IPS Suricata2MikroTik -CE- is a module for Suricata to read eve.json file and search specifics alert to block the source. This connect to MikroTik via API to add the IP to block.
Clone or download
Latest commit 8fd0936 Nov 9, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin add comments Nov 3, 2018
share add comments Nov 3, 2018
www first version Nov 3, 2018
LICENSE Create LICENSE Nov 9, 2018
README.md add comments Nov 3, 2018
config.php add comments Nov 3, 2018
index.php add comments Nov 3, 2018
schema.sql first version Nov 3, 2018

README.md

Suricata2MikroTik CE -Community Edition-

Module for Suricata to read eve.json file and looking for specified alerts. If found it, then connect to router MikroTik via API and block the Attack with Firewall.

This is similar like ips-mikrotik-suricata but works with eve.json and not with barnyard2. https://github.com/elmaxid/ips-mikrotik-suricata

# Changelog:

31 Octubre 18: Community Edition v1.0

  • Init version

Requeriment:

  • Suricata
  • IP and login for router MikroTik RouterOS
  • GIT

Features

  • Detect an Alert from Suricata and connect to RouterOS to block de Attack source IP Address

Notification:

    * Email
    * Telegram (API Bot)

Instalation

Once we have Suricata working and running on our network, the next step is the instalation of Suricata2MikroTik:

To install, Clone the repository and copy to /var/www/html/suricata2mikrotik

cd /var/www/html/

git clone https://github.com/elmaxid/Suricata2MikroTik

cd suricata2mikrotik

-- to Config

  • Edit the file config.php with DB and API Logins

  • Create the DB schema

mysql -u username -p < schema.sql

  • Copy start_ips and start_suricata to /usr/local/bin

  • Give permisions chmod +x /usr/local/bin/start*


How works it

For run Suricata, you need to redirect the traffic from MikroTik RouterOS to Suricata server, to do it just use Packet Sniffer or Mangle Send To TZSP Action.