Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/isMTv/bash_cata

A simple script that processes the generated Suricata eve-log in real time.
https://github.com/isMTv/bash_cata

Last synced: about 1 month ago
JSON representation

A simple script that processes the generated Suricata eve-log in real time.

Awesome Lists containing this project

README

        

## Overview:
A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking;
* Connects to MikroTik using ssh-key.
* Cli commands are sent directly to the mikrotik terminal in the established session which does not close;
* Works as a daemon with attachment to the Suricata process;
* There is a whitelist to which "networks" and "signature_id" can be added;
* Marks blocked ip-addresses in the "mark_ip" file and automatically clears the file as the timestamp expires;
* Possebility restore address list after router reboot;
* In case of errors when connecting to MikroTik, add them to "bash_cata.log".

## For work you need:
* ./jq (https://stedolan.github.io/jq/)
* grepcidr (http://www.pc-tools.net/unix/grepcidr/)
* tmux (https://github.com/tmux/tmux/wiki)
* tzsp2pcap (https://github.com/thefloweringash/tzsp2pcap)
* tcpreplay (https://github.com/appneta/tcpreplay)

## How-to:
### IMPORTANT: In suricata.yaml add another eve-log:
```
- eve-log:
enabled: yes
filetype: regular
filename: alerts.json
types:
- alert
```

### Configuring ssh key authorization:
```
Create key pair idps_rsa:
# cd ~/.ssh/
# ssh-keygen -t rsa -b 2048 -f idps_rsa
- /root/.ssh/idps_rsa.*
idps_rsa - secret key (for the host from which we are connecting)
idps_rsa.pub - public key (for the host to which we are connecting)
```

### We specify a lot of hosts through a space:
```
# nano ~/.ssh/config
Host 172.16.5.3
IdentityFile ~/.ssh/mik_rsa
#ConnectTimeout 3
#ServerAliveInterval 900

# chmod 600 ~/.ssh/config
# service sshd restart
```

### Copy script directory to:
```
# "/home/shells/"
# cd /home/shells/bash_cata/ ; chmod +x bash_cata.sh
```

### Setting up the daemon:
```
# cp bashcata.service /etc/systemd/system/
# systemctl daemon-reload
# systemctl enable bashcata.service
# systemctl start bashcata.service
# systemctl status bashcata.service
```

### Logrotate: option required "copytruncate"
cp suricata /etc/logrotate.d/
```
# Sample /etc/logrotate.d/suricata configuration file.
/var/log/suricata/*.log /var/log/suricata/*.json {
daily
missingok
rotate 3
compress
delaycompress
copytruncate
sharedscripts
postrotate
/bin/kill -HUP `cat /run/suricata.pid 2> /dev/null` 2> /dev/null || true
endscript
}
```

### snif TZSP:
cp tzsp.netdev /etc/systemd/network/
```
[NetDev]
Name=tzsp0
Kind=dummy
```

cp tzsp.network /etc/systemd/network/
```
[Match]
Name=tzsp*

[Link]
MTUBytes=2000

[Network]
Address=172.16.255.249/29
DHCP=no
```

Enable interface:
```
# systemctl enable systemd-networkd
# systemctl restart systemd-networkd
```

Combine tzsp2pcap and tcpreplay into [email protected]:

cp [email protected] /etc/systemd/system/
```
[Unit]
Description=TZSP Replay on dev %i
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=simple
ExecStart=/bin/sh -c "/usr/bin/tzsp2pcap -f | /usr/bin/tcpreplay-edit --topspeed --mtu=$(cat /sys/class/net/%I/mtu) --mtu-trunc -i %I -"
Restart=always
RestartSec=3
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
```

Start it on your dummy interface (I'm using name tzsp0, you can have dummy0 or whatever):
```
# systemctl enable --now [email protected]
```

/etc/suricata/suricata.yaml:
```
af-packet:
- interface: tzsp0
```

### ROS:
In the "prerouting" chain we direct traffic to Suricata's ip-address. We can specify any interface and chain, as well as create the required number of rules with the action sniff TZSP.
```
- Create Address List:
/ip/firewall/address-list/
add list=idps_fwd address=ip-to-monitoring
- Adding rules TSZP Sniff:
/ip/firewall/mangle/
add chain=forward in-interface-list=ISP dst-address-list=idps_fwd action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008 comment="TZSP sniffing -> IDPS"
add chain=forward out-interface-list=ISP src-address-list=idps_fwd action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008
- Or using marking connection/packet:
add chain=prerouting in-interface-list=ISP protocol=tcp dst-port=443,25,143,587,5222,5281 connection-state=new action=mark-connection new-connection-mark=idps_conn comment="TZSP sniffing -> IDPS"
add chain=prerouting in-interface-list=ISP protocol=udp dst-port=3478 connection-state=new action=mark-connection new-connection-mark=idps_conn
add chain=forward connection-mark=idps_conn action=mark-packet new-packet-mark=idps_pack
add chain=forward packet-mark=idps_pack action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008
- Block ip-address's from idps_alert table:
/ip/firewall/raw/
add chain=prerouting src-address-list=idps_alert action=drop comment="Drop IDPS"
```

### Secure SSH:
```
/ip/ssh/set strong-crypto=yes
/ip/ssh/set always-allow-password-login=no
```

### Restore Adress List:
SSH-exec configuration required. https://wiki.mikrotik.com/wiki/Manual:System/SSH_client#SSH-exec
* /.../.../bash_cata/mik.on - replace with the path where the bash_cata script is located;
* delay 25 - the time that the router will spend to turn it on completely;
* local ip - ip address host on which the script is running;
```
/system/script/add name="bash_cata" policy="ftp,read,write,test"
---
:delay 25;
:local ip "ip_bash_cata_script";
:if ([/ping address=$ip count=3] = 0) do={
/log warning message="bash_cata: host $ip - unavalable";
/system/scheduler/set bash_cata interval="00:04:35";
} else={
/log/warning message="bash_cata: host $ip - available";
/system/scheduler/set bash_cata interval="00:00:00";
/system/ssh-exec address="$ip" port=22 user=root command="touch /.../.../bash_cata/mik.on ; systemctl restart bashcata.service";
}
---
/system/scheduler/add name="bash_cata" start-time=startup interval="00:00:00" policy="ftp,read,write,test" on-event="bash_cata"
/system/scheduler/add name="ram_disk" start-time=startup interval="00:00:00" policy="ftp,read,write,test" on-event="/disk/add type=tmpfs tmpfs-max-size=3M slot=ram-disk"
---
### Сreating a key pair in linux host:
# mkdir mik_exec && cd mik_exec && ssh-keygen -t rsa -b 2048 -m pem -f mik_exec_rsa
```

### Thanks for the Idea:
* zzbe - https://github.com/zzbe/mikrocata