Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

CentOS Stream9 ; Suricata , Tripwire , Chkrootkit

Suricata Install

SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
The basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.

1.Advance preparation

Activate the EPEL Repository

System updates

2.Suricata Installation and Configuration

Check Version

②Determine interface and IP address where Suricata will inspect network packets

③Edit configuration file

Suricata rules update

⑤Activate Suricata

Confirm Suricata startup

Check Log

Check the stats.log file for statistics (updated every 8 seconds by default)

A more advanced output, EVE JSON, can be generated with the following command

3.Suricata Testing

Run ping test with curl utility

Check the alert log to see if it has been logged

4.Setting Suricata Rules

Display of rule sets packaged in Suricata

Index list of sources providing rule sets

Enable source (if et/open is enabled)

Perform update

Restart Suricata service

5.Creating Suricata Custom Rules

Create files containing customer rules

Edit configuration file (define new rule paths)

 ③Testing the configuration file

Restart Suricat service

Testing the application of Custom Rules
Ping another device on the same local network to see if it was logged

To get logs in JSON format, install jq on your system

Execute the following command to ping another device on the same local network

Tripwire Install

1.Download and installation

2.Passphrase setting

Set site passphrase and local passphrase

3.Tripwire Configuration

①Configuration File Edit

②Create a Tripwire configuration file (cryptographically signed version)

Delete Tripwire configuration file (text version)

Policy File Settings

Contents of twpolmake.pl

Policy File Optimizations

Create policy file (cryptographically signed version) based on optimized policy file

Create database and check operation

⑧Create test files and check operation

Delete test files

Tripwire Scheduled Scripts

Contents of tripwire.sh

Tripwire Autorun Script Execution Settings

Reference: Script for reporting results by e-mail

Confirmation that the results of the tripwire execution are notified to the specified e-mail address

Chkrootkit Install

Download and install chkrootkit

➁Create /root/bin directory and move chkrootkit command to that directory

Check chkrootkit.

Checking `chsh'… INFECTED
If the above display appears, it is probably a false positive.

Create chkrootkit periodic execution script and change permissions
Create chkrootkit execution script in a directory where it is automatically executed daily

Scheduled Script Contents

Add execution permission to chkrootkit execution script

⑤Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command

⑥Run chkrootkit on the copied command

⑦Compresses backed up commands

⑧Download and save chkrootkit_cmd.tar.gz file to Windows

Copied title and URL