IPS/IDS with SELK
Posted: Wed Feb 08, 2023 4:07 pm
by An5teifo
Dear forum,
As I recently migrated fully from OPNsense to Mikrotik I had some concerns, as there is no native IDS/IPS available on Mikrotik - but luckily the internet has some solutions, which I implemented and for which I would like to share some tips and tricks with you:
I found a GitHub project called mikrocata2selks (https://github.com/angolo40/mikrocata2selks) which uses Mikrotik's Packet Sniffer + Suricata + a nice-looking Kibana GUI.
Clone the git repo onto your device (dedicated PC, VM, server, etc.) - you should have at least 10 GB RAM and 4 cores, as it has to check each received packet.
My personal recommendation is not to simply run the easyinstall script but to manually execute the mentioned steps.
In general it does:
1) Creating a dedicated dummy interface on which Suricata will listen.
2) Installing a "converter" for Mikrotik's traffic stream into a Suricata-readable format.
3) Installing SELKS (https://github.com/StamusNetworks/SELKS)
4) Using Mikrotik's API to add any bad IPs to a dedicated list, which needs to be added in the firewall menu.
On the Mikrotik router I set a filter on the Packet Sniffer to only forward TCP & UDP packets - otherwise it would forward any other packets, which Suricata wouldn't understand.
If you have any questions or a better approach, feel free to comment below.
Re: IPS/IDS with SELK
Posted: Thu Feb 09, 2023 3:44 pm
by zhans
I did what you wrote on your GitHub page.
But, from suri_reloader.log:
2023-02-09 13:43:33,159 suri_reloader INFO Ruleset reload triggered
2023-02-09 13:43:33,159 suri_reloader ERROR Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
2023-02-09 13:43:34,161 suri_reloader INFO Ruleset reload triggered
2023-02-09 13:43:34,162 suri_reloader ERROR Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
2023-02-09 13:43:35,164 suri_reloader INFO Ruleset reload triggered
2023-02-09 13:43:35,165 suri_reloader ERROR Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
2023-02-09 13:43:36,166 suri_reloader INFO Ruleset reload triggered
from elasticsearch.log:
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/.local/lib/python3.9/site-packages/elasticsearch/connection/http_urllib3.py", line 232, in perform_request
response = self.pool.urlopen(
File "/root/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 785, in urlopen
retries = retries.increment(
File "/root/.local/lib/python3.9/site-packages/urllib3/util/retry.py", line 525, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/root/.local/lib/python3.9/site-packages/urllib3/packages/six.py", line 770, in reraise
raise value
File "/root/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/root/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 398, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 239, in request
super(HTTPConnection, self).request(method, url, body=body, headers=headers)
File "/usr/local/lib/python3.9/http/client.py", line 1253, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1299, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1248, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1008, in _send_output
self.send(msg)
File "/usr/local/lib/python3.9/http/client.py", line 948, in send
self.connect()
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 205, in connect
conn = self._new_conn()
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 186, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fd057643af0>: Failed to establish a new connection: [Errno 111] Connection refused
2023-02-09 13:36:51,038 Traceback (most recent call last):
File "/root/.local/lib/python3.9/site-packages/urllib3/connection.py", line 174, in _new_conn
conn = connection.create_connection(
File "/root/.local/lib/python3.9/site-packages/urllib3/util/connection.py", line 95, in create_connection
raise err
File "/root/.local/lib/python3.9/site-packages/urllib3/util/connection.py", line 85, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
Re: IPS/IDS with SELK
Posted: Sun Feb 19, 2023 11:22 am
by An5teifo
Have you verified that all containers are up and running?
It seems that Suricata is not running.
If you enter
it should display something like:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d40a1db11567 jasonish/suricata:master-amd64 "/etc/suricata/new_e…" 10 days ago Up 5 days suricata
2a14c989bcbb ghcr.io/stamusnetworks/scirius:selks "/opt/scirius/bin/st…" 10 days ago Up 5 days (healthy) 8000/tcp scirius
056780d2ea0c elastic/logstash:7.16.1 "/usr/local/bin/dock…" 10 days ago Up 5 days (healthy) 5044/tcp, 9600/tcp logstash
f225f0973b36 jasonish/evebox:master "/docker-entrypoint.…" 10 days ago Up 5 days evebox
a4eb8ff92519 docker:latest "dockerd-entrypoint.…" 10 days ago Up 5 days 2375-2376/tcp cron
37701294a853 elastic/kibana:7.16.1 "/bin/tini -- /usr/l…" 10 days ago Up 5 days (healthy) 5601/tcp kibana
b3eca47aa1f8 elastic/elasticsearch:7.16.1 "/bin/tini -- /usr/l…" 10 days ago Up 5 days (healthy) 9200/tcp, 9300/tcp elasticsearch
6df3d952f1b8 nginx "/docker-entrypoint.…" 10 days ago Up 5 days 80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp nginx
ccbad4c732fb ghcr.io/stamusnetworks/arkimeviewer:master "/start-arkimeviewer…" 10 days ago Up 5 days 8005/tcp arkime
Re: IPS/IDS with SELK
Posted: Sun Feb 19, 2023 10:22 pm
by zhans
Yes,
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c488a0b82546 elastic/logstash:7.16.1 "/usr/local/bin/dock…" 10 days ago Up 3 days (healthy) 5044/tcp, 9600/tcp logstash
51336227b8d2 jasonish/suricata:master-amd64 "/etc/suricata/new_e…" 10 days ago Up 3 days suricata
21ee1229b210 ghcr.io/stamusnetworks/scirius:selks "/opt/scirius/bin/st…" 10 days ago Up 3 days (healthy) 8000/tcp scirius
0a27cf122be4 nginx "/docker-entrypoint.…" 10 days ago Up 3 days 80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp nginx
67b2d9d710b5 jasonish/evebox:master "/docker-entrypoint.…" 10 days ago Up 3 days evebox
707e838ad2bf docker:latest "dockerd-entrypoint.…" 10 days ago Up 3 days 2375-2376/tcp cron
bb9266ea3093 elastic/elasticsearch:7.16.1 "/bin/tini -- /usr/l…" 10 days ago Up 3 days (healthy) 9200/tcp, 9300/tcp elasticsearch
d51f8edd9de0 elastic/kibana:7.16.1 "/bin/tini -- /usr/l…" 10 days ago Up 3 days (healthy) 5601/tcp kibana
0001ba194ced portainer/portainer-ce "/portainer --logo h…" 10 days ago Up 3 days 8000/tcp, 9000/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp portainer
Re: IPS/IDS with SELK
Posted: Sun Feb 19, 2023 10:29 pm
by An5teifo
Which OS are you using?
Re: IPS/IDS with SELK
Posted: Sun Feb 19, 2023 10:53 pm
by zhans
Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
Re: IPS/IDS with SELK
Posted: Sun Feb 19, 2023 10:58 pm
by An5teifo
I run mine on Debian 11 - how did you install it?
Just by running the easyinstall.sh script?
Re: IPS/IDS with SELK
Posted: Mon Feb 20, 2023 10:48 am
by zhans
Yes, I ran easyinstall.sh.
I did everything you wrote on your GitHub page.
Re: IPS/IDS with SELK
Posted: Mon Feb 20, 2023 10:54 am
by An5teifo
Please note it's not my GitHub repository - I just mentioned it as I used it as a guideline for installing.
From my point of view it looks like you are using wrong paths and therefore the application cannot find them.
Re: IPS/IDS with SELK
Posted: Sun Feb 26, 2023 8:03 pm
by fewdenis
Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
It's tested only on Debian 11 but should also work on Ubuntu.
Try a fresh install of Debian.
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 9:35 am
by BrateloSlava
And what are the differences from the already finished "set" -
T-Pot
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 10:35 am
by An5teifo
SELKS is an IDS/IPS while T-Pot is a Honeypot
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:34 pm
by BrateloSlava
SELKS is an IDS/IPS while T-Pot is a Honeypot
I still don't understand why this is necessary. How to block "extra" traffic with built-in tools is well done here -
How to ***really*** block invalid ICMP, TCP, UDP packets and others +
this. And no additional resources are needed for Debian and Python projects running on it. Unless you want to watch beautiful and useless graphics. As I wrote above, if you need to show the management beautiful diagrams of how all sorts of bad people are trying to "hack" you - install a TEMPORARY T-Pot. Show the pictures and delete it. Other than that, it's a waste of resources.
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:37 pm
by rextended
(and also under DDoS the nice graphs are the DDoS itself...)
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:38 pm
by An5teifo
It doesn't block traffic based on invalid TCP, UDP, whatever - it automatically blocks traffic from e.g. known bad hosts.
Also it does deep inspection and stops any malicious traffic which you in general would allow on a firewall level - e.g. TCP/443 for your webserver.
If a bad bot tries some SQL injections it will recognise it and block the host.
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:46 pm
by BrateloSlava
It doesn't block traffic based on invalid TCP, UDP, whatever - it automatically blocks traffic from e.g. known bad hosts.
Also it does deep inspection and stops any malicious traffic which you in general would allow on a firewall level - e.g. TCP/443 for your webserver.
If a bad bot tries some SQL injections it will recognise it and block the host.
Read this -
Help! Create script for possible future security Ddos
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:46 pm
by rextended
If a bad bot tries some SQL injections it will recognise it and block the host.
Bad bot???
BAD ADMIN!!!
How can the idiot who leaves the SQL port open to the outside be called "admin"???
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:47 pm
by An5teifo
Do you guys understand the use case of an IDS/IPS, or are you just bashing on this topic because you have some free time?
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:50 pm
by rextended
Do you guys understand the use case of an IDS/IPS, or are you just bashing on this topic because you have some free time?
And what about the example of a stupid administrator who leaves the doors open at random???
But what management is it???
It doesn't matter what peripherals you put in, or how they're configured, if the network is then managed that way...
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:54 pm
by An5teifo
Yeah, I know that, but leaving an SQL port open vs. SQL injection via HTTP are two different topics.
If someone leaves something open without any use case, it is not good.
But if you have a regular webserver you would need ports 80 & 443 open to the web - and there are also the bad guys who try to use any weakness of your webserver.
An IDS/IPS system tries to mitigate such problems, as it already knows common attack methods against a webserver and blocks them.
That's the big difference between a regular simple firewall, where I allow ports, protocols and so on, and an IDS/IPS, which does deep packet inspection and blocks traffic based on the data within a network packet.
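As an added example (not code from the mikrocata2selks project or from any poster in this thread), here is the glue logic behind step 4 of the opening post and the "recognise it and block the host" behaviour described in this reply: read Suricata's EVE/alert JSON, keep only high-severity alerts whose source lies outside an explicit never-block list, deduplicate per host, and build the parameter sets that a `/ip/firewall/address-list/add` API call (or the equivalent CLI line) would carry. The list name `selks-blocklist`, the `192.0.2.0/24` "own public servers" range, the severity threshold and the 1-day timeout are assumptions; the EVE lines and signature names are constructed samples.

```python
import ipaddress
import json

# Constructed EVE JSON lines (not captured from a real sensor). Signature
# names are sample values in Emerging Threats style, not real rule text.
SAMPLE_EVE = """\
{"timestamp":"2023-11-22T12:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE WEB_SERVER SQL Injection Attempt","severity":1}}
{"timestamp":"2023-11-22T12:00:02.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP"}
{"timestamp":"2023-11-22T12:00:03.000000+0000","event_type":"alert","src_ip":"192.168.88.20","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE INFO Noisy LAN client","severity":1}}
{"timestamp":"2023-11-22T12:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE WEB_SERVER SQL Injection Attempt","severity":1}}
{"timestamp":"2023-11-22T12:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.12","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE POLICY Unusual User-Agent","severity":2}}
{"timestamp":"2023-11-22T12:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature":"SAMPLE OUTBOUND Suspicious request from our server","severity":1}}
{"timestamp":"2023-11-22T12:00:07.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE SCAN Web application scanner","severity":1}}
not json at all
"""

# Addresses that must never land on the block list: LAN ranges, loopback,
# link-local and (assumed) our own public web servers. Without this guard a
# false positive or a spoofed source turns the IPS into a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN ranges
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "192.0.2.0/24",                                     # assumed: own public servers
)]

# Suricata severity 1 is the highest; only alerts at or above this level block.
MAX_SEVERITY_TO_BLOCK = 1


def parse_eve(text):
    """Yield alert records from EVE JSON text; skip other event types and bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not stop the consumer
        if rec.get("event_type") == "alert" and "src_ip" in rec:
            yield rec


def is_blockable(ip_str):
    """True if ip_str is a valid address outside every never-block range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in NEVER_BLOCK)


def build_address_list_entries(text, list_name="selks-blocklist", timeout="1d"):
    """Return one RouterOS address-list parameter set per offending source host."""
    entries = {}
    for rec in parse_eve(text):
        alert = rec.get("alert", {})
        if alert.get("severity", 99) > MAX_SEVERITY_TO_BLOCK:
            continue
        src = rec["src_ip"]
        if not is_blockable(src) or src in entries:
            continue  # skip protected hosts and repeat alerts from the same host
        entries[src] = {
            "list": list_name,
            "address": src,
            "timeout": timeout,  # entries expire, so the list cannot grow without bound
            "comment": alert.get("signature", "suricata alert")[:60],
        }
    return list(entries.values())


def to_cli(entry):
    """Render an entry as the equivalent RouterOS CLI command (for review/logging)."""
    return ('/ip firewall address-list add list={list} address={address} '
            'timeout={timeout} comment="{comment}"'.format(**entry))


if __name__ == "__main__":
    for e in build_address_list_entries(SAMPLE_EVE):
        print(to_cli(e))
```

Running the block yields two commands (for 203.0.113.45 and 198.51.100.9): the LAN client, the server's own address, the duplicate alert and the severity-2 alert are all filtered out. The list is only useful once a rule consumes it, e.g. `/ip firewall raw add chain=prerouting src-address-list=selks-blocklist action=drop` placed before the rules that accept web traffic, and, per the opening post, the sniffer should only stream TCP and UDP (`/tool sniffer set filter-ip-protocol=tcp,udp`) so Suricata is not fed frames it cannot parse.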
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 1:59 pm
by rextended
I agree on some points, but the firewall can't save programmers from foot-written code that can easily be used to do SQL-injection...
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 2:02 pm
by An5teifo
I also agree on that, and it's important to only open ports to the internet which are needed and to keep any software up to date.
Nevertheless it's also a good option to have another layer of security (if you have the resources to run it).
I just thought that I would mention it in the useful articles - I didn't want to upset anyone.
Re: IPS/IDS with SELK
Posted: Mon Feb 27, 2023 2:08 pm
by rextended
I didn't want to upset anyone.
??? why ???
This is a forum, better listen to more opinions, it doesn't matter if one agrees or not.
Re: IPS/IDS with SELK
Posted: Wed Nov 22, 2023 1:33 pm
by barcos
Hello, I installed everything and everything seems to be working, but I have a problem: Suricata is not generating the log of the alerts in alerts.json, so the IPs are not sent to the Mikrotik to block them.
To install it I used ./easyinstall.sh and it did not give any error in the process.
https://prnt.sc/uPjWzIzfQJxF
https://prnt.sc/doug3Dh8BEGv
https://prnt.sc/OJMHpDLH7A16
https://prnt.sc/5M0Ue8sy8TPO
https://prnt.sc/1J2tDoBhF4H3