Mikrotik IPS IDS

From MikroTik Wiki
Revision as of 19:01, 15 February 2014 by Paxy

Following a forum post by "slech" (http://forum.mikrotik.com/viewtopic.php?f=2&t=58965), you can set up a MikroTik router to work with the Snort (http://www.snort.org/) IDS.

Snort already provides both subscription and free services for attack signature updates, along with mechanisms for attack detection and alerting.

Because a tap on the main Internet line is not an ideal solution in some cases, such as redundant routers connected with VRRP, it is useful to have a solution based only on the MikroTik sniffer stream.

IDS Solution

To install the Snort IDS, you need a computer running Linux. Download and install Snort following the manual for your OS, or compile it from source if there is no binary for your OS: Snort Installation Procedures ([3]). After full installation, follow the configuration parameters to set up Snort. Subscribe on the Snort site to get the latest Regular User rules with attack signatures, and set them up as described in the manual.

To set up the MikroTik router, install the Calea package and open the Sniffer tool. Set the sniffer to listen on all interfaces, and uncheck the Only Headers box. Open the Streaming tab, enter the IP address of the Linux server, check Streaming Enabled, and uncheck Filter Stream. Then start sniffing.
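On the Linux server, the stream set up above arrives as TZSP-encapsulated packets over UDP port 37008, a detail this page does not state. The following is an added example, not part of the original wiki page or of MikroTik's or Snort's own code, showing one way to strip the TZSP wrapper and write the inner Ethernet frames to a pcap file; the output file name and the sample datagram are constructed for illustration.

```python
import socket
import struct
import time

TZSP_PORT = 37008            # UDP port the RouterOS sniffer streams to
TAG_PADDING, TAG_END = 0, 1  # the only TZSP tags without a length byte
ENCAP_ETHERNET = 1

def tzsp_decap(datagram: bytes) -> bytes:
    """Return the Ethernet frame carried in one TZSP datagram."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != ENCAP_ETHERNET:
        raise ValueError("unsupported TZSP version or encapsulation")
    pos = 4
    while pos < len(datagram):
        tag = datagram[pos]
        if tag == TAG_END:               # frame starts right after the end tag
            return datagram[pos + 1:]
        if tag == TAG_PADDING:
            pos += 1
        elif pos + 1 < len(datagram):    # tag, length, value: skip it
            pos += 2 + datagram[pos + 1]
        else:
            break
    raise ValueError("TZSP end tag not found")

def pcap_header() -> bytes:
    """Classic pcap global header, link type 1 (Ethernet)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def pcap_record(frame: bytes, ts: float) -> bytes:
    sec, usec = int(ts), int((ts % 1) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

# Constructed sample: TZSP header, padding tag, one 4-byte tagged field,
# end tag, then a dummy 14-byte Ethernet header.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0200000000010800")
SAMPLE_DGRAM = bytes.fromhex("01000001" "00" "280400000001" "01") + SAMPLE_FRAME

if __name__ == "__main__":
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TZSP_PORT))
    with open("mikrotik.pcap", "wb") as out:   # hypothetical output file
        out.write(pcap_header())
        while True:
            data, _peer = sock.recvfrom(65535)
            try:
                out.write(pcap_record(tzsp_decap(data), time.time()))
            except ValueError:
                continue                       # not a usable TZSP packet
```

Snort can then analyse the capture offline with its `-r` option, for example `snort -r mikrotik.pcap -c` followed by the path to your configuration file.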