diff --git a/README.md b/README.md index fd164d9..8fb7e44 100644 --- a/README.md +++ b/README.md 
@@ -8,116 +8,117 @@ ## 📋 Introduction -This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices. +This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices. The script is compatible with latest SELKS 10. **Minimum Requirements:** - 4 CPU cores - 10 GB of free RAM -- Minimum 10 GB of free disk space (actual disk occupation will mainly depend of the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended). +- Minimum 10 GB of free disk space (actual disk usage will mainly depend on the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended). +## 🚀 Installation -## 🚀 Install - -- Setup a fresh Debian 12 install on a dedicated machine (server or vm) -- Login as root -- Install git with 'apt install git' -- Clone this git repo 'git clone https://github.com/angolo40/mikrocata2selks.git' -- Edit easyinstall.sh with path where to install SELKS and how many Mikrotik to handle -- Run './easyinstall.sh' -- Once finished edit /usr/local/bin/mikrocataTZSP0.py with your Mikrotik and Telegram parameters and then reload service with 'systemctl restart mikrocataTZSP0.service' -- Configure Mikrotik - +1. Set up a fresh Debian 12 installation on a dedicated machine (server or VM). +2. Log in as root. +3. Install Git: `apt install git`. +4. Clone this repository: `git clone https://github.com/angolo40/mikrocata2selks.git`. +5. Edit `easyinstall.sh` with the path where to install SELKS and the number of Mikrotik devices to handle. +6. Run `./easyinstall.sh`. +7. Wait.... +8. Once finished, edit `/usr/local/bin/mikrocataTZSP0.py` with your Mikrotik and Telegram parameters, then reload the service with `systemctl restart mikrocataTZSP0.service`. +9. Configure your Mikrotik devices. 
## 📡 Mikrotik Setup -- /tool/sniffer/set filter-stream=yes streaming-enabled=yes streaming-server=[DEBIANIP]:37008 -- /tool/sniffer/start -- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata -- /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata - -Enabling Mikrotik API: -- /ip/service/set api-ssl address=[DEBIANIP] enabled=yes - -Add Mikrocata user in Mikrotik: -- /user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password) +1. Enable sniffer: + ```sh + /tool/sniffer/set filter-stream=yes streaming-enabled=yes streaming-server=[YOURDEBIANIP]:37008 + /tool/sniffer/start + ``` +2. Add firewall rules: + ```sh + /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata + /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata + ``` +3. Enable Mikrotik API: + ```sh + /ip/service/set api-ssl address=[DEBIANIP] enabled=yes + ``` +4. Add Mikrocata user in Mikrotik: + ```sh + /user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password) + ``` +## 🛠️ Handling Multiple Mikrotik Devices -## 🛠️ Handle Multiple Mikrotik Devices +For each additional Mikrotik device, a dedicated dummy interface and mikrocata service will be created. -- Setting more than 1 Mikrotik it will create for each device a dedicated dummy interface and dedicated mikrocata service. -- Example: -- - for Mikrotik0 will create tzsp0 interface listening at 37008 port and /usr/local/bin/mikrocataTZSP0.py -- - for Mikrotik1 will create tzsp1 interface listening at 37009 port and /usr/local/bin/mikrocataTZSP1.py -- - for Mikrotik2 will create tzsp2 interface listening at 37010 port and /usr/local/bin/mikrocataTZSP2.py -- - and so on... 
-- - So you have to edit: -- - /usr/local/bin/mikrocataTZSP0.py with specific Mikrotik0 value and enable sniffer on Mikrotik0 sending data to 37008 port. -- - /usr/local/bin/mikrocataTZSP1.py with specific Mikrotik1 value and enable sniffer on Mikrotik1 sending data to 37009 port -- - /usr/local/bin/mikrocataTZSP2.py with specific Mikrotik2 value and enable sniffer on Mikrotik2 sending data to 37010 port. -- - and so on... +- Example configuration: + - For Mikrotik0: `tzsp0` interface on port `37008` and `/usr/local/bin/mikrocataTZSP0.py`. + - For Mikrotik1: `tzsp1` interface on port `37009` and `/usr/local/bin/mikrocataTZSP1.py`. + - For Mikrotik2: `tzsp2` interface on port `37010` and `/usr/local/bin/mikrocataTZSP2.py`. + +Edit each script with the specific Mikrotik values and enable the sniffer on each Mikrotik device to send data to the respective port. - -## 💡 Functions +## 💡 Features - Installs Docker and Docker Compose. - Installs Python. -- Download and install SELKS repo (https://github.com/StamusNetworks/SELKS) -- Download and install Mikrocata +- Downloads and installs SELKS repository (https://github.com/StamusNetworks/SELKS). +- Downloads and installs Mikrocata. - Installs TZSP interface. - Enables notifications over Telegram when an IP is blocked. - ## 🔄 Changelog ### 2.2.2 -- Fixed telegram notification +- Fixed telegram notification issue. ### 2.2.1 -- Fixed bug causing microcata.py script crash during Suricata logrotate. +- Fixed bug causing `mikrocata.py` script crash during Suricata logrotate. ### 2.2 -- Migrated compatibility to Debian 12. +- Added compatibility with Debian 12. ### 2.1 -- Improved stability of the read_json function.(thanks to bekhzad-khamidullaev) - +- Improved stability of the `read_json` function (thanks to bekhzad-khamidullaev). 
## 🔧 Troubleshooting -- Check if packets are coming to VM from mikrotik through dummy interface -```sh -tcpdump -i tzsp0 -``` -- Check if mikrocata service and tzsp0 interface are up and running -```sh -systemctl status mikrocataTZSP0.service -systemctl status TZSPreplay37008@tzsp0.service -``` -- Check if suricata docker is up and running -```sh -docker logs -f suricata -``` +- Check if packets are arriving at the VM from Mikrotik through the dummy interface: + ```sh + tcpdump -i tzsp0 + ``` +- Check if mikrocata service and tzsp0 interface are up and running: + ```sh + systemctl status mikrocataTZSP0.service + systemctl status TZSPreplay37008@tzsp0.service + ``` +- Check if Suricata Docker container is up and running: + ```sh + docker logs -f suricata + ``` ## 📝 Notes -- default account of SELKS: -- - https://[DEBIANIP] -- - Username: selks-user - - Password: selks-user +- Default account for SELKS: + - URL: `https://[YOURDEBIANIP]` + - Username: `selks-user` + - Password: `selks-user` ## 👤 Author **Giuseppe Trifilio** - [Website](https://github.com/angolo40/mikrocata2selks) -- [Github](https://github.com/angolo40) +- [GitHub](https://github.com/angolo40) Inspired by [zzbe/mikrocata](https://github.com/zzbe/mikrocata). ## 🤝 Contributing -Contributions, issues, and feature requests are welcome. Check the [issues page](https://github.com/angolo40/mikrocata2selks). +Contributions, issues, and feature requests are welcome! Check the [issues page](https://github.com/angolo40/mikrocata2selks). ## 🌟 Show Your Support Give a ⭐️ if this project helped you! + - **XMR**: `87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw`
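Review bot: in the "Add Mikrocata user in Mikrotik" step the new `/user/add name=mikrocata2selks ... group=full` line grants the service account full administrative rights, while everything the README asks of it is adding and removing entries in the `Suricata` address list over the API. Suggest documenting a dedicated group with only the policies the script needs, e.g. `/user/group/add name=mikrocata policy=api,read,write` and then `/user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=mikrocata`, so a leaked password from the plaintext `mikrocataTZSP0.py` config does not hand over the router. In the same fence the trailing `(change password)` is now inside an `sh` code block, so a reader who pastes the line gets a RouterOS syntax error; move that remark into prose above the fence. Minor: the placeholders are inconsistent (`[YOURDEBIANIP]` for `streaming-server`, `[DEBIANIP]` for `api-ssl address=`); using one name makes it clearer that the `address=` restriction on `api-ssl` is meant to be the same host that receives the TZSP stream. The Notes section also still documents `selks-user` / `selks-user` as the working login without telling the reader to change it after the first sign-in.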