Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

Debian10.13 ; SNORT2 , Tripwire

1.SNORT2 Install

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

1.1 Install

①Required library installation

②working directory creation

③Download and install Daq
Download the latest DAQ source package from the Snort Web site using the wget command. If newer sources are available, replace the version number in the command

④Download and install SNORT

1.2 Setting up users and folder structure

To run Snort securely without root access, you will need to create a new unprivileged user and a new user group to run the daemon

Create the following files

1.3 Setting up the configuration file

Copy all files to the configuration directory.

1.4 Use of Community Rules

Get freely available community rules.

①Retrieve community rules and copy them to the configuration folder

②Comment out unnecessary lines at once

1.5 Retrieving Registered User Rules

By registering for free on the website, you will have access to an Oink code that will allow you to download the registered user rule set.

①Get Oinkcode
Once registered on the Snort website, you can download registered user rules using an Oink code; the Oink code is located in your Snort user account details.
②Download Registered User Rules
Replace the "oinkcode" section below with the code obtained above.

③Extract rules to configuration directory

1.6 Configuration of network sets and rule sets

①Edit snort.conf

Editorial content

Line 45 : to match your server's environment
Setup the network addresses you are protecting
ipvar HOME_NET

Line 48 :
Set up the external network addresses. Leave as "any" in most situations

Line 104-106 : Comment out and add the following
Path to your rules files (this can be a relative path)
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Line 113,114 : Comment out and add the following
Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Scroll down to Step #6 and configure unified2 output to log with the file name snort.log as follows
Per Line 522 : add
#Recommended for most installs
#output unified2: filename merged.log, limit 128, nostamp, mpls_event_types , vlan_event_types
output unified2: filename snort.log, limit 128

Finally, scroll to the bottom of the file to find the list of rule sets included; you will need to uncomment local.rules to allow Snort to read your custom rules.
Per line 546.
include $RULE_PATH/local.rules
If you are using community rules, add them immediately below the local.rules line.
include $RULE_PATH/community.rules

②Verification of settings
Use parameter -T to test configuration and enable test mode

If you get a "file not found" error, copy the file with the error to /etc/snort/rules
In our case, we got the following file error

If an invalid error occurs, do the following


When executed, a message similar to the following example will be displayed

--== Initialization Complete ==--
,,_ -> Snort! <-
o" )~ Version 2.9.20 GRE (Build 82)
'''' By Martin Roesch & The Snort Team:
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.1
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2
Preprocessor Object: SF_DCERPC2 Version 1.0
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: appid Version 1.1
Preprocessor Object: SF_SDF Version 1.1
Preprocessor Object: SF_POP Version 1.0
Preprocessor Object: SF_GTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.2
Preprocessor Object: SF_SIP Version 1.1
Preprocessor Object: SF_IMAP Version 1.0
Preprocessor Object: SF_MODBUS Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_DNP3 Version 1.1
Preprocessor Object: SF_REPUTATION Version 1.1
Preprocessor Object: SF_S7COMMPLUS Version 1.0

Total snort Fixed Memory Cost - MaxRss:825912
Snort successfully validated the configuration!
Snort exiting

1.7 Configuration Testing

To test if Snort is logging alerts as intended, add a custom detection rule alert for incoming ICMP connections to the local.rules file

test run

Rewrite "eno1" to your own network interface.
If you leave the terminal in this state and ping this server from another PC on the same network (e.g. Windows), the terminal running Snort will display the following notification for each ICMP call

Commencing packet processing (pid=36794)
02/11-14:56:50.751093 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:50.751128 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:51.838246 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:51.838298 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:52.934644 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:52.934717 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:54.037295 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->
02/11-14:56:54.037343 [] [1:10000001:1] ICMP test [] [Priority: 0] {ICMP} ->

Snort logs alerts to a log under /var/log/snort/. The log can be read with the following command

1.8 Run Snort in the background

Add a new Snort startup script to run Snort as a service

Script Contents
Each "eno1" is tailored to its own environment.

Reflecting settings and startup

2.Tripwire Install

Implement a system to detect file tampering on Linux servers by crackers.
This time, Tripwire, a host-based IDS (IDS=Intrusion Detection System), will be installed as the file tampering detection system.
Tripwire detects file additions/changes/deletions by creating a database of file status at the time of installation and comparing the database with the current status of the file.

2.1 Installation and Configuration

①Site Key Creation
Tripwire requires the site passphrase to secure the "tw.cfg" tripwire configuration file and the "tw.pol" tripwire policy file.
Encrypt both files using the specified passphrase. The site passphrase is also required for a single instance of tripwire.

②local key passphrase
A local passphrase is required to protect the tripwire database and report file; a local key used by tripwire to avoid unauthorized modification of the tripwire baseline database.

③tripwire configuration path
The tripwire configuration is stored in the file /etc/tripwire/twcfg.txt. It is used to generate the encrypted configuration file tw.cfg.

④tripwire policy path
tripwire stores policies in the file /etc/tripwire/twpol.txt. This is used to generate the encrypted policy file tw.pol used by tripwire.

⑤Enter site key passphrase

Asked to enter the site key passphrase again

⑥Enter local key passphrase

⑦You will be asked to enter the local key passphrase again.

⑧Installation will proceed and complete.

2.2 Configuration File Settings

①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) is detailed below. The paths to the encrypted policy file (tw.pol), site key (site.key), and local key (hostname local.key), etc. are as follows

2.3 Initial setup including key creation, database creation, etc.

①Edit twcfg.txt

② configuration file generation

③ Optimize policies
Use the following policy optimization scripts to optimize your policy

Policy Optimization Script Contents

④Database Creation

If an error occurs during the process, rerun with the "--verbose" option.

View the progress and check the files that stop with errors. In our environment, it stopped at Snort-related files.

Paths and files expected to stop
After granting ownership and permissions to the above file, run the following again

2.4 Perform checks

①Create test files

②Check Tripwire operation

If successful, the following display appears

Delete the test file.

2.5 Tripwire Auto-Run

①Create an auto-execution script ( and have it run automatically

Contents of auto-execute script (

Give execute permission and execute periodically by Cron.

Reference: Script for reporting results by e-mail

Copied title and URL