1. SNORT installation
Install an IDS (Intrusion Detection System) to detect unauthorized access by crackers.
We will install Snort, a representative of open source network IDS.
1.1 SNORT installation
①Install
# apt install snort
②Configure Snort to run in NIDS mode.
Snort has to be configured before it is useful: this means editing some of the configuration files, downloading the rules Snort matches traffic against, and running Snort in test mode to validate the result.
Update the shared library cache with the command below.
# ldconfig
1.2 Set up user names and folder structure
To safely run Snort in Debian without root access, you will need to create a new unprivileged user and a new user group to run the daemon.
# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Then create the folder structure that houses the Snort configuration (the commands below can be copied as they are):
# mkdir -p /etc/snort/rules
# mkdir -p /var/log/snort
# mkdir -p /usr/lib/snort_dynamicrules
Some of these directories already exist after installation; in that case only their permissions and ownership need to be changed.
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/lib/snort_dynamicrules

# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/lib/snort_dynamicrules
Create the following files:
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
1.3 Setting up detection rules
①Use of community rules
Get the community rules:
# wget https://www.snort.org/rules/community -O ~/community.tar.gz
Extract the rules and copy them to the configuration folder:
# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
Comment out the existing rule include lines; the includes that are actually needed are added back in section 1.4.
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
②Get registered user rules
You can register on the Snort website. Once registered, you can use an Oink code to download the registered user rules. The code can be found in your Snort user account details.
Replace <oinkcode> with your personal code in the following command (the URL is quoted so that the shell does not interpret the "?" and "<" characters):
# wget "https://www.snort.org/downloads/registered/snortrules-snapshot-29130.tar.gz?oinkcode=<oinkcode>" -O ~/registered.tar.gz
Extract the rules into the configuration directory:
# tar -xvf ~/registered.tar.gz -C /etc/snort
1.4 Configure the network and rule sets
After deploying the configuration file and rule file, edit snort.conf.
# vi /etc/snort/snort.conf

Find the following section and change it as follows:

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.82/32   ← 192.168.11.82 is the local IP of the server in this example

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Scroll down to Step #6:

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Scroll to the bottom of the file:

include $RULE_PATH/local.rules

Add the community rules if you are using them:

include $RULE_PATH/community.rules
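The settings above are easy to get wrong silently: snort -T (section 1.5) reports syntax errors, but it accepts HOME_NET left at "any" or a missing include as perfectly valid. The following shell script is an added example, not part of this guide or of the Snort project: it greps a snort.conf for the four settings this section changes and counts the ones that are still missing. The function name check_snort_conf and the two sample configuration files it writes to a temporary directory (one with the shipped defaults, one edited as above) are constructed for the example.

```shell
#!/bin/sh
# check_snort_conf FILE: report snort.conf settings that section 1.4 changes
# but that snort -T does not complain about. Prints one line per finding and
# returns the number of findings, so 0 means the file passed every check.
check_snort_conf() {
    conf=$1
    n=0
    # HOME_NET "any" makes every $HOME_NET rule match all traffic, so the
    # inbound/outbound distinction the rules rely on is lost.
    if ! grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+' "$conf" \
       || grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "HOME_NET is unset or 'any'; set it to the protected address range"
        n=$((n + 1))
    fi
    # EXTERNAL_NET should exclude HOME_NET, otherwise traffic between two
    # internal hosts is treated as coming from outside.
    if ! grep -Eq '^ipvar[[:space:]]+EXTERNAL_NET[[:space:]]+!\$HOME_NET[[:space:]]*$' "$conf"; then
        echo "EXTERNAL_NET is not !\$HOME_NET"
        n=$((n + 1))
    fi
    # Without a unified2 output line nothing is written to /var/log/snort.
    if ! grep -Eq '^output[[:space:]]+unified2:' "$conf"; then
        echo "no unified2 output configured; alerts will not be logged to disk"
        n=$((n + 1))
    fi
    # local.rules holds the site's own signatures (the ICMP test rule in 1.6).
    if ! grep -Eq '^include[[:space:]]+\$RULE_PATH/local\.rules' "$conf"; then
        echo "local.rules is not included"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files (not real snort.conf contents): a weak, as-shipped
# style configuration and one edited as in section 1.4. They are written to a
# temporary directory so the example runs anywhere; the directory is printed.
make_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
#include $RULE_PATH/local.rules
EOF
    cat > "$dir/hardened.conf" <<'EOF'
ipvar HOME_NET 192.168.11.82/32
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output unified2: filename snort.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
EOF
    echo "$dir"
}

# Demonstration run on the two constructed files; on a real system call
# check_snort_conf /etc/snort/snort.conf instead.
sample_dir=$(make_sample_confs)
for f in weak hardened; do
    echo "== $f.conf =="
    check_snort_conf "$sample_dir/$f.conf" || echo "$? finding(s)"
done
```

The function deliberately only reads the file: it is safe to run on the live /etc/snort/snort.conf before restarting the service, and its return code can gate a deployment step in a script.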
1.5 Verify the configuration
Run Snort in test mode (-T) to validate the configuration:
# snort -T -c /etc/snort/snort.conf
When the configuration test succeeds, the output ends with a message similar to the following:

--== Initialization Complete ==--

,,_ -*> Snort! <*-
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0

Snort successfully validated the configuration!
1.6 Testing the configuration
To test if Snort is logging alerts, add a custom detection rule alert for incoming ICMP connections to the local.rules file.
# vi /etc/snort/rules/local.rules

Add the following to the end of the file:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

Select the network interface that carries the server's public IP address (eno1, eth1, etc.) and start Snort with alerts printed to the console:

# snort -A console -i <interface> -u snort -g snort -c /etc/snort/snort.conf
Leave the above command running and ping the server from another PC in the same network (e.g. a Windows machine). Snort prints a notification like the following for each ICMP packet:
07/12-11:20:33.501624 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202
When an alert appears, press Ctrl+C to stop Snort.
Snort records alerts in a log under /var/log/snort/snort.log.<timestamp>. The log can be read with the command below.
# snort -r /var/log/snort/snort.log.<id_number>
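Once the ICMP test works, the same -A console output becomes the raw material for triage. The script below is an added example, not part of this guide or of the Snort project: it parses alert lines of the format shown above into their fields (generator id, signature id, revision, priority, protocol, source, destination, message) and counts alerts per signature and address pair, so that a burst of alerts can be attributed to a rule and a host at a glance. The function names parse_alert and summarize_alerts, the constructed sid 10000002 and the sample alert lines (documentation-range addresses) are assumptions made for the example.

```shell
#!/bin/sh
# Parse the one-line alerts Snort prints with -A console and summarise them
# per signature and address pair.

# parse_alert LINE: prints "gid:sid:rev priority proto src dst msg" for a
# well-formed alert line and nothing for any other line (banner text, blank
# lines), so the output can be consumed field by field. The optional
# "[Classification: ...]" block that rules with a classtype add is skipped.
parse_alert() {
    printf '%s\n' "$1" | sed -nE \
        's/^[^ ]+ \[\*\*\] \[([0-9]+):([0-9]+):([0-9]+)\] (.*) \[\*\*\] (\[Classification: [^]]*\] )?\[Priority: ([0-9]+)\] \{([^}]+)\} ([^ ]+) -> ([^ ]+)$/\1:\2:\3 \6 \7 \8 \9 \4/p'
}

# summarize_alerts < LINES: count alerts per (signature, src, dst) and list the
# busiest combinations first, i.e. "which host is hitting which rule".
summarize_alerts() {
    while IFS= read -r line; do
        parse_alert "$line"
    done | awk '{ key = $1 " " $4 " -> " $5; count[key]++ }
                END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample output (not captured from a real sensor), in the same
# layout as the ICMP test alert in section 1.6; the first line is the kind of
# non-alert text that also appears on the console and must be ignored.
SAMPLE_ALERTS='--== Initialization Complete ==--
07/12-11:20:33.501624 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.0.2.10 -> 198.51.100.5
07/12-11:20:34.502001 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.0.2.10 -> 198.51.100.5
07/12-11:21:07.110431 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.0.2.77 -> 198.51.100.5
07/12-11:22:00.000000 [**] [1:10000002:1] TCP test [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.5:80 -> 198.51.100.5:51234'

# Demonstration: on a sensor, pipe the saved console output in instead, e.g.
#   summarize_alerts < console.log
printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts
```

Because parse_alert emits the message last, rule messages containing spaces survive the awk field split; the awk key uses the signature and the address pair, so for TCP and UDP alerts the ports stay part of the key and each client port shows up separately.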
1.7 Run Snort in the background.
Add a startup script for Snort to run the service in the background.
# vi /lib/systemd/system/snort.service

New file contents:

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eno1

[Install]
WantedBy=multi-user.target
Reload systemd so that it picks up the new unit, then start the service.
# systemctl daemon-reload
# systemctl start snort
Check the status of the service.
# systemctl status snort
2. Tripwire Installation
Tripwire is a host-based intrusion detection system (HIDS) for Linux environments. Its primary function is to detect and report unauthorized changes to files and directories. After installation, a baseline database is created; later checks compare the file system against it and report changes such as the addition of new files, modifications to existing files, and the users who modified them. If the changes are legitimate, you accept them to update the Tripwire database.
2.1 Install
# apt install tripwire
①Site key passphrase
Tripwire requires a site passphrase to protect the tripwire configuration file "tw.cfg" and the tripwire policy file "tw.pol". The passphrase you specify is used to encrypt both files. The site passphrase is also required for a single instance of tripwire.
②local key passphrase
A local passphrase is required to protect the tripwire database and report files; a local key used by tripwire to avoid unauthorized modification of the tripwire baseline database.
③tripwire configuration path
The tripwire configuration is stored in the /etc/tripwire/twcfg.txt file. It is used to generate the encrypted configuration file tw.cfg.
④tripwire Policy Path
tripwire stores its policies in the /etc/tripwire/twpol.txt file. This is used to generate the encrypted policy file tw.pol which is used by tripwire.
You will be asked to enter your site key passphrase again.
You will be asked to enter the local key passphrase again.
Installation will proceed.
2.2 Configuration file settings
①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) looks as follows. It holds the paths to the encrypted policy file (tw.pol), the site key (site.key), the local key ($(HOSTNAME)-local.key) and the remaining runtime settings:

ROOT =/usr/sbin   ← location of the executables
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd   ← database file
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/usr/bin/editor
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
SYSLOGREPORTING =true
MAILMETHOD =SMTP
SMTPHOST =localhost
SMTPPORT =25
TEMPDIRECTORY =/tmp
②Initial setup for key creation, database creation, etc.
# cd /etc/tripwire
# vi twcfg.txt

Line 9: add "#" to the beginning of the line and insert "LOOSEDIRECTORYCHECKING =true" below it. If this setting is false, deleting or changing a file in a monitored directory produces two warnings, one for the file and one for the change to the directory itself.

#LOOSEDIRECTORYCHECKING =false
LOOSEDIRECTORYCHECKING =true

Line 12: change as needed (report level: 4 is the maximum).

REPORTLEVEL =4
Generate the encrypted configuration file:
# cd /etc/tripwire
# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase: <Site key password>
Wrote configuration file: /etc/tripwire/tw.cfg
③Create a script that optimizes the policy file (it comments out rules for paths that do not exist on this host and sets HOSTNAME to the local host name).
# vi twpolmake.pl
Script contents
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;          # 1 while inside a "{ ... }" rule block

while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME variable to this host's name if it differs
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: "<path> -> <properties> ;" lines, optionally commented out
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;     # $ret > 0 if the line was commented out
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # Path missing on this host: comment the rule out (if not already)
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # Path exists: make sure the rule is active
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
Run the optimization and generate the encrypted policy file from the result:
# cd /etc/tripwire
# perl twpolmake.pl twpol.txt > twpol.txt.new
# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase: <Site key password>
Wrote policy file: /etc/tripwire/tw.pol
④Database creation
# tripwire -m i -s -c tw.cfg
Please enter your local passphrase: <local key password>
2.3 Check Tripwire operation
①Create a test file
# echo test > /root/test.txt
②Check Tripwire operation
# tripwire -m c -s -c /etc/tripwire/tw.cfg
The report looks like the following (excerpt):
Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by: root
===============================================================================
Host name: dlp.srv.world
===============================================================================
-------------------------------------------------------------------------------
Rule Name                       Severity Level    Added    Removed  Modified
Total objects scanned: 20051
===============================================================================
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Added:
===============================================================================
No Errors
-------------------------------------------------------------------------------
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
③Delete the test file
# rm -f /root/test.txt
2.4 Tripwire Autorun Script
①Script creation
# cd ~/
# vi tripwire.sh
Script contents
#!/bin/bash
#=========================================================================
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Set passphrase
# <...> are placeholders: replace them with the passphrases chosen at
# installation. They sit here in clear text, so the script must stay
# root-owned with mode 700 (see ② below).
LOCALPASS=<local key passphrase>
SITEPASS=<site key passphrase>

cd /etc/tripwire

# Run a Tripwire check (the report goes to stdout, which cron mails to root)
tripwire -m c -s -c tw.cfg

# Update policy files: print the current policy, re-run the optimizer from
# section 2.2 so paths that appeared or disappeared are handled, and sign it
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q "$SITEPASS" twpol.txt.new > /dev/null
rm -f twpol.txt twpol.txt.new

# Update the database: re-initialize the baseline against the new policy
tripwire -m i -s -c tw.cfg -P "$LOCALPASS"
②Give permissions and register with Cron
# chmod 700 tripwire.sh

# crontab -e

Add the following line (runs the script every day at 03:00):

0 3 * * * ~/tripwire.sh