Howto setup a Mikrotik RouterOS with Suricata as IDS
June 1, 2014
Lets say you’ve a Mikrotik router as your internet router and you would like to detect bad traffic that is going over it, so basically you would like to have an IDS (Intrusion detection system). This article shows how you can setup a IDS with a Mikrotik router and Suricata running on a Ubuntu 14.04 (but it runs on any other Linux). This is no high performance setup for 10Gbit links, as in this case you would use a SPAN port a manged switch and you would need to tune the drivers, Linux and Suricata a bit (a lot actually for 10Gbit … and the server hardware is not cheap/small). This setup is for the SOHO (small office home office) space where you use the Mikrotik as your Internet router, be it for Cable or DSL. I use this setup at home and I’ve installed Ubuntu 14.04 64bit Server as virtual machine on my home server. No special switch or hardware is required as we facilitate the TaZmen Sniffer Protocol (TZSP) which is supported by Mikrotik. It is even possible to sent the data over a Layer-3 connection, you just need the bandwidth for the traffic you want to sent to Suricata.
I assume that Ubuntu 14.04 is installed (minimal server install is recommended).
Mikrotik Setup
You just need to configure it to copy the traffic to the Linux server with these commands:
/tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=xxx.xxx.xxx.xxx
/tool sniffer start
xxx.xxx.xxx.xxx
is the IP of the Linux server
Basic Suricata Setup
First we change into the super user mode for every command we execute later:
sudo bash
Now we add the stable Suricata PPA to our system. At the time of writing the stable version is 2.0.1.
add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt-get install suricata oinkmaster
Now we download the open/free Emerging Threats rules for the first tests. (There are also commercial rules available.)
cd /etc/suricata/
wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
tar -xzf emerging.rules.tar.gz
We use the reference.config from ET:
mv reference.config reference.config.orig
ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
And we need to create one file and one directory:
touch /etc/suricata/threshold.config
mkdir /var/log/suricata
In the 2.0.1 packages one file got forgotten, so check if it is also missing in your version and if so download it manually.
ll /etc/suricata/rules/dns-events.rules
If it is missing … do following:
cd /etc/suricata/rules
wget https://raw.githubusercontent.com/inliniac/suricata/master/rules/dns-events.rules
Test Suricata alone
To make the first test call it like this (wait for some minutes):
suricata -c /etc/suricata/suricata.yaml -i eth0
you should get some files in /var/log/suricata
root@nids:/var/log/suricata# ll
total 364
drwxr-xr-x 2 root root 4096 Jun 1 13:45 ./
drwxrwxr-x 10 root syslog 4096 Jun 1 13:32 ../
-rw-r--r-- 1 root root 46195 Jun 1 13:51 eve.json
-rw-r--r-- 1 root root 25138 Jun 1 13:51 fast.log
-rw-r--r-- 1 root root 0 Jun 1 13:36 http.log
-rw-r--r-- 1 root root 236014 Jun 1 13:51 stats.log
-rw-r--r-- 1 root root 1846 Jun 1 13:36 unified2.alert.1401622567
-rw-r--r-- 1 root root 42445 Jun 1 13:51 unified2.alert.1401623113
Test the Mikrotik sniffer stream
Check if you get traffic by first downloading trafr from here and copy it to /usr/local/bin
and extract and test it like this:
cd /usr/local/bin/
tar xzf trafr.tgz
./trafr
If you get -bash: ./trafr: No such file or directory
, take a look at this post. Now check with tcpdump if you’re getting any packets (hit CTRL-C to stop)
trafr -s | tcpdump -r - -n
If you don’t get packets something is wrong with the Mikrotik setup or the packets getting filtered/blocked.
Connect Suricata with Mikrotik sniffer stream
I assume that you got packets and are now ready for your first run of Suricata with the Mikrotik sniffer stream. Just enter following command …
trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
.. and open a second console and type following
tail -f /var/log/suricata/fast.log
your should see output like this (this are just examples)
06/01/2014-14:50:22.703188 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} xxx.xxx.xxx.xxx:17500 -> 255.255.255.255:17500
06/01/2014-14:57:16.608473 [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:443 -> xxx.xxx.xxx.xxx:49503
06/01/2014-15:26:03.601539 [**] [1:2006380:13] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:58188 -> xxx.xxx.xxx.xxx:8080
If you got also some entries its good, it works – we need to make it permanent now.
Auto-Update ET Rules
Now that every works we need to configure it in a way to get new rules every night. For this we add following line at the end of /etc/oinkmaster.conf
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
To test it we run following command:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
So the config works we create /etc/cron.daily/suricataUpdateRules
with following content:
#!/bin/bash
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |& grep -i "error" > /dev/null
/bin/kill -USR2 `pidof suricata`
After we created it we need to make it executable:
chmod 755 /etc/cron.daily/suricataUpdateRules
Init Script
The last step is to make a init script so everything is started automatically, for this create a file /etc/init/suricata.conf
with following content:
# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
expect fork
exec /usr/local/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml -r - &
Stop the test Suricata command and try it with the init script:
start suricata
You should get something like this:
suricata start/running, process 8003
But to make sure everything is really running, call
ps aux | grep -E "(suri|trafr)"
and you should get following output:
root 8003 0.1 0.0 2020 272 ? S 14:50 0:00 trafr -s
root 8005 8.8 17.5 841852 360556 ? Sl 14:50 0:15 suricata -c /etc/suricata/suricata.yaml -r -
And that’s it. Your IDS is running in a basic configuration. You now need to tune your rules and maybe you want to install a Web GUI for your IDS. I can recommend following to look at:
1 Comment »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Powered by WordPress
Entries and comments feeds.
Valid XHTML and CSS.
37 queries. 0.064 seconds.
[…] you most likely know I’m running NIDS (Network Intrusion detection systems) to monitor the traffic going into and […]
Pingback by dietiwag.org Forum deanonymizes users – on purpose or hacked? | Robert Penz Blog — February 9, 2015 #