
Fedora35 : SNORT , Tripwire , Chkrootkit

SNORT Installation

1.advance preparation

①Add the CodeReady Red Hat repository and install the required software

# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
# mkdir /var/src
②Installing DAQ
# cd /var/src
# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar zxvf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install
③Installing LuaJIT
# cd /var/src
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install
④Create fake release files
# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT

2. Download, compile, and install Snort

# cd /var/src
# wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz
# tar -zxvf snort-2.9.18.1.tar.gz
# cd snort-2.9.18.1
# ./configure --enable-sourcefire
If an error occurs because zlib.h is not found
# dnf install zlib-devel
Then run configure again:
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
# ln -s /usr/local/bin/snort /usr/sbin/snort
Delete fake release files
# rm /etc/fedora-release

3.Create groups and users, necessary directories and files

# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules

# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create the following files
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules

Setup configuration files... Copy all files to the configuration directory.

# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort
# cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort

4.Use of Community Rules

①Get Community Rules

# wget https://www.snort.org/rules/community -O ~/community.tar.gz
②Extract rules and copy to configuration folder
# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

5. Retrieving Registered User Rules

Once registered on the Snort website, registered user rules can be downloaded using an Oink code.
The Oink code is located in your Snort user account details.
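Replace <oink-code> in the following command with your personal code (drop the angle brackets and quote the URL so the shell does not interpret the ? character). The Oink code is a credential tied to your account, so keep it out of shared scripts.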
# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz

Once download is complete, extract rules to the configuration directory

# tar -xvf ~/registered.tar.gz -C /etc/snort

6. Network and Rule Configuration

# vi /etc/snort/snort.conf
●Line 45
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24 ←adapt to one's environment
●Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
●Line 104-106 Comment out and add below
# Path to your rules files (this can be a relative path)
# var RULE_PATH ../rules
# var SO_RULE_PATH ../so_rules
# var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
●Around line 116: comment out the existing lines and add the lines below
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
●Around line 525, add
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
●Line 550 To make custom rules readable, local.rules must be uncommented
include $RULE_PATH/local.rules
●If you are using community rules, also add the following line just below the local.rules line, for example
include $RULE_PATH/community.rules

7. Verification of settings

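Use the -T option to run Snort in test mode, which checks the configuration and then exits. The command below checks /etc/snort/rules/snort.conf, whereas step 6 edits /etc/snort/snort.conf and steps 8 and 9 start Snort with that file, so run the test against the file Snort will actually load.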

# snort -T -c /etc/snort/rules/snort.conf

MaxRss at the end of detection rules:809420

--== Initialization Complete ==--

,,_       -*> Snort! <*-
o" )~    Version 2.9.18.1 GRE (Build 1005)
''''       By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.45 2021-06-15
Using ZLIB version: 1.2.11

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: appid Version 1.1 <Build 5>
Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

Total snort Fixed Memory Cost - MaxRss:809420
Snort successfully validated the configuration!
Snort exiting

Copy the relevant files to /etc/snort/rules in case of errors
In our case, the error occurred in the following file
# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules
cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules
cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules
cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/
If you get a unicode.map error
# cp /usr/local/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules
Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
relevant line
decompress_swf { deflate lzma } \  ←Comment.
# decompress_swf { deflate lzma } \

8. Configuration Testing

①To test if Snort is logging alerts, add custom detection rule alerts for incoming ICMP connections to the local.rules file.
# vi /etc/snort/rules/local.rules
●Add the following line to the last line
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
②Start Snort at the console and output alerts to stdout.
The correct network interface (e.g. eth0) must be selected

# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

With Snort up and running, ping from another computer.
The terminal where Snort is running will display the following notification for each ICMP call
Commencing packet processing (pid=39981)
01/22-17:35:31.748180 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82
01/22-17:35:31.748233 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20
01/22-17:35:32.761756 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82
01/22-17:35:32.761786 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20
01/22-17:35:33.764377 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82
01/22-17:35:33.764408 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20
01/22-17:35:34.768669 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.82
01/22-17:35:34.768699 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.82 -> 192.168.11.20

9. Running Snort in the background

①Create a startup script for Snort

# vi /lib/systemd/system/snort.service

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target

②After defining the service, reload and run the systemctl daemon

# systemctl daemon-reload
# systemctl start snort

Tripwire Installation

1.Download and installation

# cd /usr/local/src
# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

2.initialization

Set site passphrase and local passphrase

# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ←Enter any "Site Passphrase"
Verify the site keyfile passphrase: ←Enter the same "Site Passphrase" again
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ←Enter any "local passphrase"
Verify the local keyfile passphrase: ←Enter the same "local Passphrase" again
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ←Enter "Site Passphrase"
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ←Enter "Site Passphrase"
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
~summary~
default values from the current configuration file are used.

3.Tripwire Configuration

①Configuration File Edit

# vi /etc/tripwire/twcfg.txt
●Around line 9
Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it.
●Around line 13
Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it.
Level 4 provides the most detailed report of the five levels from "0" to "4".
#REPORTLEVEL =3
REPORTLEVEL =4
②Create a Tripwire configuration file (cryptographically signed version)
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←Enter the site passphrase you set
Wrote configuration file: /etc/tripwire/tw.cfg
③Delete Tripwire configuration file (text version)
# rm -f /etc/tripwire/twcfg.txt
④Policy File Settings
# cd /etc/tripwire/
# vi twpolmake.pl
Contents of twpolmake.pl

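#!/usr/bin/perl
# Tripwire policy file customisation tool.
#
# Usage: perl twpolmake.pl twpol.txt > twpol.txt.new
#
# Reads the clear-text policy named by the first argument and prints an
# adjusted copy to stdout:
#   * a HOSTNAME=...; line whose value differs from the output of `hostname`
#     is rewritten to the local host name;
#   * inside a { ... } rule block, a "/path -> mask" rule is commented out
#     when the path fails the -s test and the rule is not already commented,
#     and has its leading "#" removed when the path passes the test.
# Every other line is printed unchanged.
#
# NOTE(review): rules are disabled and re-enabled purely from what is on disk
# at run time, so compare the generated policy with the previous one before
# signing it.
$POLFILE = defined $ARGV[0] ? $ARGV[0] : '';

# Three-argument open with an explicit read mode: the argument is always
# treated as a file name, never as a mode prefix or a pipe.
open(my $pol, '<', $POLFILE) or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<$pol>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the host name recorded in the policy with this machine's.
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^\{/ ) {
        # Opening brace at the start of a line: rule entries follow.
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $sharp: leading whitespace and optional "#", $tpath: the path,
        # $cond: the "-> mask" part. $ret is the number of "#" removed, so
        # 0 means the rule was active in the input.
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            # Comment out the trailing "tune2fs ..." text on this one entry.
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # NOTE(review): -s is false for a missing path and also for an
        # existing zero-length file, so rules for empty files are commented
        # out as well. Confirm that is intended; -e would test existence only.
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # Path passes the test: emit the rule without a leading "#".
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close($pol) ;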

⑤policy file optimization

# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑥Create policy file (cryptographically signed version) based on optimized policy file
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←Enter site passphrase
Wrote policy file: /etc/tripwire/tw.pol
⑦Create database and check operation
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←Enter the local passphrase you set

Create test files
# echo test > /root/test.txt
Check Tripwire operation
# tripwire -m c -s -c /etc/tripwire/tw.cfg
Delete test files
# rm -f /root/test.txt
⑧Tripwire Scheduled Scripts
# cd /var/www/system
# vi tripwire.sh
Contents of tripwire.sh

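#!/bin/bash
#
# Scheduled Tripwire job: mail the integrity report to root, then regenerate
# the signed policy and re-initialise the database.
#
# NOTE(review): the database is rebuilt after every check, so a change is
# reported once and then becomes part of the new baseline. Every report has
# to be read; a missed mail means the change is accepted without review.
#
# NOTE(review): both passphrases are stored in this file and passed to
# twadmin/tripwire as command-line arguments (-Q / -P), which other local
# users can see in the process list while those commands run. Keep the file
# owned by root with mode 700, and confirm its directory is not served by a
# web server.

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting
LOCALPASS=''  # <- local passphrase
SITEPASS=''   # <- site passphrase

# Refuse to run with the placeholders left empty.
if [ -z "$LOCALPASS" ] || [ -z "$SITEPASS" ]; then
  echo "tripwire.sh: LOCALPASS and SITEPASS must be set" >&2
  exit 1
fi

# Stop if the directory is missing: the rm further down uses globs that are
# relative to the current directory.
cd /etc/tripwire || exit 1

# Tripwire check run
tripwire -m c -s -c tw.cfg \
  | mail -s "Tripwire(R) Integrity Check Report in $(hostname)" root

# Policy file update: dump the current policy, adjust it, sign it again.
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q "$SITEPASS" twpol.txt.new > /dev/null
# Remove the clear-text policy copies once the signed policy is written.
rm -f -- twpol.txt* *.bak

# Database update
# NOTE(review): confirm this directory matches DBFILE in the Tripwire
# configuration of the installed package; otherwise the old database is
# not removed here.
rm -f -- /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P "$LOCALPASS"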

⑨Tripwire Autorun Script Execution Settings

# chmod 700 tripwire.sh

Add to cron
# crontab -e
0 3 * * * /var/www/system/tripwire.sh

Chkrootkit install

①Download and install chkrootkit

# cd /usr/local/src
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar zxvf chkrootkit.tar.gz
➁Create /root/bin directory and move chkrootkit command to that directory
# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin
➂Check chkrootkit.
# chkrootkit | grep INFECTED
④Create chkrootkit periodic execution script and change permissions
# vi /var/www/system/chkrootkit.sh
Contents of chkrootkit.sh

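#!/bin/bash
#
# Run chkrootkit, write its complete output to syslog, and mail root the
# INFECTED lines that remain after the known false positive is filtered.

PATH=/usr/bin:/bin:/root/bin

# A missing scanner would otherwise produce an empty log and no mail, which
# looks the same as a clean result.
if ! command -v chkrootkit > /dev/null; then
  echo "chkrootkit.sh: chkrootkit not found in PATH" >&2
  logger -t chkrootkit "chkrootkit not found in PATH"
  exit 1
fi

TMPLOG=$(mktemp) || exit 1
# Remove the temporary log on every exit path.
trap 'rm -f -- "$TMPLOG"' EXIT

# Run chkrootkit
chkrootkit > "$TMPLOG"

# Log output. This happens before filtering, so syslog keeps the lines that
# are removed from the mail below.
logger -t chkrootkit < "$TMPLOG"

# Handle the bindshell false positive caused by SMTPS listening on port 465:
# drop the lines mentioning 465 unless lsof shows "bindshell" on that port.
# NOTE(review): the pattern is only "465", so every line containing those
# digits is removed from the mail, including a line that lists other ports
# as well. Check the syslog copy when this filter fires.
if grep -q 465 "$TMPLOG" && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
  sed -i '/465/d' "$TMPLOG"
fi

# Support for Suckit false positives when updating upstart package
#if [ ! -z "$(grep Suckit $TMPLOG)" ] && \
# [ -z $(rpm -V `rpm -qf /sbin/init`) ]; then
# sed -i '/Suckit/d' $TMPLOG
#fi

# Send mail to root only when a rootkit is detected
if grep -q INFECTED "$TMPLOG"; then
  grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in $(hostname)" root
fi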

# chmod 700 /var/www/system/chkrootkit.sh
⑤Register in cron to be executed periodically
# crontab -e
0 4 * * * /var/www/system/chkrootkit.sh