Elisha decapsulates TZSP streams from certified SoftSol MikroTik routers, inspects traffic with Suricata and Emerging Threats rules, and whispers alerts to Baruch in real time. Cloud Core and other higher-end RouterOS platforms are supported. This node runs telemetry only — all web content is served from Baruch.
Named for the prophet who saw the chariots of fire — Elisha is the eyewitness layer. Routers mirror edge traffic via TZSP; Suricata evaluates every frame and writes structured alerts to eve.json.
MikroTik mangle rules (action=sniff-tzsp) wrap each mirrored frame in a TZSP header and send it to Elisha on UDP 37008. tzsp2pcap strips the TZSP encapsulation and replays the raw Ethernet frames onto the dummy0 interface, which Suricata reads with its af-packet capture source.
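The decapsulation step above is small enough to show in full. The following is an added example written for this page, not Elisha's or tzsp2pcap's own code: it parses a TZSP datagram as sniff-tzsp emits it (version 1, type 0, encapsulated protocol 1 = Ethernet, a tag list terminated by TAG_END, then the frame) and wraps the recovered frame in a pcap stream of the kind Suricata or tcpdump can read. The sample datagram, the MAC and IP addresses in it, and the timestamp are constructed, not captured from a router. Every read is bounds-checked, because the collector port is the one place where a router, or anything that can spoof UDP toward it, feeds untrusted bytes straight into the monitoring path.

```python
"""Decapsulate TZSP datagrams as sent by MikroTik's sniff-tzsp action and wrap the
inner Ethernet frames in a pcap stream, the job tzsp2pcap does in front of Suricata.
Added example for this page, not Elisha's or tzsp2pcap's code; SAMPLE_TZSP is constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0       # sniffed frame plus tag list: what sniff-tzsp emits
TZSP_TYPE_KEEPALIVE = 4      # header only, no frame
TZSP_ENCAP_ETHERNET = 0x01   # encapsulated protocol: 802.3 Ethernet
TAG_PADDING = 0x00           # single byte, no length field
TAG_END = 0x01               # single byte, terminates the tag list
TAG_RX_FRAME_LENGTH = 0x29   # TLV: original length when the sender truncated the frame


class TZSPError(ValueError):
    """Raised for datagrams that are not well-formed TZSP."""


@dataclass
class TZSPFrame:
    encap: int
    tags: Dict[int, bytes] = field(default_factory=dict)
    frame: bytes = b""


def decapsulate(datagram: bytes) -> Optional[TZSPFrame]:
    """Parse one TZSP datagram: 4-byte header, tag list ending in TAG_END, then the
    encapsulated frame. Returns None for keepalives. Every read is bounds-checked so
    a truncated or hostile datagram raises TZSPError instead of misparsing."""
    if len(datagram) < 4:
        raise TZSPError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise TZSPError(f"unsupported TZSP version {version}")
    if ptype == TZSP_TYPE_KEEPALIVE:
        return None
    if ptype != TZSP_TYPE_RECEIVED:
        raise TZSPError(f"unexpected TZSP type {ptype}")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise TZSPError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise TZSPError("tag length byte missing")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise TZSPError("tag value runs past end of datagram")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    frame = datagram[pos:]
    if encap == TZSP_ENCAP_ETHERNET and len(frame) < 14:
        raise TZSPError("Ethernet frame shorter than its 14-byte header")
    return TZSPFrame(encap=encap, tags=tags, frame=frame)


def ethernet_summary(frame: bytes) -> dict:
    """Destination MAC, source MAC and EtherType of a decapsulated Ethernet frame."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(frame[:6]), "src": mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}


def pcap_global_header(snaplen: int = 65535) -> bytes:
    """libpcap file header, little-endian, LINKTYPE_ETHERNET (1)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """One pcap record: ts_sec, ts_usec, captured length, original length, frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


# Constructed sample: an Ethernet/IPv4 frame (192.168.0.1 -> 192.168.0.2, header only)
# wrapped in TZSP exactly as sniff-tzsp would wrap it. Not captured from a real router.
SAMPLE_ETH = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                # dst MAC, src MAC, EtherType IPv4
    "45000014000040004011" "0000" "c0a80001" "c0a80002"  # IPv4 header, checksum zeroed
)
SAMPLE_TZSP = (
    bytes([TZSP_VERSION, TZSP_TYPE_RECEIVED]) + struct.pack("!H", TZSP_ENCAP_ETHERNET)
    + bytes([TAG_PADDING])
    + bytes([TAG_RX_FRAME_LENGTH, 2]) + struct.pack("!H", len(SAMPLE_ETH))
    + bytes([TAG_END])
    + SAMPLE_ETH
)


def sample_pcap() -> bytes:
    """Decapsulate SAMPLE_TZSP and return a complete one-record pcap file."""
    tz = decapsulate(SAMPLE_TZSP)
    return pcap_global_header() + pcap_record(tz.frame, 1_700_000_000.25)


if __name__ == "__main__":
    tz = decapsulate(SAMPLE_TZSP)
    print(ethernet_summary(tz.frame), {hex(k): v.hex() for k, v in tz.tags.items()})
    with open("elisha_sample.pcap", "wb") as fh:   # readable with tcpdump -r or suricata -r
        fh.write(sample_pcap())
```

Running the block writes elisha_sample.pcap for inspection. In production the datagram would come from a UDP socket bound to 37008 rather than from SAMPLE_TZSP; the parser does not care about the source.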
Emerging Threats open ruleset refreshed on container start. Alerts, DNS, TLS, and flow metadata logged to eve.json.
Agent tails eve.json and streams JSON alerts to Baruch manager — the whisper pipeline.
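The alert, TLS and flow records Suricata writes for one connection all carry the same flow_id, which is what makes eve.json useful beyond the bare alert line. The following added example, written for this page and not Elisha's or Wazuh's code, reads eve.json lines, tolerates the half-written last line a tailer routinely sees, and enriches each alert with the TLS SNI and byte counts of its flow; a DNS lookup is its own flow, so it is joined on the answered address instead. It goes beyond what the page describes (the Wazuh agent ships alerts as-is) to show what a consumer of the whisper stream can reconstruct. The log lines, addresses, signature IDs and names are constructed; the dns records use Suricata's one-answer-per-record layout.

```python
"""Correlate Suricata eve.json records: alert + tls + flow share a flow_id, dns is joined
on the resolved address. Added example for this page, not Elisha's or Wazuh's code;
SAMPLE_EVE is constructed, including the signature IDs and names."""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed eve.json content, one JSON object per line as Suricata writes it.
# The final line imitates a partially written record seen while tailing.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","flow_id":111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"answer","rrname":"example.test","rrtype":"A","rdata":"203.0.113.10"}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":222,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"example.test","version":"TLS 1.2"}}
{"timestamp":"2024-05-01T10:00:01.500000+0000","flow_id":222,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":2000001,"signature":"CONSTRUCTED TEST sample signature one","severity":2}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","flow_id":222,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","flow":{"pkts_toserver":12,"pkts_toclient":15,"bytes_toserver":1800,"bytes_toclient":9000}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","flow_id":333,"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.7","dest_port":53,"proto":"UDP","alert":{"signature_id":2000002,"signature":"CONSTRUCTED TEST sample signature two","severity":3}}
{"timestamp":"2024-05-01T10:00:07.000000+0000","flow_id":444,"event_type":"al
"""


def parse_eve(text: str) -> Tuple[List[dict], int]:
    """Return (records, skipped): one dict per complete JSON line, and the count of
    lines that did not parse. A tailer must tolerate the unfinished last line."""
    records: List[dict] = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def index_by_flow(records: List[dict]) -> Dict[int, Dict[str, List[dict]]]:
    """flow_id -> event_type -> records, the join key Suricata provides for free."""
    by_flow: Dict[int, Dict[str, List[dict]]] = defaultdict(lambda: defaultdict(list))
    for rec in records:
        by_flow[rec.get("flow_id")][rec.get("event_type")].append(rec)
    return by_flow


def dns_answers_for(records: List[dict], ip: str) -> List[dict]:
    """dns answer records whose rdata resolved to ip (DNS is never in the alert's flow)."""
    return [r for r in records
            if r.get("event_type") == "dns"
            and r.get("dns", {}).get("type") == "answer"
            and r["dns"].get("rdata") == ip]


def enrich_alerts(records: List[dict]) -> List[dict]:
    """One compact dict per alert, carrying TLS SNI, flow volume and resolved names."""
    by_flow = index_by_flow(records)
    enriched = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        ctx = by_flow[rec["flow_id"]]
        tls = ctx.get("tls")            # .get() so missing types are not created
        flow = ctx.get("flow")
        enriched.append({
            "timestamp": rec["timestamp"],
            "flow_id": rec["flow_id"],
            "src_ip": rec["src_ip"],
            "dest_ip": rec["dest_ip"],
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "severity": rec["alert"]["severity"],
            "tls_sni": tls[0]["tls"].get("sni") if tls else None,
            "bytes_toclient": flow[-1]["flow"]["bytes_toclient"] if flow else None,
            "dns_names": sorted({d["dns"]["rrname"] for d in dns_answers_for(records, rec["dest_ip"])}),
        })
    return enriched


if __name__ == "__main__":
    records, skipped = parse_eve(SAMPLE_EVE)
    for alert in enrich_alerts(records):
        print(json.dumps(alert))
    print(f"skipped {skipped} incomplete line(s)")
```

The flow record is written when the flow ends, so in a live tailer the byte counts arrive after the alert; enrichment therefore either waits on the flow record or is applied on the manager side where both have landed.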
Router → TZSP → Elisha Suricata → eve.json → Wazuh agent → Baruch archive. No inbound management exposure on the overseer beyond telemetry ports.
Source · Certified edge router · sniff-tzsp → 172.17.12.35:37008
Capture log · Suricata · /var/log/suricata/eve.json
Whisper target · Wazuh agent → Baruch manager · 172.17.12.34:1514/tcp
Example MikroTik mangle rules for certified SoftSol routers on the WireGuard VPN; Cloud Core and other higher-end platforms use the same profile. Two caveats before enabling them: a forwarded packet traverses both prerouting and postrouting, so mirroring both chains delivers it to Suricata twice (mirror a single chain where only forwarded traffic matters), and locally generated packets, the TZSP datagrams themselves included, also pass through postrouting, so the postrouting rule should carry a match that excludes traffic destined to the collector at 172.17.12.35 UDP 37008.

# Frames entering the router, before the routing decision
/ip firewall mangle add chain=prerouting action=sniff-tzsp sniff-target=172.17.12.35 sniff-target-port=37008
# Frames leaving the router, after routing (locally generated traffic included)
/ip firewall mangle add chain=postrouting action=sniff-tzsp sniff-target=172.17.12.35 sniff-target-port=37008