diff --git a/README.md b/README.md index 1e6ad33..77dccd5 100644 --- a/README.md +++ b/README.md @@ -1,34 +1,46 @@

Welcome to Mikrocata2SELKS 👋

- Version + Version License: MIT

-> Script for auto-install Selks and mikrocata on Debian 12 -## Introduction -This repo intend to semplify installation of IDS/IPS Suricata for packet analyzing coming from Mikrotik. -It uses latest docker repo from SELKS (Suricata, ELK Stack) and mikrocata. +## 📋 Introduction -Minimum working setup: +This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices. -- 4 cores +**Minimum Requirements:** +- 4 CPU cores - 10 GB of free RAM -- minimum 10 GB of free disk space (actual disk occupation will mainly depend of the number of rules and the amount of traffic on the network). 200GB+ SSD grade is recommended. +- Minimum 10 GB of free disk space (actual disk occupation will mainly depend of the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended). -## Install + +## 🚀 Install - Setup a fresh Debian 12 install on a dedicated machine (server or vm) - Login as root - Install git with 'apt install git' -- Download this git repo +- Clone this git repo 'git clone https://github.com/angolo40/mikrocata2selks.git' - Edit easyinstall.sh with path where to install SELKS and how many Mikrotik to handle - Run ./easyinstall.sh - Once finished edit /usr/local/bin/mikrocataTZSP0.py with your Mikrotik and Telegram parameters and then reload service with 'systemctl restart mikrocataTZSP0.service' - Configure Mikrotik -## Handle multiple Mikrotik + +## 📡 Mikrotik Setup + +- /tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=:37008 (37008 is default port for Mikrotik0) +- /tool sniffer start +- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata +- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata +Enabling Mikrotik API: +- /ip service set api-ssl address= enabled=yes +Add Mikrocata user in Mikrotik: +- /user/add name=mikrocata2selks 
password=xxxxxxxxxxxxx group=full (change password) + + +## 🛠️ Handle Multiple Mikrotik Devices - Setting more than 1 Mikrotik it will create for each device a dedicated dummy interface and dedicated mikrocata service. - Example: 
@@ -42,38 +54,31 @@ Minimum working setup: - - /usr/local/bin/mikrocataTZSP2.py with specific Mikrotik2 value and enable sniffer on Mikrotik2 sending data to 37010 port. - - and so on... -## Mikrotik setup -- /tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=xxx.xxx.xxx.xxx:37008 (xxx.xxx.xxx.xxx is your Debian ip addr, 37008 is default port for Mikrotik0) -- /tool sniffer start +## 💡 Functions -- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata -- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata - -Enabling Mikrotik API - -- /ip service set api-ssl address=xxx.xxx.xxx.xxx enabled=yes (xxx.xxx.xxx.xxx is your Debian ip addr) - -Add Mikrotik User - -- /user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password) - -## Functions -- Install Docker and Docker Compose -- Install Python +- Installs Docker and Docker Compose. +- Installs Python. - Download and install SELKS repo (https://github.com/StamusNetworks/SELKS) - Download and install Mikrocata -- Install TZSP interface -- Notification over Telegram when ip is blocked +- Installs TZSP interface. +- Enables notifications over Telegram when an IP is blocked. -## Changelog 2.2 -- migrated compatibility to debian 12 -## Changelog 2.1 -- now mikrotcata read alerts from default suricata eve.json instead of create a new one -- rewrited read_json function for better stability (thanks to bekhzad-khamidullaev) +## 🔄 Changelog + +### 2.2.1 +- Fixed bug causing microcata.py script crash during Suricata logrotate. + +### 2.2 +- Migrated compatibility to Debian 12. + +### 2.1 +- Improved stability of the read_json function.(thanks to bekhzad-khamidullaev) + + +## 🔧 Troubleshooting -## Troubleshooting - Check if packets are coming to VM from mikrotik through dummy interface ```sh tcpdump -i tzsp0 
@@ -87,27 +92,29 @@ systemctl status TZSPreplay37008@tzsp0.service ```sh docker logs -f suricata ``` -## Notes + +## 📝 Notes - default account of SELKS: - - Username: selks-user - Password: selks-user -## Author +## 👤 Author -👤 **Giuseppe Trifilio** +**Giuseppe Trifilio** -* Website: https://github.com/angolo40/mikrocata2selks -* Github: [@angolo40](https://github.com/angolo40) -* Inspired by https://github.com/zzbe/mikrocata +- [Website](https://github.com/angolo40/mikrocata2selks) +- [Github](https://github.com/angolo40) + +Inspired by [zzbe/mikrocata](https://github.com/zzbe/mikrocata). ## 🤝 Contributing -- Contributions, issues and feature requests are welcome!
Feel free to check [issues page](https://github.com/angolo40/mikrocata2selks). -## Show your support +Contributions, issues, and feature requests are welcome. Check the [issues page](https://github.com/angolo40/mikrocata2selks). -- Give a ⭐️ if this project helped you! -- BTC: bc1qga68pwf49sfhdd9nj96m8e2s65ypjegtx8lafj -- BNB: 0x720b2b3e4436ec7064d54598BAd113e5293fF691 -*** +## 🌟 Show Your Support -_This README was generated with ❤️ by [readme-md-generator](https://github.com/kefranabg/readme-md-generator)_ +Give a ⭐️ if this project helped you! + +- **BTC**: `bc1qad42pe2ux24y6vek07stmr7dknrq7dzrcws4k7` +- **BNB**: `0x5fe7087ea857b0b5e509e81cbe120c3bd7524e1f` +- **XMR**: `87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw`
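Review bot: In hunk `@@ -1,34 +1,46 @@`, the new "📡 Mikrotik Setup" block drops the Debian host address from two commands: `/tool sniffer set ... streaming-server=:37008` and `/ip service set api-ssl address= enabled=yes`. The removed lines carried `xxx.xxx.xxx.xxx` plus the explanation "(xxx.xxx.xxx.xxx is your Debian ip addr)"; as written the sniffer has no destination host, and `api-ssl` is enabled with an empty `address=` restriction, which means the API service is no longer limited to the SELKS host. Restore the placeholder and its explanation in both commands. Minor: the Introduction also loses the sentence stating that the install uses the SELKS docker repo and mikrocata, which the Functions section still refers to, so consider keeping it.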
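Review bot: In hunk `@@ -42,38 +54,31 @@`, the 2.1 changelog entry "now mikrotcata read alerts from default suricata eve.json instead of create a new one" is removed and only the read_json stability note survives; that entry records a behavioural change (which log file is read), so keep it under 2.1. Also in this hunk: the new 2.2.1 entry says "microcata.py" where the rest of the file spells it mikrocata, and the Functions list now mixes "Installs ..." with the unchanged "Download and install ..." lines, which should read "Downloads and installs ..." for consistency.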
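Review bot: In hunk `@@ -87,27 +92,29 @@`, the BTC and BNB donation addresses are replaced (`bc1qga68...` becomes `bc1qad42...`, `0x720b...` becomes `0x5fe7...`) and an XMR address is added, inside a commit that is otherwise cosmetic README reformatting. Silently swapping payment addresses is a classic tampering pattern, so the change should be stated in the commit message and confirmed by the maintainer before merge. Also: the "Check the [issues page]" link still points at the repository root rather than its issues page, and the Notes section keeps the default SELKS credentials `selks-user` / `selks-user` without telling the reader to change them after install; a one-line reminder there would help.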