Suricata on Mikrotik (IDS+IPS) - Part 4 - Configuration of the IPS Part

 Configuration

  • Disclaimer: 
    • This part again covers Ubuntu 18.04 only; log in as root so the commands below work as written.
    • Make sure you have a good understanding of the Suricata rules before doing this.
    • If not configured properly, this can cut you off from the sites or services you are visiting, or even from the internet.
    • In a real environment it is best not to run as root user, but for the sake of just testing it I opted to run as root.
    • Configure the following on your Mikrotik router (the list name Blocked must match the one the script adds entries to, and both drop rules must sit above any accept rules in their chains, otherwise they never match):
      • /ip firewall filter add action=drop chain=input comment="Block bad actors" src-address-list=Blocked
      • /ip firewall filter add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked
      • Create a user group with all policies checked except telnet. The script only needs the api, read and write policies to add address-list entries, so a group limited to those is the safer choice.
      • Create a user in that group and restrict its allowed address to your local addresses, so the API login is only accepted from your LAN.
Let's start...

1.    Install PHP

        apt install php -y

2. Navigate to the directory where the script will live (the author uses /var/www/suricata, see step 7) and download the PHP API class and fast2mikrotik.php:

wget https://raw.githubusercontent.com/BenMenking/routeros-api/master/routeros_api.class.php
wget https://raw.githubusercontent.com/enricagra/suricata-mikrotik/main/fast2mikrotik.php

3.    Edit fast2mikrotik.php with your preferred editor:

               nano fast2mikrotik.php

       Edit the following based on your requirements:

       




4.    Install the PECL inotify extension and the packages it needs

             apt install php php-dev
             pecl install inotify

       If the pecl command is not found after this, also install php-pear, which provides it.

5.    Configure the inotify extension

                touch /etc/php/7.2/mods-available/inotify.ini 

      Edit the file with your preferred editor:

                nano /etc/php/7.2/mods-available/inotify.ini

      and put the following line in it (without quotes):

                extension=inotify.so

      Then navigate to /etc/php/7.2/apache2 and add the same line to php.ini (nano php.ini). Note that this
      only matters if the script is served by Apache: fast2mikrotik.php is started from the command line in
      step 7, and the cli SAPI reads /etc/php/7.2/cli/php.ini instead. The phpenmod command in the next step
      enables the module for every SAPI, including cli, so the manual php.ini edit is not strictly required.

     

6.    Check the inotify setup

       phpenmod inotify 
       service apache2 restart

     (the Apache restart is only needed if Apache is installed and you want the extension there too). Then run:

       php -r "var_dump(function_exists('inotify_init'));"

     which uses the cli SAPI, the one that will run the script, and should print:

       bool(true)

7.    Go to the directory where fast2mikrotik.php is located and run it:

       cd /var/www/suricata
       php -f fast2mikrotik.php  

     The script stays in the foreground watching fast.log, so run it in its own terminal (or under screen/tmux) and leave it running while Suricata runs.

8. Run trafr along with Suricata again, as in the earlier parts:

               /usr/local/bin/trafr -s | suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

9. Check the Blocked address list on the Mikrotik (in Winbox under IP > Firewall > Address Lists)



      Notice that the addresses from the alerts Suricata raised are now in the Blocked list on the Mikrotik router, and the two filter rules from the disclaimer drop traffic from and to them.
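The following PHP script is an added example, not the author's fast2mikrotik.php (whose contents are not reproduced on this page). It shows what the procedure above wires together: the PECL inotify extension wakes the script whenever Suricata appends to fast.log, each new alert line is parsed, and the remote address is pushed into the Blocked address list over the RouterOS API. It assumes BenMenking's routeros_api.class.php sits in the same directory and exposes its connect(), comm() and disconnect() methods; the router address, API credentials, fast.log path and NEVER_BLOCK ranges are placeholders to edit. It goes one step beyond the page's description by listing whichever end of the flow is not in your own ranges, so a signature that fires on a server's response still blocks the remote host rather than your own LAN client, and by giving every entry a timeout so a mistake expires on its own.

```php
<?php
// Added example, not the author's fast2mikrotik.php: tail Suricata's fast.log with the
// PECL inotify extension and push the remote address of every alert into the "Blocked"
// address list on the Mikrotik over the RouterOS API (TCP 8728).
// Assumed: routeros_api.class.php (BenMenking) is in this directory and exposes
// connect()/comm()/disconnect(); router address, credentials, log path and NEVER_BLOCK
// are placeholders you must edit.
require_once __DIR__ . '/routeros_api.class.php';

const ROUTER_HOST   = '192.168.88.1';                 // placeholder
const ROUTER_USER   = 'suricata';                     // placeholder: API user created on the router
const ROUTER_PASS   = 'change-me';                    // placeholder
const ADDRESS_LIST  = 'Blocked';                      // must match src-/dst-address-list in the filter rules
const BLOCK_TIMEOUT = '1d';                           // entries expire by themselves; a permanent list only grows
const FAST_LOG      = '/var/log/suricata/fast.log';   // placeholder
// Ranges that must never end up in the list: your LAN, management net and loopback (placeholders).
const NEVER_BLOCK   = ['192.168.88.0/24', '10.0.0.0/8', '127.0.0.0/8'];

// A fast.log alert line looks like this (constructed sample; IPv4 only, ICMP lines carry no ports):
//   04/15/2021-10:21:03.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
//   [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.168.88.10:51234
// Returns ['msg' => ..., 'src' => ..., 'dst' => ...], or null for anything that is not an alert.
function parseFastLogLine(string $line): ?array
{
    $re = '/\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(.+?)\s+\[\*\*\].*\{\w+\}\s+'
        . '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['msg' => $m[1], 'src' => $m[2], 'dst' => $m[3]];
}

function inCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = (0xFFFFFFFF << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function isProtected(string $ip): bool
{
    foreach (NEVER_BLOCK as $cidr) {
        if (inCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// The filter rules drop src=Blocked on input and dst=Blocked on forward, so the list must
// hold the remote side of the flow, whichever direction the signature fired in.
function addressToBlock(array $alert): ?string
{
    foreach ([$alert['src'], $alert['dst']] as $ip) {
        if (!isProtected($ip)) {
            return $ip;
        }
    }
    return null; // both ends are ours: never block
}

function pushBlock(RouterosAPI $api, string $ip, string $why): void
{
    // RouterOS answers "already have such entry" for a duplicate address in the same list;
    // the API class reports that as a !trap reply, which is harmless here.
    $api->comm('/ip/firewall/address-list/add', [
        'list'    => ADDRESS_LIST,
        'address' => $ip,
        'timeout' => BLOCK_TIMEOUT,
        'comment' => 'suricata: ' . substr($why, 0, 60),
    ]);
}

$api = new RouterosAPI();
if (!$api->connect(ROUTER_HOST, ROUTER_USER, ROUTER_PASS)) {
    fwrite(STDERR, "cannot log in to the RouterOS API on " . ROUTER_HOST . "\n");
    exit(1);
}

$log = fopen(FAST_LOG, 'r');
fseek($log, 0, SEEK_END);                  // only act on alerts written from now on
$inotify = inotify_init();
inotify_add_watch($inotify, FAST_LOG, IN_MODIFY);
$seen = [];                                // ip => unix time of last push, to keep API chatter down

while (inotify_read($inotify) !== false) { // blocks until Suricata appends to fast.log
    fseek($log, 0, SEEK_CUR);              // clears PHP's sticky EOF flag so fgets sees the new lines
    while (($line = fgets($log)) !== false) {
        $alert = parseFastLogLine($line);
        if ($alert === null || ($ip = addressToBlock($alert)) === null) {
            continue;
        }
        if (isset($seen[$ip]) && time() - $seen[$ip] < 3600) {
            continue;                      // already pushed within the last hour
        }
        pushBlock($api, $ip, $alert['msg']);
        $seen[$ip] = time();
        echo date('c'), " blocked {$ip} ({$alert['msg']})\n";
    }
}
$api->disconnect();
```

Save it beside routeros_api.class.php and start it the same way as in step 7 (php -f). On the router, /ip firewall address-list print where list=Blocked shows what has been pushed, and /ip firewall address-list remove [find list=Blocked] empties the list if a noisy rule locks out something it should not have. Note that IN_MODIFY stops firing once fast.log is rotated, so restart the script after log rotation.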


  *Again, if this is to be deployed in a larger environment, make sure you know the Suricata rules well, so as not to create interruptions in larger and more complex environments.


               
