Suricata and Mikrotik help

Hello everyone,

A week ago, I installed Suricata 6.0.10, which was supposed to send me alerts if it detected anything malicious in the traffic passing through MikroTik.

I configured MikroTik to route all traffic through mangle rules (TZSP) to the appropriate address where Suricata is running (eth1: 10.4.4.180). After a few days, I noticed there were no results, so I created some simple rules just to detect if traffic appeared on certain ports, like port 25. I generated such traffic through the router using Telnet, and I used tcpdump to capture that traffic into a pcap file. Occasionally, a line for a port appears in the alert file, but there should be many more.

I tried manually running Suricata with commands like:

  • trafr -s | suricata -c /etc/suricata/suricata.yaml -v -i eth1

However, nothing was generated in the alert file. When I opened the file with Wireshark, it was correct, and I could see exactly where Suricata should have triggered an alert.

When I checked eve.json, I only have things that are related to the 10.4.4.x network. But like I said, with Wireshark I can see other networks in that pcap, and it seems that Suricata is not analyzing them.

Also, the command trafr -s | tcpdump -r - -n
gives me all the correct output.

In the Suricata YAML file I configured HOME_NET: "[10.0.0.0/8]", but still nothing. What do I need to do to force Suricata to analyze all the networks that come from the 10.4.4.180 stream?

Thank you!

Please provide your suricata.yaml and ideally the suricata.log and stats.log so we can check if the forwarding and capture actually work, and afterwards we can check why the alerts don't trigger.
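As an added example (not code from the original post or the reply), the script below decodes TZSP datagrams, the encapsulation MikroTik's packet sniffer streams (by default to UDP port 37008), and tallies which source/destination pairs the stream actually carries and whether either side falls inside HOME_NET. It gives a way to confirm, independently of trafr and Suricata, that the traffic you expect alerts on is really in the stream and that a rule anchored on $HOME_NET can match it: a rule such as alert tcp $HOME_NET any -> any 25 only fires when the source address is inside HOME_NET, and most rule sets are written $HOME_NET -> $EXTERNAL_NET, so a flow between two addresses outside HOME_NET never matches them. The sample datagrams, the addresses in them, and the build_tzsp and classify_stream helpers are constructed here for illustration and are not part of any MikroTik or Suricata tooling.

```python
import ipaddress
import socket
import struct
from collections import Counter

TZSP_PORT = 37008            # UDP port MikroTik's sniffer streams TZSP to by default
TZSP_VERSION = 1
TZSP_ENCAP_ETHERNET = 0x01
TZSP_TAG_PADDING = 0x00      # single byte, no length field
TZSP_TAG_END = 0x01          # single byte, terminates the tag list
ETHERTYPE_IPV4 = 0x0800


def decode_tzsp(datagram: bytes):
    """Return (src_ip, dst_ip, proto, dst_port) for the IPv4 packet inside a
    TZSP datagram, or None if the datagram is not a well-formed Ethernet/IPv4 TZSP frame."""
    if len(datagram) < 4:
        return None
    version, _kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION or encap != TZSP_ENCAP_ETHERNET:
        return None
    off = 4
    # Walk the tagged fields: PADDING and END carry no length byte, every other tag does.
    while True:
        if off >= len(datagram):
            return None
        tag = datagram[off]
        off += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        if off >= len(datagram):
            return None
        off += 1 + datagram[off]
    frame = datagram[off:]
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:        # TCP or UDP: dst port is L4 bytes 2..3
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport


def classify_stream(datagrams, home_net="10.0.0.0/8"):
    """Count (src, dst, dport, touches_home_net) tuples seen in a list of TZSP datagrams."""
    net = ipaddress.ip_network(home_net)
    rows = Counter()
    for d in datagrams:
        decoded = decode_tzsp(d)
        if decoded is None:
            rows[("undecodable", None, None, None)] += 1
            continue
        src, dst, _proto, dport = decoded
        in_home = ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net
        rows[(src, dst, dport, in_home)] += 1
    return rows


def build_tzsp(src, dst, proto, dport, tags=b""):
    """Constructed test helper (not MikroTik output): wrap a minimal Ethernet/IPv4
    packet in a TZSP header, optionally with extra tagged fields before the END tag."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 4     # just enough L4 header for the port
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    hdr = struct.pack("!BBH", TZSP_VERSION, 0, TZSP_ENCAP_ETHERNET) + tags + bytes([TZSP_TAG_END])
    return hdr + eth + ip + l4


# Constructed sample stream: one SMTP flow from a network outside 10.0.0.0/8 and
# two from inside it (the second carries a padding tag and a dummy tagged field).
SAMPLES = [
    build_tzsp("192.168.88.10", "203.0.113.7", 6, 25),
    build_tzsp("10.4.4.20", "203.0.113.7", 6, 25, tags=bytes([0x00, 0x0A, 0x01, 0x20])),
    build_tzsp("10.4.4.20", "203.0.113.7", 6, 25),
]


def listen(port=TZSP_PORT, count=1000, home_net="10.0.0.0/8"):
    """Capture `count` live TZSP datagrams from the sniffer and summarize them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    return classify_stream([sock.recv(65535) for _ in range(count)], home_net)


if __name__ == "__main__":
    for (src, dst, dport, home), n in sorted(classify_stream(SAMPLES).items(), key=str):
        print(f"{n:6d}  {src} -> {dst}:{dport}  in HOME_NET: {home}")
```

Run it on the box receiving the stream (listen() binds the TZSP port, so stop trafr first) and compare the tally with what Wireshark shows in the pcap: a flow that is present but has neither endpoint in HOME_NET will not trigger rules written against $HOME_NET, regardless of how the capture is wired up.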