Suricata on Mikrotik(IDS+IPS) = Part 3 - Configuration of the IDS Part
Configuration
- Disclaimer:
- This guide covers Ubuntu 18.04 only; log in as the root user to be sure the commands below work as written.
- In a real environment it is best not to run as root, but since this is only a test setup I opted to run as root.
- Configure the following on your MikroTik router so the packet sniffer streams traffic to the Suricata host:
/tool sniffer set streaming-enabled=yes streaming-server=<ip_of_the_server>
/tool sniffer set filter-ip-address=<an_example_filter_ip>
/tool sniffer print ; /tool sniffer start ; /tool sniffer stop
Let's start...
1. Configure the correct time zone and NTP synchronization (the service is systemd-timesyncd; correct timestamps matter when you later correlate alerts):
systemctl start systemd-timesyncd
systemctl status systemd-timesyncd
dpkg-reconfigure tzdata
2. Add the Suricata stable PPA to the repositories:
add-apt-repository ppa:oisf/suricata-stable
3. Update the package database:
apt update -y && apt upgrade -y
4. Install Suricata:
apt install -y suricata
5. Install Python pip and the PyYAML module:
apt-get install -y python-pip
pip install pyyaml
6. Install suricata-update, then fetch the rule sources and enable the extra ones:
pip install https://github.com/OISF/suricata-update/archive/master.zip
pip install --pre --upgrade suricata-update
suricata-update
suricata-update list-sources
suricata-update update-sources
suricata-update list-sources
suricata-update enable-source ptresearch/attackdetection
suricata-update enable-source oisf/trafficid
suricata-update enable-source sslbl/ssl-fp-blacklist
suricata-update
7. Install trafr (a 32-bit binary, hence the i386 libc) so Suricata can read the MikroTik traffic stream:
dpkg --add-architecture i386
apt-get update && apt-get install -y libc6:i386
wget http://www.mikrotik.com/download/trafr.tgz
tar xzf trafr.tgz
8. Check if trafr is working
./trafr -s
9. Move the trafr to /usr/local/bin
mv trafr /usr/local/bin/
10. Run trafr along with suricata
/usr/local/bin/trafr -s | suricata -c /etc/suricata/suricata.yaml -r /dev/stdin
11. Depending on where you run the pipeline and how Suricata's logging is configured, run tail -f on fast.log to watch the alerts as they arrive.
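Watching fast.log with tail -f is fine for a quick look, but once alerts start flowing it helps to parse them. The following is an added example, not part of the original post or of Suricata: it parses lines in Suricata's fast.log format (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, src:port -> dst:port), skips truncated lines such as the partial last line tail -f can hand you, and counts alerts per source address above a chosen priority. The sample lines and their SIDs and messages are constructed placeholders.

```python
import re
from collections import Counter

# Regex for one alert line in Suricata's fast.log format.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)

def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = FAST_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # partial line still being written, or a non-alert line
        ev = m.groupdict()
        for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events

def top_sources(events, max_priority=2):
    """Count alerts per source IP, keeping only priority <= max_priority (1 is most severe)."""
    return Counter(ev["src"] for ev in events if ev["priority"] <= max_priority)

# Constructed sample lines (not real traffic); SIDs and messages are placeholders.
SAMPLE_FAST_LOG = [
    "01/15/2024-10:21:07.123456  [**] [1:1000001:1] TEST ssh scan from lan host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.88.20:51234 -> 192.168.88.1:22",
    "01/15/2024-10:21:08.222222  [**] [1:1000002:1] TEST unusual icmp [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.88.20:8 -> 192.168.88.1:0",
    "01/15/2024-10:21:09.333333  [**] [1:1000003:2] TEST dns to unexpected resolver [**] [Priority: 1] {UDP} 192.168.88.30:40000 -> 203.0.113.5:53",
    "01/15/2024-10:21:10.4",  # truncated line, as tail -f can deliver mid-write
]

if __name__ == "__main__":
    events = parse_fast_log(SAMPLE_FAST_LOG)
    print(f"parsed {len(events)} alerts")
    for src, n in top_sources(events).most_common():
        print(f"{src}: {n} alert(s) with priority <= 2")
```

To run it against the live log instead of the sample, pass the lines of /var/log/suricata/fast.log (the default location) to parse_fast_log.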