Suricata Snorby on Raspberry Pi

This document describes how to install suricata and all the required programs to work with a mikrotik routerboard as an ips-ipds

Note

These instructions assume that the reader is familiar with opening, editing and saving files at the command line. Please consult your OS documentation if you need assistance with these tasks.

Start by installing an OS on your flash drive. For this demonstration, I used noobs to install rasbian-lite.

Start by logging into the pi with:

user:pi password:raspberry

Then add a new user with:

sudo useradd admin
sudo passwd admin

It will ask you to enter the new unix password twice. After that add the user to the sudoers with:

sudo visudo

Then go to the allow members area and add the new user like this:

# User privilege specification
root ALL=(ALL:ALL) ALL
admin ALL=(ALL:ALL) ALL

We now need to turn ssh on to enable remote access. Simple way is to use the built-in menu:

sudo raspi-config

Then go to advanced options>A4 SSH and hit enter then yes, and then finish. It will then ask you to reboot. To check if ssh is running:

service ssh status

Now you can remote into the system. You can use "putty" for windows users, or in linux "ssh newuser@your_server_ip_address".

Now we want to update apt and upgrade the files:

sudo apt-get update && apt-get -y upgrade

Installing Suricata

In order to install Suricata, we need to install some pre-install packages. We will run the next section as root with:

sudo bash

Then we install the pre-install packages:

apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config

Now suricata is default as a ids if you want to run in ids/ipds you need to do:

apt-get install -y libnetfilter-queue-dev

Now we need to make a new directory for the files we need to download:

mkdir ~/suricata_src
cd ~/suricata_src

Now downlaod and build Suricata with the following:

wget https://www.openinfosecfoundation.org/download/suricata-3.2.1.tar.gz
tar -xvzf suricata-3.2.1.tar.gz
cd suricata-3.2.1

Now we need to compile and build the program. There are 2 ways to do this.

For IDS only:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var

For IDS/IPS:

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Then continue with make:

make

Then we will do the install with the "full" option. This will install all the directories and even get the signature database set up for us.

make install-full

To make sure the existing list with libraries will be updated with the new library, enter:

ldconfig

Now we need to install ethtool and turn a few things off, for Suricata to capture packets:

apt-get install -y ethtool
ethtool -K eth0 gro off gso off

Now we can test Suricata with:

suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal

Wait a few minutes for this to start. This can take a few minutes, to completly load. Than use "ctrl c" to stop.

At this point you should have a working Suricata system, but now we need to add some more features to it.

Installing Oinkmaster

Oinkmaster is the program I am using to automatically update the ever-changing signature database. We will build a cron job, and have it update the signatures on a daily basis. To start we just use apt to get Oinkmaster:

apt-get install -y oinkmaster

Now we need to edit the oinkmaster config and add the url to the signature database.

nano /etc/oinkmaster.conf

Paste the following line somwhere near the top:

  • url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

Now we can test it with:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

If that is successful, we can go ahead and create a cron job to do this task on a daily basis.

nano /etc/cron.daily/suricataUpdateRules

Then paste in the following:

#!/bin/bash
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |& grep -i "error" > /dev/null
/bin/kill -USR2 `pidof suricata`

Then make it executable by:

chmod 755 /etc/cron.daily/suricataUpdateRules

This should start the process to run daily and you will see a notification in Suricata if you were to look in the logs.

Installing tzsp2pcap

Because MikroTiks trafr is only for x86 and Raspberry Pi uses ARM, I had to find another program to take the traffic from the Mikrotik Routerboard, and convert it to PCAP, to be readable by Suricata. I fortunately found tzsp2pcap on this aritcle.

We need to install "git" in order to download tzsp2pcap:

apt-get install -y git

Now go to the "suricata_src" directory

cd ~/suricata_src

Download tzsp2pcap and edit the make file

git clone https://github.com/thefloweringash/tzsp2pcap.git
cd tzsp2pcap
nano Makefile

Now edit Makefile by changing the "std=" from:

cc -std=c99 -o $@ $(CFLAGS) $(LDFLAGS) -lpcap $<

To:

cc -std=gnu99 -o $@ $(CFLAGS) $(LDFLAGS) -lpcap $<

Then compile the code, and you can ignore the 2 warnings that is shows.

make

There should now be a binary file name tzsp2pcap, we want to move this to /usr/local/bin or similar.

cp tzsp2pcap /usr/local/bin

This next part is optional, we can use it to test to make sure we are recieving packets

apt-get install -y tcpdump

Now point the mikrotik sniffer at the address of the device so we can start sending packets to our device. In the mikrotk terminal type: (use the address of the mikrotik default-gateway for the "set filter-ip-address!" and then use the IP address of the raspberry pi for the "streaming-server=". The next commands will be run in the Mikrotik terminal:

/tool sniffer
set filter-ip-address=!10.0.0.1 filter-stream=yes streaming-enabled=yes streaming-server=10.0.0.30

Now with this enabled, we can go back to the raspberry pi and see if we are recieving the packets.

tzsp2pcap -f | tcpdump -n -q -c 10 -r -

Note: tzsp2pcap seems to need IPv6 support. If you see the error message:

socket():Address family not supprted by protocol
Could not set up trap listener

Then you will need to modprobe IPv6 or enable IPv6 on the Mikrotik. To enable it on the Mikrotik, open a terminal in the Mikrotik and run the following. Note: The Mikrotik will mist likely need to be rebooted in order for the settings to take place.

system package enable ipv6

system reboot

Installing Barnyard2

Barnyard2 is the program we use to take the information from Suricata, and place it into our mysql database. We need to install some prerequisites in order for Barnyard2 to work.

cd ~/suricata_src
apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

Then we will get DAQ from snorts website. It is necessary to run Barnyard2.

wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
./configure
make
make install

Now we will download Barnyard2.

cd ~/suricata_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

This will also install mysql, and ask you to make a root password for mysql. Make sure you remember this, we will need it later.After that is completed continue to the next steps.

autoreconf -fvi -I ./m4

Now Barnyard needs access to dumbnet.h library so we need to make a link to it.

ln -s /usr/include/dumbnet.h /usr/include/dnet.h
ldconfig
./configure --with-mysql --with-mysql-libraries=/usr/lib/arm-linux-gnueabihf
make
make install

Now we need to copy the config file, and make the files and directories that Barnyard2 needs.

cp ~/suricata_src/barnyard2-master/etc/barnyard2.conf /etc/suricata
mkdir /var/log/barnyard2
touch /var/log/suricata/barnyard2.waldo

Now we need to edit the suricata config, to make the output readable by Barnyard2

nano /etc/suricata/suricata.yaml

Here we need to edit a few things. On line 15, we want to make sure our HOME_NET addresses are correct. The more accurate we can be the better the performance. Then comment or uncomment the emerging rules you want or do not want to check. On line 107 and 108 you want to change the classification and reference files to: /etc/suricata/rules/ Then on line 238 we want to edit from:

# alert output for use with Barnyard2
- unified2-alert:
enabled: no
filename: unified2.alert


# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
#limit: 32mb

To:

# alert output for use with Barnyard2
- unified2-alert:
enabled: yes
filename: suricata.u2


# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
limit: 128mb

Now we need to edit the Barnyard2 configuration file.

nano /etc/suricata/barnyard2.conf

Then starting on line 27 we need to change the paths to the reference files.

config reference_file: /etc/suricata/rules/reference.config
config classification_file: /etc/suricata/rules/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map

And then at the bottom we need to add the following line:

output database: log, mysql, user=snorby password=suriCata1 dbname=snorby host=localhost sensor_name=sensor1

Now we need to make a start-up script so Barnyard2 will automatically start on reboots etc.

nano /lib/systemd/system/barnyard2.service

Now input the following: (the exec content line should be one line)

[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f suricata.u2 -q -w /var/log/suricata/barnyard2.waldo -D -a /var/log/suricata/archived_logs

[Install]
WantedBy=multi-user.target

Now tell systemD that the service is there and should run at startup

systemctl enable barnyard2 

We can start and stop Barnyard2 with systemctl commands, although it will most likely error out, because we have not set up our sql database yet. We will do that in the next section. To make sure Barnyard2 is enabled by systemctl we can run:

systemctl barnyard2 status

Note: There is a section I need to add to test Barnyard2, as soon as I get a chance I will add it to the document.

Installing Snorby

Snorby is the webpage that we use to view the alerts etc. Because Snorby is not activley supported anymore we need to install some older versions of ruby and gems. I have found the right versions to work, and as long as they stay available this works. On Rasbian, ruby 1.9 is not available in the repositories, so we need to download and install from source.

We need some pre-requisites for Ruby 1.9:

sudo apt-get install -y libgdbm-dev libncurses5-dev git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev

Next, let’s install the Ruby Gem pre-requisites:

sudo apt-get install -y imagemagick apache2 libyaml-dev libxml2-dev libxslt-dev git libssl-dev

Snorby installs a number of Ruby gems. To speed up their installation, run the following two commands to prevent the install of documentation when gems are installed:

echo "gem: --no-rdoc --no-ri" > ~/.gemrc
sudo sh -c "echo gem: --no-rdoc --no-ri > /etc/gemrc"

Download the ruby 1.9.3 source and install:

cd ~/suricata_src/
wget https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p551.tar.gz
tar -xvzf ruby-1.9.3-p551.tar.gz
cd ruby-1.9.3-p551
./configure
make
make install

Install the gems required for management and installation. Note: # These gems will also install other required gems

sudo gem install wkhtmltopdf
sudo gem install bundler
sudo gem install rails -v 3.1.12

Note: Rails can take a few minutes to install

sudo gem install rake --version=0.9.2

Download the 2.6.2 version of Snorby and move it to your web root directory:

cd ~/suricata_src/
wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz -O snorby-2.6.2.tar.gz
tar xzvf snorby-2.6.2.tar.gz
cp -r ./snorby-2.6.2/ /var/www/html/snorby/

Install all of the Snorby pre-requisites. Ignore warnings about running bundle as root. If you get connection errors when trying to download gems, just re-run the command until it succeeds.

cd /var/www/html/snorby
sudo bundle install

Snorby uses database.yml to tell it how to connect to the MySQL server. We will copy the example file to the correct location and edit it with our MySQL root credentials (Snorby will need to create a database):

sudo cp /var/www/html/snorby/config/database.yml.example /var/www/html/snorby/config/database.yml
nano /var/www/html/snorby/config/database.yml

You need to change the password field in this database.yml file to reflect the MySQL root password you set when installing MySQL (MySqlROOTpassword if you are following this guide exactly). Note that we will change this later after Snorby has setup the database it needs to use a lower-priviledged MySQL account. The beginning of the file should look like this after editing:

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#

snorby: &snorby
adapter: mysql
username: root
password: "MySqlROOTpassword" # Example: password: "s3cr3tsauce"
host: localhost

... and so on

Now we need to create the Snorby configuration file (copied from it’s example file).

sudo sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g /var/www/html/snorby/config/snorby_config.yml

Now we want to install Snorby. The below command will download the necessary gems and will create a new database called Snorby for use. This can take some time to complete. You can ignore errors about ”Jammit Warning: Asset compression disabled – Java unavailable.”.

sudo bundle exec rake snorby:setup

Now we will edit the MySQL Snorby database to grant access to a lower privilidged user (we don’t want the Snorby application using the root password to interface with the database). Run the following commands to create a new MySQL user named snorby with password suriCata1. You will be prompted for your MySQL root password (MySqlROOTpassword) after the first command:

mysql -u root -p

Then do the following in mysql.

mysql> create user 'snorby'@'localhost' IDENTIFIED BY 'yourpassword';

mysql> grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;

mysql> flush privileges;

mysql> exit

Now that we’ve created a new MySQL snorby user and password, edit Snorby’s database.yml to tell Snorby to use the new account rather than the root MySQL account:

sudo nano /var/www/html/snorby/config/database.yml

The file should now look like this (note the changes to lines 8 and 9):

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#

snorby: &snorby
adapter: mysql
username: snorby
password: "yourpassword" # Example: password: "s3cr3tsauce"
host: localhost

... and so on

Now we are ready to test Snorby. Run Snorby with:

sudo bundle exec rails server -e production

This will start Snorby listening on port 3000. Navigate to http://ip_of_snorby_server:3000 and you should see the logon screen. Don’t log in at this time as we are only testing that the software runs. Use ctrl-c at the command prompt to stop the Snorby server.

Next we need to install Phusion Passenger an application server module for Apache to launch Snorby. First install pre-requisites:

sudo apt-get install -y libcurl4-openssl-dev apache2-threaded-dev libaprutil1-dev libapr1-dev

Next, install the Passenger gem and the Apache module (we don’t install the Ubuntu repository version of Phusion Passenger because it doesn’t work well).

sudo gem install passenger
sudo passenger-install-apache2-module

The Phusion Passenger install wizard will start. Un-check the Python language support (we only need Ruby support) using the arrows and space bar, then use enter to continue through the menu options. After compiling software, the wizard will finally tell you to copy some text to your Apache configuration file.(note: this process can take some time) We don’t want to copy the entire output to the Apache configuration file, because Apache now uses separate files for modules (one for the path to the .so file for the module, and one for configuration for the module). We do want the information that is printed, we will just use it slightly differently. Copy the five lines of text that are shown on the screen, as you’ll need them. Hit enter twice to exit the wizard.

My install showed the following 5 lines of text that are needed (yours may be different):

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.1.2/buildout/apache2/mod_passenger.so
 IfModule mod_passenger.c
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.1.2
PassengerDefaultRuby /usr/local/bin/ruby
 IfModule

The first line tells Apache the path to the shared object library to load the Phusion passenger module. We want to create a new file for this line. Create this file:

sudo nano /etc/apache2/mods-available/passenger.load

And paste the two content lines in. You do not need the tags In my case, I pasted:

PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.1.2
PassengerDefaultRuby /usr/local/bin/ruby

Note: yes, the lines above say ruby1.9.1, and we did install ruby 1.9.3. Ubuntu 12 does some file system redirection that makes this happen, but it doesn’t cause any issues.

Next, enable the Passenger module:

sudo a2enmod passenger
sudo service apache2 restart

And then verify that it loaded by running the following command (look for Passenger in the output):

apache2ctl -t -D DUMP_MODULE

Now we need to create an Apache website for Snorby:

sudo nano /etc/apache2/sites-available/snorby.conf

Then add the following:

<virtualhost *:80>
    ServerAdmin webmaster@localhost
    ServerName snorby.yourdomain.com
    DocumentRoot /var/www/html/snorby/public
    <directory "/var/www/html/snorby/public">
         AllowOverride all
         Order deny,allow
         Allow from all
         Options -MultiViews
         </directory>
</virtualhost>

Now enable the new site, disable the default site, and reload Apache to see the new configurations:

cd /etc/apache2/sites-available/
sudo a2ensite snorby.conf
sudo service apache2 reload

Then we change directories and disable the default apache2 webpage.

cd /etc/apache2/sites-enabled
sudo a2dissite 000-default
sudo service apache2 reload

Snorby needs one service running for database maintenance (a Snorby worker daemon). We will create an systemD daemon for this task. First we need to create the daemon service file:

sudo nano /lib/systemd/system/snorby_worker.service

Add the following:

[Unit]
Description=Snorby Worker Daemon
Requires=apache2.service
After=syslog.target network.target apache2.service


[Service]
Type=forking
WorkingDirectory=/var/www/html/snorby
ExecStart=/usr/local/bin/ruby script/delayed_job start

[Install]
WantedBy=multi-user.target

Now tell systemD that the script exists, and then verify that it installed correctly:

sudo systemctl enable snorby_worker
systemctl status snorby_worker.service

Note that this daemon will often list as stop/waiting, and that is ok, because of how it works. You can check the worker job status use the web interface (look under Administration –> Worker and Job Queue). You may need to restart the server once at this stage because a differernt version of the worker service may be running from earlier testing. Verify that the worker process is running from the web interface after a reboot.

To log into the web interface: open a web browser and navigate to http://ip_of_snorby_server. You don’t need to enter the port number, as it is listening on port 80 now. The default login information is:

E-mail: snorby@snorby.org Password: snorby

Suricata Block

This is the section where we put some information in mysql for things we want to block. We will add some tables to mysql and put the php script that sends the information to the mikrotik. I did a few modifications from the article I found on the mikrotik forums. I need to give credit to Tom Fisk. You can find his article here.

First we need to install a few php items to run our script:

sudo apt-get install -y php5-mysqlnd php5-cli

We need to setup the tables in mysql to indicate alerts that we want to block.

mysql -u root -p

The next few items will be done in the mysql command line

mysql> use snorby

Now we want to setup the tables in mysql to indicate alerts that we want to block. We can paste in the following:

--
-- Table structure for table `sigs_to_block`
--
CREATE TABLE `sigs_to_block` (
`sig_name` text COLLATE utf8_unicode_ci NOT NULL,
`src_or_dst` char(3) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'src',
`timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL DEFAULT '01:00:00'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
--
-- Indexes for table `sigs_to_block`
--
ALTER TABLE `sigs_to_block`
ADD UNIQUE KEY `sig_name_unique_index` (`sig_name`(64));

Then we want to add the signatures that we want to block. I have a few here, including our test signature. You can edit these, or jsut paste the signatures I have below:

INSERT INTO `sigs_to_block` (`sig_name`, `src_or_dst`, `timeout`) VALUES
('ET COMPROMISED Known Compromised or Hostile Host Traffic', 'src', '01:00:00'),
('ET POLICY Suspicious inbound to', 'src', '01:00:00'),
('ET DROP Dshield Block Listed Source', 'src', '01:00:00'),
('ET SCAN', 'src', '01:00:00'),
('ET DROP Spamhaus DROP Listed Traffic Inbound', 'src', '01:00:00'),
('ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted', 'dst', '23:59:59'),
('ET CINS Active Threat Intelligence Poor Reputation IP', 'src', '01:00:00'),
('GPL SNMP', 'src', '01:00:00'),
('ET TOR Known Tor', 'src', '01:00:00'),
('GPL DNS named version attempt', 'src', '01:00:00'),
('ET VOIP Modified Sipvicious Asterisk PBX User-Agent', 'src', '01:00:00'),
('GPL RPC xdmcp info query', 'src', '01:00:00'),
('GPL RPC portmap listing', 'src', '01:00:00'),
('SURICATA SMTP no server welcome message', 'dst', '23:59:59'),
('GPL SMTP', 'dst', '23:59:59'),
('ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check', 'dst', '01:00:00'),
('Snort Alert [1:2403326:2951]', 'src', '01:00:00'),
('Snort Alert [1:2500082:4086]', 'src', '01:00:00'),
('GPL POLICY PCAnywhere', 'src', '01:00:00'),
('ET POLICY External IP Lookup', 'dst', '23:59:59'),
('GPL WEB_SERVER', 'src', '23:59:59'),
('ET SHELLCODE', 'src', '23:59:59'),
('ET P2P Edonkey IP Query End', 'src', '01:00:00'),
('ET MALWARE Suspicious', 'dst', '01:00:00'),
('ET CURRENT_EVENTS', 'src', '01:00:00'),
('Unencrypted Request Method', 'src', '01:00:00'),
('SURICATA SMTP data command rejected', 'dst', '01:00:00'),
('ET WEB_SERVER', 'src', '01:00:00'),
('ET DOS', 'src', '01:00:00'),
(' ET POLICY User', 'dst', '01:00:00'),
('ET TROJAN Possible Win32/', 'dst', '01:00:00'),
('.tk domain', 'dst', '23:59:59'),
('ET POLICY archive.org', 'dst', '01:00:00'),
('ET CNC', 'dst', '23:59:59'),
('ET SNMP', 'src', '01:00:00'),
('ET POLICY Python', 'dst', '01:00:00'),
('ET POLICY curl User-Agent Outbound', 'dst', '01:00:00'),
('ET POLICY Windows 98 User-Agent Detected', 'dst', '01:00:00'),
('ET POLICY Internal Host Retrieving External IP', 'dst', '01:00:00'),
('ET POLICY Unsupported/Fake FireFox Version', 'dst', '01:00:00'),
('ET MOBILE_MALWARE', 'dst', '23:59:59'),
('ET POLICY Possible IP Check', 'src', '01:00:00'),
('ET P2P', 'dst', '01:00:00'),
('GPL SHELLCODE', 'src', '23:59:59'),
('GPL P2P', 'src', '01:00:00'),
('.pw domain', 'dst', '23:59:59'),
('Request to .su TLD', 'dst', '01:00:00'),
('Abnormal User-Agent', 'dst', '01:00:00'),
('SSLv3 outbound', 'src', '01:00:00'),
('Hex Obfuscation', 'src', '01:00:00'),
('ET USER_AGENTS Suspicious User Agent (BlackSun)', 'src', '00:01:00'),
('SSH banner detected on TCP 443 likely proxy evasion', 'src', '01:00:00');

Then we need the Table structure for our block queue. We will paste this into mysql:

--
-- Table structure for table `block_queue`
--
CREATE TABLE `block_queue` (
`que_id` int(11) NOT NULL,
`que_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'When the block was added',
`que_ip_adr` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The IP address to block',
`que_timeout` varchar(12) COLLATE utf8_unicode_ci NOT NULL COMMENT 'How long to block for',
`que_sig_name` varchar(256) COLLATE utf8_unicode_ci NOT NULL COMMENT 'The name of the signature that caused the block',
`que_sig_gid` int(10) NOT NULL COMMENT 'The signature group ID',
`que_sig_sid` int(10) NOT NULL COMMENT 'The signature ID',
`que_event_timestamp` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'When the event was triggered',
`que_processed` int(11) NOT NULL DEFAULT '0' COMMENT 'If this item has been processed (0=no, <>0=yes)'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Queue of ip addresses to block on firewall';

Now we add the indexes

--
-- Indexes for table `block_queue`
--
ALTER TABLE `block_queue`
ADD PRIMARY KEY (`que_id`),
ADD KEY `que_added` (`que_added`);
--
-- AUTO_INCREMENT for table `block_queue`
--
ALTER TABLE `block_queue`
MODIFY `que_id` int(11) NOT NULL AUTO_INCREMENT;

Last we need to add our trigger to mysql. This can be done by pasting the following in mysql:

DELIMITER $$

CREATE TRIGGER `after_iphdr_insert` AFTER INSERT ON `iphdr`
FOR EACH ROW BEGIN
DECLARE this_event INT(11) default 0;
DECLARE this_event_signature INT(10) default 0;
DECLARE this_event_timestamp TIMESTAMP;
DECLARE this_sig INT(10) default 0;
DECLARE this_sig_name VARCHAR(256) default "";
DECLARE this_sig_gid INT(10) default 0;
DECLARE timeout VARCHAR(12) default "";
DECLARE interested INT default 0;
DECLARE direction VARCHAR(3) default "";
DECLARE ip_src VARCHAR(64) default "";
DECLARE ip_dst VARCHAR(64) default "";
SELECT event.id, event.signature, event.timestamp
INTO this_event, this_event_signature, this_event_timestamp
FROM event
WHERE event.sid = NEW.sid and event.cid = NEW.cid; 
SELECT signature.sig_sid, signature.sig_gid, signature.sig_name 
INTO this_sig, this_sig_gid, this_sig_name
FROM signature
WHERE signature.sig_id = this_event_signature;
SELECT count(*), sigs_to_block.src_or_dst, sigs_to_block.timeout
INTO interested, direction, timeout
FROM sigs_to_block
WHERE this_sig_name LIKE CONCAT(sigs_to_block.sig_name, '%');
IF (interested > 0) THEN
IF (direction = "src") THEN
INSERT INTO block_queue
SET que_ip_adr = inet_ntoa(NEW.ip_src),
que_timeout = timeout,
que_sig_name = this_sig_name,
que_sig_gid = this_sig_gid,
que_sig_sid = this_sig,
que_event_timestamp = this_event_timestamp;

ELSE

INSERT INTO block_queue

SET que_ip_adr = inet_ntoa(NEW.ip_dst),
que_timeout = timeout,
que_sig_name = this_sig_name,
que_sig_gid = this_sig_gid,
que_sig_sid = this_sig,
que_event_timestamp = this_event_timestamp;
END IF;

END IF;

END $$

Then we can end our mysql session.

mysql> exit

Now we need to download the .php script and the mikrotikapi.php I have put the .php files here.

cd ~/suricata_src
wget http://shanerwright.com/suricata_files.tar.gz

Then untar the files.

tar -xvzf suricata_files.tar.gz

Change your directory to suricata_files.

cd suricata_files

Edit the files to your network settings

nano ~/suricata_src/suricata_files/suricata_block.php

The mikrotik_sniffer_start.php file, is to turn the sniffer program on in the mikrotik. This is useful, because if the mikrotik is rebooted the default state is off. You will want to edit it to your network settings.

nano ~/suricata_src/suricata_files/mikrotik_sniffer_start.php

Then we will move the files to /usr/local/bin or something similar, and then make it executeable:

cp ~/suricata_src/suricata_files/suricata_block.php /usr/local/bin/
chmod +x /usr/local/bin/suricata_block.php

Then make sure you have the necessary routeros_class.api.php file in the same location, and make it executeable.

cp ~/suricata_src/suricata_files/routeros_api.class.php /usr/local/bin/
chmod +x /usr/local/bin/routeros_api.class.php

And if you want the "sniffer" start-up script, move it and make it executable as well.

cp ~/suricata_src/suricata_files/
chmod +x /usr/local/bin/mikrotik_sniffer_start.php

Now we want to make a .sh script so we can make our start-up script

sudo nano /etc/suricata/suricata_block.sh

Copy or paste the following:

#!/bin/bash
php -f/usr/local/bin/suricata_block.php

To make the script executable

sudo chmod +x /etc/suricata/suricata_block.sh

Then we can make our start-up script so the suricata_block.php will start on reboots etc.

sudo nano /lib/systemd/system/suricata_block.service

Then copy or paste the following:

[Unit]
Description=Suricata_block NIDS Daemon
After=syslog.target network.target


[Service]
Type=simple
ExecStart=/etc/suricata/suricata_block.sh


[Install]
WantedBy=multi-user.target

Now we want to enable our start-up script with:

systemctl enable suricata_block

Now for the optional mikrotik_sniffer_start, we will create a crontab, and have it run every 10 minutes or so. You can adjust this to your needs, if 10 minutes seems to often.

crontab -e

It defaults with nano as the editor. This is as easy as anything. Then we want to paste the line below, at the bottom of the file.

*/10 * * * * php -f/usr/local/bin/mikrotik_sniffer_start.php

Laslty, because of the pipe "|" we have to run to have tzsp2pcap and suricata at the same time, The way I found for now, is to create another ".sh" script and then make a system service for it.

nano /etc/suricata/suricata.sh

Then we can copy or paste in:

#!/bin/bash
tzsp2pcap -f | suricata -c /etc/suricata/suricata.yaml -r -

To make it executable:

chmod +x /etc/suricata/suricata.sh

And then we make a start-up script for suricata:

sudo nano /lib/systemd/system/suricata.service

Then paste in:

[Unit]
[Unit]
Description=Suricata NIDS Daemon
After=syslog.target network.target


[Service]
Type=simple
ExecStart=/etc/suricata/suricata.sh


[Install]
WantedBy=multi-user.target

Enable the script in systemctl:

sudo systemctl enable suricata

Now reboot the system and test. Note: it does take a few minutes for the initial startup to start catching everything. There are several parts to this and they all need to load. Note: I have seen this take several minutes, before the api finally writes to the mikrotik.

cd suricata-3.2.1

Testing

This last secion is short, but it describes a way to test and make sure It all works. We have several parts that all have to work, in order for the api to send the information to the Mikrotik, to block the signatures we have set up earlier. The best way I have found is to use a computer running linux and use Curl. If you dont have Curl, it is as simple as:

apt-get install -y curl

Once you have curl installed, and if you have pasted in the signatures I listed in the suricata block section, you can run Curl and see it post to the mikrotik api.

curl -A "BlackSun" www.google.com