Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

Fedora38 ; SNORT2 , Suricata , Tripwire

SNORT

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

1.Advance preparation

①Add the CodeReady Red Hat repository and install the required software

Creation of working directory

DAQ install

Lua install

④Create fake release files

2. Download, compile, and install Snort2

Delete fake release files

3.Create groups and users, necessary directories and files

Setup configuration files… Copy all files to the configuration directory.

4.Use of Community Rules

①Get Community Rules

Extract rules and copy to configuration folder

There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.

5. Retrieving Registered User Rules

Once registered on the Snort website, registered user rules can be downloaded using an Oink code.
The Oink code is located in your Snort user account details.
Replace oinkcode in the following command with your personal code

Once download is complete, extract rules to the configuration directory

6. Network and Rule Configuration

7. Verification of settings

Use parameter -T to test configuration and enable test mode

Copy the relevant files to /etc/snort/rules in case of errors
In our case, the error occurred in the following file

Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
relevant line

Conduct the following again

8. Configuration Testing

①To test if Snort is logging alerts, add custom detection rule alerts for incoming ICMP connections to the local.rules file.

②Start Snort at the console and output alerts to stdout.
The correct network interface (e.g. ens160) must be selected

9. Running Snort in the background

Create a startup script for Snort

After defining the service, reload and run the systemctl daemon

Suricata

SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
The basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.

1.Suricata Installation and Configuration

Enable the EPEL repository on your system.

①Suricata Install

Version Check

Determine interface and IP address where Suricata will inspect network packets

Edit configuration file

Suricata rules update

Activate Suricata

Confirm Suricata startup

Check Log

If you get "- [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1" and hangs up as shown at the end above, you need to update Hyperscan.
Update as follows

Again

Check the stats.log file for statistics (updated every 8 seconds by default)

A more advanced output, EVE JSON, can be generated with the following command

3.Suricata Testing

Run ping test with curl utility

②Check the alert log to see if it has been logged

4.Setting Suricata Rules

①Display of rule sets packaged in Suricata

Index list of sources providing rule sets

Enable source (if et/open is enabled)

Perform update

Restart Suricata service

5.Creating Suricata Custom Rules

Create files containing customer rules

Edit configuration file(Define the path to the above local.rules)

Testing the configuration file

Restart Suricat service

Testing the application of Custom Rules

Ping another device on the same local network to see if it was logged

To get logs in JSON format, install jq on your system

Execute the following command to ping another device on the same local network

Tripwire

1.Install

2.Passphrase setting

3.Tripwire Configuration

Configuration File Edit

Create a Tripwire configuration file (cryptographically signed version)

Delete Tripwire configuration file (text version)

Policy File Settings

Contents of twpolmake.pl

Policy File Optimizations

⑥Create policy file (cryptographically signed version) based on optimized policy file

⑦Create database and check operation

Create test files

Check Tripwire operation