
Debian10; SNORT, Tripwire installation

1. SNORT installation

Install an IDS (Intrusion Detection System) to detect unauthorized access by attackers.
We will install Snort, a representative open-source network IDS.

1.1 SNORT installation

①Install

②Configure Snort to run in NIDS mode.
You need to configure Snort on your system. This includes editing some of the configuration files, downloading the rules that Snort follows, and running Snort to test the setup.
Use the command below to update the shared library cache.

1.2 Set up user names and folder structure

To safely run Snort in Debian without root access, you will need to create a new unprivileged user and a new user group to run the daemon.

Then create the folder structure to house the Snort configuration; just copy over the commands below.

/etc/snort/rules
/var/log/snort
/usr/lib/snort_dynamicrules

These directories are created at installation time; afterwards, adjust their access permissions and ownership.

Create the following file

1.3 Setting up detection rules

①Use of community rules
Get community rules

Extract the rules and copy them to the configuration folder

Comment out unnecessary lines.

②Get registered user rules
You can register on the Snort website. Once registered, you can use an Oinkcode to download the registered user rules. The code can be found in your Snort user account details.
Replace oinkcode with your personal code in the following command.

Extract rules to configuration directory

1.4 Configure network settings and rule sets

After deploying the configuration file and rule file, edit snort.conf.

1.5 Verify the configuration

Run Snort in test mode to validate the configuration.

When you run the configuration test, you will see a message similar to the following example:

--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.1
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.8

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0
Preprocessor Object: SF_POP Version 1.0
Preprocessor Object: SF_MODBUS Version 1.1
Preprocessor Object: SF_DNP3 Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_DCERPC2 Version 1.0
Preprocessor Object: appid Version 1.1
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_GTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.2
Preprocessor Object: SF_IMAP Version 1.0
Preprocessor Object: SF_SDF Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_SIP Version 1.1
Preprocessor Object: SF_REPUTATION Version 1.1

Snort successfully validated the configuration!
Snort exiting

1.6 Testing the configuration

To test whether Snort is logging alerts, add a custom rule that alerts on incoming ICMP traffic to the local.rules file.

If you keep the above command "# snort -A console -i <interface name> -u snort -g snort -c /etc/snort/snort.conf" running and ping the server from another PC on the same network (e.g. a Windows machine), you will see the following notification for each ICMP packet.

07/12-11:20:33.501624 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202

When an alert appears, press Ctrl+C to stop Snort.

Snort records alerts in a log under /var/log/snort/snort.log.<timestamp>. The log can be read with the command below.
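As an added example (not part of the original page), a small Python parser for the console alert format shown above, which is useful when the -A console output is collected to a file for triage. The first sample line is the alert from this page; the second is a constructed TCP alert (RFC 5737 test addresses) showing how ports appear.

```python
import re
from collections import Counter

# Snort "fast"/console alert lines. The first is the line shown on this page;
# the second is constructed (RFC 5737 addresses) to show the ip:port form.
SAMPLE_ALERTS = [
    "07/12-11:20:33.501624 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202",
    "07/12-11:21:02.004431 [**] [1:10000002:1] SSH inbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def split_endpoint(ep):
    """'ip:port' -> (ip, port); a bare 'ip' (ICMP has no ports) -> (ip, None). IPv4 only."""
    ip, sep, port = ep.rpartition(":")
    return (ip, int(port)) if sep else (ep, None)

def parse_alert(line):
    """Parse one console alert line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "timestamp": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["pri"]), "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }

def count_by_rule(lines):
    """Alert volume per (sid, msg); skips lines that are not alerts (e.g. the startup banner)."""
    c = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            c[(a["sid"], a["msg"])] += 1
    return c

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_alert(line))
    print(count_by_rule(SAMPLE_ALERTS + ["Snort exiting"]))
```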

1.7 Run Snort in the background

Add a startup script for Snort to run the service in the background.

Reload the systemctl daemon.

Check the status of the service.

2. Tripwire Installation

Tripwire is a host-based intrusion detection system (IDS) for Linux environments. Its primary function is to detect and report unauthorized changes to files and directories. After installation, a baseline database is created; later checks are compared against it to detect changes such as newly added files, modified files, and the users who modified them. If the changes are legitimate, you accept them to update the Tripwire database.

2.1 Install

①Create a site key
Tripwire requires a site passphrase to secure the Tripwire configuration file "tw.cfg" and the policy file "tw.pol". The passphrase you specify is used to encrypt both files. The site passphrase is required even when only a single Tripwire instance is run.

②local key passphrase
A local passphrase is required to protect the Tripwire database and report files; the local key is used by Tripwire to prevent unauthorized modification of the baseline database.

③Tripwire configuration path
The Tripwire configuration is stored in the /etc/tripwire/twcfg.txt file. It is used to generate the encrypted configuration file tw.cfg.

④Tripwire policy path
Tripwire stores its policy in the /etc/tripwire/twpol.txt file. It is used to generate the encrypted policy file tw.pol, which Tripwire reads at run time.


You will be asked to enter the site key passphrase again.

You will be asked to enter the local key passphrase again.

Installation will proceed.

2.2 Configuration file settings

①Tripwire configuration file (twcfg.txt)
The Tripwire configuration file (twcfg.txt) is shown below. It defines the paths to the encrypted policy file (tw.pol), the site key (site.key), the local key (<hostname>-local.key), and so on.

②Initial setup for key creation, database creation, etc.

Configuration file generation

③Create a policy optimization script. It sets HOSTNAME to this machine's name and comments out policy entries whose paths do not exist on the system, so the first check does not report them as errors.

Script contents

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
# Reads a Tripwire policy file and prints an adjusted copy: the HOSTNAME
# variable is set to this machine's host name, and rule entries whose
# path does not exist (or is empty) on this system are commented out.
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
my($ret) ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the HOSTNAME variable with the real host name
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;     # entering a rule block
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;     # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is 1 if the entry was already commented out
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # Path missing or empty: comment the entry out (unless it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # Path exists: make sure the entry is active
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

Optimize.

④Database creation

2.3 Check Tripwire operation

①Create a test file

②Check Tripwire operation

The output will look like this:

Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by: root
Report created on: Thu Nov 29 19:04:52 2018
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: dlp.srv.world
Host IP address: 10.0.0.30
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/dlp.srv.world.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Other binaries                  66                0        0        0
Tripwire Binaries               100               0        0        0
Other libraries                 66                0        0        0
Root file-system executables    100               0        0        0
* Tripwire Data Files           100               1        0        0
System boot changes             100               0        0        0
Root file-system libraries      100               0        0        0
  (/lib)
Critical system boot files      100               0        0        0
Other configuration files       66                0        0        0
  (/etc)
Boot Scripts                    100               0        0        0
Security Control                66                0        0        0
Root config files               100               0        0        0
Devices & Kernel information    100               0        0        0
  (/dev)
Invariant Directories           66                0        0        0

Total objects scanned: 20051
Total violations found: 1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/dlp.srv.world.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/dlp.srv.world.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

③Delete the test file
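As an added example (not part of the original page), a Python parser that pulls the violation count, the rules flagged with "*", and the Added/Removed/Modified object lists out of a report like the one above, so periodic check output can be triaged automatically. The embedded sample is a trimmed excerpt of that report.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the integrity check report shown above (only the parts the parser uses).
SAMPLE_REPORT = """\
Rule Name                       Severity Level    Added    Removed  Modified
Other binaries                  66                0        0        0
* Tripwire Data Files           100               1        0        0
Root file-system libraries      100               0        0        0
  (/lib)

Total violations found: 1

===============================================================================
Object Summary:
===============================================================================
Rule Name: Tripwire Data Files (/var/lib/tripwire/dlp.srv.world.twd)
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/dlp.srv.world.twd"
===============================================================================
"""

# A Rule Summary row: optional "*" violation marker, rule name, severity, three counts.
RULE_RE = re.compile(r"^(?P<flag>\*?)\s*(?P<name>\S.*?)\s{2,}(?P<sev>\d+)\s+(?P<a>\d+)\s+(?P<r>\d+)\s+(?P<m>\d+)\s*$")
TOTAL_RE = re.compile(r"^Total violations found:\s*(\d+)")
LIST_RE = re.compile(r"^(Added|Removed|Modified):$")

def parse_report(text):
    """Return the violation count, the '*'-flagged rules, and the listed objects per change type."""
    out = {"violations": None, "flagged_rules": [], "objects": defaultdict(list)}
    current = None  # name of the object list (added/removed/modified) we are inside, if any
    for line in text.splitlines():
        line = line.rstrip()
        if (m := TOTAL_RE.match(line)):
            out["violations"] = int(m.group(1))
        elif (m := RULE_RE.match(line)) and m["flag"] == "*":
            out["flagged_rules"].append({"name": m["name"], "severity": int(m["sev"]),
                "added": int(m["a"]), "removed": int(m["r"]), "modified": int(m["m"])})
        elif (m := LIST_RE.match(line)):
            current = m.group(1).lower()
        elif current and line.startswith('"') and line.endswith('"'):
            out["objects"][current].append(line.strip('"'))
        elif line.startswith(("=", "-")):
            current = None  # a separator line ends the current object list
    return out

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["violations"], rep["flagged_rules"], dict(rep["objects"]))
```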

2.4 Tripwire Autorun Script

①Script creation

Script contents

#!/bin/bash

#=========================================================================
# Job Name : Tripwire Periodic Execution Script
# Description : Run Tripwire periodically.
# Owner Dept. : korodes.com
#=========================================================================

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Set passphrase
LOCALPASS=xxxxxxxx # local passphrase
SITEPASS=xxxxxxxx # Site passphrase

cd /etc/tripwire

# Run a Tripwire check
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in hostname" root

# Update policy files
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Rebuild the database
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

②Make the script executable and register it with cron
