Suricata and MikroTik

Hey there, I recently installed Suricata on Ubuntu. It's working fine: things happening inside the network are getting into Suricata perfectly.
The thing is I have a MikroTik and I configured its sniffer to send traffic to Suricata.

I used this awesome guide

but I cannot resolve this issue.

If I run a tcpdump I see all the traffic coming from the MikroTik, but when I try to start Suricata in the mode that is supposed to read all that traffic:

root@suricata:/etc/suricata# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
11/5/2021 – 20:21:19 - - [ERRCODE: SC_ERR_INITIALIZATION(45)] - ERROR: Pcap file does not exist

Inside suricata.yaml I put yes in the part about pcap.log, but I still get the same error.

Thanks to anyone in advance

Hi,

Try this way:

trafr -s | sudo suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

Usage example:

sudo tcpdump -ni ethxxx -w - tcp|sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -vvv -l ./ --runmode autofp

Greetings,

Thanks for your quick answer.

So I stopped Suricata (systemctl stop suricata) and tried your command

trafr -s | sudo suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

When I did this it hangs with this and no response.
first image.


Then I tried your second command

tcpdump -ni ethxxx -w - tcp|sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -vvv -l ./ --runmode autofp


and this is what I have. Any further help will be much appreciated.

Thanks

Why don't you run Suricata directly on the ethernet interface? I would guess that mode with pipes isn't stable.

Hi,

tcpdump -ni ethxxx NO

tcpdump -ni eth0 or eth1 etc …

Best Regards,

OK, sorry for that mistake about not realizing what ethxxx meant; I've tried so many things that I'm kind of lost right now.

So I have Suricata up and running with rules updated. If I run curl http://tesymyds.ca from the same server, the alert is triggered, but since I have a MikroTik, when I did the same testmyids trick from another computer on the network, nothing happens in Suricata.

So I opened the packet sniffer on the MikroTik; it is running.
I also installed trafr on the Suricata computer.
If I run trafr -s | tcpdump -r - -n

so traffic is coming from the MikroTik to Suricata.

As I mentioned before, I was following Robert Penz's guide.

After your help, I tried again

trafr -s | sudo suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

and it hangs there; the last 2 lines come in after I press Control-C.

Finally I ran your command

tcpdump -ni eth01 -w - tcp|sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -vvv -l ./ --runmode autofp

then

I also went to suricata.yaml and put yes in this table

What am I missing?

Thanks

Hi,

sudo:

sudo tcpdump -ni enp0s25 -w - tcp | sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -v -l ./ --runmode autofp

  1. In this case it is not necessary to have the pcap-log activated.

  2. In my case, I have "--runmode autofp" activated by my yaml configuration. In your case you may not need it.

Regards,

Hi,

I have a problem with the MikroTik to Suricata setup. I can see packets with this command:

trafr -s | tcpdump -r - -n

But if I run:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml3 -v -i enp4s3

There's nothing shown in fast.log at all. Please help, I'm willing to pay to make this work; please skype me 'halimzhz'.

Thank you

Hi,

Try this way to see if it works.
fast.log will have content if it detects something.

-r /dev/stdin

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml3 -v -r /dev/stdin
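The advice in the replies above boils down to one pipeline: trafr writes a pcap stream to stdout, and Suricata reads it with -r /dev/stdin (not -r -, which Suricata treats as a literal file name). The following wrapper is an added example, not code from the thread or from the trafr or Suricata projects: it checks that the first bytes on stdin really are a pcap or pcapng header before handing the stream to Suricata, so a mis-wired sniffer shows an error instead of an empty fast.log. SURICATA_YAML and LOGDIR are assumed placeholders.

```shell
#!/bin/sh
# Added example: validate a pcap stream on stdin, then feed it to suricata -r /dev/stdin.
# Assumed placeholders: SURICATA_YAML and LOGDIR (override via the environment).
SURICATA_YAML=${SURICATA_YAML:-/etc/suricata/suricata.yaml}
LOGDIR=${LOGDIR:-/var/log/suricata}

# Return 0 when $1 (8 hex digits, the first 4 bytes of the stream) is a capture
# file magic number that suricata -r can read.
pcap_magic_ok() {
    case "$1" in
        d4c3b2a1|a1b2c3d4) return 0 ;;   # classic pcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) return 0 ;;   # classic pcap, nanosecond timestamps
        0a0d0d0a) return 0 ;;            # pcapng section header block
        *) return 1 ;;
    esac
}

# Print the first 4 bytes of file $1 as one lowercase hex string.
read_magic() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Return 0 if file $1 starts with a known capture magic, else explain on stderr.
check_capture() {
    magic=$(read_magic "$1")
    if pcap_magic_ok "$magic"; then
        return 0
    fi
    echo "stdin is not a pcap/pcapng stream (first bytes: ${magic:-none})" >&2
    return 1
}

# Take the first 4 bytes from stdin, validate them, then replay those bytes followed
# by the rest of stdin into suricata. Suricata keeps running until the stream ends.
run_suricata_on_stream() {
    hdr=$(mktemp) || return 1
    head -c 4 >"$hdr"
    if ! check_capture "$hdr"; then
        rm -f "$hdr"
        return 1
    fi
    cat "$hdr" - | suricata -c "$SURICATA_YAML" -r /dev/stdin -k none -l "$LOGDIR"
    rc=$?
    rm -f "$hdr"
    return $rc
}

# Usage: trafr -s | sh ./stream_to_suricata.sh run
if [ "${1:-}" = "run" ]; then
    run_suricata_on_stream
fi
```

If trafr's output is not a pcap stream, the wrapper exits before Suricata starts, which separates "no traffic arriving" from "traffic arriving but no rule matching".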