This commit is contained in:
giuseppe 2024-01-11 08:21:14 +01:00
parent c7b3ac32a7
commit 12c942893f
4 changed files with 21 additions and 26 deletions


@ -1,6 +1,6 @@
<h1 align="center">Welcome to Mikrocata2SELKS 👋</h1>
<p>
<img alt="Version" src="https://img.shields.io/badge/version-2.0.0-blue.svg?cacheSeconds=2592000" />
<img alt="Version" src="https://img.shields.io/badge/version-2.1.0-blue.svg?cacheSeconds=2592000" />
<a href="https://github.com/angolo40/mikrocata2selks" target="_blank">
<img alt="License: MIT" src="https://img.shields.io/github/license/angolo40/Mikrocata2SELKS" />
</a>
@ -66,22 +66,20 @@ Add Mikrotik User
- Install TZSP interface
- Notification over Telegram when ip is blocked
## Changelog 2.1
- now mikrotcata read alerts from default suricata eve.json instead of create a new one
- rewrited read_json function for better stability (thanks to bekhzad-khamidullaev)
## Troubleshooting
- Check if packets are coming to VM from Mikrotik through dummy interface
- Check if packets are coming to VM from mikrotik through dummy interface
```sh
tcpdump -i tzsp0
```
- Check if mikrocata service on tzsp0 is up and running
- Check if mikrocata service and tzsp0 interface are up and running
```sh
systemctl status mikrocataTZSP0.service
systemctl status TZSPreplay37008@tzsp0.service
```
- Common mikrocata errors:
- - /root/SELKS/docker/containers-data/suricata/logs/alerts.json not found. Retrying in 10 seconds:
- check if suricata docker is running with command 'docker ps -a'
- check if last 2 lines of /root/SELKS/docker/containers-data/suricata/etc/suricata.yaml are:
- - include: selks6-addin.yaml
- - include: mikrocata2selks.yaml
## Author


@ -115,9 +115,7 @@ then
cmd2=""
while [ $num -le $HOW_MANY_MIKROTIK ]
do
cp $PATH_GIT_MIKROCATA/mikrocata2selks.yaml $PATH_SELKS/docker/containers-data/suricata/etc/
cp $PATH_GIT_MIKROCATA/suricata.yaml $PATH_SELKS/docker/containers-data/suricata/etc/
echo "include: mikrocata2selks.yaml" >> $PATH_SELKS/docker/containers-data/suricata/etc/suricata.yaml
cmd2="$cmd2 -i tzsp$num"
num=$(( $num + 1 ))
done
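Review bot: Assuming `cp $PATH_GIT_MIKROCATA/suricata.yaml ...` is the added line (markers are not shown), the installer now overwrites the SELKS-shipped suricata.yaml wholesale with a file from the git checkout, so any upstream SELKS changes to that file (rule paths, outputs, thresholds) are silently discarded and nothing keeps a copy to diff against; the old approach only appended an `include:`. It also sits inside the per-Mikrotik `while` loop although it does not depend on `$num`, so it runs `HOW_MANY_MIKROTIK` times for the same effect. I would hoist it above the loop, keep the original once, and quote the paths: `dst="$PATH_SELKS/docker/containers-data/suricata/etc"`, `cp -n "$dst/suricata.yaml" "$dst/suricata.yaml.orig"`, `cp "$PATH_GIT_MIKROCATA/suricata.yaml" "$dst/"`. The enclosing `if ... then` starts outside the hunk.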


@ -8,6 +8,7 @@ from time import sleep
from datetime import datetime as dt
import pyinotify
import ujson
import json
import librouteros
from librouteros import connect
from librouteros.query import Key
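Review bot: `import json` is added while `import ujson` on the line above stays; if the rewritten `read_json` was the only consumer of `ujson` (as the rest of this diff suggests), the third-party import is now dead and should be dropped together with its entry in the install dependencies, rather than leaving two JSON libraries in scope. Fewer third-party packages is also one less thing to pin and audit. If `ujson` is still used elsewhere in the file, ignore this.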
@ -44,7 +45,7 @@ LISTEN_INTERFACE=("tzsp0")
# Suricata log file
SELKS_CONTAINER_DATA_SURICATA_LOG="/root/SELKS/docker/containers-data/suricata/logs/"
FILEPATH = os.path.abspath(SELKS_CONTAINER_DATA_SURICATA_LOG + "alerts.json")
FILEPATH = os.path.abspath(SELKS_CONTAINER_DATA_SURICATA_LOG + "eve.json")
# Save Mikrotik address lists to a file and reload them on Mikrotik reboot.
# You can add additional list(s), e.g. [BLOCK_LIST_NAME, "blocklist1", "list2"]
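Review bot: `FILEPATH` is still built by string concatenation, `SELKS_CONTAINER_DATA_SURICATA_LOG + "eve.json"`, so it depends on the constant keeping its trailing slash; `os.path.join(SELKS_CONTAINER_DATA_SURICATA_LOG, "eve.json")` is the conventional form and survives someone editing the directory constant. Note also that eve.json carries every event type Suricata emits (flows, dns, http, ...), not just alerts, so the reader now sees far more data per poll than alerts.json did; a short comment here saying the filter happens in `read_json` would help the next maintainer.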
@ -106,15 +107,23 @@ def seek_to_end(fpath):
def read_json(fpath):
global last_pos
while True:
try:
with open(fpath, "r") as f:
f.seek(last_pos)
alerts = [ujson.loads(line) for line in f.readlines()]
alerts = []
for line in f.readlines():
try:
alert = json.loads(line)
if alert.get('event_type') == 'alert':
alerts.append(json.loads(line))
else:
last_pos = f.tell()
continue
except:
continue
last_pos = f.tell()
return alerts
except FileNotFoundError:
print(f"[Mikrocata] File: {fpath} not found. Retrying in 10 seconds..")
sleep(10)
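Review bot: The new loop body can permanently drop alerts: `f.readlines()` on a file Suricata is still appending to may return a truncated final line, the bare `except: continue` hides the resulting decode error, and `last_pos = f.tell()` (at EOF after `readlines()`) then advances past the half-written record, so it is never re-read and the block action for it is lost. The bare `except:` also swallows `KeyboardInterrupt`/`SystemExit` and an `AttributeError` when a line is valid JSON but not an object, and `json.loads(line)` is called twice per alert. I would stop at the first line without a trailing newline, advance `last_pos` only past complete lines, and narrow the handler; the sketch below assumes `seek_to_end` initialises `last_pos` as a byte offset (a text-mode `tell()` cookie on a UTF-8 file is one in practice — confirm, or open that file in `"rb"` too). The `FileNotFoundError` handler and the rest of the `while True` loop are unchanged; the function may continue past the hunk.
```python
        with open(fpath, "rb") as f:
            f.seek(last_pos)
            alerts = []
            for raw in f:
                if not raw.endswith(b"\n"):
                    break  # partial record still being written; re-read next pass
                last_pos += len(raw)
                try:
                    event = json.loads(raw)
                except ValueError:
                    continue  # malformed line: skip it, but do not lose position
                if isinstance(event, dict) and event.get("event_type") == "alert":
                    alerts.append(event)
            return alerts
        # … unchanged: except FileNotFoundError / sleep(10) …
```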


@ -1,10 +0,0 @@
%YAML 1.1
---
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: alerts.json
types:
- alert