AlmaLinux 8.8: Snort3 + SnortSnarf, chkrootkit Install

Snort3 + SnortSnarf Install

Install Snort, a network-based IDS, as the unauthorized access detection system.
SnortSnarf will also be installed so that the unauthorized access logs extracted by Snort can be checked in a web browser.
AlmaLinux 8 does not have a Snort3 repository, so build and install Snort3 from source code.

Advance preparation

①Install required build tools and libraries

Install the EPEL repository and enable the Powertools repository.

②Create a working directory for the Snort3 installation

③Download and install DAQ

Tcmalloc Install
Install gperftools to improve speed when memory usage increases.

Snort3 Download Install

①Download, compile, and install Snort3

②Update shared libraries

Configure Snort3

①Network Interface Card Configuration

Disable interface offloading so that Snort does not truncate packets larger than 1518 bytes.
Check the current status

GRO and LRO are turned on, so disable them.

Create and enable a systemd service so that the change takes effect again after a system reboot

Contents of snort3-promisc.service

②Configure rule sets
This time, use the community rules.

Create the Snort rules directory

③Download the Snort 3 Community Rules from the Snort 3 download page
Extract the rules and copy them to the configuration folder

④Edit Main Configuration File

⑤Update path to rules

⑥OpenAppID install
Download and install Snort OpenAppID from the Snort 3 download page.
Replace the version number with the latest one.

⑦Create the Snort log directory

⑧Check configuration files

⑨Create custom local rules

Next, run the test by executing the following command

When pinging this server from another PC in the same local network, an alert line is written on the console screen of this server as shown below.

⑩Settings for writing to log files

An alert_fast.txt file is created in the log directory

Perform syntax check

When I pinged the server again from another PC in the same network, this time nothing appeared on the console screen, but checking the log directory, an alert_fast.txt file had been created.
To check the alert_fast.txt file

⑪Include local rules in snort.lua

Run Snort in the background

①Create a non-login system user account for Snort

②Create systemd service unit for Snort

Enter the following contents

Reload systemd configuration

Set ownership and permissions for log files

③Enable Snort to start and run at system startup

Set up log rotation

①Create the configuration file

②Test (force execution with the -f option)

Check the log file

Snortsnarf Install

①Advance preparation
Install Perl Time-modules

CPAN installation

②Download and install SnortSnarf

③Edit configuration files, etc.

④Create the output directory for analysis results

⑤Access control for the analysis results

⑥Execution and confirmation

Access http://[server IP]/snortsnarf/ with a browser, and you should see the following screen

chkrootkit Install

Download and install chkrootkit

Create /root/bin directory and move chkrootkit command to that directory

Run a check with chkrootkit.

Searching for Linux.Xor.DDoS … INFECTED: Possible Malicious Linux.Xor.DDoS installed
If the above message appears, there may be an executable file under /tmp.
When I checked the files under /tmp, I found a file "ks-script-xxx", so I deleted it and reexecuted the file.
INFECTED disappeared.

Create a script for periodic chkrootkit execution and change its permissions
Create the chkrootkit execution script in a directory whose scripts are run automatically every day

Contents of the chkrootkit script

Add execute permission to the chkrootkit execution script

④Securing commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkits will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed-up commands.

Create the destination directory for saving the commands chkrootkit uses

Copy the commands chkrootkit uses to the destination directory

Run chkrootkit using the saved commands

Compress the directory of saved commands and delete the directory

Send the compressed archive of saved commands to root by e-mail

Delete the compressed archive of saved commands
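
The backup of chkrootkit's commands described above can be paired with a tamper check. The following is an added example, not code from the original page: it copies the binaries into a protected directory and records SHA-256 hashes of the live binaries so that later changes are detected. The function names, the destination directory and the command list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, DEST and the
# command list are assumptions supplied by the caller.

# find_bin NAME: print the first executable file called NAME on $PATH.
# Walks $PATH itself so shell builtins (echo) resolve to the on-disk binary.
find_bin() {
    _old_ifs=$IFS; IFS=:
    for _d in $PATH; do
        if [ -f "$_d/$1" ] && [ -x "$_d/$1" ]; then
            IFS=$_old_ifs; printf '%s\n' "$_d/$1"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# snapshot_cmds DEST CMD...: copy each binary into DEST (mode 700) and record
# "sha256  path" of the live binary in DEST/MANIFEST.
snapshot_cmds() {
    _dest=$1; shift
    mkdir -p "$_dest" && chmod 700 "$_dest" || return 1
    : > "$_dest/MANIFEST"
    for _c in "$@"; do
        _src=$(find_bin "$_c") || { echo "not found: $_c" >&2; return 1; }
        cp -p "$_src" "$_dest/$_c" || return 1
        sha256sum "$_src" >> "$_dest/MANIFEST" || return 1
    done
}

# verify_cmds DEST: re-hash the live binaries listed in DEST/MANIFEST.
# Prints "<path>: FAILED" for each changed binary and returns non-zero.
verify_cmds() {
    sha256sum --check --quiet "$1/MANIFEST"
}

# Typical use on the server (run as root; the directory is a placeholder and
# the command list is an example to adjust to your chkrootkit version):
#   snapshot_cmds /root/chkrootkit-cmds awk cut egrep find head id ls netstat ps sed strings uname
#   verify_cmds /root/chkrootkit-cmds || chkrootkit -p /root/chkrootkit-cmds
```

Keep a copy of MANIFEST off the host together with the mailed archive, since a manifest stored only on the server can be rewritten by whoever replaced the binaries.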
