MiracleLinux9.2 ; SNORT3 , Tripwire Install

SNORT3 Install

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

MiracleLinux9 does not have a Snort3 repository, so build, compile and install Snort3 from source code

1. Advance preparation

①Install required build tools and libraries

Install CERT Forensics Tools repository as libsafec-devel is not available in the EPEL repository.
Install libsafec-devel

②SNORT3 installation working directory creation

③DAQ Download Install

Tcmalloc Install
Installed gperftools to improve speed when memory usage increases

2. Snort3 Download Install

①Download, compile, and install Snort3

②Update shared libraries

Check version

3. Network Interface Card Configuration

①Configure network interface card
※The "ens160" part below should be adapted to your environment.

Disable interface offloading so that Snort does not truncate packets larger than 1518 bytes
Confirmation of current status

Disable GRO and LRO as they are turned on.

Create and enable systemd service so that changes will take effect after system reboot

Contents of snort3-promisc.service

Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot

ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off


4.Use of Community Rules

Set community rules this time
Create Snort Rules directory

➁Download Snort 3 Community Rules from the Snort 3 Download Page
Extract the rules and copy them to the configuration folder

Check inside the configuration folder

5. Edit Main Configuration File

Update path to rules

OpenAppID install
Download and install Snort OpenAppID from the Snort 3 download page
Please change to the latest version.

Edit the snort 3 configuration file to define the location of the OpenAppID library

Snorts log directory creation

Check configuration files

OK if the check results in the following

6. Create custom local rules

7. Verification of settings

Use parameter -T to test configuration and enable test mode

Next, run the test by executing the following command

When pinging this server from another PC in the same local network, an alert line is written on the console screen of this server as shown below.

Settings for writing to log files

An alert_fast.txt file is created in the log directory

Perform syntax check

Now, instead of the -A alert_fast option, add the option -l /var/log/snort to specify the log directory

When I pinged the server again from another PC in the same network, this time nothing appeared on the console screen, but
Checking the log directory, an alert_fast.txt file has been created
To check the alert_fast.txt file

Include local rules in snort.lua

8. Create user for Snort

Create a non-login system user account for Snort

9. Create systemd service unit for Snort

Reload systemd configuration

Set ownership and permissions for log files

Enable Snort to start and run at system startup

status check



2.Passphrase setting

Set site passphrase and local passphrase

3.Tripwire Configuration

Configuration File Edit

Create a Tripwire configuration file (cryptographically signed version)

Delete Tripwire configuration file (text version)

Policy File Settings

Contents of twpolmake.pl

Policy File Optimizations

Create policy file (cryptographically signed version) based on optimized policy file

Create database and check operation

Create test files

Check Tripwire operation

The following is displayed and test.txt is detected

Delete test files

Tripwire Scheduled Scripts

Contents of tripwire.sh

Tripwire Autorun Script Execution Settings

Subscribe to cron and run it periodically

Reference: Script for reporting results by e-mail

Execute the following command to confirm that the mail has been received

Copied title and URL