/01/2014-14:57:16.608473 [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} ->
06/01/2014-15:26:03.601539 [**] [1:2006380:13] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} ->

If you got also some entries its good, it works – we need to make it permanent now.

Auto-Update ET Rules

Now that every works we need to configure it in a way to get new rules every night. For this we add following line at the end of /etc/oinkmaster.conf

url =

To test it we run following command:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

So the config works we create /etc/cron.daily/suricataUpdateRules with following content:

/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |& grep -i "error" > /dev/null
/bin/kill -USR2 `pidof suricata`

After we created it we need to make it executable:

chmod 755 /etc/cron.daily/suricataUpdateRules

Init Script

The last step is to make a init script so everything is started automatically, for this create a file /etc/init/suricata.conf with following content:

# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
expect fork
exec /usr/local/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml -r - &

Stop the test Suricata command and try it with the init script:

start suricata

You should get something like this:

suricata start/running, process 8003

But to make sure everything is really running, call

ps aux | grep -E "(suri|trafr)"

and you should get following output:

root      8003  0.1  0.0   2020   272 ?        S    14:50   0:00 trafr -s
root      8005  8.8 17.5 841852 360556 ?       Sl   14:50   0:15 suricata -c /etc/suricata/suricata.yaml -r -

And that’s it. Your IDS is running in a basic configuration. You now need to tune your rules and maybe you want to install a Web GUI for your IDS. I can recommend following to look at:

1 Comment »

RSS feed for comments on this post. TrackBack URI

  1. […] you most likely know I’m running NIDS (Network Intrusion detection systems) to monitor the traffic going into and […]

    Pingback by Forum deanonymizes users – on purpose or hacked? | Robert Penz Blog — February 9, 2015 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 69 queries. 0.240 seconds.