https://github.com/isMTv/bash_cata

A simple script that processes the generated Suricata eve-log in real time.
https://github.com/isMTv/bash_cata

Last synced: about 2 months ago
JSON representation

A simple script that processes the generated Suricata eve-log in real time.

• Host: GitHub
• URL: https://github.com/isMTv/bash_cata
• Owner: isMTv
• License: mit
• Created: 2021-08-12T06:47:56.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2024-03-14T17:59:30.000Z (6 months ago)
• Last Synced: 2024-04-15T20:44:21.374Z (5 months ago)
• Language: Shell
• Homepage:
• Size: 78.1 KB
• Stars: 9
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-suricata - bash_cata - A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking. (Misc)

README

        
## Overview:

A simple script that processes the generated Suricata eve-log in real time and, based on alerts, adds an ip-address to the MikroTik Address Lists for a specified time for subsequent blocking;

* Connects to MikroTik using ssh-key.

* Cli commands are sent directly to the mikrotik terminal in the established session which does not close;

* Works as a daemon with attachment to the Suricata process;

* There is a whitelist to which "networks" and "signature_id" can be added;

* Marks blocked ip-addresses in the "mark_ip" file and automatically clears the file as the timestamp expires;

* Possebility restore address list after router reboot;

* In case of errors when connecting to MikroTik, add them to "bash_cata.log".

## For work you need:

* ./jq (https://stedolan.github.io/jq/)

* grepcidr (http://www.pc-tools.net/unix/grepcidr/)

* tmux (https://github.com/tmux/tmux/wiki)

* tzsp2pcap (https://github.com/thefloweringash/tzsp2pcap)

* tcpreplay (https://github.com/appneta/tcpreplay)

## How-to:

### IMPORTANT: In suricata.yaml add another eve-log:

```

- eve-log:

      enabled: yes

      filetype: regular

      filename: alerts.json

      types:

        - alert

```

### Configuring ssh key authorization:

```

Create key pair idps_rsa:

# cd ~/.ssh/

# ssh-keygen -t rsa -b 2048 -f idps_rsa

- /root/.ssh/idps_rsa.*

idps_rsa - secret key (for the host from which we are connecting)

idps_rsa.pub - public key (for the host to which we are connecting)

```

### We specify a lot of hosts through a space:

```

# nano ~/.ssh/config

Host 172.16.5.3

IdentityFile ~/.ssh/mik_rsa

#ConnectTimeout 3

#ServerAliveInterval 900

# chmod 600 ~/.ssh/config

# service sshd restart

```

### Copy script directory to:

```

# "/home/shells/"

# cd /home/shells/bash_cata/ ; chmod +x bash_cata.sh

```

### Setting up the daemon:

```

# cp bashcata.service /etc/systemd/system/

# systemctl daemon-reload

# systemctl enable bashcata.service

# systemctl start bashcata.service

# systemctl status bashcata.service

```

### Logrotate: option required "copytruncate"

cp suricata /etc/logrotate.d/

```

# Sample /etc/logrotate.d/suricata configuration file.

/var/log/suricata/*.log /var/log/suricata/*.json {

    daily

    missingok

    rotate 3

    compress

    delaycompress

    copytruncate

    sharedscripts

    postrotate

        /bin/kill -HUP `cat /run/suricata.pid 2> /dev/null` 2> /dev/null || true

    endscript

}

```

### snif TZSP:

cp tzsp.netdev /etc/systemd/network/

```

[NetDev]

Name=tzsp0

Kind=dummy

```

cp tzsp.network /etc/systemd/network/

```

[Match]

Name=tzsp*

[Link]

MTUBytes=2000

[Network]

Address=172.16.255.249/29

DHCP=no

```

Enable interface:

```

# systemctl enable systemd-networkd

# systemctl restart systemd-networkd

```

Combine tzsp2pcap and tcpreplay into [email protected]:

cp [email protected] /etc/systemd/system/

```

[Unit]

Description=TZSP Replay on dev %i

After=network.target network-online.target

Requires=network-online.target

[Service]

Type=simple

ExecStart=/bin/sh -c "/usr/bin/tzsp2pcap -f | /usr/bin/tcpreplay-edit --topspeed --mtu=$(cat /sys/class/net/%I/mtu) --mtu-trunc -i %I -"

Restart=always

RestartSec=3

ProtectSystem=full

ProtectHome=true

[Install]

WantedBy=multi-user.target

```

Start it on your dummy interface (I'm using name tzsp0, you can have dummy0 or whatever):

```

# systemctl enable --now [email protected]

```

/etc/suricata/suricata.yaml:

```

af-packet:

  - interface: tzsp0

```

### ROS:

In the "prerouting" chain we direct traffic to Suricata's ip-address. We can specify any interface and chain, as well as create the required number of rules with the action sniff TZSP.

```

 - Create Address List:

/ip/firewall/address-list/

add list=idps_fwd address=ip-to-monitoring

 - Adding rules TSZP Sniff:

/ip/firewall/mangle/

add chain=forward in-interface-list=ISP dst-address-list=idps_fwd action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008 comment="TZSP sniffing -> IDPS"

add chain=forward out-interface-list=ISP src-address-list=idps_fwd action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008

 - Or using marking connection/packet:

add chain=prerouting in-interface-list=ISP protocol=tcp dst-port=443,25,143,587,5222,5281 connection-state=new action=mark-connection new-connection-mark=idps_conn comment="TZSP sniffing -> IDPS"

add chain=prerouting in-interface-list=ISP protocol=udp dst-port=3478 connection-state=new action=mark-connection new-connection-mark=idps_conn

add chain=forward connection-mark=idps_conn action=mark-packet new-packet-mark=idps_pack

add chain=forward packet-mark=idps_pack action=sniff-tzsp sniff-target=ip-address-suricata sniff-target-port=37008

 - Block ip-address's from idps_alert table:

/ip/firewall/raw/

add chain=prerouting src-address-list=idps_alert action=drop comment="Drop IDPS"

```

### Secure SSH:

```

/ip/ssh/set strong-crypto=yes

/ip/ssh/set always-allow-password-login=no

```

### Restore Adress List:

SSH-exec configuration required. https://wiki.mikrotik.com/wiki/Manual:System/SSH_client#SSH-exec

* /.../.../bash_cata/mik.on - replace with the path where the bash_cata script is located;

* delay 25 - the time that the router will spend to turn it on completely;

* local ip - ip address host on which the script is running;

```

/system/script/add name="bash_cata" policy="ftp,read,write,test"

---

:delay 25;

:local ip "ip_bash_cata_script";

:if ([/ping address=$ip count=3] = 0) do={

    /log warning message="bash_cata: host $ip - unavalable";

    /system/scheduler/set bash_cata interval="00:04:35";

} else={

    /log/warning message="bash_cata: host $ip - available";

    /system/scheduler/set bash_cata interval="00:00:00";

    /system/ssh-exec address="$ip" port=22 user=root command="touch /.../.../bash_cata/mik.on ; systemctl restart bashcata.service";

}

---

/system/scheduler/add name="bash_cata" start-time=startup interval="00:00:00" policy="ftp,read,write,test" on-event="bash_cata"

/system/scheduler/add name="ram_disk" start-time=startup interval="00:00:00" policy="ftp,read,write,test" on-event="/disk/add type=tmpfs tmpfs-max-size=3M slot=ram-disk"

---

### Сreating a key pair in linux host:

# mkdir mik_exec && cd mik_exec && ssh-keygen -t rsa -b 2048 -m pem -f mik_exec_rsa

```

### Thanks for the Idea:

* zzbe - https://github.com/zzbe/mikrocata