Suricata and mikrotik

Help
1

Hey there i need recelenty install suricata on ubuntu, its working fine things happeing inside the network are getting inside suricata perfect.
the thing is i have a mikrotik and i configure sniffer to send traffic to suricata.

i used this awesome guide

but i cannot resolve the issue about this.

if i made a tcpdump im seeing all the traffic coming from mikrotik but when i try to start suricata with the mode that supposed to read all that traffic.

root@suricata:/etc/suricata# trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
11/5/2021 – 20:21:19 - - [ERRCODE: SC_ERR_INITIALIZATION(45)] - ERROR: Pcap file does not exist

inside suricata.yaml i put yes in the part about pcap.log but still same error.

Thanks anyone in advanced

2

Hi,

Try this way:

trafr -s | sudo suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

Usage example:

sudo tcpdump -ni ethxxx -w - tcp|sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -vvv -l ./ --runmode autofp

Captura de pantalla de 2021-05-13 09-00-30
Captura de pantalla de 2021-05-13 09-00-301066×614 194 KB

Greetings,

3

Thanks for you quick answer.

so i stop suricata systemctl stop suricata and try your command

trafr -s | sudo suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

when i did this it hangs with this and no response.
firt image.

suri1
suri11000×129 20.2 KB

then i try your second command

tcpdump -ni ethxxx -w - tcp|sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -vvv -l ./ --runmode autofp

suri2
suri21359×711 274 KB

suri3
suri31340×698 224 KB

and this is what i have, any rufther help will be much apreciated

Thanks

4

Why don’t you run Suricata directly on the ehternet interface? I would guess that mode with pipes isn’t stable

5

Hi,

tcpdump -ni ethxxx NO

tcpdump -ni eth0 or eth1 etc …

Best Regards,

6

ok sorry for that mistake about not realizing of ethxxx, ive tried so many things that im kinda of lost right now.

so i have suricata up and running with rules updated, if i made a curl http://tesymyds.ca from same server alert is trigger, but since i have a mikrotik when i did same trick about testmyids from other computer from the network nothing happens on suricata

so i open packet sniffer from mikrotik it is running
I also install trafr in suricata computer
If i run trafr -s | tcpdump -r - -n

trafr
trafr1211×533 241 KB

so traffic is coming from mikrotik to suricata

as i mention before i was following rober penz guide

after your help, i was trying again

trafr -s | sudo suricata -c /etc/suricata/suricata.yaml -r /dev/stdin

and it hags there last 2 come in after i press control c

trafr2
trafr2978×218 62.7 KB

finally i put your command

tcpdump -ni eth01 -w - tcp|sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -vvv -l ./ --runmode autofp

then

trafr3
trafr31296×497 220 KB

i also went to suricata.yaml and put yes to this table

trafr4

what i am missing

Thanks

7

Hi,

sudo:

sudo tcpdump -ni enp0s25 -w - tcp | sudo suricata -r /dev/stdin -c /etc/suricata/suricata.yaml -knone -v -l ./ --runmode autofp

  1. In this case it is not necessary to have the pcap-log activated.

  2. In my case, I have “–runmode autofp” activated by my yaml configuration. In your case you may not need it.

Saludos,

8

Hi,

I have problem for the issue of Mikrotik to Suricata, i can see a packet for this command:

trafr -s | tcpdump -r - -n

But if i run:

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml3 -v -i enp4s3

Theres nothing shown on fast.log at all, please help, i willing to pay to make this work, please skype me ‘halimzhz’

Thank you

9

Hi,

Try this way to see if it works.
fast.log will have content if it detects something.

-r /dev/stdin

/usr/local/bin/trafr -s | /usr/sbin/suricata -c /etc/suricata/suricata.yaml3 -v -r /dev/stdin