Lukas0025 / maltrail-mikrotik-docker

Maltrail IDS with support for mikrotik packet sniffer stream in docker
Apache License 2.0

Nothing is displayed on the web side #1

Closed Young-3 closed 1 year ago

Young-3 commented 1 year ago

The docker container has been deployed successfully, Mikrotik has been configured for sniffing, but nothing is displayed on the web side

Lukas0025 commented 1 year ago

First

I made a mistake in the readme where I did not write /udp for port 37008 in the docker run command. Please try setting up the container again following the new readme.

If that does not help

Please provide some logs from docker container.

# list containers
docker ps
# get the logs
docker logs -f {name/id of maltrail container}

More info on docker logs: https://docs.docker.com/engine/reference/commandline/logs/

It should be useful to determine if Mikrotik is sending the sniffer stream to docker. For this, exec into the container, stop the running service and start it manually:

# list containers
docker ps
# exec into the container
docker exec -it {name/id of maltrail container} sh
# in the container:
# find the pid of tzsp2pcap (ctrl+c closes top)
top
kill {pid of tzsp2pcap}
# make sure tzsp2pcap is killed
top
# read the mikrotik sniffer stream in the terminal
tzsp2pcap/tzsp2pcap -f

# if you want to see packet headers in a readable format
apt update
apt install tcpdump
tzsp2pcap/tzsp2pcap -f | tcpdump -r -

More info on docker exec: https://docs.docker.com/engine/reference/commandline/exec/

Now you should see all sniffed packets in the terminal. If not, please make sure the Mikrotik packet stream is running; if yes, check the firewall rules for port 37008/udp. If the firewall allows this port, please check tzsp2pcap on your main host outside of the container.

Note

It takes some time to display a threat in the web interface, so please wait some time after you create a test threat. Make sure you do not filter out the threat with the Mikrotik filter.
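As an added illustration of the "read the sniffer stream in the terminal" check above (this is not code from the issue or from the maltrail-mikrotik-docker project): a dependency-free Python listener that binds UDP 37008, decodes the TZSP header that the MikroTik sniffer streams, and summarizes the encapsulated Ethernet frame. The TYPE_NAMES and ENCAP_NAMES values come from the TZSP format; the listen() helper, its 10 s timeout and the sample datagram are our own constructions. tzsp2pcap must be stopped first, as described above, because it holds the same port.

```python
import socket
import struct
from typing import Dict

TZSP_PORT = 37008          # UDP port MikroTik streams to, as in this thread
TZSP_VERSION = 1
TAG_PADDING = 0x00         # single-byte tag, no length field
TAG_END = 0x01             # single-byte tag that terminates the tag list

# Encapsulation and type codes as defined by the TZSP format
ENCAP_NAMES = {1: "Ethernet", 18: "IEEE 802.11", 119: "Prism", 127: "802.11 AVS"}
TYPE_NAMES = {0: "received", 1: "transmit", 3: "config", 4: "keepalive", 5: "port-opener"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def summarize_ethernet(frame: bytes) -> dict:
    """Destination MAC, source MAC and EtherType of an Ethernet II frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}


def parse_tzsp(datagram: bytes) -> dict:
    """Decode one TZSP datagram: 4-byte header, tag list, then the sniffed frame."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unexpected TZSP version {version}")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list is not terminated by TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("truncated tag: length byte missing")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("truncated tag: data shorter than declared length")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    frame = datagram[pos:]
    info = {
        "type": TYPE_NAMES.get(ptype, f"unknown({ptype})"),
        "encapsulation": ENCAP_NAMES.get(encap, f"unknown({encap})"),
        "tags": tags,
        "frame_len": len(frame),
    }
    if encap == 1 and len(frame) >= 14:
        info.update(summarize_ethernet(frame))
    return info


def build_sample_datagram() -> bytes:
    """Constructed TZSP datagram (not a real capture): type 0, Ethernet, one padding tag, IPv4 stub."""
    header = struct.pack("!BBH", TZSP_VERSION, 0, 1)
    tags = bytes([TAG_PADDING, TAG_END])
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return header + tags + eth + b"\x45\x00" + b"\x00" * 18   # 20-byte IPv4 header stub


def listen(bind_ip: str = "0.0.0.0", port: int = TZSP_PORT, count: int = 5) -> int:
    """Bind the TZSP port and decode up to `count` datagrams; returns how many were decoded."""
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(10)
        while seen < count:
            try:
                data, (src_ip, _) = sock.recvfrom(65535)
            except socket.timeout:
                print("no TZSP datagram in 10 s: the stream is not reaching this host/port")
                break
            try:
                info = parse_tzsp(data)
            except ValueError as exc:
                print(f"{src_ip}: undecodable datagram ({exc})")
                continue
            seen += 1
            print(f"{src_ip}: {info['type']} {info['encapsulation']} "
                  f"{info.get('src_mac', '?')} -> {info.get('dst_mac', '?')} "
                  f"ethertype=0x{info.get('ethertype', 0):04x} len={info['frame_len']}")
    return seen


if __name__ == "__main__":
    print(parse_tzsp(build_sample_datagram()))   # decode the constructed sample
    listen()                                      # then wait for real datagrams on 37008/udp
```

Run it on the host first and then inside the container (after killing tzsp2pcap); a timeout on the host points at the router or the VMware/firewall path, while success on the host and a timeout in the container points at the docker port mapping.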

Young-3 commented 1 year ago

First

image

Logs from docker container

image

restart tzsp2pcap

image

tzsp2pcap/tzsp2pcap -f | tcpdump -r -

No output

image

Mikrotik setting

image

But still nothing

image

The host system is Debian 11, running as a virtual machine on VMware. The ufw firewall is disabled.

image

Young-3 commented 1 year ago

On the host, running tzsp2pcap/tzsp2pcap -f | tcpdump -r - displays the information normally. Output exception in the docker container.

image

Lukas0025 commented 1 year ago

Ok, the Mikrotik stream is not going to the container. First, check port forwarding in VMware: port 37008/udp must be forwarded to your Debian host. Second, try tzsp2pcap (https://github.com/thefloweringash/tzsp2pcap) on Debian to see if it is working. (Ok, you did this.)

Finally, since we know it is not going to the docker container, check the output of docker ps to see if port 37008/udp is correctly bound on 0.0.0.0 or another IP of the host. docker ps on my host returns

maltrail:latest                      "/bin/sh -c 'bash -c…"   38 minutes ago   Up 38 minutes          8337/udp, 0.0.0.0:8337-8338->8337-8338/tcp, :::8337-8338->8337-8338/tcp, 0.0.0.0:37008->37008/udp, :::37008->37008/udp   Maltrail

If it's not the same as yours in the screenshot, maybe docker run was done with incorrect port protocols?
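To make the docker ps check above mechanical, here is an added Python helper (not part of the issue or of the project) that parses the PORTS column exactly as docker ps prints it, including port ranges, IPv6 ":::" bindings and exposed-but-unpublished entries, and reports whether port 37008 is published as UDP, published only with another protocol (the readme mistake discussed in this thread), or not published at all. The sample PORTS strings are constructed from the output shown above; the tzsp_publish_status() name and its result labels are our own.

```python
import re
import sys
from typing import List, NamedTuple, Optional

TZSP_PORT = 37008   # the MikroTik sniffer stream port from this thread


class PublishedPort(NamedTuple):
    host_ip: Optional[str]     # None when the port is only exposed, not published
    host_port: Optional[int]
    container_port: int
    proto: str


# One comma-separated PORTS entry, e.g. "8337/udp", "0.0.0.0:8337-8338->8337-8338/tcp", ":::37008->37008/udp"
_ENTRY = re.compile(
    r"^(?:(?P<host>.+):(?P<hports>\d+(?:-\d+)?)->)?(?P<cports>\d+(?:-\d+)?)/(?P<proto>[a-z]+)$"
)


def _expand(port_range: str) -> List[int]:
    """'8337-8338' -> [8337, 8338]; '37008' -> [37008]."""
    lo, _, hi = port_range.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def parse_ports_column(ports: str) -> List[PublishedPort]:
    """Parse the PORTS column of docker ps into one record per (host port, container port) pair."""
    out: List[PublishedPort] = []
    for entry in (e.strip() for e in ports.split(",") if e.strip()):
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"unrecognised PORTS entry: {entry!r}")
        cports = _expand(m["cports"])
        if m["host"] is None:                      # exposed only: no "host:port->" prefix
            out.extend(PublishedPort(None, None, c, m["proto"]) for c in cports)
            continue
        hports = _expand(m["hports"])
        if len(hports) != len(cports):
            raise ValueError(f"host/container range length mismatch in {entry!r}")
        out.extend(PublishedPort(m["host"], h, c, m["proto"]) for h, c in zip(hports, cports))
    return out


def tzsp_publish_status(ports: str, port: int = TZSP_PORT) -> str:
    """'udp' if the port is published as UDP, 'not-udp' if published only with another
    protocol (the docker run mistake from the readme), 'missing' if not published at all."""
    protos = {
        p.proto
        for p in parse_ports_column(ports)
        if p.container_port == port and p.host_port is not None
    }
    if "udp" in protos:
        return "udp"
    if protos:
        return "not-udp"
    return "missing"


# Constructed samples: the first is the PORTS string shown in this thread, the others show the two failure cases.
SAMPLE_OK = ("8337/udp, 0.0.0.0:8337-8338->8337-8338/tcp, :::8337-8338->8337-8338/tcp, "
             "0.0.0.0:37008->37008/udp, :::37008->37008/udp")
SAMPLE_TCP_ONLY = "8337/udp, 0.0.0.0:8337-8338->8337-8338/tcp, 0.0.0.0:37008->37008/tcp"
SAMPLE_MISSING = "8337/udp, 37008/udp, 0.0.0.0:8337-8338->8337-8338/tcp"


if __name__ == "__main__":
    # Pipe real output in with:  docker ps --format '{{.Names}}\t{{.Ports}}' | python3 this_script.py
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else [
        "sample-ok\t" + SAMPLE_OK, "sample-tcp-only\t" + SAMPLE_TCP_ONLY, "sample-missing\t" + SAMPLE_MISSING]
    for line in lines:
        name, _, ports = line.partition("\t")
        print(f"{name}: 37008 -> {tzsp_publish_status(ports)}")
```

Only entries with a "host:port->" prefix count as published; a bare "37008/udp" means the image exposes the port but docker run never mapped it, which is the "missing" case.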

Young-3 commented 1 year ago

Following the readme to recreate the docker container, it's normal now. Sorry, I didn't see that the create docker container command in the readme had been updated.

root@ids2mikrotik:~/maltrail# docker ps
CONTAINER ID   IMAGE      COMMAND                   CREATED          STATUS          PORTS                                                                                                                    NAMES
aab8850b1f40   maltrail   "/bin/sh -c 'bash -c…"   36 seconds ago   Up 35 seconds   8337/udp, 0.0.0.0:8337-8338->8337-8338/tcp, :::8337-8338->8337-8338/tcp, 0.0.0.0:37008->37008/udp, :::37008->37008/udp   pensive_goldstine

Lukas0025 commented 1 year ago

Ok, it's working now, I'm closing the issue.