Home

Awesome

Overview:

A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking;

For work you need:

How-to:

IMPORTANT: In suricata.yaml add another eve-log:

- eve-log:
      enabled: yes
      filetype: regular
      filename: alerts.json
      types:
        - alert

Configuring ssh key authorization:

Create key pair idps_rsa:
# cd ~/.ssh/
# ssh-keygen -t rsa -b 2048 -f idps_rsa
- /root/.ssh/idps_rsa.*
idps_rsa - secret key (for the host from which we are connecting)
idps_rsa.pub - public key (for the host to which we are connecting)

We specify a lot of hosts through a space:

# nano ~/.ssh/config
Host 172.16.5.3
IdentityFile ~/.ssh/mik_rsa
#ConnectTimeout 3
#ServerAliveInterval 900

# chmod 600 ~/.ssh/config
# service sshd restart

Copy script directory to:

# "/home/shells/"
# cd /home/shells/bash_cata/ ; chmod +x bash_cata.sh

Setting up the daemon:

# cp bashcata.service /etc/systemd/system/
# systemctl daemon-reload
# systemctl enable bashcata.service
# systemctl start bashcata.service
# systemctl status bashcata.service

Logrotate: option required "copytruncate"

cp suricata /etc/logrotate.d/

# Sample /etc/logrotate.d/suricata configuration file.
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    missingok
    rotate 3
    compress
    delaycompress
    copytruncate
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /run/suricata.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

snif TZSP:

cp tzsp.netdev /etc/systemd/network/

[NetDev]
Name=tzsp0
Kind=dummy

cp tzsp.network /etc/systemd/network/

[Match]
Name=tzsp*

[Link]
MTUBytes=2000

[Network]
Address=172.16.255.249/29
DHCP=no

Enable interface:

# systemctl enable systemd-networkd
# systemctl restart systemd-networkd

Combine tzsp2pcap and tcpreplay into TZSPreplay@.service:

cp TZSPreplay@.service /etc/systemd/system/

[Unit]
Description=TZSP Replay on dev %i
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=simple
ExecStart=/bin/sh -c "/usr/bin/tzsp2pcap -f | /usr/bin/tcpreplay-edit --topspeed --mtu=$(cat /sys/class/net/%I/mtu) --mtu-trunc -i %I -"
Restart=always
RestartSec=3
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target

Start it on your dummy interface (I'm using name tzsp0, you can have dummy0 or whatever):

# systemctl enable --now TZSPreplay@tzsp0.service

/etc/suricata/suricata.yaml:

af-packet:
  - interface: tzsp0

ROS:

In the "prerouting" chain we direct traffic to Suricata's ip-address. We can specify any interface and chain, as well as create the required number of rules with the action sniff TZSP.

 - Create Address List:
/ip/firewall/address-list/
add list=idps_fwd address=ip-to-monitoring
 - Adding rules TSZP Sniff:
/ip/firewall/mangle/
add chain=forward in-interface-list=ISP dst-address-list=idps_fwd action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008 comment="TZSP sniffing -> IDPS"
add chain=forward out-interface-list=ISP src-address-list=idps_fwd action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008
 - Or using marking connection/packet:
add chain=prerouting in-interface-list=ISP protocol=tcp dst-port=443,25,143,587,5222,5281 connection-state=new action=mark-connection new-connection-mark=idps_conn comment="TZSP sniffing -> IDPS"
add chain=prerouting in-interface-list=ISP protocol=udp dst-port=3478 connection-state=new action=mark-connection new-connection-mark=idps_conn
add chain=forward connection-mark=idps_conn action=mark-packet new-packet-mark=idps_pack
add chain=forward packet-mark=idps_pack action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008
 - Block ip-address's from idps_alert table:
/ip/firewall/raw/
add chain=prerouting src-address-list=idps_alert action=drop comment="Drop IDPS"

Secure SSH:

/ip/ssh/set strong-crypto=yes
/ip/ssh/set always-allow-password-login=no

Restore Adress List:

SSH-exec configuration required. https://wiki.mikrotik.com/wiki/Manual:System/SSH_client#SSH-exec

/system/script/add name="bash_cata" policy="ftp,read,write,test"
---
:delay 25;
:local ip "ip_bash_cata_script";
:if ([/ping address=$ip count=3] = 0) do={
    /log warning message="bash_cata: host $ip - unavalable";
    /system/scheduler/set bash_cata interval="00:04:35";
} else={
    /log/warning message="bash_cata: host $ip - available";
    /system/scheduler/set bash_cata interval="00:00:00";
    /system/ssh-exec address="$ip" port=22 user=root command="touch /.../.../bash_cata/mik.on ; systemctl restart bashcata.service";
}
---
/system/scheduler/add name="bash_cata" start-time=startup interval="00:00:00" policy="ftp,read,write,test" on-event="bash_cata"
/system/scheduler/add name="ram_disk" start-time=startup interval="00:00:00" policy="ftp,read,write,test" on-event="/disk/add type=tmpfs tmpfs-max-size=3M slot=ram-disk"
---
### Сreating a key pair in linux host:
# mkdir mik_exec && cd mik_exec && ssh-keygen -t rsa -b 2048 -m pem -f mik_exec_rsa

Thanks for the Idea: