Click here for "Error Codes for Commercial Air Conditioners".(Japanese Version)

Fedora35 : SNORT , Tripwire

SNORT Installation

Snort is an Intrusion Detection System (IDS) for Linux. A network-based IDS monitors the contents of communications flowing over a network to detect whether or not an attack is underway. Port scans, for example, may be more appropriately described as "preliminary investigation for an attack" rather than "attack. Network IDS can also detect such things as port scans. Also, by detecting suspicious communications, intrusion and other damage can be prevented.

1.advance preparation

①Add the CodeReady Red Hat repository and install the required software

②Installing DAQ

③Installing Lua

④Create fake release files

2. Download, compile, and install Snort

Delete fake release files

3.Create groups and users, necessary directories and files

Setup configuration files... Copy all files to the configuration directory.

4.Use of Community Rules

①Get Community Rules

②Extract rules and copy to configuration folder

There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.

5. Retrieving Registered User Rules

Once registered on the Snort website, registered user rules can be downloaded using an Oink code.
The Oink code is located in your Snort user account details.
Replace oinkcode in the following command with your personal code

Once download is complete, extract rules to the configuration directory

6. Network and Rule Configuration

7. Verification of settings

Use parameter -T to test configuration and enable test mode

Copy the relevant files to /etc/snort/rules in case of errors
In our case, the error occurred in the following file
If you get a unicode.map error
Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
relevant line
decompress_swf { deflate lzma } \  ←Comment.
# decompress_swf { deflate lzma } \

8. Configuration Testing

①To test if Snort is logging alerts, add custom detection rule alerts for incoming ICMP connections to the local.rules file.
②Start Snort at the console and output alerts to stdout.
The correct network interface (e.g. eth0) must be selected

9. Running Snort in the background

①Create a startup script for Snort
②After defining the service, reload and run the systemctl daemon

Tripwire Installation

1.Installation

2.Initialization

Set site passphrase and local passphrase

3.Tripwire Configuration

①Configuration File Edit

②Create a Tripwire configuration file (cryptographically signed version)

③Delete Tripwire configuration file (text version)

④Policy File Settings

Contents of twpolmake.pl

⑤policy file optimization

⑥Create policy file (cryptographically signed version) based on optimized policy file
⑦Create database and check operation
⑧Tripwire Scheduled Scripts
Contents of tripwire.sh
⑨Tripwire Autorun Script Execution Settings

Reference: Script for reporting results by e-mail

Copied title and URL