Contents
- Install SNORT
- 1.Preliminary preparations
- 2. Download, compile, and install Snort.
- 3.Create grooves and users, and create necessary directories and files.
- 4.Use of community rules
- 5. Get registered user rules
- 6. Configure networks and rules
- 7. Verify the configuration
- 8. Test the configuration
- 9. Run Snort in the background.
- Install Tripwire
- Install chkrootkit
Install SNORT
1.Preliminary preparations
①Add the CodeReady Red Hat repository and install the required software
|
1 2 |
# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel # mkdir /var/src |
②Install DAQ
|
1 2 3 4 5 6 7 8 |
# cd /var/src # wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz # tar zxvf daq-2.0.7.tar.gz # cd daq-2.0.7 # autoreconf -f -i # ./configure # make # make install |
③Install Lua
|
1 2 3 4 5 6 |
# cd /var/src # wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz # tar -zxvf LuaJIT-2.0.5.tar.gz # cd LuaJIT-2.0.5 # make # make install |
④Create a fake release file
|
1 2 3 |
# /bin/cat << EOT >/etc/fedora-release Fedora release 28 (Rawhide) EOT |
2. Download, compile, and install Snort.
|
1 2 3 4 5 6 7 8 9 |
# cd /var/src # wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz # tar -zxvf snort-2.9.18.1.tar.gz # cd snort-2.9.18.1 # ./configure --enable-sourcefire # make # make install # ldconfig # ln -s /usr/local/bin/snort /usr/sbin/snort |
Remove the fake release file
|
1 |
# rm /etc/fedora-release |
3.Create grooves and users, and create necessary directories and files.
|
1 2 |
# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# mkdir /etc/snort # mkdir -p /etc/snort/rules # mkdir /var/log/snort # mkdir /usr/local/lib/snort_dynamicrules # mkdir /etc/snort/preproc_rules # chmod -R 5775 /etc/snort # chmod -R 5775 /var/log/snort # chmod -R 5775 /usr/local/lib/snort_dynamicrules # chown -R snort:snort /etc/snort # chown -R snort:snort /var/log/snort # chown -R snort:snort /usr/local/lib/snort_dynamicrules Create the following file # touch /etc/snort/rules/white_list.rules # touch /etc/snort/rules/black_list.rules # touch /etc/snort/rules/local.rules |
Set up the configuration files... Copy all files to the configuration directory.
|
1 2 |
# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort # cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort |
4.Use of community rules
①Get community rules
|
1 |
# wget https://www.snort.org/rules/community -O ~/community.tar.gz |
②Extract the rules and copy them to the configuration folder
|
1 2 |
# tar -xvf ~/community.tar.gz -C ~/ # cp ~/community-rules/* /etc/snort/rules |
There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.
Use the sed command to comment out unnecessary lines.
|
1 |
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf |
5. Get registered user rules
If you register on the Snort website, you can use an Oink code to download the registered user rules.
The Oink code can be found in your Snort user account details.
Replace oinkcode with your personal code in the following command.
The Oink code can be found in your Snort user account details.
Replace oinkcode with your personal code in the following command.
|
1 |
# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz |
Once the download is complete, extract the rules to the configuration directory
|
1 |
# tar -xvf ~/registered.tar.gz -C /etc/snort |
6. Configure networks and rules
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# vi /etc/snort/snort.conf ●Line 45 # Setup the network addresses you are protecting ipvar HOME_NET 192.168.11.0/24 ←Adapt to your own environment ●Line 48 # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET ●Line 104-106: Comment out and add below. # Path to your rules files (this can be a relative path) # var RULE_PATH ../rules # var SO_RULE_PATH ../so_rules # var PREPROC_RULE_PATH ../preproc_rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules ●Per line 116 :Comment out and add below. # Set the absolute path appropriately #var WHITE_LIST_PATH ../rules #var BLACK_LIST_PATH ../rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ●Per line526; add # unified2 # Recommended for most installs output unified2: filename snort.log, limit 128 ●Line 550: To allow custom rules to be loaded, local.rules needs to be uncommented include $RULE_PATH/local.rules ●If you are using community rules, also add the following line just below the local.rules line include $RULE_PATH/community.rules |
7. Verify the configuration
Use the parameter -T to test the configuration and enable the test mode
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
# snort -T -c /etc/snort/rules/snort.conf MaxRss at the end of detection rules:809420 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.18.1 GRE (Build 1005) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.9.1 (with TPACKET_V3) Using PCRE version: 8.45 2021-06-15 Using ZLIB version: 1.2.11 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1> Preprocessor Object: SF_DNS Version 1.1 <Build 4> Preprocessor Object: appid Version 1.1 <Build 5> Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> Preprocessor Object: SF_POP Version 1.0 <Build 1> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> Total snort Fixed Memory Cost - MaxRss:809420 Snort successfully validated the configuration! Snort exiting |
If an error occurs, copy the corresponding file to /etc/snort/rules.
In our case, the error occurred with the following files
In our case, the error occurred with the following files
|
1 2 3 4 |
# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules # cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules # cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules # cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/ |
If you get a unicode.map error
|
1 |
# cp /usr/local/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules |
8. Test the configuration
①To test if Snort is logging alerts, add a custom detection rule alert for incoming ICMP connections to the local.rules file.
|
1 2 3 |
# vi /etc/snort/rules/local.rules ●Add the following line to the last line alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) |
②Start Snort in the console and output the alert to stdout.
You need to select the correct network interface (e.g. eth0)
You need to select the correct network interface (e.g. eth0)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf With Snort up and running, perform a ping from another computer. The terminal where Snort is running will display the following notification for each ICMP call Commencing packet processing (pid=39981) 01/22-17:35:31.748180 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82 01/22-17:35:31.748233 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20 01/22-17:35:32.761756 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82 01/22-17:35:32.761786 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20 01/22-17:35:33.764377 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82 01/22-17:35:33.764408 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20 01/22-17:35:34.768669 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82 01/22-17:35:34.768699 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20 |
9. Run Snort in the background.
①Create a startup script for Snort.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# vi /lib/systemd/system/snort.service [Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 [Install] WantedBy=multi-user.target |
②After defining the service, reload and run the systemctl daemon
|
1 2 |
# systemctl daemon-reload # systemctl start snort |
Install Tripwire
1.Download and install
|
1 2 3 |
# cd /usr/local/src # wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm # rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm |
2.initialization
Set the site passphrase and local passphrase.
|
1 |
# tripwire-setup-keyfiles |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase". Verify the site keyfile passphrase: ←Enter any "Site Passphrase" again Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "Local Passphrase". Verify the local keyfile passphrase: ←Enter any "Local Passphrase" again Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ← Enter "Site Passphrase". Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ← Enter "Site Passphrase". Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~abbreviation~ default values from the current configuration file are used. |
3.Configuring Tripwire
①Edit configuration file
|
1 2 3 4 5 |
# vi /etc/tripwire/twcfg.txt ●Per line9 Add "#" to the beginning of the line and "LOOSEDIRECTORYCHECKING =true" to the line below it. ●Per line13 Add "#" to the beginning of the line, and add "REPORTLEVEL =4" to the line below it. |
②Create a Tripwire configuration file (cryptographically signed version)
|
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter the site passphrase you set. Wrote configuration file: /etc/tripwire/tw.cfg |
③Delete Tripwire configuration file (text version)
|
1 |
# rm -f /etc/tripwire/twcfg.txt |
④Policy file settings
|
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
Contents of twpolmake.pl
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
#!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # Copyright (C) 2003 Hiroaki Izumi # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤Policy file optimization
|
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑥Create a policy file (cryptographically signed version) based on the optimized policy file.
|
1 2 3 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter your site passphrase Wrote policy file: /etc/tripwire/tw.pol |
|
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter the local passphrase you set.Create a test file |
|
1 |
# echo test > /root/test.txt |
|
1 |
# tripwire -m c -s -c /etc/tripwire/tw.cfg |
|
1 |
# rm -f /root/test.txt |
⑧Tripwire Periodic Execution Script
|
1 2 |
# cd /var/www/system # vi tripwire.sh |
Contents of tripwire.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Set passphrase LOCALPASS= ←local passphrase SITEPASS= ←Site passphrase cd /etc/tripwire # Run a Tripwire check tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Update policy files twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database modernization rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
|
1 |
# chmod 700 tripwire.sh |
|
1 2 |
# crontab -e 0 3 * * * /var/www/system/tripwire.sh |
When running "/var/www/system/tripwire.sh" and it says there is no mail command
|
1 2 3 4 |
# dnf install mailx # systemctl start postfix # mail |
Install chkrootkit
①Download and install
|
1 2 3 |
# cd /usr/local/src # wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz # tar zxvf chkrootkit.tar.gz |
➁Create a /root/bin directory and move the chkrootkit command to that directory
|
1 2 |
# mkdir -p /root/bin # mv chkrootkit-0.55/chkrootkit /root/bin |
➂Check chkrootkit.
|
1 |
# chkrootkit | grep INFECTED |
④Create and change permissions of the chkrootkit regular execution script
|
1 |
# vi /etc/cron.daily/chkrootkit |
Contents of chkrootkit.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
#!/bin/bash LOG=/tmp/$(basename ${0}) chkrootkit > $LOG 2>&1 cat $LOG | logger -t $(basename ${0}) if [ ! -z "$(grep 465 $LOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $LOG fi if [ ! -z "$(grep Suckit $LOG)" ] && \ [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then sed -i '/Suckit/d' $LOG fi [ ! -z "$(grep INFECTED $LOG)" ] && \ grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" roo |
|
1 |
# chmod 700 /etc/cron.daily/chkrootkit |
⑤Securing the commands used by chkrootkit
If the command used by chkrootkit has been tampered with, rootkit will not be detected properly, so make a copy of the command used by chkrootkit and run chkrootkit using that command when necessary.
If the command used by chkrootkit has been tampered with, rootkit will not be detected properly, so make a copy of the command used by chkrootkit and run chkrootkit using that command when necessary.
chkrootkit use command save destination directory creation
|
1 |
# mkdir chkrootkitcmd |
|
1 |
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkitcmd/ |
|
1 |
# chkrootkit -p /root/chkrootkitcmd|grep INFECTED |
|
1 |
# zip -r chkrootkitcmd.zip chkrootkitcmd/ && rm -rf chkrootkitcmd |
|
1 2 |
# dnf install mailx # echo|mail -a chkrootkitcmd.zip -s chkrootkitcmd.zip root |
|
1 |
# rm -f chkrootkitcmd.zip |