
MiracleLinux 8.4: Snort, Tripwire, chkrootkit

Install Snort

1. Preliminary preparations

①Add the Red Hat CodeReady repository and install the required software

②Install DAQ

③Install Lua

④Create a fake release file

2. Download, compile, and install Snort.

Remove the fake release file

3. Create groups and users, and create the necessary directories and files.

Set up the configuration files: copy all of them to the configuration directory.

4. Using the community rules

①Get community rules

②Extract the rules and copy them to the configuration folder

The community rules do not include every rule file that the configuration references.
Use the sed command to comment out the lines that are not needed.

5. Get registered user rules

If you register on the Snort website, you can use an Oink code to download the registered user rules.
The Oink code can be found in your Snort user account details.
Replace oinkcode with your personal code in the following command.

Once the download is complete, extract the rules to the configuration directory.

6. Configure networks and rules

7. Verify the configuration

Use the -T parameter to run Snort in test mode, which validates the configuration without capturing traffic.

If an error occurs, copy the corresponding file to /etc/snort/rules.
In our case, the error occurred with the following files

If you get a unicode.map error

8. Test the configuration

①To test whether Snort is logging alerts, add a custom rule to the local.rules file that alerts on incoming ICMP traffic.

②Start Snort in the console with alerts written to stdout.
Select the correct network interface (e.g. eth0).

9. Run Snort in the background.

①Create a startup script for Snort.

②After defining the service, reload systemd and start the service with systemctl.
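The ICMP test rule, the -T validation run, the console test and the systemd unit from steps 7 to 9, as one added shell example. This is not code from the original page; it assumes a Snort 3 layout (snort.lua, rules under /etc/snort/rules, logs under /var/log/snort), a snort user and group from step 3, and the interface eth0. The paths and interface are overridable through the environment variables at the top.

```bash
#!/bin/sh
# Added example, not code from the original page. Assumes a Snort 3 install
# (DAQ + Lua, as in step 1) with /etc/snort/snort.lua, rules under
# /etc/snort/rules, logs under /var/log/snort, a snort user/group from step 3,
# and the interface eth0. Override via the environment variables below.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.lua}"
SNORT_RULES="${SNORT_RULES:-/etc/snort/rules/local.rules}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"

# Append a rule to local.rules that alerts on every ICMP packet reaching
# $HOME_NET. SIDs from 1000000 up are reserved for local rules, so this one
# cannot clash with community or registered rules. Idempotent: a second call
# does not append a duplicate.
add_icmp_test_rule() {
    rules_file=$1
    rule='alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:1000001; rev:1;)'
    if grep -q 'sid:1000001;' "$rules_file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# Step 7: -T parses the configuration and all referenced rule files and exits
# non-zero on error, without opening the interface for capture.
validate_config() {
    "$SNORT_BIN" -c "$SNORT_CONF" -T
}

# Step 8: run in the foreground with one-line alerts on stdout. Ping the host
# from another machine; every echo request should print the rule's msg.
run_console_test() {
    "$SNORT_BIN" -c "$SNORT_CONF" -i "$SNORT_IFACE" -A alert_fast
}

# Step 9: write a systemd unit. Snort stays in the foreground (no -D) so that
# systemd's Type=simple tracks the real process; -u/-g drop root after the
# interface is opened; -l sends the log files to $SNORT_LOG.
write_service_unit() {
    unit_file=$1
    cat > "$unit_file" <<EOF
[Unit]
Description=Snort 3 network intrusion detection
After=network.target

[Service]
Type=simple
ExecStart=$SNORT_BIN -c $SNORT_CONF -i $SNORT_IFACE -l $SNORT_LOG -A alert_fast -u snort -g snort
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Typical sequence (run as root):
#   add_icmp_test_rule "$SNORT_RULES" && validate_config
#   write_service_unit /etc/systemd/system/snort.service
#   systemctl daemon-reload && systemctl enable --now snort
```

The validation step is what catches the missing-rule-file errors described in step 7: because -T loads every file the configuration includes, a rule file that was not copied to /etc/snort/rules shows up as a parse error before the service ever starts.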

Install Tripwire

1. Download and install

2. Initialization

Set the site passphrase and local passphrase.

3. Configuring Tripwire

①Edit configuration file

②Create a Tripwire configuration file (cryptographically signed version)

③Delete Tripwire configuration file (text version)

④Policy file settings

Contents of twpolmake.pl

⑤Policy file optimization

⑥Create a policy file (cryptographically signed version) based on the optimized policy file.

⑦Create a database and check its operation.

Check Tripwire operation

Delete the test file

⑧Tripwire periodic execution script

Contents of tripwire.sh

⑨Tripwire autorun script execution settings

Add to cron

If running "/var/www/system/tripwire.sh" reports that the mail command is missing
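A periodic Tripwire check script of the kind steps ⑧ and ⑨ describe, as an added example. It is not the page's own tripwire.sh: it assumes the standard tripwire and twprint binaries, a report directory under /var/lib/tripwire/report, and a local mail command (on EL8 the mail command comes from the mailx package, which is what the "no mail command" message above points to). The "Total violations found:" summary line it parses is the one Tripwire's text report prints; the exact spacing is an assumption.

```bash
#!/bin/sh
# Added example of a periodic Tripwire check script; it is not the page's own
# tripwire.sh. Assumes the standard tripwire/twprint binaries, a report
# directory under /var/lib/tripwire/report, and a local "mail" command
# (on EL8 provided by the mailx package: dnf install mailx).

TW_REPORT_DIR="${TW_REPORT_DIR:-/var/lib/tripwire/report}"
MAILTO="${MAILTO:-root}"

# Pick whichever local mail client is installed; return 1 if none is, so the
# caller keeps the report on disk instead of silently losing it.
find_mailer() {
    for m in mail mailx s-nail; do
        if command -v "$m" >/dev/null 2>&1; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Extract the violation count from a text report. Tripwire's text report
# carries a "Total violations found:  N" summary line (assumed format);
# prints 0 when the line is absent.
count_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Mail the text report to $MAILTO with the count in the subject, so that a
# change is visible without opening the mail; otherwise leave a notice on stderr.
deliver_report() {
    txt=$1
    n=$(count_violations "$txt")
    subject="Tripwire $(hostname): $n violation(s)"
    if mailer=$(find_mailer); then
        "$mailer" -s "$subject" "$MAILTO" < "$txt"
    else
        echo "no mail command found; report kept at $txt" >&2
        return 1
    fi
}

# Run the integrity check into a timestamped .twr report, render it as text
# and deliver it. tripwire exits non-zero when violations are found, which is
# a result to report, not a script failure. After reviewing a legitimate change
# (e.g. a package update), accept it with: tripwire --update --twrfile <file.twr>
run_check() {
    mkdir -p "$TW_REPORT_DIR"
    twr="$TW_REPORT_DIR/$(hostname)-$(date +%Y%m%d-%H%M%S).twr"
    tripwire --check --twrfile "$twr" >/dev/null 2>&1 || true
    txt="${twr%.twr}.txt"
    twprint --print-report --twrfile "$twr" > "$txt"
    deliver_report "$txt"
}

# Invoked from cron, e.g. daily: 0 3 * * * root /var/www/system/tripwire.sh run
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

Keeping the binary .twr report alongside the text copy matters: the --update step that accepts legitimate changes takes the .twr file, not the text rendering, so deleting it after mailing would force a full database re-initialisation instead of a reviewed update.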

Install chkrootkit

①Download and install

②Create a /root/bin directory and move the chkrootkit command into it

③Check chkrootkit.

④Create the chkrootkit periodic execution script and set its permissions

Contents of chkrootkit.sh

⑤Securing the commands used by chkrootkit

If the system commands chkrootkit relies on have been tampered with, rootkits will not be detected properly. Make a copy of the commands chkrootkit uses and, when needed, run chkrootkit with those copies.

Create a directory in which to save the commands used by chkrootkit

Copy the commands used by chkrootkit to that directory

Run chkrootkit using the saved commands

Compress the saved-command directory and delete the original

Send the compressed command archive to root by e-mail

Remove the compressed archive
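The save, run, compress, mail and remove sequence of step ⑤ as one added shell example. This is not the page's chkrootkit.sh; it assumes chkrootkit was moved to /root/bin/chkrootkit in step ②, that a local mail command exists, and it uses chkrootkit's documented -p option to point it at the saved copies. The command list is the set of external commands chkrootkit's README says it relies on.

```bash
#!/bin/sh
# Added example, not the page's own chkrootkit.sh. Assumes chkrootkit lives at
# /root/bin/chkrootkit (step 2) and that a local "mail" command exists. The
# command list is the one chkrootkit's README says it relies on.

CHK_BIN="${CHK_BIN:-/root/bin/chkrootkit}"
CHK_CMDS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# Locate a command in the standard system directories rather than via $PATH,
# which an intruder may have altered for root's shell.
find_binary() {
    for d in /usr/bin /bin /usr/sbin /sbin; do
        if [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    return 1
}

# Copy the commands chkrootkit uses into DIR (mode 700), record their SHA-256
# hashes, and print how many were found. Missing ones (e.g. netstat or strings
# on a minimal install) are reported on stderr rather than aborting the run.
save_trusted_cmds() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    found=0
    for c in $CHK_CMDS; do
        if src=$(find_binary "$c"); then
            cp -p "$src" "$dir/$c" && found=$((found + 1))
        else
            echo "save_trusted_cmds: $c not found, chkrootkit will skip tests that need it" >&2
        fi
    done
    if [ "$found" -gt 0 ]; then
        (cd "$dir" && sha256sum ./* > SHA256SUMS)
    fi
    echo "$found"
}

# Run chkrootkit with -p DIR so it prefers the saved copies over whatever is
# first in PATH; -q limits output to findings. The report goes to root by mail.
run_with_trusted_cmds() {
    dir=$1
    "$CHK_BIN" -q -p "$dir" 2>&1 | mail -s "chkrootkit report: $(hostname)" root
}

# Compress the saved commands to DIR.tar.gz, remove the directory, and print
# the archive path. A failed tar is fatal so a half-written archive is never mailed.
archive_trusted_cmds() {
    dir=$1
    tarball="$dir.tar.gz"
    tar -czf "$tarball" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    rm -rf "$dir"
    echo "$tarball"
}

# Mail the archive (base64 in the body so it survives as plain text) to root
# and delete the local copy, leaving no trusted-command set on disk to tamper with.
mail_and_remove_archive() {
    tarball=$1
    base64 "$tarball" | mail -s "chkrootkit trusted commands: $(basename "$tarball")" root
    rm -f "$tarball"
}

# Full run, e.g. from cron: /root/bin/chkrootkit.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d /root/chkrootkit-cmds.XXXXXX)
    save_trusted_cmds "$work" > /dev/null
    run_with_trusted_cmds "$work"
    tb=$(archive_trusted_cmds "$work")
    mail_and_remove_archive "$tb"
fi
```

The SHA256SUMS file inside each archive is the useful part of the mailed copy: comparing the hashes in the first archive (taken when the host was known clean) with those of a later run shows whether any of the commands chkrootkit depends on has changed between checks, which is exactly the tampering this step is meant to defend against.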