Rocky Linux8.4でサーバー構築 Tripwire,Chkrootkit,Snort インストール

Contents

1.サーバー構築の前準備　Tripwire インストール
2.サーバー構築の前準備　chkrootkit インストール
3.サーバー構築の前準備　SNORT インストール

1.サーバー構築の前準備　Tripwire インストール

1.1ダウンロード、インストール

# cd /usr/local/src
src]# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

# cd /usr/local/src

src]# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm

src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

依存性エラーが出た場合次を入れる

src]# wget https://repo.almalinux.org/almalinux/8/AppStream/x86_64/os/Packages/compat-openssl10-1.0.2o-3.el8.x86_64.rpm
src]# yum install compat-openssl10-1.0.2o-3.el8.x86_64.rpm

1 2	src]# wget https://repo.almalinux.org/almalinux/8/AppStream/x86_64/os/Packages/compat-openssl10-1.0.2o-3.el8.x86_64.rpm src]# yum install compat-openssl10-1.0.2o-3.el8.x86_64.rpm

再度

src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

1	src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

1-2.初期設定

cd /usr/local/src

1	cd /usr/local/src

src]# tripwire-setup-keyfiles

----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ←任意の「サイトパスフレーズ」を入力
Verify the site keyfile passphrase: ←再度任意の「サイトパスフレーズ」を入力
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ←任意の「ローカルパスフレーズ」を入力
Verify the local keyfile passphrase: ←再度任意の「ローカルパスフレーズ」を入力
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ←「サイトパスフレーズ」を入力
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ←「サイトパスフレーズ」を入力
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
～中略～
default values from the current configuration file are used

src]# tripwire-setup-keyfiles

----------------------------------------------

The Tripwire site and local passphrases are used to sign a variety of

files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain both

letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------

Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically

have upper and lower case letters, digits and punctuation marks, and are

at least 8 characters in length.)

Enter the site keyfile passphrase: ←任意の「サイトパスフレーズ」を入力

Verify the site keyfile passphrase: ←再度任意の「サイトパスフレーズ」を入力

Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically

have upper and lower case letters, digits and punctuation marks, and are

at least 8 characters in length.)

Enter the local keyfile passphrase: ←任意の「ローカルパスフレーズ」を入力

Verify the local keyfile passphrase: ←再度任意の「ローカルパスフレーズ」を入力

Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------

Signing configuration file...

Please enter your site passphrase: ←「サイトパスフレーズ」を入力

Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:

/etc/tripwire/twcfg.txt

has been preserved for your inspection. It is recommended that you

move this file to a secure location and/or encrypt it in place (using a

tool such as GPG, for example) after you have examined it.

----------------------------------------------

Signing policy file...

Please enter your site passphrase: ←「サイトパスフレーズ」を入力

Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:

/etc/tripwire/twpol.txt

～中略～

default values from the current configuration file are used

1-3.Tripwire の設定

# vi /etc/tripwire/twcfg.txt

■9 行目あたり
行頭に「#」を追加し、その下の行に「LOOSEDIRECTORYCHECKING =true」を追加します。
■13 行目あたり
行頭に「#」を追加し、その下の行に「REPORTLEVEL =4」を追加します。
レベル4 にすることで「0 」～「4 」までの5 段階中、最も詳細なレポートが表示されます。
#REPORTLEVEL =3
REPORTLEVEL =4

# vi /etc/tripwire/twcfg.txt

■9 行目あたり

行頭に「#」を追加し、その下の行に「LOOSEDIRECTORYCHECKING =true」を追加します。

■13 行目あたり

行頭に「#」を追加し、その下の行に「REPORTLEVEL =4」を追加します。

レベル4 にすることで「0 」～「4 」までの5 段階中、最も詳細なレポートが表示されます。

#REPORTLEVEL =3

REPORTLEVEL =4

1-4.Tripwire 設定ファイル(暗号署名版)を作成

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←設定したサイトパスフレーズを入力
Wrote configuration file: /etc/tripwire/tw.cfg

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

Please enter your site passphrase: ←設定したサイトパスフレーズを入力

Wrote configuration file: /etc/tripwire/tw.cfg

1-5.ポリシーファイル設定

# cd /etc/tripwire/

1	# cd /etc/tripwire/

tripwire]# vi twpolmake.pl    ←ポリシーファイルを新規に下記の内容で作成

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;

tripwire]# vi twpolmake.pl ←ポリシーファイルを新規に下記の内容で作成

#!/usr/bin/perl

# Tripwire Policy File customize tool

# ----------------------------------------------------------------

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

# ----------------------------------------------------------------

# Usage:

# perl twpolmake.pl {Pol file}

# ----------------------------------------------------------------

$POLFILE=$ARGV[0];open(POL,"$POLFILE") or die "open error: $POLFILE" ;

my($myhost,$thost) ;

my($sharp,$tpath,$cond) ;

my($INRULE) = 0 ;while (<POL>) {

chomp;

if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {

$myhost = `hostname` ; chomp($myhost) ;

if ($thost ne $myhost) {

$_="HOSTNAME=\"$myhost\";" ;

}

elsif ( /^{/ ) {

$INRULE=1 ;

}

elsif ( /^}/ ) {

$INRULE=0 ;

}

elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {

$ret = ($sharp =~ s/\#//g) ;

if ($tpath eq '/sbin/e2fsadm' ) {

$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;

}

if (! -s $tpath) {

$_ = "$sharp#$tpath$cond" if ($ret == 0) ;

}

else {

$_ = "$sharp$tpath$cond" ;

}

print "$_\n" ;

}

close(POL) ;

1-6.ポリシーファイル最適化

tripwire]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

1	tripwire]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

1-7.ポリシーファイル(暗号署名版)作成

tripwire]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key
/etc/tripwire/twpol.txt.new
Please enter your site passphrase:     ←サイトパスフレーズを入力
Wrote policy file: /etc/tripwire/tw.pol

tripwire]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key

/etc/tripwire/twpol.txt.new

Please enter your site passphrase: ←サイトパスフレーズを入力

Wrote policy file: /etc/tripwire/tw.pol

ポリシーファイル(テキスト版)削除

tripwire]# rm -f /etc/tripwire/twpol.txt*

1	tripwire]# rm -f /etc/tripwire/twpol.txt*

1-8.データベースを作成、動作確認

データベースを作成

tripwire]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←ローカルパスフレーズを入力

1 2	tripwire]# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←ローカルパスフレーズを入力

テスト用ファイルを作成

tripwire]# echo tripwire_ test > /root/tripwire_test.txt

1	tripwire]# echo tripwire_ test > /root/tripwire_test.txt

Tripwire の動作確認

tripwire]# tripwire -m c -s -c /etc/tripwire/tw.cfg

1	tripwire]# tripwire -m c -s -c /etc/tripwire/tw.cfg

テスト用ファイルを削除

tripwire]# rm -f /root/tripwire_test.txt

1	tripwire]# rm -f /root/tripwire_test.txt

1-9.Tripwire 定期実行スクリプト

①Tripwire 自動実行スクリプト(tripwire.sh)の作成

# cd /var/www/system

1	# cd /var/www/system

# vi tripwire.sh

#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# パスフレーズ設定
LOCALPASS=xxxxxxxx # ローカルパスフレーズ
SITEPASS=xxxxxxxxx  # サイトパスフレーズ
cd /etc/tripwire# Tripwireチェック実行
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
# ポリシーファイル最新化
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# データベース最新化
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

# vi tripwire.sh

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# パスフレーズ設定

LOCALPASS=xxxxxxxx # ローカルパスフレーズ

SITEPASS=xxxxxxxxx # サイトパスフレーズ

cd /etc/tripwire# Tripwireチェック実行

tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root

# ポリシーファイル最新化

twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt

perl twpolmake.pl twpol.txt > twpol.txt.new

twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null

rm -f twpol.txt* *.bak

# データベース最新化

rm -f /usr/local/tripwire/lib/tripwire/*.twd*

tripwire -m i -s -c tw.cfg -P $LOCALPASS

# chmod 700 tripwire.sh

1	# chmod 700 tripwire.sh

➁Tripwire が定期的に実行されるようcron に追加する

# crontab -e

0 3 * * * /var/www/system/tripwire.sh

# crontab -e

0 3 * * * /var/www/system/tripwire.sh

実際に
# /var/www/system/tripwire.sh を実行するとmailコマンドがないと表示される場合

# yum install mailx
# systemctl start postfix

1 2	# yum install mailx # systemctl start postfix

を実行

2.サーバー構築の前準備　chkrootkit インストール

2.1chkrootkit をダウンロード、インストール

# cd /usr/local/src
src]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
src]# tar zxvf chkrootkit.tar.gz
src]# mv chkrootkit-0.50/chkrootkit /root/bin

# cd /usr/local/src

src]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

src]# tar zxvf chkrootkit.tar.gz

src]# mv chkrootkit-0.50/chkrootkit /root/bin

2.2 chkrootkit を確認

src]#  chkrootkit | grep INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

1 2	src]# chkrootkit \| grep INFECTED Searching for Suckit rootkit... Warning: /sbin/init INFECTED

「/sbin/init」は誤検知なので問題ありません

2.3 chkrootkit 定期実行スクリプトの作成と権限変更

(今回は/optの中に作成するが任意です)

opt]# vi chkrootkit.sh

#!/bin/bash
PATH=/usr/bin:/bin:/root/binTMPLOG=`mktemp`
# chkrootkit実行
chkrootkit > $TMPLOG
# ログ出力
cat $TMPLOG | logger -t chkrootkit
# SMTPSのbindshell誤検知対応
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $TMPLOG
fi
# upstartパッケージ更新時のSuckit誤検知対応
#if [ ! -z "$(grep Suckit $TMPLOG)" ] && \
# [ -z $(rpm -V `rpm -qf /sbin/init`) ]; then
# sed -i '/Suckit/d' $TMPLOG
#fi
# rootkit検知時のみroot宛メール送信
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" rootrm -f $TMPLOG

opt]# vi chkrootkit.sh

#!/bin/bash

PATH=/usr/bin:/bin:/root/binTMPLOG=`mktemp`

# chkrootkit実行

chkrootkit > $TMPLOG

# ログ出力

cat $TMPLOG | logger -t chkrootkit

# SMTPSのbindshell誤検知対応

if [ ! -z "$(grep 465 $TMPLOG)" ] && \

[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then

sed -i '/465/d' $TMPLOG

# upstartパッケージ更新時のSuckit誤検知対応

#if [ ! -z "$(grep Suckit $TMPLOG)" ] && \

# [ -z $(rpm -V `rpm -qf /sbin/init`) ]; then

# sed -i '/Suckit/d' $TMPLOG

#fi

# rootkit検知時のみroot宛メール送信

[ ! -z "$(grep INFECTED $TMPLOG)" ] && \

grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" rootrm -f $TMPLOG

opt]# chmod 700 chkrootkit.sh

1	opt]# chmod 700 chkrootkit.sh

chkrootkit が定期実行されるようcron に設定

opt]# crontab -e
0 2 * * * /opt/chkrootkit.sh

1 2	opt]# crontab -e 0 2 * * * /opt/chkrootkit.sh

(起動時刻は任意に設定)

3.サーバー構築の前準備　SNORT インストール

Snortは、IPネットワーク上でリアルタイムのトラフィック分析とパケットロギングを実行できるオープンソースのネットワーク侵入検知システムです。

「プロトコル分析」「コンテンツ検索」「マッチング」を実行でき、「バッファオーバーフロー」「ステルスポートスキャン」「CGI攻撃」「SMBプローブ」「OSフィンガープリント試行」「セマンティックURL攻撃」「サーバメッセージブロック探査」など、さまざまな攻撃検出に使用できます。

3.1 必要なライブラリーをインストール

# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel

1	# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel

# mkdir /var/src

1	# mkdir /var/src

3.2 DAQをインストール

# cd /var/src
src]# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
src]# tar zxvf daq-2.0.7.tar.gz
src]# zxvf daq-2.0.7.tar.gz
src]# cd daq-2.0.7
daq-2.0.7]# autoreconf -f -i
daq-2.0.7]# ./configure
daq-2.0.7]# make
daq-2.0.7]# make install

# cd /var/src

src]# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz

src]# tar zxvf daq-2.0.7.tar.gz

src]# zxvf daq-2.0.7.tar.gz

src]# cd daq-2.0.7

daq-2.0.7]# autoreconf -f -i

daq-2.0.7]# ./configure

daq-2.0.7]# make

daq-2.0.7]# make install

3.3 Snort OpenAppIDをインストール

# cd /var/src
src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
src]# tar -zxvf LuaJIT-2.0.5.tar.gz
src]# cd LuaJIT-2.0.5
LuaJIT-2.0.5]# make
LuaJIT-2.0.5]# make install

# cd /var/src

src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

src]# tar -zxvf LuaJIT-2.0.5.tar.gz

src]# cd LuaJIT-2.0.5

LuaJIT-2.0.5]# make

LuaJIT-2.0.5]# make install

3.4 RPC libraryを使用するため仮release fileインストール

# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT

# /bin/cat << EOT >/etc/fedora-release

Fedora release 28 (Rawhide)

EOT

3.5 SNORTをダウンロード、インストール

# cd /var/src
src]# wget https://snort.org/downloads/snort/snort-2.9.18.1.tar.gz
src]# tar -zxvf snort-2.9.18.1.tar.gz
src]# cd snort-2.9.18.1
snort-2.9.18.1]# ./configure --enable-sourcefire
snort-2.9.18.1]# make
snort-2.9.18.1]# make install

# cd /var/src

src]# wget https://snort.org/downloads/snort/snort-2.9.18.1.tar.gz

src]# tar -zxvf snort-2.9.18.1.tar.gz

src]# cd snort-2.9.18.1

snort-2.9.18.1]# ./configure --enable-sourcefire

snort-2.9.18.1]# make

snort-2.9.18.1]# make install

3.6 3.3でインストールした仮release file を削除

# /bin/rm /etc/fedora-release

1	# /bin/rm /etc/fedora-release

3.7 SNORTユーザー、グループ作成

# groupadd snort
# useradd -g snort -s /sbin/nologin snort
# passwd -l snort

# groupadd snort

# useradd -g snort -s /sbin/nologin snort

# passwd -l snort

3.8 SNORTディレクトリー、ルールファイル作成

# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/rules/iplists
# mkdir /etc/snort/pulledpork
# mkdir /var/log/snort
# mkdir /var/log/snort/pcap
# chown -R snort /var/log/snort
# touch /etc/snort/rules/iplists/default.whitelist
# touch /etc/snort/rules/iplists/default.blacklist
# cp /var/src/snort*/etc/* /etc/snort
# ln -s /usr/local/bin/snort /sbin/snort

# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /etc/snort/rules/iplists

# mkdir /etc/snort/pulledpork

# mkdir /var/log/snort

# mkdir /var/log/snort/pcap

# chown -R snort /var/log/snort

# touch /etc/snort/rules/iplists/default.whitelist

# touch /etc/snort/rules/iplists/default.blacklist

# cp /var/src/snort*/etc/* /etc/snort

# ln -s /usr/local/bin/snort /sbin/snort

3.9 PulledPork ルール管理ポリシー

# yum -y install perl-libwww-perl.noarch perl-Sys-Syslog.x86_64 perl-Archive-Tar.noarch perl-LWP-Protocol-https.noarch
# wget https://raw.githubusercontent.com/shirkdog/pulledpork/master/pulledpork.pl -O /usr/local/bin/pulledpork.pl
# chmod 755 /usr/local/bin/pulledpork.pl

# yum -y install perl-libwww-perl.noarch perl-Sys-Syslog.x86_64 perl-Archive-Tar.noarch perl-LWP-Protocol-https.noarch

# wget https://raw.githubusercontent.com/shirkdog/pulledpork/master/pulledpork.pl -O /usr/local/bin/pulledpork.pl

# chmod 755 /usr/local/bin/pulledpork.pl

3.10 PulledPork 構成ファイルをビルド

# /bin/cat << EOT >/etc/snort/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/rules/|snortrules-snapshot-29180.tar.gz|<OINKCODE>
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLOCKLIST|open
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/etc/snort/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-8-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
snort_version=2.9.14.1
disablesid=/etc/snort/pulledpork/disablesid.conf
enablesid=/etc/snort/pulledpork/enablesid.conf
version=0.8.0
EOT

# /bin/cat << EOT >/etc/snort/pulledpork/pulledpork.conf

rule_url=https://www.snort.org/rules/|snortrules-snapshot-29180.tar.gz|<OINKCODE>

rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLOCKLIST|open

rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open

ignore=deleted.rules,experimental.rules,local.rules

temp_path=/tmp

rule_path=/etc/snort/rules/snort.rules

local_rules=/etc/snort/rules/local.rules

sid_msg=/etc/snort/sid-msg.map

sid_msg_version=1

sid_changelog=/var/log/sid_changes.log

sorule_path=/etc/snort/snort_dynamicrules/

snort_path=/sbin/snort

config_path=/etc/snort/snort.conf

distro=RHEL-8-0

black_list=/etc/snort/rules/iplists/default.blacklist

IPRVersion=/etc/snort/rules/iplists

snort_control=/usr/bin/snort_control

snort_version=2.9.14.1

disablesid=/etc/snort/pulledpork/disablesid.conf

enablesid=/etc/snort/pulledpork/enablesid.conf

version=0.8.0

EOT

3.11 PulledPork 無効ルールファイルを作成

# /bin/cat << EOT >/etc/snort/pulledpork/disablesid.conf
EOT

1 2	# /bin/cat << EOT >/etc/snort/pulledpork/disablesid.conf EOT

3.12 PulledPork スクリプトを実行

# /usr/local/bin/pulledpork.pl -W -P -c /etc/snort/pulledpork/pulledpork.conf

1	# /usr/local/bin/pulledpork.pl -W -P -c /etc/snort/pulledpork/pulledpork.conf

3.13 Snort しきい値ファイルをビルド

# /bin/cat << EOT >>/etc/snort/threshold.conf
#suppress gen_id 119, sig_id 14
EOT

# /bin/cat << EOT >>/etc/snort/threshold.conf

#suppress gen_id 119, sig_id 14

EOT

3.14 ローカルルールファイルをビルド

# /bin/cat << EOT >/etc/snort/rules/local.rules
# ------------
# LOCAL RULES
# ------------
#
EOT

# /bin/cat << EOT >/etc/snort/rules/local.rules

# ------------

# LOCAL RULES

# ------------

EOT

3.15 キャプチャフィルタファイルをビルド

# /bin/cat << EOT >/etc/snort/filter.bpf
( net 192.168.0.0/24 or net fdaa:0:0:0::/60 )
EOT

# /bin/cat << EOT >/etc/snort/filter.bpf

( net 192.168.0.0/24 or net fdaa:0:0:0::/60 )

EOT

3.16 ipvar インクルードファイルをビルド

# /bin/cat << EOT >/etc/snort/ipvar.conf
ipvar NETWORK [192.168.0.0/24,fdaa:0:0:0::/60]
#
ipvar REAL_NET [192.168.1.10/32,fdaa:0:0:0::a/128]
#
ipvar HOME_NET [\$REAL_NET]
#
ipvar DARK_NET [!\$HOME_NET]
#
ipvar EXTERNAL_NET [!\$HOME_NET]
#
ipvar DNS_SERVERS \$HOME_NET
ipvar SMTP_SERVERS \$HOME_NET
ipvar HTTP_SERVERS \$HOME_NET
ipvar SQL_SERVERS \$HOME_NET
ipvar TELNET_SERVERS \$HOME_NET
ipvar SSH_SERVERS \$HOME_NET
ipvar FTP_SERVERS \$HOME_NET
ipvar SIP_SERVERS \$HOME_NET
#
ipvar DRK_IGNORE_SRC [10.1.1.1/32]
ipvar DRK_IGNORE_DST [192.168.0.1/32]
#
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,
205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
EOT

# /bin/cat << EOT >/etc/snort/ipvar.conf

ipvar NETWORK [192.168.0.0/24,fdaa:0:0:0::/60]

ipvar REAL_NET [192.168.1.10/32,fdaa:0:0:0::a/128]

ipvar HOME_NET [\$REAL_NET]

ipvar DARK_NET [!\$HOME_NET]

ipvar EXTERNAL_NET [!\$HOME_NET]

ipvar DNS_SERVERS \$HOME_NET

ipvar SMTP_SERVERS \$HOME_NET

ipvar HTTP_SERVERS \$HOME_NET

ipvar SQL_SERVERS \$HOME_NET

ipvar TELNET_SERVERS \$HOME_NET

ipvar SSH_SERVERS \$HOME_NET

ipvar FTP_SERVERS \$HOME_NET

ipvar SIP_SERVERS \$HOME_NET

ipvar DRK_IGNORE_SRC [10.1.1.1/32]

ipvar DRK_IGNORE_DST [192.168.0.1/32]

ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,

205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

EOT

3.17 Snort 構成ファイル編集

# /bin/sed -i "s/^ipvar/#ipvar/" /etc/snort/snort.conf
/bin/sed -i '/protecting/i include ipvar.conf' /etc/snort/snort.conf
/bin/sed -i "s/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/" /etc/snort/snort.conf
/bin/sed -i "s/SO_RULE_PATH ..\/so_rules/SO_RULE_PATH \/etc\/snort\/so_rules/" /etc/snort/snort.conf
/bin/sed -i "s/PREPROC_RULE_PATH ..\/preproc_rules/PREPROC_RULE_PATH \/etc\/snort\/preproc_rules/" /etc/snort/snort.conf
/bin/sed -i "s/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/BLACK_LIST_PATH ..\/rules/BLACK_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/white_list.rules/default.whitelist/" /etc/snort/snort.conf
/bin/sed -i "s/black_list.rules/default.blacklist/" /etc/snort/snort.conf
/bin/sed -i "s/^dynamicdetection/#dynamicdetection/" /etc/snort/snort.conf
/bin/sed -i "s/^preprocessor normalize/#preprocessor normalize/" /etc/snort/snort.conf
/bin/sed -i "s/^# preprocessor sfportscan/preprocessor sfportscan/" /etc/snort/snort.conf
/bin/sed -i "s/memcap { 10000000/memcap { 20000000/" /etc/snort/snort.conf
/bin/sed -i "s/server_ports { 22/server_ports { 22 5224/" /etc/snort/snort.conf
/bin/sed -i "s/sensitive_data: alert_threshold 25/sensitive_data: alert_threshold 50/" /etc/snort/snort.conf
/bin/sed -i '/^# syslog/a output alert_fast: \/var\/log\/snort\/alert' /etc/snort/snort.conf
/bin/sed -i '/^# pcap/a output log_tcpdump: \/var\/log\/snort\/pcap\/snort.pcap' /etc/snort/snort.conf
/bin/sed -i "s/^include \$RULE_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf
/bin/sed -i '/site specific rules/a include $RULE_PATH\/snort.rules' /etc/snort/snort.conf

# /bin/sed -i "s/^ipvar/#ipvar/" /etc/snort/snort.conf

/bin/sed -i '/protecting/i include ipvar.conf' /etc/snort/snort.conf

/bin/sed -i "s/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/" /etc/snort/snort.conf

/bin/sed -i "s/SO_RULE_PATH ..\/so_rules/SO_RULE_PATH \/etc\/snort\/so_rules/" /etc/snort/snort.conf

/bin/sed -i "s/PREPROC_RULE_PATH ..\/preproc_rules/PREPROC_RULE_PATH \/etc\/snort\/preproc_rules/" /etc/snort/snort.conf

/bin/sed -i "s/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf

/bin/sed -i "s/BLACK_LIST_PATH ..\/rules/BLACK_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf

/bin/sed -i "s/white_list.rules/default.whitelist/" /etc/snort/snort.conf

/bin/sed -i "s/black_list.rules/default.blacklist/" /etc/snort/snort.conf

/bin/sed -i "s/^dynamicdetection/#dynamicdetection/" /etc/snort/snort.conf

/bin/sed -i "s/^preprocessor normalize/#preprocessor normalize/" /etc/snort/snort.conf

/bin/sed -i "s/^# preprocessor sfportscan/preprocessor sfportscan/" /etc/snort/snort.conf

/bin/sed -i "s/memcap { 10000000/memcap { 20000000/" /etc/snort/snort.conf

/bin/sed -i "s/server_ports { 22/server_ports { 22 5224/" /etc/snort/snort.conf

/bin/sed -i "s/sensitive_data: alert_threshold 25/sensitive_data: alert_threshold 50/" /etc/snort/snort.conf

/bin/sed -i '/^# syslog/a output alert_fast: \/var\/log\/snort\/alert' /etc/snort/snort.conf

/bin/sed -i '/^# pcap/a output log_tcpdump: \/var\/log\/snort\/pcap\/snort.pcap' /etc/snort/snort.conf

/bin/sed -i "s/^include \$RULE_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf

/bin/sed -i '/site specific rules/a include $RULE_PATH\/snort.rules' /etc/snort/snort.conf

3.18 Snortサービスの作成

# /bin/cat << EOT >/usr/lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -F /etc/snort/filter.bpf -u snort -g snort --pid-path /var/log/snort --no-interface-pidfile --nolock-pidfile
ExecStop=/bin/kill -9 $MAINPID
PrivateTmp=true
PidFile=/var/log/snort/snort.pid

[Install]
WantedBy=multi-user.target
EOT

# /bin/cat << EOT >/usr/lib/systemd/system/snort.service

[Unit]

Description=Snort NIDS Daemon

After=syslog.target network.target

[Service]

Type=simple

ExecStart=/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -F /etc/snort/filter.bpf -u snort -g snort --pid-path /var/log/snort --no-interface-pidfile --nolock-pidfile

ExecStop=/bin/kill -9 $MAINPID

PrivateTmp=true

PidFile=/var/log/snort/snort.pid

[Install]

WantedBy=multi-user.target

EOT

# systemctl enable --now snort

1	# systemctl enable --now snort

3.19 Snort ログローテーション構成ファイルを作成

# /bin/cat << EOT >/etc/logrotate.d/snort
/var/log/snort/alert
{
weekly
rotate 13
missingok
compress
sharedscripts
postrotate
/bin/systemctl restart snort 1>/dev/null || true
endscript
}
EOT

# /bin/cat << EOT >/etc/logrotate.d/snort

/var/log/snort/alert

{

weekly

rotate 13

missingok

compress

sharedscripts

postrotate

/bin/systemctl restart snort 1>/dev/null || true

endscript

}

EOT

3.20 Snort ルール更新スクリプトを作成

# mkdir /script

1	# mkdir /script

# /bin/cat <<\EOT >/script/snort_update.sh
#!/bin/bash
#
# snort_update.sh
# Snort signature update script
#
# Command Variables
CONF=/etc/snort/pulledpork/pulledpork.conf
LOGDIR=/var/log/snort
PULL=/usr/local/bin/pulledpork.pl
SYSTEMCTL=/bin/systemctl
#
$PULL -W -P -c /etc/snort/pulledpork/pulledpork.conf
$SYSTEMCTL restart snort
#
# Cleanup
cd $LOGDIR
/bin/ls -t $LOGDIR | /bin/grep "alert\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
cd $LOGDIR/pcap
/bin/ls -t $LOGDIR/pcap | /bin/grep "snort\.pcap\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
#
exit
EOT

# /bin/cat <<\EOT >/script/snort_update.sh

#!/bin/bash

# snort_update.sh

# Snort signature update script

# Command Variables

CONF=/etc/snort/pulledpork/pulledpork.conf

LOGDIR=/var/log/snort

PULL=/usr/local/bin/pulledpork.pl

SYSTEMCTL=/bin/systemctl

$PULL -W -P -c /etc/snort/pulledpork/pulledpork.conf

$SYSTEMCTL restart snort

# Cleanup

cd $LOGDIR

/bin/ls -t $LOGDIR | /bin/grep "alert\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1

cd $LOGDIR/pcap

/bin/ls -t $LOGDIR/pcap | /bin/grep "snort\.pcap\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1

exit

EOT

# chmod 700 /script/snort_update.sh

1	# chmod 700 /script/snort_update.sh

3.21 Snort ルール更新スクリプト定期実行

# crontab -l | { cat; echo "0 0 * * 1-5 /script/snort_update.sh >/dev/null 2>&1"; } | crontab -

1	# crontab -l \| { cat; echo "0 0 * * 1-5 /script/snort_update.sh >/dev/null 2>&1"; } \| crontab -

ページのトップへ

1.サーバー構築の前準備 Tripwire インストール

1.1ダウンロード、インストール

1-2.初期設定

1-3.Tripwire の設定

1-4.Tripwire 設定ファイル(暗号署名版)を作成

1-5.ポリシーファイル設定

1-6.ポリシーファイル最適化

1-7.ポリシーファイル(暗号署名版)作成

1-8.データベースを作成、動作確認

1-9.Tripwire 定期実行スクリプト

2.サーバー構築の前準備 chkrootkit インストール

2.1chkrootkit をダウンロード、インストール

2.2 chkrootkit を確認

2.3 chkrootkit 定期実行スクリプトの作成と権限変更

3.サーバー構築の前準備 SNORT インストール

3.1 必要なライブラリーをインストール

3.2 DAQをインストール

3.3 Snort OpenAppIDをインストール

3.4 RPC libraryを使用するため仮release fileインストール

3.5 SNORTをダウンロード、インストール

3.6 3.3でインストールした仮release file を削除

3.7 SNORTユーザー、グループ作成

3.8 SNORTディレクトリー、ルールファイル作成

3.9 PulledPork ルール管理ポリシー

3.10 PulledPork 構成ファイルをビルド

3.11 PulledPork 無効ルールファイルを作成

3.12 PulledPork スクリプトを実行

3.13 Snort しきい値ファイルをビルド

3.14 ローカルルールファイルをビルド

3.15 キャプチャフィルタファイルをビルド

3.16 ipvar インクルード ファイルをビルド

3.17 Snort 構成ファイル編集

3.18 Snortサービスの作成

3.19 Snort ログローテーション構成ファイルを作成

3.20 Snort ルール更新スクリプトを作成

3.21 Snort ルール更新スクリプト定期実行

1.サーバー構築の前準備　Tripwire インストール

2.サーバー構築の前準備　chkrootkit インストール

3.サーバー構築の前準備　SNORT インストール

3.16 ipvar インクルードファイルをビルド