MikroTik + Ubuntu = IDS

MikroTik configuration (RouterOS packet sniffer streaming to the Ubuntu box)
/tool sniffer set streaming-enabled=yes streaming-server=<ip_of_the_server>
/tool sniffer set filter-ip-address=<an_example_filter_ip>
/tool sniffer print ; /tool sniffer start ; /tool sniffer stop

Ubuntu 16.04 LTS configuration (trafr receives the sniffer stream on UDP port 37008)

apt install libc6-i386 suricata snort
(trafr is a 32-bit binary, so on an amd64 host it needs the 32-bit libc from libc6-i386; libc6-amd64 would not help it. snort is installed here but not used below.)

cd /etc/suricata/
wget -c https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
tar -xzf emerging.rules.tar.gz

cd /root
wget -c https://mikrotik.com/download/trafr.tgz
tar zxf trafr.tgz
cp -a /root/trafr /sbin/

trafr -s | /usr/sbin/tcpdump -nr -
trafr test.pcap 10.5.3.254
tcpdump -ttnnr test.pcap
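What the router sends is TZSP: one UDP datagram per captured frame, on port 37008, with a small header and tag list in front of the raw Ethernet frame; trafr strips that and emits pcap. The receiver below is an added example, not MikroTik's trafr and not code from this note. It parses the TZSP header and tag list, keeps only received-packet records (keepalives and malformed datagrams are dropped instead of ending up in the capture), and writes the frames as a libpcap file. The sample datagram and the addresses inside it are constructed, and the optional router-IP filter in receive() is my reading of trafr's trailing IP argument (10.5.3.254 above), which I take to be the router's address.

```python
"""Minimal TZSP (MikroTik sniffer streaming) receiver and pcap writer.

Added illustration of what trafr does; not trafr itself and not part of the
original note. SAMPLE_TZSP below is a constructed datagram.
"""
import socket
import struct
import time

TZSP_PORT = 37008            # UDP port the router streams to
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0       # 0 = captured packet; other types (e.g. keepalive) are dropped
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0x00           # one byte, no length field
TAG_END = 0x01               # one byte, ends the tag list; everything after it is the frame
PCAP_LINKTYPE_ETHERNET = 1


def parse_tzsp(datagram: bytes):
    """Return (tags, ethernet_frame); raise ValueError for anything else."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError("unsupported TZSP version %d" % version)
    if ptype != TZSP_TYPE_RECEIVED:
        raise ValueError("not a received-packet record (type %d)" % ptype)
    if encap != TZSP_ENCAP_ETHERNET:
        raise ValueError("unsupported encapsulation %d" % encap)
    tags, i = {}, 4
    while True:
        if i >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[i]
        i += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if i >= len(datagram):               # all other tags are TLV: length byte + value
            raise ValueError("truncated tag length")
        length = datagram[i]
        i += 1
        if i + length > len(datagram):
            raise ValueError("truncated tag value")
        tags[tag] = datagram[i:i + length]
        i += length
    return tags, datagram[i:]


def is_valid_tzsp(datagram: bytes) -> bool:
    try:
        parse_tzsp(datagram)
        return True
    except ValueError:
        return False


def pcap_global_header(snaplen=65535, linktype=PCAP_LINKTYPE_ETHERNET) -> bytes:
    # little-endian magic, pcap 2.4, thiszone 0, sigfigs 0, snaplen, linktype
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def tzsp_to_pcap(datagrams, ts: float = 0.0) -> bytes:
    """Decode datagrams (all stamped with ts) into one pcap image."""
    out = bytearray(pcap_global_header())
    for d in datagrams:
        _, frame = parse_tzsp(d)
        out += pcap_record(frame, ts)
    return bytes(out)


def receive(out_path: str, router_ip=None, count=None) -> int:
    """Like `trafr file router_ip`: bind UDP/37008, keep datagrams from router_ip
    only (assumed meaning of trafr's IP argument), write frames to out_path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TZSP_PORT))
    written = 0
    with open(out_path, "wb") as f:
        f.write(pcap_global_header())
        while count is None or written < count:
            data, (src, _) = sock.recvfrom(65535)
            if router_ip and src != router_ip:
                continue                                  # not our router
            if not is_valid_tzsp(data):
                continue                                  # keepalive or garbage
            f.write(pcap_record(parse_tzsp(data)[1], time.time()))
            f.flush()
            written += 1
    return written


# Constructed sample: 14-byte Ethernet header + 20-byte IPv4 header, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff000c29aabbcc0800"                  # broadcast dst, src MAC, type IPv4
    "4500001400010000400100000a0503010a0503fe"      # IPv4 10.5.3.1 -> 10.5.3.254, proto 1
)
# version 1, type 0, Ethernet, RAW_RSSI tag (0x0A, len 1), padding, END, frame
SAMPLE_TZSP = bytes([1, 0, 0, 1, 0x0A, 1, 0x9C, TAG_PADDING, TAG_END]) + SAMPLE_FRAME

if __name__ == "__main__":
    with open("sample.pcap", "wb") as f:       # readable with: tcpdump -ttnnr sample.pcap
        f.write(tzsp_to_pcap([SAMPLE_TZSP], ts=time.time()))
    # Live stream instead: receive("test.pcap", router_ip="10.5.3.254")
```

receive() must run as root or with CAP_NET_BIND_SERVICE is not needed (37008 is unprivileged), but only one process can own the port, so stop trafr before trying it.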


trafr -s | suricata -c /etc/suricata/suricata-debian.yaml -r -
tail -f /var/log/suricata/fast.log

vi /etc/oinkmaster.conf
add the line:
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

vi /etc/cron.daily/suricataUpdateRules
add:
#!/bin/bash
# Fetch the rules; tell Suricata to reload them (SIGUSR2 = live rule reload) only if oinkmaster reported no error.
if ! /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules 2>&1 | grep -qi "error"; then
    pkill -USR2 -x suricata
fi

chmod 755 /etc/cron.daily/suricataUpdateRules

vi /etc/init/suricata.conf
add:
# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
script
    /sbin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml -r -
end script
(This is an upstart job. Ubuntu 16.04 boots with systemd and does not read /etc/init/*.conf unless the upstart package is installed, so on 16.04 use the rc.local line below instead. A pipeline belongs in a script block; "exec ... &" with "expect fork" makes upstart track the wrong process.)

vi /etc/rc.local
add before the final "exit 0" (and make sure /etc/rc.local is executable):
/sbin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml -r - &

IDS (Intrusion Detection Systems): systems that detect intruders. This setup is an IDS: the router only streams copies of the packets, so Suricata can alert but cannot block anything.

IPS (Intrusion Prevention Systems): systems that prevent attacks from being carried out; they sit inline in the traffic path and can drop packets.