SNORT
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.
1.Advance preparation
①Add the CodeReady Red Hat repository and install the required software
|
1 |
# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel |
Creation of working directory
|
1 |
# mkdir /var/src |
②DAQ install
|
1 2 3 4 5 6 7 8 |
# cd /var/src # wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz # tar zxvf daq-2.0.7.tar.gz # cd daq-2.0.7 # autoreconf -f -i # ./configure # make # make install |
③Lua install
|
1 2 3 4 5 6 |
# cd /var/src # wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz # tar -zxvf LuaJIT-2.0.5.tar.gz # cd LuaJIT-2.0.5 # make # make install |
④Create fake release files
|
1 2 3 |
# /bin/cat << EOT >/etc/fedora-release Fedora release 28 (Rawhide) EOT |
2. Download, compile, and install Snort2
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# cd /var/src # wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz # tar -zxvf snort-2.9.20.tar.gz # cd snort-2.9.20 # ./configure --enable-sourcefire If an error occurs because zlib.h is not found # dnf install zlib-devel Again # ./configure --enable-sourcefire # make # make install # ldconfig # ln -s /usr/local/bin/snort /usr/sbin/snort |
Delete fake release files
|
1 |
# rm /etc/fedora-release |
3.Create groups and users, necessary directories and files
|
1 2 |
# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# mkdir /etc/snort # mkdir -p /etc/snort/rules # mkdir /var/log/snort # mkdir /usr/local/lib/snort_dynamicrules # mkdir /etc/snort/preproc_rules # chmod -R 5775 /etc/snort # chmod -R 5775 /var/log/snort # chmod -R 5775 /usr/local/lib/snort_dynamicrules # chown -R snort:snort /etc/snort # chown -R snort:snort /var/log/snort # chown -R snort:snort /usr/local/lib/snort_dynamicrules Create the following files # touch /etc/snort/rules/white_list.rules # touch /etc/snort/rules/black_list.rules # touch /etc/snort/rules/local.rules |
Setup configuration files… Copy all files to the configuration directory.
|
1 2 |
# cp /var/src/snort-2.9.20/etc/*.conf* /etc/snort # cp /var/src/snort-2.9.20/etc/*.map* /etc/snort |
4.Use of Community Rules
①Get Community Rules
|
1 |
# wget https://www.snort.org/rules/community -O ~/community.tar.gz |
②Extract rules and copy to configuration folder
|
1 2 |
# tar -xvf ~/community.tar.gz -C ~/ # cp ~/community-rules/* /etc/snort/rules |
There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.
|
1 |
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf |
5. Retrieving Registered User Rules
Once registered on the Snort website, registered user rules can be downloaded using an Oink code.
The Oink code is located in your Snort user account details.
Replace oinkcode in the following command with your personal code
|
1 |
# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz |
Once download is complete, extract rules to the configuration directory
|
1 |
# tar -xvf ~/registered.tar.gz -C /etc/snort |
6. Network and Rule Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# vi /etc/snort/snort.conf ●Line 45 # Setup the network addresses you are protecting ipvar HOME_NET 192.168.11.0/24 ←adapt to one's environment ●Line 48 # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET ●Line 104-106 Comment out and add below # Path to your rules files (this can be a relative path) # var RULE_PATH ../rules # var SO_RULE_PATH ../so_rules # var PREPROC_RULE_PATH ../preproc_rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules ●Per Line 115-116 Comment out and add below # Set the absolute path appropriately #var WHITE_LIST_PATH ../rules #var BLACK_LIST_PATH ../rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ●Per Line 525 : Add # unified2 # Recommended for most installs output unified2: filename snort.log, limit 128 ●Line 550 : To make custom rules readable, local.rules must be uncommented include $RULE_PATH/local.rules ●If you are using community rules, also add the following line just below the local.rules line, for exampl include $RULE_PATH/community.rules |
7. Verification of settings
Use parameter -T to test configuration and enable test mode
|
1 |
# snort -T -c /etc/snort/rules/snort.conf |
Copy the relevant files to /etc/snort/rules in case of errors
In our case, the error occurred in the following file
|
1 2 3 4 |
# cp /var/src/snort-2.9.20/etc/classification.config /etc/snort/rules # cp /var/src/snort-2.9.20/etc/reference.config /etc/snort/rules # cp /var/src/snort-2.9.20/etc/threshold.conf /etc/snort/rules # cp /var/src/snort-2.9.20/etc/unicode.map /etc/snort/rules/ |
Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
relevant line
|
1 2 3 4 |
# vi /etc/snort/rules/snort.conf ●Line 321 : comment-out #decompress_swf { deflate lzma } \ |
Conduct the following again
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# snort -T -c /etc/snort/rules/snort.conf [ Number of patterns truncated to 20 bytes: 916 ] MaxRss at the end of detection rules:825960 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.20 GRE (Build 82) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.10.3 (with TPACKET_V3) Using PCRE version: 8.45 2021-06-15 Using ZLIB version: 1.2.12 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1> Preprocessor Object: appid Version 1.1 <Build 5> Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1> Preprocessor Object: SF_GTP Version 1.1 <Build 1> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1> Preprocessor Object: SF_SIP Version 1.1 <Build 1> Preprocessor Object: SF_SDF Version 1.1 <Build 1> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> Preprocessor Object: SF_DNS Version 1.1 <Build 4> Preprocessor Object: SF_SSH Version 1.1 <Build 3> Preprocessor Object: SF_SMTP Version 1.1 <Build 9> Preprocessor Object: SF_IMAP Version 1.0 <Build 1> Preprocessor Object: SF_POP Version 1.0 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> Total snort Fixed Memory Cost - MaxRss:825960 Snort successfully validated the configuration! Snort exiting |
8. Configuration Testing
①To test if Snort is logging alerts, add custom detection rule alerts for incoming ICMP connections to the local.rules file.
|
1 2 3 4 |
# vi /etc/snort/rules/local.rules ●Add the following line to the last line alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) |
②Start Snort at the console and output alerts to stdout.
The correct network interface (e.g. ens160) must be selected
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# snort -A console -i ens160 -u snort -g snort -c /etc/snort/snort.conf With Snort up and running, ping from another computer. The terminal where Snort is running will display the following notification for each ICMP call 03/04-12:59:09.123471 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:09.123549 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 03/04-12:59:09.123866 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:09.123905 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 03/04-12:59:10.145661 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:10.145742 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 03/04-12:59:10.146056 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:10.146094 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 |
9. Running Snort in the background
①Create a startup script for Snort
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# vi /lib/systemd/system/snort.service [Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160 [Install] WantedBy=multi-user.target |
②After defining the service, reload and run the systemctl daemon
|
1 2 |
# systemctl daemon-reload # systemctl start snort |
Suricata
SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
The basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.
1.Suricata Installation and Configuration
Enable the EPEL repository on your system.
①Suricata Install
|
1 |
# dnf install suricata |
➁Version Check
|
1 2 |
# suricata -V This is Suricata version 6.0.11 RELEASE |
➂Determine interface and IP address where Suricata will inspect network packets
|
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ens160 UP 192.168.11.83/24 |
④Edit configuration file
|
1 2 3 4 5 6 7 8 9 |
# vi /etc/suricata/suricata.yaml # Line 15 : In the "vars" section, define the network HOME_NET: "[192.168.11.0/24]" EXTRNAL_NET: "!$HOME_NET" # Line 589 : Set interface name in "af-packet" section af-packet: - interface: ens160 |
|
1 2 3 4 5 |
# vi /etc/sysconfig/suricata # Line 8 :Specify interface # Add options to be passed to the daemon OPTIONS="-i ens160 --user suricata " |
⑤Suricata rules update
|
1 |
# suricata-update |
⑥Activate Suricata
|
1 2 |
# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service. |
⑦Confirm Suricata startup
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# systemctl status suricata ● suricata.service - Suricata Intrusion Detection Service Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (running) since Wed 2023-04-26 13:53:56 JST; 1s ago Docs: man:suricata(1) Process: 1381 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS) Main PID: 1382 (Suricata-Main) Tasks: 1 (limit: 4591) Memory: 68.3M CPU: 1.743s CGroup: /system.slice/suricata.service mq1382 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata Apr 26 13:53:56 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service... Apr 26 13:53:56 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service. Apr 26 13:53:56 Lepard suricata[1382]: 26/4/2023 -- 13:53:56 - <Notice> - This is Suricata version 6.0.11 RELEASE running in |
Check Log
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail /var/log/suricata/suricata.log 26/4/2023 -- 15:37:14 - <Info> - Running in live mode, activating unix socket 26/4/2023 -- 15:37:25 - <Info> - 1 rule files processed. 33476 rules successfully loaded, 0 rules failed 26/4/2023 -- 15:37:25 - <Info> - Threshold config parsed: 0 rule(s) found 26/4/2023 -- 15:37:26 - <Info> - 33479 signatures processed. 1264 are IP-only rules, 5196 are inspecting packet payload, 26814 inspect application layer, 108 are decoder event only 26/4/2023 -- 15:37:34 - <Info> - Going to use 4 thread(s) 26/4/2023 -- 15:37:34 - <Info> - Running in live mode, activating unix socket 26/4/2023 -- 15:37:34 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket' 26/4/2023 -- 15:37:34 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started. 26/4/2023 -- 15:37:34 - <Info> - All AFP capture threads are running. 26/4/2023 -- 15:37:34 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1 |
If you get "- [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1" and hangs up as shown at the end above, you need to update Hyperscan.
Update as follows
|
1 2 |
# wget https://bodhi.fedoraproject.org/updates/FEDORA-2023-b4e0e66067 # dnf upgrade --refresh --advisory=FEDORA-2023-b4e0e66067 |
Again
|
1 2 3 4 5 6 7 8 9 10 11 |
# tail /var/log/suricata/suricata.log 26/4/2023 -- 16:06:04 - <Info> - Found an MTU of 1500 for 'ens160' 26/4/2023 -- 16:06:04 - <Info> - Found an MTU of 1500 for 'ens160' 26/4/2023 -- 16:06:04 - <Info> - dropped the caps for main thread 26/4/2023 -- 16:06:04 - <Info> - fast output device (regular) initialized: fast.log 26/4/2023 -- 16:06:04 - <Info> - eve-log output device (regular) initialized: eve.json 26/4/2023 -- 16:06:04 - <Info> - stats output device (regular) initialized: stats.log 26/4/2023 -- 16:06:04 - <Info> - Running in live mode, activating unix socket 26/4/2023 -- 16:06:16 - <Info> - 1 rule files processed. 33476 rules successfully loaded, 0 rules failed 26/4/2023 -- 16:06:16 - <Info> - Threshold config parsed: 0 rule(s) found 26/4/2023 -- 16:06:16 - <Info> - 33479 signatures processed. 1264 are IP-only rules, 5196 are inspecting packet payload, 26814 inspect application layer, 108 are decoder event only |
Check the stats.log file for statistics (updated every 8 seconds by default)
|
1 |
# tail -f /var/log/suricata/stats.log |
A more advanced output, EVE JSON, can be generated with the following command
|
1 |
# tail -f /var/log/suricata/eve.json |
3.Suricata Testing
①Run ping test with curl utility
|
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②Check the alert log to see if it has been logged
|
1 2 3 4 |
# cat /var/log/suricata/fast.log 04/26/2023-16:26:39.689266 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 80.94.95.203:5960 04/26/2023-16:26:40.474148 [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 87.246.7.230:15986 |
4.Setting Suricata Rules
①Display of rule sets packaged in Suricata
|
1 2 3 4 5 6 7 |
# ls -al /var/lib/suricata/rules/ total 24136 drwxr-s--- 2 root suricata 57 Apr 26 15:32 . drwxrws--- 4 suricata suricata 33 Apr 26 13:48 .. -rw-r--r-- 1 root suricata 3228 Apr 26 15:32 classification.config -rw-r--r-- 1 root suricata 24708415 Apr 26 15:32 suricata.rules |
②Index list of sources providing rule sets
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only |
③Enable source (if et/open is enabled)
|
1 2 3 4 5 6 7 8 |
# suricata-update enable-source et/open 26/4/2023 -- 16:30:39 - <Info> -- Using data-directory /var/lib/suricata. 26/4/2023 -- 16:30:39 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 26/4/2023 -- 16:30:39 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 26/4/2023 -- 16:30:39 - <Info> -- Found Suricata version 6.0.11 at /usr/sbin/suricata. 26/4/2023 -- 16:30:39 - <Info> -- Creating directory /var/lib/suricata/update/sources 26/4/2023 -- 16:30:39 - <Info> -- Source et/open enabled |
Perform update
|
1 |
# suricata-update |
Restart Suricata service
|
1 |
# systemctl restart suricata |
5.Creating Suricata Custom Rules
①Create files containing customer rules
|
1 2 3 |
# vi /etc/suricata/rules/local.rules Include the following information alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;) |
②Edit configuration file(Define the path to the above local.rules)
|
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # Added around line 1924 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③Testing the configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v 26/4/2023 -- 16:32:53 - <Info> - Running suricata under test mode 26/4/2023 -- 16:32:53 - <Notice> - This is Suricata version 6.0.11 RELEASE running in SYSTEM mode 26/4/2023 -- 16:32:53 - <Info> - CPUs/cores online: 4 26/4/2023 -- 16:32:53 - <Info> - fast output device (regular) initialized: fast.log 26/4/2023 -- 16:32:53 - <Info> - eve-log output device (regular) initialized: eve.json 26/4/2023 -- 16:32:53 - <Info> - stats output device (regular) initialized: stats.log 26/4/2023 -- 16:33:04 - <Info> - 2 rule files processed. 33477 rules successfully loaded, 0 rules failed 26/4/2023 -- 16:33:04 - <Info> - Threshold config parsed: 0 rule(s) found 26/4/2023 -- 16:33:04 - <Info> - 33480 signatures processed. 1265 are IP-only rules, 5196 are inspecting packet payload, 26814 inspect application layer, 108 are decoder event only 26/4/2023 -- 16:33:12 - <Notice> - Configuration provided was successfully loaded. Exiting. 26/4/2023 -- 16:33:13 - <Info> - cleaning up signature grouping structure... complete |
Restart Suricat service
|
1 |
# systemctl restart suricata |
④Testing the application of Custom Rules
Ping another device on the same local network to see if it was logged
|
1 2 3 4 5 6 7 |
# cat /var/log/suricata/fast.log 04/26/2023-16:34:19.344482 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0 04/26/2023-16:34:19.344577 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0 04/26/2023-16:34:28.794097 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.1:11 -> 192.168.11.83:0 04/26/2023-16:34:29.411163 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 80.94.95.203:2916 04/26/2023-16:34:30.369791 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 87.246.7.230:35682 |
To get logs in JSON format, install jq on your system
|
1 2 |
# dnf install jq # systemctl restart suricata |
Execute the following command to ping another device on the same local network
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' When ping is executed, the following is displayed in the console { "timestamp": "2023-04-26T16:36:10.577241+0900", "flow_id": 1209779886935769, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2023-04-26T16:36:10.577241+0900" } } { "timestamp": "2023-04-26T16:36:10.577301+0900", "flow_id": 1209779886935769, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2023-04-26T16:36:10.577241+0900" } } { "timestamp": "2023-04-26T16:36:15.794200+0900", "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.1", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 11, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 } } |
Tripwire
1.Install
|
1 |
# dnf -y install tripwire |
2.Passphrase setting
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
# tripwire-setup-keyfiles ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase" Verify the site keyfile passphrase: ←Enter "Site Passphrase" again Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "local passphrase" Verify the local keyfile passphrase: ←Enter "Local Passphrase" again Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy. Once you have a satisfactory Tripwire policy file, you should move the clear-text version to a secure location and/or encrypt it in place (using a tool such as GPG, for example). Now run "tripwire --init" to enter Database Initialization Mode. This reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. Options can be entered on the command line to specify which policy, configuration, and key files are used to create the database. The filename for the database can be specified as well. If no options are specified, the default values from the current configuration file are used. |
3.Tripwire Configuration
①Configuration File Edit
|
1 2 3 4 5 6 7 8 9 |
# vi /etc/tripwire/twcfg.txt ●Per line 9 Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it ●Per line 12 Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it. Level 4 provides the most detailed report of the five levels from "0" to "4". #REPORTLEVEL =3 REPORTLEVEL =4 |
②Create a Tripwire configuration file (cryptographically signed version)
|
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter site passphrase" Wrote configuration file: /etc/tripwire/tw.cfg |
③Delete Tripwire configuration file (text version)
|
1 |
# rm -f /etc/tripwire/twcfg.txt |
④Policy File Settings
|
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
Contents of twpolmake.pl
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/perl # Tripwire Policy File customize tool # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤Policy File Optimizations
|
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑥Create policy file (cryptographically signed version) based on optimized policy file
|
1 2 3 4 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter local passphrase Wrote policy file: /etc/tripwire/tw.pol |
⑦Create database and check operation
|
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter local passphrase |
Create test files
|
1 |
# echo test > /root/test.txt |
Check Tripwire operation
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# tripwire -m c -s -c /etc/tripwire/tw.cfg OK if it appears as follows Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Wed 26 Apr 2023 06:46:15 PM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 (/sbin/runlevel) Application Information Programs 100 0 0 0 (/sbin/rtmon) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 * Tripwire Data Files 100 1 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 Critical configuration files 100 0 0 0 * Root config files 100 1 0 0 Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Critical devices 100 0 0 0 Total objects scanned: 42529 Total violations found: 2 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/lib/tripwire/Lepard.twd" ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
Delete test files
|
1 |
# rm -f /root/test.txt |
⑧Tripwire Scheduled Scripts
|
1 2 |
# cd /var/www/system # vi tripwire.sh |
Contents of tripwire.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS= ←local passphrase SITEPASS= ←site passphrase cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Policy File Update twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database Update rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
⑨Tripwire Autorun Script Execution Settings
|
1 2 3 4 5 |
# chmod 700 tripwire.sh Add to cron # crontab -e 0 3 * * * /var/www/system/tripwire.sh |
Reference: Script for reporting results by e-mail
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS=xxxxx # local passphrase SITEPASS=xxxxx # site passphrase #Specify e-mail address for notification MAIL="<your mailaddress> " cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # Policy File Update twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database update rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
Confirmation that the results of the tripwire execution are notified to the specified e-mail address
|
1 |
# /var/www/system/tripwire.sh |