deepblue/mikrocata2selks
1
0
Fork 0
mirror of https://github.com/angolo40/mikrocata2selks.git synced 2025-05-12 08:27:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update README.md

Browse Source 
Update README.md
This commit is contained in:
Giuseppe 2024-02-23 10:25:40 +01:00 committed by GitHub
parent ced37cd5dc
commit 26e5289a54
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 56 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
README.md
View File

@ -1,34 +1,46 @@
<h1 align="center">Welcome to Mikrocata2SELKS 👋</h1> <h1 align="center">Welcome to Mikrocata2SELKS 👋</h1>
<p> <p>
<img alt="Version" src="https://img.shields.io/badge/version-2.2.0-blue.svg?cacheSeconds=2592000" /> <img alt="Version" src="https://img.shields.io/badge/version-2.2.1-blue.svg?cacheSeconds=2592000" />
<a href="https://github.com/angolo40/mikrocata2selks" target="_blank"> <a href="https://github.com/angolo40/mikrocata2selks" target="_blank">
<img alt="License: MIT" src="https://img.shields.io/github/license/angolo40/Mikrocata2SELKS" /> <img alt="License: MIT" src="https://img.shields.io/github/license/angolo40/Mikrocata2SELKS" />
</a> </a>
</p> </p>
> Script for auto-install Selks and mikrocata on Debian 12 ## 📋 Introduction
## Introduction
This repo intend to semplify installation of IDS/IPS Suricata for packet analyzing coming from Mikrotik.
It uses latest docker repo from SELKS (Suricata, ELK Stack) and mikrocata.
Minimum working setup: This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices.
- 4 cores **Minimum Requirements:**
- 4 CPU cores
- 10 GB of free RAM - 10 GB of free RAM
- minimum 10 GB of free disk space (actual disk occupation will mainly depend of the number of rules and the amount of traffic on the network). 200GB+ SSD grade is recommended. - Minimum 10 GB of free disk space (actual disk occupation will mainly depend of the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended).
## Install
## 🚀 Install
- Setup a fresh Debian 12 install on a dedicated machine (server or vm) - Setup a fresh Debian 12 install on a dedicated machine (server or vm)
- Login as root - Login as root
- Install git with 'apt install git' - Install git with 'apt install git'
- Download this git repo - Clone this git repo 'git clone https://github.com/angolo40/mikrocata2selks.git'
- Edit easyinstall.sh with path where to install SELKS and how many Mikrotik to handle - Edit easyinstall.sh with path where to install SELKS and how many Mikrotik to handle
- Run ./easyinstall.sh - Run ./easyinstall.sh
- Once finished edit /usr/local/bin/mikrocataTZSP0.py with your Mikrotik and Telegram parameters and then reload service with 'systemctl restart mikrocataTZSP0.service' - Once finished edit /usr/local/bin/mikrocataTZSP0.py with your Mikrotik and Telegram parameters and then reload service with 'systemctl restart mikrocataTZSP0.service'
- Configure Mikrotik - Configure Mikrotik
## Handle multiple Mikrotik
## 📡 Mikrotik Setup
- /tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=<DEBIANIP>:37008 (37008 is default port for Mikrotik0)
- /tool sniffer start
- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata
- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata
Enabling Mikrotik API:
- /ip service set api-ssl address=<DEBIANIP> enabled=yes
Add Mikrocata user in Mikrotik:
- /user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password)
## 🛠️ Handle Multiple Mikrotik Devices
- Setting more than 1 Mikrotik it will create for each device a dedicated dummy interface and dedicated mikrocata service. - Setting more than 1 Mikrotik it will create for each device a dedicated dummy interface and dedicated mikrocata service.
- Example: - Example:
@ -42,38 +54,31 @@ Minimum working setup:
- - /usr/local/bin/mikrocataTZSP2.py with specific Mikrotik2 value and enable sniffer on Mikrotik2 sending data to 37010 port. - - /usr/local/bin/mikrocataTZSP2.py with specific Mikrotik2 value and enable sniffer on Mikrotik2 sending data to 37010 port.
- - and so on... - - and so on...
## Mikrotik setup
- /tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=xxx.xxx.xxx.xxx:37008 (xxx.xxx.xxx.xxx is your Debian ip addr, 37008 is default port for Mikrotik0) ## 💡 Functions
- /tool sniffer start
- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata - Installs Docker and Docker Compose.
- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata - Installs Python.
Enabling Mikrotik API
- /ip service set api-ssl address=xxx.xxx.xxx.xxx enabled=yes (xxx.xxx.xxx.xxx is your Debian ip addr)
Add Mikrotik User
- /user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password)
## Functions
- Install Docker and Docker Compose
- Install Python
- Download and install SELKS repo (https://github.com/StamusNetworks/SELKS) - Download and install SELKS repo (https://github.com/StamusNetworks/SELKS)
- Download and install Mikrocata - Download and install Mikrocata
- Install TZSP interface - Installs TZSP interface.
- Notification over Telegram when ip is blocked - Enables notifications over Telegram when an IP is blocked.
## Changelog 2.2
- migrated compatibility to debian 12
## Changelog 2.1 ## 🔄 Changelog
- now mikrotcata read alerts from default suricata eve.json instead of create a new one
- rewrited read_json function for better stability (thanks to bekhzad-khamidullaev) ### 2.2.1
- Fixed bug causing microcata.py script crash during Suricata logrotate.
### 2.2
- Migrated compatibility to Debian 12.
### 2.1
- Improved stability of the read_json function.(thanks to bekhzad-khamidullaev)
## 🔧 Troubleshooting
## Troubleshooting
- Check if packets are coming to VM from mikrotik through dummy interface - Check if packets are coming to VM from mikrotik through dummy interface
```sh ```sh
tcpdump -i tzsp0 tcpdump -i tzsp0
@ -87,27 +92,29 @@ systemctl status TZSPreplay37008@tzsp0.service
```sh ```sh
docker logs -f suricata docker logs -f suricata
``` ```
## Notes
## 📝 Notes
- default account of SELKS: - default account of SELKS:
- - Username: selks-user - - Username: selks-user
- Password: selks-user - Password: selks-user
## Author ## 👤 Author
👤 **Giuseppe Trifilio** **Giuseppe Trifilio**
* Website: https://github.com/angolo40/mikrocata2selks - [Website](https://github.com/angolo40/mikrocata2selks)
* Github: [@angolo40](https://github.com/angolo40) - [Github](https://github.com/angolo40)
* Inspired by https://github.com/zzbe/mikrocata
Inspired by [zzbe/mikrocata](https://github.com/zzbe/mikrocata).
## 🤝 Contributing ## 🤝 Contributing
- Contributions, issues and feature requests are welcome!<br />Feel free to check [issues page](https://github.com/angolo40/mikrocata2selks). Contributions, issues, and feature requests are welcome. Check the [issues page](https://github.com/angolo40/mikrocata2selks).
## Show your support
- Give a ⭐️ if this project helped you! ## 🌟 Show Your Support
- BTC: bc1qga68pwf49sfhdd9nj96m8e2s65ypjegtx8lafj
- BNB: 0x720b2b3e4436ec7064d54598BAd113e5293fF691
***
_This README was generated with ❤️ by [readme-md-generator](https://github.com/kefranabg/readme-md-generator)_ Give a ⭐️ if this project helped you!
- **BTC**: `bc1qad42pe2ux24y6vek07stmr7dknrq7dzrcws4k7`
- **BNB**: `0x5fe7087ea857b0b5e509e81cbe120c3bd7524e1f`
- **XMR**: `87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw`