How to configure Packet Sniffer for IDS: Mirroring ether1 to ether6 for Suricata monitoring in WebFig

Posted: Fri Nov 22, 2024 11:33 am
by Somthin
I'm trying to set up packet capture for Suricata IDS/IPS monitoring. I want to capture all incoming WAN traffic from ether1 and mirror it to ether6, which connects to my Suricata VM.
Current setup:

RouterOS: 7.11.2
Device: L009UiGS-2HaxD
WAN port: ether1
Suricata VM connection: ether6

I've configured the basic packet sniffer settings:

Memory Limit: 100MB
Streaming Enabled: Yes
Port: 37008
Filter Stream: Enabled
MAC Protocol: ip

Issue:
I need help setting up the actual capture rule to mirror traffic from ether1 to ether6. I'm using the WebFig interface and cannot locate where to add the specific capture rule that would be equivalent to this CLI command:
/tool packet-sniffer
add interface=ether1 interface-matched=ether6 memory-limit=100 direction=in
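With streaming enabled on port 37008 as in the setup above, the sniffer sends each captured frame to the collector as TZSP over UDP. As an added example (not from the thread or from MikroTik), this Python decoder parses that stream and tallies the protocols the mirror actually delivers, which is the check the thread turns on: ARP only versus the TCP/UDP that Suricata needs. The TZSP layout follows the public protocol description; the sample frames and addresses are constructed.

```python
import struct
from collections import Counter
# TZSP: the format the packet sniffer streams captured frames in (UDP 37008 in the post above)
TZSP_ENCAP_ETHERNET, TAG_PADDING, TAG_END = 0x0001, 0x00, 0x01


def parse_tzsp(datagram: bytes):
    """Split one TZSP UDP payload into (encapsulation, tag dict, inner frame)."""
    if len(datagram) < 5:
        raise ValueError("TZSP datagram too short")
    version, _kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, i = {}, 4
    while True:  # tag list: 1-byte type, then 1-byte length + value except for PADDING/END
        if i >= len(datagram):
            raise ValueError("tag list not terminated")
        tag, i = datagram[i], i + 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if i >= len(datagram) or i + 1 + datagram[i] > len(datagram):
            raise ValueError("truncated tag")
        tags[tag] = datagram[i + 1:i + 1 + datagram[i]]
        i += 1 + datagram[i]
    return encap, tags, datagram[i:]


def classify_frame(frame: bytes) -> str:
    """Name what an Ethernet frame carries: ARP, IPv4/TCP, IPv4/UDP, ..."""
    ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else 0
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x0800 and len(frame) >= 34:  # protocol is byte 9 of the IPv4 header
        return "IPv4/" + {1: "ICMP", 6: "TCP", 17: "UDP"}.get(frame[23], str(frame[23]))
    return f"ethertype 0x{ethertype:04x}"


def count_protocols(datagrams) -> Counter:  # only ARP here means no IP traffic was mirrored
    counts = Counter()
    for dgram in datagrams:
        encap, _tags, frame = parse_tzsp(dgram)
        counts[classify_frame(frame) if encap == TZSP_ENCAP_ETHERNET else "non-ethernet"] += 1
    return counts


def build_tzsp(frame: bytes) -> bytes:  # constructed sample: v1, type 0 (received), Ethernet, no tags
    return struct.pack("!BBH", 1, 0, TZSP_ENCAP_ETHERNET) + bytes([TAG_END]) + frame


# Constructed frames (RFC 5737 addresses): an ARP request and an IPv4/TCP header
ETH = bytes(6) + bytes.fromhex("0242ac110002")
ARP_FRAME = ETH + b"\x08\x06" + bytes(28)
TCP_FRAME = ETH + b"\x08\x00" + bytes.fromhex("450000280000400040060000") + bytes([192, 0, 2, 10, 198, 51, 100, 20])
```

To use it against the real router, bind a UDP socket on the streaming port and feed the received datagrams to count_protocols.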

Re: How to configure Packet Sniffer for IDS: Mirroring ether1 to ether6 for Suricata monitoring in WebFig

Posted: Fri Nov 22, 2024 4:01 pm
by wiseroute
Hello,

You can use WinBox, go to the switch menu, and mirror your monitored port to the Suricata port.

https://help.mikrotik.com/docs/spaces/R ... p+Features

Re: How to configure Packet Sniffer for IDS: Mirroring ether1 to ether6 for Suricata monitoring in WebFig

Posted: Mon Nov 25, 2024 11:50 am
by Somthin
Hello,

You can use WinBox, go to the switch menu, and mirror your monitored port to the Suricata port.

https://help.mikrotik.com/docs/spaces/R ... p+Features
I already tried this and it's not enough, because the switch only mirrors ARP, and I need TCP or UDP (IP).