Welcome to Mikrocata2SELKS 👋
📋 Introduction
This repository is designed to simplify the installation process for the IDS/IPS Suricata for packet analysis from Mikrotik devices. The script is compatible with latest SELKS 10.
Minimum Requirements:
- 4 CPU cores
- 10 GB of free RAM
- Minimum 10 GB of free disk space (actual disk usage will mainly depend on the number of rules and the amount of traffic on the network - 200GB+ SSD grade recommended).
🚀 Installation
- Set up a fresh Debian 12 installation on a dedicated machine (server or VM).
- Log in as root.
- Install Git:
apt install git. - Clone this repository:
git clone https://github.com/angolo40/mikrocata2selks.git. - Edit
easyinstall.shwith the path where to install SELKS and the number of Mikrotik devices to handle. - Run
./easyinstall.sh. - Wait....
- Once finished, edit
/usr/local/bin/mikrocataTZSP0.pywith your Mikrotik and Telegram parameters, then reload the service withsystemctl restart mikrocataTZSP0.service. - Configure your Mikrotik devices.
📡 Mikrotik Setup
- Enable sniffer:
/tool/sniffer/set filter-stream=yes streaming-enabled=yes streaming-server=[YOURDEBIANIP]:37008 /tool/sniffer/start - Add firewall rules:
/ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata /ip/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata /ipv6/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_in_bad_traffic" src-address-list=Suricata /ipv6/firewall/raw/add action=drop chain=prerouting comment="IPS-drop_out_bad_traffic" dst-address-list=Suricata - Enable Mikrotik API:
/ip/service/set api-ssl address=[DEBIANIP] enabled=yes - Add Mikrocata user in Mikrotik:
/user/add name=mikrocata2selks password=xxxxxxxxxxxxx group=full (change password)
🛠️ Handling Multiple Mikrotik Devices
By configuring the easyinstall.sh file to manage more than one Mikrotik device, the setup script will automatically create dedicated dummy interfaces and corresponding Mikrocata services for each device on the Debian machine.
- Example configuration:
- For Mikrotik0: Creates the
tzsp0interface on port37008and the script/usr/local/bin/mikrocataTZSP0.py. - For Mikrotik1: Creates the
tzsp1interface on port37009and the script/usr/local/bin/mikrocataTZSP1.py. - For Mikrotik2: Creates the
tzsp2interface on port37010and the script/usr/local/bin/mikrocataTZSP2.py.
- For Mikrotik0: Creates the
You will need to edit each script with the specific Mikrotik values and enable the sniffer on each Mikrotik device to send data to the corresponding port.
💡 Features
- Installs Docker and Docker Compose.
- Installs Python.
- Downloads and installs SELKS repository (https://github.com/StamusNetworks/SELKS).
- Downloads and installs Mikrocata.
- Installs TZSP interface.
- Enables notifications over Telegram when an IP is blocked.
🔄 Changelog
2.2.3
- Added IPV6Support (thanks floridan95)
2.2.2
- Fixed telegram notification issue.
2.2.1
- Fixed bug causing
mikrocata.pyscript crash during Suricata logrotate.
2.2
- Added compatibility with Debian 12.
2.1
- Improved stability of the
read_jsonfunction (thanks to bekhzad-khamidullaev).
🔧 Troubleshooting
- Check if packets are arriving at the VM from Mikrotik through the dummy interface:
tcpdump -i tzsp0 - Check if mikrocata service and tzsp0 interface are up and running:
systemctl status mikrocataTZSP0.service systemctl status TZSPreplay37008@tzsp0.service - Check if Suricata Docker container is up and running:
docker logs -f suricata
📝 Notes
- Default account for SELKS:
- URL:
https://[YOURDEBIANIP] - Username:
selks-user - Password:
selks-user
- URL:
👤 Author
Giuseppe Trifilio
Inspired by zzbe/mikrocata.
🤝 Contributing
Contributions, issues, and feature requests are welcome! Check the issues page.
🌟 Show Your Support
Give a ⭐️ if this project helped you!
- XMR:
87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw