Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

Debian11.5 ; SNORT2 , Tripwire Install

1.Install SNORT2

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

1.1 Install

①Required library installation

②working directory creation

③Download and install Daq
Download the latest DAQ source package from the Snort Web site using the wget command. If newer sources are available, replace the version number in the command

https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz

Download and install SNORT

1.2 Setting up users and folder structure

To run Snort securely without root access, you will need to create a new unprivileged user and a new user group to run the daemon

Create the following files

1.3 Setup of configuration files

Copy all files to the configuration directory.

1.4 Use of Community Rules

Get freely available community rules.

①Retrieve community rules and copy them to the configuration folder

②Comment out unnecessary lines at once

1.5 Retrieving Registered User Rules

By registering for free on the website, you will have access to an Oink code that will allow you to download the registered user rule set.

①Get Oinkcode
Register as a user at the official Snort website to obtain the Oinkcode needed to obtain community rules.
Register as a user at the official Snort website to download the latest rules file.

Accessed at https://www.snort.org/

Click on "Sign in"

Click on "Sign up"

Enter "Email", "Passsword", and "Password confirmation", then click "Sign up".

If "Sign up" is successful, you will receive the following email to your registered email add

Enter your registered information and log in

Click on "Oinkcodes" and save "Oinkcode" separately.

②Download Registered User Rules
Replace the "oinkcode" section below with the code obtained above.

③Extract rules to configuration directory

1.6 Configuration of network sets and rule sets

①Edit snort.conf

Editorial content

②Verification of settings

Use parameter -T to test configuration and enable test mode

If you get a "file not found" error, copy the file with the error to /etc/snort/rules
In our case, we got the following file error

If an invalid error occurs, do the following

again

When executed, a message similar to the following example is displayed

1.7 Configuration Testing

To test if Snort is logging alerts as intended, add a custom detection rule alert for incoming ICMP connections to the local.rules file

test run

Rewrite "eno1" to your own network interface.
If you leave the terminal in this state and ping this server from another PC on the same network (e.g. Windows), the terminal running Snort will display the following notification for each ICMP call

Snort logs alerts to a log under /var/log/snort/. The log can be read with the following command

1.8 Run Snort in the background

Add a new Snort startup script to run Snort as a service

Script Contents
Each "eno1" is tailored to its own environment.

Reflecting settings and starting up

2.Install Tripwire

Implement a system to detect file tampering on Linux servers by crackers.
This time, Tripwire, a host-based IDS (IDS=Intrusion Detection System), will be installed as the file tampering detection system.
Tripwire creates a database of file status at the time of installation, and detects file additions/changes/deletions by comparing the database with the current status of the file.

2.1 Installation and Configuration

①Site Key Creation
Tripwire requires a site passphrase to secure the "tw.cfg" tripwire configuration file and the "tw.pol" tripwire policy file. The specified passphrase is used to encrypt both files. The site passphrase is also required for a single instance of tripwire.

②local key Creation
A local passphrase is required to protect the tripwire database and report files; a local key used by tripwire to avoid unauthorized modification of the tripwire baseline database.

③Installation proceeds and completes.

2.2 Configuration File Settings

①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) is detailed below. The paths to the encrypted policy file (tw.pol), site key (site.key), and local key (hostnamelocal.key), etc. are as follows

2.3 Initial setup including key creation, database creation, etc.

①Edit twcfg.txt

② configuration file generation
③ Optimize policies
Use the following policy optimization scripts to optimize your policy
Policy Optimization Script Contents

④Database Creation
If it stops with an error on the way, reexecute with the "--verbose" option.
View the progress and check the files that stop with errors. In our environment, it stopped at Snort-related files.
Paths and files expected to stop
/etc/snort/etc
/etc/snort/preproc_rules
/etc/snort/rules
/etc/snort/so_rules
/root/community-rules
After granting ownership and permissions to the above file, run the following again

2.4 Perform checks

①Create test files
②Check Tripwire operation
If successful, the following display appears

Delete the test file.

2.5 Tripwire Autorun

①Create an auto-execution script (tripwire.sh) and have it run automatically

Contents of auto-execute script (tripwire.sh)

②Give execute permission and execute periodically by Cron.

Reference: Script for reporting results by e-mail

Copied title and URL