Howto setup a Mikrotik RouterOS with Suricata as IDS
June 1, 2014
Let's say you have a Mikrotik router as your internet router and you would like to detect bad traffic that is going over it, so basically you would like to have an IDS (intrusion detection system). This article shows how you can set up an IDS with a Mikrotik router and Suricata running on Ubuntu 14.04 (but it runs on any other Linux). This is not a high-performance setup for 10Gbit links, as in that case you would use a SPAN port on a managed switch and you would need to tune the drivers, Linux and Suricata a bit (a lot actually for 10Gbit … and the server hardware is not cheap/small). This setup is for the SOHO (small office, home office) space where you use the Mikrotik as your Internet router, be it for cable or DSL. I use this setup at home and I've installed Ubuntu 14.04 64bit Server as a virtual machine on my home server. No special switch or hardware is required as we use the TaZmen Sniffer Protocol (TZSP), which is supported by Mikrotik. It is even possible to send the data over a Layer-3 connection; you just need the bandwidth for the traffic you want to send to Suricata.
I assume that Ubuntu 14.04 is installed (minimal server install is recommended).
Mikrotik Setup
You just need to configure it to copy the traffic to the Linux server with these commands:
/tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=xxx.xxx.xxx.xxx
/tool sniffer start
xxx.xxx.xxx.xxx is the IP of the Linux server.
Basic Suricata Setup
First we switch to a root shell, as every command we execute later needs it:
sudo bash
Now we add the stable Suricata PPA to our system. At the time of writing the stable version is 2.0.1.
add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt-get install suricata oinkmaster
Now we download the open/free Emerging Threats rules for the first tests. (There are also commercial rules available.)
cd /etc/suricata/
wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
tar -xzf emerging.rules.tar.gz
We use the reference.config from ET:
mv reference.config reference.config.orig
ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
And we need to create one file and one directory:
touch /etc/suricata/threshold.config
mkdir /var/log/suricata
In the 2.0.1 packages one file got forgotten, so check if it is also missing in your version and if so download it manually.
ll /etc/suricata/rules/dns-events.rules
If it is missing, do the following:
cd /etc/suricata/rules
wget https://raw.githubusercontent.com/inliniac/suricata/master/rules/dns-events.rules
Test Suricata alone
To make the first test call it like this (wait for some minutes):
suricata -c /etc/suricata/suricata.yaml -i eth0
You should get some files in /var/log/suricata:
root@nids:/var/log/suricata# ll
total 364
drwxr-xr-x 2 root root 4096 Jun 1 13:45 ./
drwxrwxr-x 10 root syslog 4096 Jun 1 13:32 ../
-rw-r--r-- 1 root root 46195 Jun 1 13:51 eve.json
-rw-r--r-- 1 root root 25138 Jun 1 13:51 fast.log
-rw-r--r-- 1 root root 0 Jun 1 13:36 http.log
-rw-r--r-- 1 root root 236014 Jun 1 13:51 stats.log
-rw-r--r-- 1 root root 1846 Jun 1 13:36 unified2.alert.1401622567
-rw-r--r-- 1 root root 42445 Jun 1 13:51 unified2.alert.1401623113
Test the Mikrotik sniffer stream
Check if you get traffic by first downloading trafr from here, copying it to /usr/local/bin, and then extracting and testing it like this:
cd /usr/local/bin/
tar xzf trafr.tgz
./trafr
If you get -bash: ./trafr: No such file or directory, take a look at this post. Now check with tcpdump if you're getting any packets (hit CTRL-C to stop):
trafr -s | tcpdump -r - -n
If you don't get packets, something is wrong with the Mikrotik setup or the packets are getting filtered/blocked.
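To make the stream in this test less of a black box, here is an added example (not part of the original post and not trafr's code) of the decapsulation a TZSP receiver performs before it can hand pcap data to tcpdump or Suricata. It follows the TZSP layout (4-byte header, tag list ending in TAG_END, then the captured frame); the sample datagram and all function names are constructed for illustration.

```python
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # the two tags that carry no length byte
ENCAP_ETHERNET = 0x01               # encapsulated protocol: Ethernet

def tzsp_decapsulate(datagram: bytes):
    """Return (encap_proto, tags, inner_frame) for one TZSP datagram."""
    if len(datagram) < 4:
        raise ValueError("shorter than the 4-byte TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated by TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag without a length byte")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("tag value runs past the end of the datagram")
        tags[tag] = value
        pos += 1 + length
    return encap, tags, datagram[pos:]

def pcap_global_header(linktype: int = 1) -> bytes:
    # magic, version 2.4, tz offset, sigfigs, snaplen, link type (1 = Ethernet)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

def pcap_record(frame: bytes, ts_sec: int, ts_usec: int = 0) -> bytes:
    # per-packet header: timestamp, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

# Constructed sample: TZSP header, one 4-byte tag (type 0x28), TAG_END,
# then a bare 14-byte Ethernet header (broadcast dst, IPv4 ethertype).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800")
SAMPLE = bytes.fromhex("01000001" "2804" "0000002a" "01") + SAMPLE_FRAME

if __name__ == "__main__":
    encap, tags, frame = tzsp_decapsulate(SAMPLE)
    print("encap:", encap, "tags:", tags, "frame:", frame.hex())
```

The length checks matter because the receiver parses whatever UDP datagrams reach it, so truncated or malformed input has to be rejected rather than passed on to the IDS.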
Connect Suricata with Mikrotik sniffer stream
I assume that you got packets and are now ready for your first run of Suricata with the Mikrotik sniffer stream. Just enter the following command …
trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
… and open a second console and type the following:
tail -f /var/log/suricata/fast.log
You should see output like this (these are just examples):
06/01/2014-14:50:22.703188 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} xxx.xxx.xxx.xxx:17500 -> 255.255.255.255:17500
06/01/2014-14:57:16.608473 [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:443 -> xxx.xxx.xxx.xxx:49503
06/01/2014-15:26:03.601539 [**] [1:2006380:13] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:58188 -> xxx.xxx.xxx.xxx:8080
If you also got some entries, good, it works. Now we need to make it permanent.
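Once fast.log fills up, reading it with tail stops scaling. The following added example (not part of the original post) parses the fast.log line format shown above and groups alerts by signature, sorted by priority and volume, which is a useful first view when deciding which rules to tune. The sample lines are constructed, reusing the signatures above with documentation IP addresses.

```python
import re

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification: (?P<cls>.*?)\]\s+"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*$"
)

def summarise(lines):
    """Group fast.log alerts by signature; return (rows, unparsed_count)."""
    groups, unparsed = {}, 0
    for line in lines:
        if not line.strip():
            continue
        m = FAST_RE.match(line.strip())
        if m is None:            # truncated or foreign line: count it, don't crash
            unparsed += 1
            continue
        key = (int(m["gid"]), int(m["sid"]))
        g = groups.setdefault(key, {
            "sid": key[1], "msg": m["msg"], "priority": int(m["prio"]),
            "count": 0, "sources": set(),
        })
        g["count"] += 1
        g["sources"].add(m["src"])
    # Priority 1 is the most severe; within a priority, noisiest first.
    rows = sorted(groups.values(), key=lambda g: (g["priority"], -g["count"]))
    return rows, unparsed

# Constructed sample lines in fast.log format (addresses are documentation ranges).
SAMPLE = """\
06/01/2014-14:50:22.703188 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.10:17500 -> 255.255.255.255:17500
06/01/2014-14:50:52.703301 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.11:17500 -> 255.255.255.255:17500
06/01/2014-14:57:16.608473 [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.0.2.10:49503
06/01/2014-15:26:03.601539 [**] [1:2006380:13] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:58188 -> 198.51.100.20:8080
06/01/2014-15:26:04 truncated line
""".splitlines()

if __name__ == "__main__":
    rows, unparsed = summarise(SAMPLE)
    for r in rows:
        print(r["priority"], r["count"], r["sid"], r["msg"], sorted(r["sources"]))
    print("unparsed lines:", unparsed)
```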
Auto-Update ET Rules
Now that everything works, we need to configure it so that it gets new rules every night. For this we add the following line at the end of /etc/oinkmaster.conf:
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
To test it we run following command:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Now that the config works, we create /etc/cron.daily/suricataUpdateRules with the following content:
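#!/bin/bash
# Fetch the current rules; all oinkmaster output ends up in /dev/null, so cron sends no mail
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |& grep -i "error" > /dev/null
# USR2 tells the running Suricata to reload its rules
/bin/kill -USR2 `pidof suricata`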
After we created it we need to make it executable:
chmod 755 /etc/cron.daily/suricataUpdateRules
Init Script
The last step is to create an init script so everything is started automatically. For this, create the file /etc/init/suricata.conf with the following content:
# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
expect fork
exec /usr/local/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml -r - &
Stop the test Suricata command and try it with the init script:
start suricata
You should get something like this:
suricata start/running, process 8003
But to make sure everything is really running, call
ps aux | grep -E "(suri|trafr)"
and you should get the following output:
root 8003 0.1 0.0 2020 272 ? S 14:50 0:00 trafr -s
root 8005 8.8 17.5 841852 360556 ? Sl 14:50 0:15 suricata -c /etc/suricata/suricata.yaml -r -
And that's it. Your IDS is running in a basic configuration. You now need to tune your rules and maybe you want to install a Web GUI for your IDS. I can recommend the following to look at: