Update README.md

update Readme
Giuseppe 2024-06-19 09:40:38 +02:00 committed by GitHub
parent c5baafe1db
commit f90aecb0bb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

README.md

@ -8,116 +8,117 @@
## 📋 Introduction
This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices.
This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices. The script is compatible with latest SELKS 10.
**Minimum Requirements:**
- 4 CPU cores
- 10 GB of free RAM
- Minimum 10 GB of free disk space (actual disk occupation will mainly depend of the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended).
- Minimum 10 GB of free disk space (actual disk usage will mainly depend on the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended).
## 🚀 Installation
## 🚀 Install
- Setup a fresh Debian 12 install on a dedicated machine (server or vm)
- Login as root
- Install git with 'apt install git'
- Clone this git repo 'git clone https://github.com/angolo40/mikrocata2selks.git'
- Edit easyinstall.sh with path where to install SELKS and how many Mikrotik to handle
- Run './easyinstall.sh'
- Once finished edit /usr/local/bin/mikrocataTZSP0.py with your Mikrotik and Telegram parameters and then reload service with 'systemctl restart mikrocataTZSP0.service'
- Configure Mikrotik
1. Set up a fresh Debian 12 installation on a dedicated machine (server or VM).
2. Log in as root.
3. Install Git: `apt install git`.
4. Clone this repository: `git clone https://github.com/angolo40/mikrocata2selks.git`.
5. Edit `easyinstall.sh` with the path where to install SELKS and the number of Mikrotik devices to handle.
6. Run `./easyinstall.sh`.
7. Wait....
8. Once finished, edit `/usr/local/bin/mikrocataTZSP0.py` with your Mikrotik and Telegram parameters, then reload the service with `systemctl restart mikrocataTZSP0.service`.
9. Configure your Mikrotik devices.
## 📡 Mikrotik Setup
- /tool/sniffer/set filter-stream=yes streaming-enabled=yes streaming-server=[DEBIANIP]:37008
- /tool/sniffer/start
- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata
- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata
Enabling Mikrotik API:
- /ip/service/set api-ssl address=[DEBIANIP] enabled=yes
Add Mikrocata user in Mikrotik:
- /user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password)
1. Enable sniffer:
```sh
/tool/sniffer/set filter-stream=yes streaming-enabled=yes streaming-server=[YOURDEBIANIP]:37008
/tool/sniffer/start
```
2. Add firewall rules:
```sh
/ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata
/ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata
```
3. Enable Mikrotik API:
```sh
/ip/service/set api-ssl address=[DEBIANIP] enabled=yes
```
4. Add Mikrocata user in Mikrotik:
```sh
/user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password)
```
## 🛠️ Handling Multiple Mikrotik Devices
## 🛠️ Handle Multiple Mikrotik Devices
For each additional Mikrotik device, a dedicated dummy interface and mikrocata service will be created.
- Setting more than 1 Mikrotik it will create for each device a dedicated dummy interface and dedicated mikrocata service.
- Example:
- - for Mikrotik0 will create tzsp0 interface listening at 37008 port and /usr/local/bin/mikrocataTZSP0.py
- - for Mikrotik1 will create tzsp1 interface listening at 37009 port and /usr/local/bin/mikrocataTZSP1.py
- - for Mikrotik2 will create tzsp2 interface listening at 37010 port and /usr/local/bin/mikrocataTZSP2.py
- - and so on...
- - So you have to edit:
- - /usr/local/bin/mikrocataTZSP0.py with specific Mikrotik0 value and enable sniffer on Mikrotik0 sending data to 37008 port.
- - /usr/local/bin/mikrocataTZSP1.py with specific Mikrotik1 value and enable sniffer on Mikrotik1 sending data to 37009 port
- - /usr/local/bin/mikrocataTZSP2.py with specific Mikrotik2 value and enable sniffer on Mikrotik2 sending data to 37010 port.
- - and so on...
- Example configuration:
- For Mikrotik0: `tzsp0` interface on port `37008` and `/usr/local/bin/mikrocataTZSP0.py`.
- For Mikrotik1: `tzsp1` interface on port `37009` and `/usr/local/bin/mikrocataTZSP1.py`.
- For Mikrotik2: `tzsp2` interface on port `37010` and `/usr/local/bin/mikrocataTZSP2.py`.
Edit each script with the specific Mikrotik values and enable the sniffer on each Mikrotik device to send data to the respective port.
## 💡 Functions
## 💡 Features
- Installs Docker and Docker Compose.
- Installs Python.
- Download and install SELKS repo (https://github.com/StamusNetworks/SELKS)
- Download and install Mikrocata
- Downloads and installs SELKS repository (https://github.com/StamusNetworks/SELKS).
- Downloads and installs Mikrocata.
- Installs TZSP interface.
- Enables notifications over Telegram when an IP is blocked.
## 🔄 Changelog
### 2.2.2
- Fixed telegram notification
- Fixed telegram notification issue.
### 2.2.1
- Fixed bug causing microcata.py script crash during Suricata logrotate.
- Fixed bug causing `mikrocata.py` script crash during Suricata logrotate.
### 2.2
- Migrated compatibility to Debian 12.
- Added compatibility with Debian 12.
### 2.1
- Improved stability of the read_json function.(thanks to bekhzad-khamidullaev)
- Improved stability of the `read_json` function (thanks to bekhzad-khamidullaev).
## 🔧 Troubleshooting
- Check if packets are coming to VM from mikrotik through dummy interface
```sh
tcpdump -i tzsp0
```
- Check if mikrocata service and tzsp0 interface are up and running
```sh
systemctl status mikrocataTZSP0.service
systemctl status TZSPreplay37008@tzsp0.service
```
- Check if suricata docker is up and running
```sh
docker logs -f suricata
```
- Check if packets are arriving at the VM from Mikrotik through the dummy interface:
```sh
tcpdump -i tzsp0
```
- Check if mikrocata service and tzsp0 interface are up and running:
```sh
systemctl status mikrocataTZSP0.service
systemctl status TZSPreplay37008@tzsp0.service
```
- Check if Suricata Docker container is up and running:
```sh
docker logs -f suricata
```
## 📝 Notes
- default account of SELKS:
- - https://[DEBIANIP]
- - Username: selks-user
- Password: selks-user
- Default account for SELKS:
- URL: `https://[YOURDEBIANIP]`
- Username: `selks-user`
- Password: `selks-user`
## 👤 Author
**Giuseppe Trifilio**
- [Website](https://github.com/angolo40/mikrocata2selks)
- [Github](https://github.com/angolo40)
- [GitHub](https://github.com/angolo40)
Inspired by [zzbe/mikrocata](https://github.com/zzbe/mikrocata).
## 🤝 Contributing
Contributions, issues, and feature requests are welcome. Check the [issues page](https://github.com/angolo40/mikrocata2selks).
Contributions, issues, and feature requests are welcome! Check the [issues page](https://github.com/angolo40/mikrocata2selks).
## 🌟 Show Your Support
Give a ⭐️ if this project helped you!
- **XMR**: `87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw`
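Review bot: the API account created in Mikrotik Setup step 4 (`/user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password)`) gives the script full administrative control of the router, while the router-side work the README describes amounts to populating the `Suricata` address list that the two raw firewall rules drop on; suggest documenting a dedicated group with only the `api`, `read` and `write` policies and assigning the user to it, so that a credential read out of `/usr/local/bin/mikrocataTZSP0.py` does not hand over the whole device. Two smaller points in the same section: the trailing `(change password)` sits inside the fenced block and will break the command if pasted into the RouterOS terminal, so move it into the prose after the block; and the placeholder is `[YOURDEBIANIP]` in the sniffer command and in the SELKS URL under Notes but `[DEBIANIP]` in the `api-ssl` line, so settle on one. The Notes section lists the default `selks-user` / `selks-user` login for the web UI at `https://[YOURDEBIANIP]` without saying to change it after install; a one-line reminder there would be worth adding.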