
Oracle Linux 9.1: Suricata, Snort Install

Suricata

Suricata is an open source IDS/IPS that monitors network traffic and detects suspicious communications.
Its basic mechanism is signature-based, so it detects communications that match predefined rules. Suricata can also block traffic (IPS mode) in addition to detecting it.

1. Advance Preparation

①Enable the EPEL repository

②Update the system

2. Suricata Installation and Configuration

①Install Suricata

②Determine the interface and IP address on which Suricata will inspect network packets

③Edit the configuration file

④Update the Suricata rules

<Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
You will see a warning like the one above; it can be ignored, so proceed as you are.

⑤Start Suricata

⑥Confirm that Suricata has started

Check the logs

Check the stats.log file for statistics (updated every 8 seconds by default).

A more detailed output, EVE JSON, can be generated with the following command.

3. Suricata Testing

①Run a ping test with the curl utility

②Check the alert log to confirm that the test was logged

4. Setting Suricata Rules

①Display the rule sets packaged with Suricata

②List the index of sources that provide rule sets

③Enable a source (here, et/open is enabled)

Perform the update

Restart the Suricata service

5. Creating Suricata Custom Rules

①Create a file containing the custom rules

②Edit the configuration file (define the new rule path)

③Test the configuration file

Restart the Suricata service

④Test that the custom rules are applied
Ping another device on the same local network and check whether it was logged.

To read the logs in JSON format, install jq on the system.

Execute the following command to ping another device on the same local network.
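As an added example that is not part of the original guide: a small Python script that reads Suricata's line-delimited EVE JSON (eve.json), keeps only `event_type: "alert"` records, and tallies them per signature and source/destination, which is the same triage view a jq pipeline gives. The sample lines below are constructed for illustration, and the custom ICMP rule's sid 1000001 is an assumption.

```python
import json
from collections import Counter

# Constructed sample of eve.json lines (one JSON object per line); not real capture data.
# The last line simulates a truncated write, which a log reader must tolerate.
SAMPLE_EVE = """\
{"timestamp":"2023-03-01T10:00:01.000000+0900","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"ICMP Ping detected","category":"Misc activity","severity":3}}
{"timestamp":"2023-03-01T10:00:02.000000+0900","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"ICMP"}
{"timestamp":"2023-03-01T10:00:03.000000+0900","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"ICMP Ping detected","category":"Misc activity","severity":3}}
{"timestamp":"2023-03-01T10:00:05.000000+0900","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","proto":"TCP","dest_port":80,"alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2023-03-01T10:00:06.000000+0900","event_type":"al
"""

def parse_eve_alerts(text):
    """Return one flat dict per alert record, skipping non-alert events and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written or corrupt line: skip rather than abort
        if event.get("event_type") != "alert":
            continue
        a = event.get("alert", {})
        alerts.append({
            "ts": event.get("timestamp"),
            "sid": a.get("signature_id"),
            "sig": a.get("signature"),
            "severity": a.get("severity"),  # Suricata: 1 is most severe
            "src": event.get("src_ip"),
            "dst": event.get("dest_ip"),
            "proto": event.get("proto"),
        })
    return alerts

def summarize(alerts):
    """Count alerts per (sid, signature, src, dst) for a quick triage table."""
    return Counter((a["sid"], a["sig"], a["src"], a["dst"]) for a in alerts)

def icmp_ping_alerts(alerts, sid=1000001):
    """Alerts raised by the custom ICMP rule (sid 1000001 is an assumed value)."""
    return [a for a in alerts if a["sid"] == sid and a["proto"] == "ICMP"]

if __name__ == "__main__":
    found = parse_eve_alerts(SAMPLE_EVE)
    for key, count in summarize(found).most_common():
        print(count, key)
```

Point the script at /var/log/suricata/eve.json after running the ping test; the ICMP entries appear only if the custom rule path was added to the configuration and Suricata was restarted.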

Snort

Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.

It performs protocol analysis, content searching, and matching, and can be used to detect a variety of attacks such as buffer overflows, stealth port scans, CGI attacks, SMB (Server Message Block) probes, OS fingerprinting attempts, and semantic URL attacks.

1. Advance Preparation

①Install the necessary software

②Install DAQ
③Install Lua
④Create fake release files

2. Snort Download, Compile, and Install

Remove the fake release files

3. Create Groups and Users, and the Necessary Directories and Files

Set up the configuration files: copy all files to the configuration directory.

4. Using the Community Rules

①Download the Community Rules

②Extract the rules and copy them to the configuration folder
The configuration file references various rule files that are not included in the community rules.
Use the "sed" command to comment out those unnecessary lines.

5. Retrieving the Registered User Rules

Once registered on the Snort website, you can use your Oink code to download the registered user rules; the Oink code is shown in your Snort user account details.
Replace oinkcode with your personal code in the following command.
Once the download is complete, extract the rules to the configuration directory.

6. Network and Rule Configuration

7. Verifying the Settings

Use the -T parameter to run Snort in test mode and check the configuration.
If errors occur, copy the relevant files to /etc/snort/rules.
In our case, the error occurred in the following file.

8. Configuration Testing

①To test whether Snort logs alerts, add a custom detection rule to the local.rules file that alerts on incoming ICMP connections.
②Start Snort from the console and output alerts to stdout. The correct network interface (e.g. ens160) must be selected.
Snort writes alerts to a log under /var/log/snort/snort.log.<timestamp>.
The log can be read with the command below.
The log shows an alert for each ICMP request, including the source and destination IPs, the date and time, and some additional information, as in the following example.

9. Running Snort in the Background

①Create a systemd service file for Snort
②After defining the service, reload the systemd daemon and start the service.