add new schema with trigger, remove mikrotik-ips-daemon_db.php
elmaxid committed Mar 3, 2017
1 parent f3c80a2 commit c6ed1f5
Showing 8 changed files with 200 additions and 111 deletions.
19 changes: 15 additions & 4 deletions README.EN
@@ -1,10 +1,17 @@
IPS-MikroTik-Suricata is module which connect to Suricata's DB (MySql) using Barnyard2 and Snorby. This module search for custom alerts and when found it, take an IPS action and connect to MikroTik RouterOS via API to add the Attack's Source IP address and block it (add IP to address list).
IPS-MikroTik-Suricata is module which connect to Suricata's DB (MySql) using Barnyard2. This module search for custom alerts and when found it, take an IPS action and connect to MikroTik RouterOS via API to add the Attack's Source IP address and block it (add IP to address list).

Inspired on post from Tom Fisk: http://forum.mikrotik.com/viewtopic.php?t=111727

Changelog:

3 March 17: v1.3

* The new schema.sql now support trigger to add the alert. So now is depreceated the daemon mikrotik-ips-daemon_db.php
* Update the instalation file.

Requeriment:

* Suricata,Baynyard2 and Snorby running
* Suricata,Baynyard2 running
* IP and login for router MikroTik RouterOS
* GIT

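Review bot: the new changelog entry ships with spelling errors in the user-facing README: `depreceated` (deprecated) and `instalation` (installation) on the `3 March 17: v1.3` lines, and since the requirements lines are rewritten anyway, `Requeriment:` (Requirements:) and `Baynyard2` (Barnyard2) should be fixed in the same hunk. The rewritten first sentence also keeps `module which connect to` / `This module search for` (connects, searches). More important for users: the entry says the daemon is deprecated, but this commit deletes mikrotik-ips-daemon_db.php outright, so say "removed" and mention that the trigger in schema.sql now has to be installed for blocking to work at all, otherwise someone upgrading from v1.2 who only pulls the code ends up with an empty `block_queue` and no error.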
@@ -28,7 +35,7 @@ File with the config of DB and Router's Login

mikrotik-ips-daemon_db.php:

Daemon which connect to MySql DB and detect the pattern of alerts and save to DB for block it
Daemon which connect to MySql DB and detect the pattern of alerts and save to DB for block it (DEPRECEATED)

mikrotik-ips-cron.php:

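Review bot: the `mikrotik-ips-daemon_db.php:` section now reads `(DEPRECEATED)` (typo for DEPRECATED), but the file is deleted in this same commit, so the README documents a script that no longer exists in the checkout. Remove the whole entry, or reword it to say the daemon was removed in v1.3 and that its job (copying matching alerts into `block_queue`) is now done by the DB trigger from schema.sql.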
@@ -57,7 +64,11 @@ cd ips-mikrotik-suricata.git

* Edit the file config.php with DB and API Logins

Create the DB schema
* Create the DB schema

mysql -u username -p snorby < schema.sql

* To check the DB Connection and API Login:

php -f mikrotik-ips-install.php

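Review bot: `mysql -u username -p snorby < schema.sql` still hardcodes the database name `snorby`, while the same README now drops Snorby from the requirements; if Barnyard2 logs into a database with any other name, the tables and trigger land in the wrong schema and nothing is ever queued. Use a placeholder that matches the DB name in `config.php` and say so. Two things a first-time installer will hit and that the step does not mention: creating a trigger requires the `TRIGGER` privilege on that database (and, with binary logging enabled, `SUPER` or `log_bin_trust_function_creators=1`), which a Barnyard2-only account usually lacks; and the `php -f mikrotik-ips-install.php` check described as "check the DB Connection and API Login" does not verify that the trigger exists, so the install can report OK while blocking is silently inactive.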
14 changes: 12 additions & 2 deletions README.ES
@@ -1,14 +1,20 @@
IPS-MikroTik-Suricata es una implementación de un módulo que se conecta a la base de datos MySQL del Suricata / Snorby(utilizando Unified2 y Barnyard2) y busca por alertas predefinidas, en caso de encontrarla toma acción IPS conectándose al MikroTik RouterOS via API para bloquear el IP atacante.
IPS-MikroTik-Suricata es una implementación de un módulo que se conecta a la base de datos MySQL del Suricata (utilizando Unified2 y Barnyard2) y busca por alertas predefinidas, en caso de encontrarla toma acción IPS conectándose al MikroTik RouterOS via API para bloquear el IP atacante.

Inspirado en un post de Tom Fisk del foro de MikroTik: http://forum.mikrotik.com/viewtopic.php?t=111727

Mirar la wiki para ver documentación: https://github.com/elmaxid/ips-mikrotik-suricata/wiki/Instalaci%C3%B3n-y-Uso

Lista de Cambios:

3 Marzo 17: v1.3

* Se hizo el schema de la DB con trigger, ahora no es necesario el Demonio mikrotik-ips-daemon_db.php
* Se actualizo la instalación

Requerimientos:

* Suricata funcionando
* Baynyard2 para guardar las alertas en MySql
* Snorby
* IP y datos de acceso de un MikroTik RouterOS
* GIT

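Review bot: the Spanish requirements still list `* Snorby`, while the rewritten first paragraph of this hunk drops Snorby from the description and README.EN removes it from its requirements in the same commit; the two READMEs now disagree, so drop the `* Snorby` line here too. Also fix `Baynyard2` (Barnyard2) and `Se actualizo` (Se actualizó) in the changelog entry. For readers of this page, the added changelog lines say: "3 March 17: v1.3. The DB schema was made with a trigger, so the daemon mikrotik-ips-daemon_db.php is no longer needed. The installation was updated."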
@@ -62,6 +68,10 @@ cd ips-mikrotik-suricata.git

Luego instalar schema DB Mysql

mysql -u username -p snorby < schema.sql

* Para chequear la configuración o Conexión con API ejecutar:

php -f mikrotik-ips-install.php

* Para ejecutar, setear los permisos y ejecutar
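Review bot: same database-name problem as in README.EN: `mysql -u username -p snorby < schema.sql` hardcodes `snorby`, which no longer matches the requirements above (Barnyard2 writing to MySQL, no Snorby); use a placeholder consistent with config.php and state the privileges needed to create a trigger. The lead-in line `Luego instalar schema DB Mysql` ("Then install the MySQL DB schema") is also the only step in this list without a `*` bullet, unlike the surrounding `* Para ...` steps.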
1 change: 0 additions & 1 deletion ips_start.sh
@@ -1,3 +1,2 @@
php -f /opt/ips-mikrotik-suricata.git/mikrotik-ips-daemon_db.php &
php -f /opt/ips-mikrotik-suricata.git/mikrotik-ips-cron.php &
php -f /opt/ips-mikrotik-suricata.git/mikrotik-ips-clean.php &
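Review bot: with the daemon line removed, nothing started by this script reads `iphdr` any more, so blocking now depends entirely on the DB trigger having been installed, and the start script gives no indication when it was not. Consider a one-time check at startup (for example `SHOW TRIGGERS` against the configured database, or making mikrotik-ips-cron.php log a warning when the trigger is absent) so an upgrade that skipped `schema.sql` fails loudly instead of quietly never blocking anything. Minor: line 1 of the script is the first `php -f` line, so there is no shebang (`#!/bin/sh`), and the `/opt/ips-mikrotik-suricata.git/` path is hardcoded, which only works when the checkout lives exactly there.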
1 change: 1 addition & 0 deletions mikrotik-ips-clean.php
@@ -18,6 +18,7 @@
*
* LICENSE: GPLv2 GNU GENERAL PUBLIC LICENSE
*
* v1.2 - 3 March 17 - This script mikrotik-ips-daemon_db.php is depreceated because now we use trigger on DB
* v1.1 - 10 Feb 17 - add support telegram, multiple whitelist,
* v1.0 - 2 Feb 17 - initial version
******************************/
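Review bot: the new header line says `v1.2 - 3 March 17`, but README.EN and README.ES both record this change as v1.3 (and `v1.1 - 10 Feb 17` is already the previous entry in this same header), and the text describes a different file (mikrotik-ips-daemon_db.php) rather than any change to mikrotik-ips-clean.php. Use the same version as the README and describe what changed for this script, e.g. `v1.3 - 3 March 17 - daemon_db removed, block_queue is now filled by the DB trigger`. Also `depreceated` should be `deprecated`.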
1 change: 1 addition & 0 deletions mikrotik-ips-cron.php
@@ -18,6 +18,7 @@
*
* LICENSE: GPLv2 GNU GENERAL PUBLIC LICENSE
*
* v1.2 - 3 March 17 - This script mikrotik-ips-daemon_db.php is depreceated because now we use trigger on DB
* v1.1 - 10 Feb 17 - add support telegram, multiple whitelist,
* v1.0 - 2 Feb 17 - initial version
******************************/
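Review bot: same version and spelling mismatch as in mikrotik-ips-clean.php: the header says `v1.2` where both READMEs say v1.3, and `depreceated` is misspelled. Since mikrotik-ips-cron.php is now the only consumer of `block_queue`, this header note is the right place to state that rows are inserted by the DB trigger and that `que_ip_adr` originates from the packet's IP header as logged by Barnyard2, so it must be validated (and run through the whitelist added in v1.1) before being sent to the RouterOS API.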
103 changes: 0 additions & 103 deletions mikrotik-ips-daemon_db.php

This file was deleted.

67 changes: 66 additions & 1 deletion mikrotik-ips-install.php
@@ -18,12 +18,12 @@
*
* LICENSE: GPLv2 GNU GENERAL PUBLIC LICENSE
*
* v1.2 - 3 March 17 - This script mikrotik-ips-daemon_db.php is depreceated because now we use trigger on DB
* v1.1 - 10 Feb 17 - add support telegram, multiple whitelist,
* v1.0 - 2 Feb 17 - initial version
******************************/



$DEBUG = false;
// $DEBUG=true;
if ( !$DEBUG )
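Review bot: same `v1.2` versus README `v1.3` and `depreceated` issue as in the other two headers; here the note is doubly misleading, because mikrotik-ips-install.php is the one script whose behaviour actually changes in this commit (schema creation moved out to schema.sql and the in-script SQL commented out). Say that in the header instead of describing the deleted daemon.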
@@ -45,6 +45,8 @@
}
echo "Connect OK - API MikroTik RouterOS\n";
} //isset( $router[ 'ip' ] )

/*
$SQL_DB = " DROP TABLE IF EXISTS `block_queue`;";
if ( !$result = $db_->query( $SQL_DB ) ) {
die( 'There was an error running the query [' . $db_->error . ']' );
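Review bot: the `/*` opened here comments out the entire schema-creation block rather than removing it, leaving roughly 70 lines of dead SQL in the install script whose closing `*/` is only at the end of the file. If schema.sql is now the source of truth, delete the block; if the installer is still meant to create the schema, have it read schema.sql instead of duplicating the statements, so the two copies cannot drift apart. Also, `echo "Connect OK - API MikroTik RouterOS\n"` just above still reports success before any schema check, so after this change `php -f mikrotik-ips-install.php` prints OK even when `block_queue`, `sigs_to_block` or the trigger do not exist; a `SHOW TRIGGERS` / `SHOW TABLES` check would make the installer actually useful again.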
@@ -102,10 +104,73 @@
('ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)', 'src', '00:10:00'),
('ET DOS Possible NTP DDoS Inbound Frequent', 'src', '00:10:00'),
('ET SCAN SipCLI VOIP Scan', 'src', '01:00:00'); ";
if ( !$result = $db_->query( $SQL_DB ) ) {
die( 'There was an error running the query [' . $db_->error . ']' );
} //!$result = $db_->query( $SQL_DB )
echo "Create Schema MySQL OK \n";
$SQL_DB = '
DROP TRIGGER `after_iphdr_insert`;
DELIMITER ;;
CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr` FOR EACH ROW
BEGIN
DECLARE this_event INT(11) default 0;
DECLARE this_event_signature INT(10) default 0;
DECLARE this_event_timestamp TIMESTAMP;
DECLARE this_sig INT(10) default 0;
DECLARE this_sig_name VARCHAR(256) default "";
DECLARE this_sig_gid INT(10) default 0;
DECLARE timeout VARCHAR(12) default "";
DECLARE interested INT default 0;
DECLARE direction VARCHAR(3) default "";
DECLARE ip_src VARCHAR(64) default "";
DECLARE ip_dst VARCHAR(64) default "";
SELECT event.id, event.signature, event.timestamp
INTO this_event, this_event_signature, this_event_timestamp
FROM event
WHERE event.sid = NEW.sid and event.cid = NEW.cid;
SELECT signature.sig_sid, signature.sig_gid, signature.sig_name
INTO this_sig, this_sig_gid, this_sig_name
FROM signature
WHERE signature.sig_id = this_event_signature;
SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
INTO interested, direction, timeout
FROM sigs_to_block
WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
IF (interested > 0) THEN
IF (direction = "src") THEN
INSERT INTO block_queue
SET que_ip_adr =NEW.ip_src,
que_timeout = timeout,
que_sig_name = this_sig_name,
que_sig_gid = this_sig_gid,
que_sig_sid = this_sig,
que_event_timestamp = this_event_timestamp;
ELSE
INSERT INTO block_queue
SET que_ip_adr =NEW.ip_dst,
que_timeout = timeout,
que_sig_name = this_sig_name,
que_sig_gid = this_sig_gid,
que_sig_sid = this_sig,
que_event_timestamp = this_event_timestamp;
END IF;
END IF;
END;;
DELIMITER ;';
if ( !$result = $db_->query( $SQL_DB ) ) {
die( 'There was an error running the query [' . $db_->error . ']' );
} //!$result = $db_->query( $SQL_DB )
echo "Create Trigget Schema MySQL OK \n";
*/

$db_->close();
$API->disconnect();
?>
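Review bot: the trigger added here (even though commented out) has defects that will bite anyone who uncomments it or copies it into schema.sql. First, `DELIMITER ;;` and `DELIMITER ;` are mysql command-line client directives, not SQL: sent through `$db_->query()` the server returns a syntax error, and `mysqli::query` rejects multiple statements (`DROP TRIGGER ...;` followed by `CREATE TRIGGER ...`) unless `multi_query` is used. Second, `DROP TRIGGER \`after_iphdr_insert\`;` without `IF EXISTS` fails on a fresh database, and the `die()` after it aborts the install. Third, `SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout INTO interested, direction, timeout` mixes an aggregate with non-aggregated columns: when more than one `sigs_to_block` row matches, `direction` and `timeout` come from an arbitrary row, and under `ONLY_FULL_GROUP_BY` the statement errors. Fourth, `this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%')` treats `%` and `_` inside the configured signature prefix as wildcards, so a short or wildcard-bearing entry matches far more alerts than intended; escape them or compare with `LEFT(this_sig_name, CHAR_LENGTH(sigs_to_block.sig_name)) = sigs_to_block.sig_name`. Fifth, and most important operationally: any error raised inside an AFTER INSERT trigger makes Barnyard2's INSERT into `iphdr` fail, so a bug in this block stops alert logging for the sensor; either keep the trigger minimal (insert the raw event reference and do the matching in mikrotik-ips-cron.php) or add a `DECLARE CONTINUE HANDLER FOR SQLEXCEPTION` so the logging path survives. Lastly, `echo "Create Trigget Schema MySQL OK \n"` has a typo (Trigger).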