Selks and Mikrotik


hamed.fa...@gmail.com

Mar 16, 2016, 12:53:39 AM
to SELKS
Dear all,
Mikrotik routers have a sniffer tool. It can sniff and send the traffic to a streaming server via the Tazmen Sniffer Protocol.
To use this feature, I have the trafr application, downloaded from the Mikrotik website.
I run it with this syntax on Ubuntu:

trafr -s | suricata -c /etc/suricata/suricata.yaml -r -

It receives the traffic, converts it to pcap format and then sends it to suricata.
I want to know how I can use this application on SELKS and run suricata after it?
Thanks and Best regards,
Hamed

Peter Manev

Mar 20, 2016, 12:46:36 PM
to hamed.fa...@gmail.com, SELKS
On Tue, Mar 15, 2016 at 9:53 PM, <hamed.fa...@gmail.com> wrote:
> Dear
> Mikrotik routers have a sniffer tool, It can sniff and send the traffics to
> a streaming server by Tazmen Sniffer Protocol.

Is that a proprietary feature/protocol?

> To use this feature, I has trafr application and download it from mikrotik
> website.
> I run it by this syntax on ubuntu
>
> trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
>
> it receive the traffics and convert to pcap format and then send to suricata
> I want to know, how can I use this application on SELKS and run suricata
> after this application?

The simplest way I could think of is to replay the pcap on the same
interface that suricata already listens to. That way there will be no
config changes needed inside SELKS for example.

If you would like suricata to just read the pcap then you can use:
suricata -c /etc/suricata/suricata.yaml -r /path/to/pcap

> Thanks and Best regards,
> Hamed
>
> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks



--
Regards,
Peter Manev

Andrey Yurtaykin

May 4, 2016, 2:30:02 PM
to SELKS, hamed.fa...@gmail.com


On Sunday, March 20, 2016 at 19:46:36 UTC+3, user pevma wrote:
On Tue, Mar 15, 2016 at 9:53 PM,  <hamed.fa...@gmail.com> wrote:
> Dear
> Mikrotik routers have a sniffer tool, It can sniff and send the traffics to
> a streaming server by Tazmen Sniffer Protocol.

Is that a proprietary feature/protocol?

> To use this feature, I has trafr application and download it from mikrotik
> website.
> I run it by this syntax on ubuntu
>
> trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
>
> it receive the traffics and convert to pcap format and then send to suricata
> I want to know, how can I use this application on SELKS and run suricata
> after this application?

The simplest way I could think of is to replay the pcap on the same
interface that suricata already listens to. That way there will be no
config changes needed inside SELKS for example.

If you would like suricata to just read the pcap then you can use:
suricata -c /etc/suricata/suricata.yaml -r /path/to/pcap

Just experimenting with SELKS today; here is what I got:

mv /etc/apt/sources.list.d/selks.list /home/selks.list.removed.to.prevent.conflict
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386
./trafr -s | suricata -c /etc/suricata/suricata.yaml --runmode autofp -r -
sample to test ids - http://testmyids.com/

This is a 'monkey setup', yet it works.

markd...@gmail.com

Apr 5, 2017, 5:02:00 AM
to SELKS, hamed.fa...@gmail.com
I too need this for my Mikrotik router's tzsp sniffed packet translation to be read by SELKS.
Where do I need to put the call to the trafr & suricata process...

./trafr -s | suricata -c /etc/suricata/suricata.yaml --runmode autofp -r -

so that it will be used by SELKS instead of the current suricata process that I can see is running on SELKS, which is

 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash

markd...@gmail.com

Apr 5, 2017, 5:46:43 AM
to SELKS, hamed.fa...@gmail.com
Ok, I think I found where it is called: in the /etc/init.d/suricata file, where the initial variable DAEMON holds the '/usr/bin/suricata' call in the script.

Is this likely to work if I change DAEMON=/usr/bin/suricata
to something like DAEMON='trafr -s | /usr/bin/suricata'

or am I just heading off down the wrong idea here?

Eric Leblond

Apr 5, 2017, 7:46:35 AM
to markd...@gmail.com, SELKS, hamed.fa...@gmail.com
Hi,


On Wed, Apr 5, 2017 at 7:46 PM <markd...@gmail.com> wrote:
 Ok I think I found where it is called in the /etc/init.d/suricata file where the initial variable DAEMON holds the '/usr/bin/suricata' call in the script

 is this likely to work if I change DAEMON=/usr/bin/suricata
to something like DAEMON='trafr -s | /usr/bin/suricata'

or am I just heading off down the wrong idea here?

I'm not sure trafr will daemonize itself, so this risks failing.

If you need to daemonize something like that you may use supervisor or something similar.

BR,
--
Eric
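As an added illustration of the supervisor approach suggested above (this is not configuration from SELKS or from any poster; the program name, paths, interface name and log locations are assumptions), a supervisord program entry that keeps a capture pipeline running and restarts it when either half of the pipe dies. The pipeline shown is the tzsp2pcap | tcpreplay form used later in this thread, feeding a dummy interface that the SELKS-managed suricata already listens on, so no second suricata instance is started:

```ini
; /etc/supervisor/conf.d/tzsp-replay.conf  (path is an assumption)
[program:tzsp-replay]
; -o pipefail makes the shell exit non-zero if tzsp2pcap OR tcpreplay fails,
; so supervisor notices a broken pipeline instead of a half-dead one.
command=/bin/bash -o pipefail -c "/usr/local/sbin/tzsp2pcap -f | /usr/bin/tcpreplay --topspeed -i eth10 -"
user=root
autostart=true
autorestart=true
; treat the pipeline as "up" only after it has survived 5 seconds
startsecs=5
; stop/kill the whole process group, so tcpreplay does not linger
; when tzsp2pcap is stopped (or the other way round)
stopasgroup=true
killasgroup=true
stdout_logfile=/var/log/supervisor/tzsp-replay.log
stderr_logfile=/var/log/supervisor/tzsp-replay.err
```

After placing the file, `supervisorctl reread && supervisorctl update` loads it and `supervisorctl status tzsp-replay` shows whether it is running. The same entry works for the trafr -s | suricata -r - form by swapping the command, but then the SELKS init script's own suricata must be disabled first to avoid two instances competing for the same configuration and log files.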

markd...@gmail.com

Apr 6, 2017, 1:52:17 AM
to SELKS, markd...@gmail.com, hamed.fa...@gmail.com
I think you are right that trafr cannot be a daemon. So, I have tried another way, using tzsp2pcap to turn the sniffed packets from Mikrotik into pcap and tcpreplay to stream it on to a dummy interface Eth10.

There is also an example using this with SELKS (Indonesian, but works in translation) here - http://budi.khoirudin.com/2016/12/mikrotik-selks-attacker-telolet-attacker.html

I have edited the suricata.yaml and added Eth10 as a listening interface as per the instructions here - https://groups.google.com/forum/#!topic/selks/uNcH9aJmaaw

and updated /etc/network/interfaces with Eth10 as a listening interface, same as Eth0, so essentially I have two interfaces that can monitor.
(Eth0 was working with port mirroring from the Mikrotik, but I need to use the packet sniffer to send packets, not port mirroring, hence this issue.)

So what happens? Well...

I can see the processes are working when I use
# ps aux | grep tcpreplay
I get the following

root@SELKS:~# ps aux | grep tcpreplay
root       759  0.0  0.0  25672  2376 ?        Ss   15:30   0:00 SCREEN -dm -S tzsp2pcap bash -c /usr/local/sbin/tzsp2pcap -f | /usr/bin/tcpreplay --topspeed -i eth10 -
root       771  0.0  0.0  13228  2708 pts/0    Ss+  15:30   0:00 bash -c /usr/local/sbin/tzsp2pcap -f | /usr/bin/tcpreplay --topspeed -i eth10 -
root       773  0.5  0.0  13132  2188 pts/0    S+   15:30   0:04 /usr/bin/tcpreplay --topspeed -i eth10 -
root      3703  0.0  0.0  12732  2044 pts/1    S+   15:44   0:00 grep tcpreplay


but this isn't working to arrive at Suricata, and I do not know why, as it seems everything is correct and there is packet flow. The only thing I have done differently from the links is to run screen without the /usr/bin prefix, as when I type it in that way it only runs without it.

When I run ifconfig and watch the traffic arriving at Eth10, I see RX is 0 and TX is showing all the traffic increase. Why is it showing up in the TX and nothing in the RX? And also, why is nothing arriving in Suricata, which has been working when set up on Eth0 using port mirroring? I have tested a trigger by visiting testmyids.com, but nothing. And Evebox shows no traffic at all.

Do I need to make Suricata pcap for the tcpreplay stream? Is this the issue?
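To make concrete what trafr and tzsp2pcap do between the Mikrotik sniffer and suricata -r - (the first post and the tzsp2pcap post above), here is an added example, written for this thread and not code from either tool or from any poster: a minimal TZSP decapsulator that strips the TZSP header and tag list from each UDP datagram and emits the inner Ethernet frame as pcap. It handles the truncated and unsupported datagrams that a streaming UDP feed can produce by dropping and counting them rather than passing malformed frames on. The sample datagram is constructed; the option tag value in it is arbitrary. The 37008/udp listener port is MikroTik's default streaming port.

```python
"""TZSP (Tazmen Sniffer Protocol) decapsulation to pcap; added example.

Layout of one TZSP datagram:
  version(1) type(1) encapsulation(2) tags... inner frame
Tags are type(1) length(1) data(length), except 0x00 (padding) and
0x01 (end of tags), which carry no length byte.
"""
import socket
import struct
import sys
import time

TZSP_VERSION = 1
TZSP_TYPE_RX_PACKET = 0      # "received tag list": carries a captured packet
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0x00
TAG_END = 0x01
TZSP_DEFAULT_PORT = 37008    # MikroTik's default sniffer streaming port

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1


def decapsulate(datagram: bytes) -> bytes:
    """Return the Ethernet frame carried by one TZSP datagram, or raise
    ValueError so the caller can count and drop malformed input."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    if msg_type != TZSP_TYPE_RX_PACKET:
        raise ValueError(f"not a received-packet message (type {msg_type})")
    if encap != TZSP_ENCAP_ETHERNET:
        raise ValueError(f"unsupported encapsulation {encap}")
    pos = 4
    while True:                          # walk the tag list up to TAG_END
        if pos >= len(datagram):
            raise ValueError("tag list runs past end of datagram")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("tag length byte missing")
        pos += 1 + datagram[pos]         # skip length byte and tag data
        if pos > len(datagram):
            raise ValueError("tag data truncated")
    frame = datagram[pos:]
    if len(frame) < 14:
        raise ValueError("inner frame shorter than an Ethernet header")
    return frame


def pcap_global_header() -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (little-endian)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)


def pcap_record(frame: bytes, ts_sec: int, ts_usec: int) -> bytes:
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def datagrams_to_pcap(datagrams):
    """Offline conversion. Returns (pcap_bytes, frames_written, dropped)."""
    out = bytearray(pcap_global_header())
    written = dropped = 0
    for i, dgram in enumerate(datagrams):
        try:
            frame = decapsulate(dgram)
        except ValueError:
            dropped += 1
            continue
        out += pcap_record(frame, 0, i)  # synthetic timestamps for offline use
        written += 1
    return bytes(out), written, dropped


# Constructed sample: TZSP v1, rx packet, Ethernet, one option tag, padding,
# end-of-tags, then a 34-byte Ethernet/IPv4 frame with a zeroed body.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + bytes.fromhex("45000014") + b"\x00" * 16)
SAMPLE_DATAGRAM = (b"\x01\x00\x00\x01" + b"\x0a\x01\xd0" + b"\x00" + b"\x01"
                   + SAMPLE_FRAME)


def serve(port: int = TZSP_DEFAULT_PORT) -> None:
    """Listen for TZSP and stream pcap to stdout, e.g.
    python3 tzsp_decap.py | suricata -c /etc/suricata/suricata.yaml -r -"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    out = sys.stdout.buffer
    out.write(pcap_global_header())
    out.flush()
    while True:
        dgram, _ = sock.recvfrom(65535)
        try:
            frame = decapsulate(dgram)
        except ValueError as err:
            print(f"dropped datagram: {err}", file=sys.stderr)
            continue
        now = time.time()
        out.write(pcap_record(frame, int(now), int((now % 1) * 1_000_000)))
        out.flush()


if __name__ == "__main__":
    serve()
```

The decapsulator deliberately rejects anything other than version 1, received-packet, Ethernet-encapsulated datagrams; a listener that accepts arbitrary UDP on the sniffer port would otherwise forward whatever reaches it into the IDS as if it were monitored traffic, so a check on the sending router's address (not shown) is a sensible addition in a real deployment.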



markd...@gmail.com

Apr 6, 2017, 1:58:58 AM
to SELKS, markd...@gmail.com, hamed.fa...@gmail.com
This is the Eth0 config (copied for Eth10) in /etc/network/interfaces:

auto eth0
iface eth0 inet manual
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done

markd...@gmail.com

Apr 6, 2017, 2:36:13 AM
to SELKS, markd...@gmail.com, hamed.fa...@gmail.com
UPDATE:

It is still not working, but I am now receiving many 'SURICATA FRAG IPv4 Fragmentation overlap' events into Suricata.

I found one problem was that updating the suricata.yaml is very fussy, and even spaces in the wrong place can cause it to fail, and it doesn't tell you.
I checked suricata-start.log and fixed the spaces and tabs issues until it said it is working, and then events started arriving in Suricata, but only this fragment overlap.

So Evebox shows these events, but that is all I get: 10000 of them in a short space of time and nothing else.
Still, ifconfig shows RX 0 and TX getting all the traffic.



itma...@gmail.com

Apr 6, 2017, 7:47:35 AM
to SELKS
Hi, last summer I used Mikrotik with SELKS, but in a lite setup, like using ./trafr -s | Suricata -c /etc/suricata/suricata.yaml --runmode autofp -r - in the console... After some time I got buffer errors and it crashed. So I deleted this VM and forgot about it.
Now I have read posts about virtual eth and autostart, and so I want to get back to this problem.
But it doesn't work even with ./trafr -s | Suricata -c /etc/suricata/suricata.yaml --runmode autofp -r - in the console. Just a message about successful workers start. And no data in the dashboard (like events). If I try to check traffic from Mikrotik with ./trafr -s | tcpdump -r - it works great.
With best regards,
Eduard

markd...@gmail.com

Apr 6, 2017, 9:04:05 PM
to SELKS, markd...@gmail.com, hamed.fa...@gmail.com
OK, I found a workaround, but it may have caused other issues, as my SELKS is now running out of memory (6GB RAM) after 24 hours of use. I log this issue elsewhere.

The problem with 'SURICATA FRAG IPv4 Fragmentation overlap' went away when I changed the packets being sniffed on the Mikrotik from 'all' interfaces to 'wlan1, ether1', which are the wired and wifi LAN interfaces. It is likely that there is some collision using 'All' and that caused the errors.

I also looked at tweaking the flow-timeout settings in /etc/suricata/suricata.yaml. Not sure if it made any difference, but I reduced them on the UDP only by half, based loosely on a suggestion that they need reducing. I have no idea if they should be reduced or increased; maybe someone could help clear that up.

My traffic flow is: Mikrotik sends sniffed packets with a tzsp header to eth1 on the SELKS server, where screen is running to call tzsp2pcap, which is running as a process and removes the tzsp headers; it then bash-pipes the tzsp-free packets to tcpreplay, which in turn is streaming UDP packets to eth10 (a dummy interface monitored by SELKS).

(Instructions to do this I will add on the Mikrotik site at some point and post a link back here; for now, follow the links in previous posts for how to do that. It is a bit fiddly, tbh.)

Is this working? I consider it bodged, and I definitely need to tweak whatever is in place to something more workable, so any help would still be appreciated. But it was working last night. It fell over this morning, I believe for other reasons, but they may be related to this. I will report back when I know more.




markd...@gmail.com

Apr 7, 2017, 1:09:56 AM
to SELKS
Hi Eduard, 

I think you are having the same problem I ran into. 

Do 'ps aux | grep suricata' and you will see suricata is running already, called at boot up.
So you are just running another instance of suricata, but with trafr. Maybe they will just clash.

I was getting nowhere with this too.

The suggestion to use tcpreplay may work, because you can then run trafr and pipe it to tcpreplay, which can then send the resulting stream to an interface
where suricata can read it.

I have not tested trafr with tcpreplay but found tzsp2pcap (as per my comment here). Though I am thinking, if you ran into buffer problems with trafr, this may also be related to the problem I had with memory, though I have not yet confirmed it was caused by this; neither can I deny it.

On Thursday, April 6, 2017 at 9:47:35 PM UTC+10, itma...@gmail.com wrote:
.... 