An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

IPS/IDS with SELK

Wed Feb 08, 2023 4:07 pm

Dear forum,
As I recently migrated fully from OPNsense to MikroTik I had some concerns, as there is no native IDS/IPS available on MikroTik - but luckily the internet has some solutions, which I implemented and for which I would like to share some tips and tricks with you:

I found a GitHub project called mikrocata2selks (https://github.com/angolo40/mikrocata2selks) which uses MikroTik's Packet Sniffer + Suricata + a nice-looking Kibana GUI.
Clone the git repo onto your device (dedicated PC, VM, server, etc.) - you should have at least 10 GB RAM and 4 cores, as it has to check each received packet.

My personal recommendation is not to simply run the easyinstall script but to manually execute the mentioned steps.
In general it does:
1) Create a dedicated dummy interface that Suricata will listen on.
2) Install a "converter" for MikroTik's traffic stream into a Suricata-readable format.
3) Install SELKS (https://github.com/StamusNetworks/SELKS)
4) Use MikroTik's API to add any bad IPs to a dedicated address list, which needs to be added in the firewall menu.

On the MikroTik router I set a filter on the Packet Sniffer to only forward TCP & UDP packets - otherwise it would forward any other packets, which Suricata wouldn't understand.

If you have any questions or a better approach, feel free to comment below.
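Step 4 of the list above is the part worth seeing in code: pick the alerting source addresses out of Suricata's EVE JSON (the alerts.json file a later reply asks about) and turn them into address-list entries with a timeout. The following is an added example, not code from mikrocata2selks; the EVE lines are constructed, and the list name Suricata, the 1d timeout, the severity threshold and the RFC 1918 allowlist are assumptions. It renders the RouterOS CLI form of the entries instead of calling the API.

```python
import json
import ipaddress

# Constructed EVE JSON lines standing in for alerts.json (not real Suricata output);
# the signature names are made up and the last line is deliberately malformed.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":443,'
    '"proto":"TCP","alert":{"signature":"EXAMPLE WEB_SERVER SQL injection pattern","severity":1}}',
    '{"event_type":"flow","src_ip":"198.51.100.4","dest_ip":"192.0.2.10","proto":"UDP"}',
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":443,'
    '"proto":"TCP","alert":{"signature":"EXAMPLE WEB_SERVER SQL injection pattern","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.88.50","dest_ip":"192.0.2.10","dest_port":443,'
    '"proto":"TCP","alert":{"signature":"EXAMPLE SCAN scanner user-agent","severity":2}}',
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","alert":{"signature":"EXAMPLE INFO plain browser fingerprint","severity":3}}',
    'not json',
]

# Assumed allowlist: RFC 1918 space, so the LAN behind the router is never blocked.
LAN_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def offending_ips(lines, max_severity=2, allowlist=LAN_NETS):
    """Distinct source IPs of alerts with severity <= max_severity (1 is the highest).
    Allowlisted sources are skipped so a noisy signature can never push internal
    hosts, or the SELKS box itself, onto the block list."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-flushed line in a live alerts.json is not an error
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http records etc. never trigger a block
        if ev.get("alert", {}).get("severity", 3) > max_severity:
            continue
        ip = ipaddress.ip_address(ev["src_ip"])
        if any(ip in net for net in nets):
            continue
        if str(ip) not in seen:
            seen.append(str(ip))
    return seen

def routeros_commands(ips, list_name="Suricata", timeout="1d"):
    """RouterOS CLI form of the address-list entries the project adds through the API.
    The timeout lets entries expire on their own; the list still needs a drop rule
    (src-address-list=<list_name>) in the firewall menu to have any effect."""
    return [f'/ip firewall address-list add list={list_name} address={ip} '
            f'timeout={timeout} comment="added by suricata"' for ip in ips]
```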
 
zhans
just joined
Posts: 4
Joined: Thu Feb 09, 2023 3:42 pm

Re: IPS/IDS with SELK

Thu Feb 09, 2023 3:44 pm

I did what you wrote on your GitHub page.
But

From suri_reloader.log:
2023-02-09 13:43:33,159 suri_reloader INFO Ruleset reload triggered
2023-02-09 13:43:33,159 suri_reloader ERROR Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
2023-02-09 13:43:34,161 suri_reloader INFO Ruleset reload triggered
2023-02-09 13:43:34,162 suri_reloader ERROR Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
2023-02-09 13:43:35,164 suri_reloader INFO Ruleset reload triggered
2023-02-09 13:43:35,165 suri_reloader ERROR Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
2023-02-09 13:43:36,166 suri_reloader INFO Ruleset reload triggered

From elasticsearch.log:

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/.local/lib/python3.9/site-packages/elasticsearch/connection/http_urllib3.py", line 232, in perform_request
response = self.pool.urlopen(
File "/root/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 785, in urlopen
retries = retries.increment(
File "/root/.local/lib/python3.9/site-packages/urllib3/util/retry.py", line 525, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/root/.local/lib/python3.9/site-packages/urllib3/packages/six.py", line 770, in reraise
raise value
File "/root/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/root/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 398, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 239, in request
super(HTTPConnection, self).request(method, url, body=body, headers=headers)
File "/usr/local/lib/python3.9/http/client.py", line 1253, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1299, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1248, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1008, in _send_output
self.send(msg)
File "/usr/local/lib/python3.9/http/client.py", line 948, in send
self.connect()
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 205, in connect
conn = self._new_conn()
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 186, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fd057643af0>: Failed to establish a new connection: [Errno 111] Connection refused
2023-02-09 13:36:51,038 Traceback (most recent call last):
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 174, in _new_conn
conn = connection.create_connection(
File "/root/.local/lib/python3.9/site-packages/urllib3/util/connection.py", line 95, in create_connection
raise err
File "/root/.local/lib/python3.9/site-packages/urllib3/util/connection.py", line 85, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Sun Feb 19, 2023 11:22 am

Have you verified that all containers are up and running?
It seems that Suricata is not running.

If you enter
sudo docker ps
it should display something like:
CONTAINER ID   IMAGE                                        COMMAND                  CREATED       STATUS                PORTS                                           NAMES
d40a1db11567   jasonish/suricata:master-amd64               "/etc/suricata/new_e…"   10 days ago   Up 5 days                                                             suricata
2a14c989bcbb   ghcr.io/stamusnetworks/scirius:selks         "/opt/scirius/bin/st…"   10 days ago   Up 5 days (healthy)   8000/tcp                                        scirius
056780d2ea0c   elastic/logstash:7.16.1                      "/usr/local/bin/dock…"   10 days ago   Up 5 days (healthy)   5044/tcp, 9600/tcp                              logstash
f225f0973b36   jasonish/evebox:master                       "/docker-entrypoint.…"   10 days ago   Up 5 days                                                             evebox
a4eb8ff92519   docker:latest                                "dockerd-entrypoint.…"   10 days ago   Up 5 days             2375-2376/tcp                                   cron
37701294a853   elastic/kibana:7.16.1                        "/bin/tini -- /usr/l…"   10 days ago   Up 5 days (healthy)   5601/tcp                                        kibana
b3eca47aa1f8   elastic/elasticsearch:7.16.1                 "/bin/tini -- /usr/l…"   10 days ago   Up 5 days (healthy)   9200/tcp, 9300/tcp                              elasticsearch
6df3d952f1b8   nginx                                        "/docker-entrypoint.…"   10 days ago   Up 5 days             80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx
ccbad4c732fb   ghcr.io/stamusnetworks/arkimeviewer:master   "/start-arkimeviewer…"   10 days ago   Up 5 days             8005/tcp                                        arkime
 
zhans
just joined
Posts: 4
Joined: Thu Feb 09, 2023 3:42 pm

Re: IPS/IDS with SELK

Sun Feb 19, 2023 10:22 pm

Yes,

CONTAINER ID   IMAGE                                  COMMAND                  CREATED       STATUS                PORTS                                                           NAMES
c488a0b82546   elastic/logstash:7.16.1                "/usr/local/bin/dock…"   10 days ago   Up 3 days (healthy)   5044/tcp, 9600/tcp                                              logstash
51336227b8d2   jasonish/suricata:master-amd64         "/etc/suricata/new_e…"   10 days ago   Up 3 days                                                                             suricata
21ee1229b210   ghcr.io/stamusnetworks/scirius:selks   "/opt/scirius/bin/st…"   10 days ago   Up 3 days (healthy)   8000/tcp                                                        scirius
0a27cf122be4   nginx                                  "/docker-entrypoint.…"   10 days ago   Up 3 days             80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp                   nginx
67b2d9d710b5   jasonish/evebox:master                 "/docker-entrypoint.…"   10 days ago   Up 3 days                                                                             evebox
707e838ad2bf   docker:latest                          "dockerd-entrypoint.…"   10 days ago   Up 3 days             2375-2376/tcp                                                   cron
bb9266ea3093   elastic/elasticsearch:7.16.1           "/bin/tini -- /usr/l…"   10 days ago   Up 3 days (healthy)   9200/tcp, 9300/tcp                                              elasticsearch
d51f8edd9de0   elastic/kibana:7.16.1                  "/bin/tini -- /usr/l…"   10 days ago   Up 3 days (healthy)   5601/tcp                                                        kibana
0001ba194ced   portainer/portainer-ce                 "/portainer --logo h…"   10 days ago   Up 3 days             8000/tcp, 9000/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp   portainer

 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Sun Feb 19, 2023 10:29 pm

Which OS are you using?
 
zhans
just joined
Posts: 4
Joined: Thu Feb 09, 2023 3:42 pm

Re: IPS/IDS with SELK

Sun Feb 19, 2023 10:53 pm

Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Sun Feb 19, 2023 10:58 pm

I run mine on Debian 11 - how did you install it?
Just run the easyinstall.sh script?
 
zhans
just joined
Posts: 4
Joined: Thu Feb 09, 2023 3:42 pm

Re: IPS/IDS with SELK

Mon Feb 20, 2023 10:48 am

Yes, I ran easyinstall.sh.
I did everything that you wrote on your GitHub page.
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Mon Feb 20, 2023 10:54 am

Please note it's not my GitHub repository - I just mentioned it as I used it as a guideline for installing.
From my point of view it looks like you are using wrong paths and therefore the application cannot find them.
 
fewdenis
just joined
Posts: 3
Joined: Fri Apr 26, 2019 1:00 pm

Re: IPS/IDS with SELK

Sun Feb 26, 2023 8:03 pm

Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
It's tested only on Debian 11 but should also work on Ubuntu.
Try a fresh install of Debian.
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: IPS/IDS with SELK

Mon Feb 27, 2023 9:35 am

And what are the differences from the already finished "set" - T-Pot?
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Mon Feb 27, 2023 10:35 am

SELKS is an IDS/IPS while T-Pot is a Honeypot
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:34 pm

SELKS is an IDS/IPS while T-Pot is a Honeypot

I still don't understand why this is necessary. How to block "extra" traffic with built-in tools is well done here - How to ***really*** block invalid ICMP, TCP, UDP packets and others + this. And no additional resources are needed for Debian and Python projects running on it. Unless you want to watch beautiful and useless graphics. As I wrote above, if you need to show the management beautiful diagrams of how all sorts of bad people are trying to "hack" you - install a TEMPORARY T-Pot. Show the pictures and delete it. Other than that, it's a waste of resources.
Last edited by BrateloSlava on Mon Feb 27, 2023 1:44 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12461
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:37 pm

(and also under DDoS the nice graphs are the DDoS itself...)
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:38 pm

It doesn't block traffic based on invalid TCP, UDP, whatever - it blocks traffic from e.g. known bad hosts automatically.
Also it does deep inspection and stops any malicious traffic which you in general would allow on a firewall level - e.g. TCP/443 for your webserver.
If a bad bot tries some SQL injections it will recognise it and block the host.
 
BrateloSlava
Member Candidate
Posts: 201
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:46 pm

It doesn't block traffic based on invalid TCP, UDP, whatever - it blocks traffic from e.g. known bad hosts automatically.
Also it does deep inspection and stops any malicious traffic which you in general would allow on a firewall level - e.g. TCP/443 for your webserver.
If a bad bot tries some SQL injections it will recognise it and block the host.

Read this - Help! Create script for possible future security Ddos
 
rextended
Forum Guru
Posts: 12461
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:46 pm

If a bad bot tries some SQL injections it will recognise it and block the host.
Bad bot???
BAD ADMIN!!!
How can the idiot who leaves the SQL port open to the outside be called "admin"???
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:47 pm

Do you guys understand the use case of an IDS/IPS or are you just bashing on this topic because you have some free time?
 
rextended
Forum Guru
Posts: 12461
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:50 pm

Do you guys understand the use case of an IDS/IPS or are you just bashing on this topic because you have some free time?
And what about the example of a stupid administrator who leaves the doors open at random???
But what management is it???
It doesn't matter what peripherals you put in, or how they're configured, if the network is then managed that way...
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:54 pm

Yeah, I know that, but leaving an SQL port open vs. SQL injection via HTTP are two different topics.
If someone leaves something open without any use case, it is not good.

But if you have a regular webserver you would need ports 80 & 443 open to the web - and there are also the bad guys who try to use any weakness of your webserver.
An IDS/IPS system tries to mitigate such problems, as it already knows common attack methods against a webserver and blocks them.

That's the big difference between a regular simple firewall, where I allow ports, protocols and so on, and an IDS/IPS, which does deep packet inspection and blocks traffic based on the data within a network packet.
 
rextended
Forum Guru
Posts: 12461
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPS/IDS with SELK

Mon Feb 27, 2023 1:59 pm

I agree on some points, but the firewall can't save programmers from foot-written code that can easily be used to do SQL-injection...
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPS/IDS with SELK

Mon Feb 27, 2023 2:02 pm

I also agree on that, and it's important to only open ports to the internet which are needed and to keep any software up to date.
Nevertheless it's also a good option to have another layer of security (if you have the resources to run it).

I just thought that I'd mention it in the useful articles - I didn't want to upset anyone.
 
rextended
Forum Guru
Posts: 12461
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPS/IDS with SELK

Mon Feb 27, 2023 2:08 pm

I didn't want to upset anyone.
??? why ???

This is a forum, better listen to more opinions, it doesn't matter if one agrees or not.
 
barcos
just joined
Posts: 8
Joined: Sat Oct 14, 2023 1:01 am

Re: IPS/IDS with SELK

Wed Nov 22, 2023 1:33 pm

Hello, I installed everything and everything seems to be working, but I have a problem: Suricata is not generating the log of the alerts in alerts.json, so the IPs are not sent to the MikroTik to block them.

To install it I used ./easyinstall.sh and it did not give any error in the process.

https://prnt.sc/uPjWzIzfQJxF
https://prnt.sc/doug3Dh8BEGv
https://prnt.sc/OJMHpDLH7A16
https://prnt.sc/5M0Ue8sy8TPO
https://prnt.sc/1J2tDoBhF4H3
