v2.1

README.md

@@ -1,6 +1,6 @@
 <h1 align="center">Welcome to Mikrocata2SELKS 👋</h1>
 <p>
-  <img alt="Version" src="https://img.shields.io/badge/version-2.0.0-blue.svg?cacheSeconds=2592000" />
+  <img alt="Version" src="https://img.shields.io/badge/version-2.1.0-blue.svg?cacheSeconds=2592000" />
   <a href="https://github.com/angolo40/mikrocata2selks" target="_blank">
     <img alt="License: MIT" src="https://img.shields.io/github/license/angolo40/Mikrocata2SELKS" />
   </a>
@@ -66,22 +66,20 @@ Add Mikrotik User
 - Install TZSP interface
 - Notification over Telegram when ip is blocked
 
+## Changelog 2.1
+- now mikrotcata read alerts from default suricata eve.json instead of create a new one 
+- rewrited read_json function for better stability (thanks to bekhzad-khamidullaev)
+
 ## Troubleshooting
-- Check if packets are coming to VM from Mikrotik through dummy interface
+- Check if packets are coming to VM from mikrotik through dummy interface
 ```sh
 tcpdump -i tzsp0
 ```
-- Check if mikrocata service on tzsp0 is up and running
+- Check if mikrocata service and tzsp0 interface are up and running
 ```sh
+systemctl status mikrocataTZSP0.service
 systemctl status TZSPreplay37008@tzsp0.service
 ```
-- Common mikrocata errors:
-- - /root/SELKS/docker/containers-data/suricata/logs/alerts.json not found. Retrying in 10 seconds:
-  - check if suricata docker is running with command 'docker ps -a'
-  - check if last 2 lines of /root/SELKS/docker/containers-data/suricata/etc/suricata.yaml are:
-  - - include: selks6-addin.yaml
-  - - include: mikrocata2selks.yaml
-
 
 
 ## Author

easyinstall.sh

@@ -115,9 +115,7 @@ then
     cmd2=""
     while [ $num -le $HOW_MANY_MIKROTIK ]
     do
-        cp $PATH_GIT_MIKROCATA/mikrocata2selks.yaml $PATH_SELKS/docker/containers-data/suricata/etc/
         cp $PATH_GIT_MIKROCATA/suricata.yaml $PATH_SELKS/docker/containers-data/suricata/etc/
-        echo "include: mikrocata2selks.yaml" >> $PATH_SELKS/docker/containers-data/suricata/etc/suricata.yaml
         cmd2="$cmd2 -i tzsp$num"
         num=$(( $num + 1 ))
     done

mikrocata.py

@@ -8,6 +8,7 @@ from time import sleep
 from datetime import datetime as dt
 import pyinotify
 import ujson
+import json
 import librouteros
 from librouteros import connect
 from librouteros.query import Key
@@ -44,7 +45,7 @@ LISTEN_INTERFACE=("tzsp0")
 
 # Suricata log file
 SELKS_CONTAINER_DATA_SURICATA_LOG="/root/SELKS/docker/containers-data/suricata/logs/"
-FILEPATH = os.path.abspath(SELKS_CONTAINER_DATA_SURICATA_LOG + "alerts.json")
+FILEPATH = os.path.abspath(SELKS_CONTAINER_DATA_SURICATA_LOG + "eve.json")
 
 # Save Mikrotik address lists to a file and reload them on Mikrotik reboot.
 # You can add additional list(s), e.g. [BLOCK_LIST_NAME, "blocklist1", "list2"]
@@ -106,15 +107,23 @@ def seek_to_end(fpath):
 
 def read_json(fpath):
     global last_pos
-
     while True:
         try:
             with open(fpath, "r") as f:
                 f.seek(last_pos)
-                alerts = [ujson.loads(line) for line in f.readlines()]
+                alerts = []
+                for line in f.readlines():
+                    try:
+                        alert = json.loads(line)
+                        if alert.get('event_type') == 'alert':
+                            alerts.append(json.loads(line))
+                        else:
+                            last_pos = f.tell()
+                            continue
+                    except:
+                        continue
                 last_pos = f.tell()
                 return alerts
-
         except FileNotFoundError:
             print(f"[Mikrocata] File: {fpath} not found. Retrying in 10 seconds..")
             sleep(10)

mikrocata2selks.yaml

@@ -1,10 +0,0 @@
-%YAML 1.1
----
-
-outputs:
-  - eve-log:
-      enabled: yes
-      filetype: regular
-      filename: alerts.json
-      types:
-        - alert