Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

OracleLinux9.3 ; Suricata , SNORT3 Install

 Suricata

SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
The basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.

1.advance preparation

Activate the EPEL Repository

System updates

2.Suricata Installation and Configuration

Suricata install

Determine interface and IP address where Suricata will inspect network packets

Edit configuration file

Suricata rules update

Activate Suricata

Confirm Suricata startup

Check Log

Check the stats.log file for statistics (updated every 8 seconds by default)

A more advanced output, EVE JSON, can be generated with the following command

3.Suricata Testing

Run ping test with curl utility

Check the alert log to see if it has been logged

4.Setting Suricata Rules

Display of rule sets packaged in Suricata

Index list of sources providing rule sets

Enable source (if et/open is enabled)

Perform update

Restart Suricata service

5.Creating Suricata Custom Rules

Create files containing customer rules

Edit configuration file (define new rule paths)

 ③Testing the configuration file

Restart Suricat service

Testing the application of Custom Rules
Ping another device on the same local network to see if it was logged

To get logs in JSON format, install jq on your system

Execute the following command to ping another device on the same local network

SNORT3

 Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching" and can be used to detect a variety of attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, semantic URL attacks, and server message block probes. detection.

1.Advance preparation

1.1 Install Required Packages

1.openssl-devel install

 2.Enabling codeready repositories

Check the repository

3.cmake install

1.2 Install Dependent Packages
1.3 LibDAQ install
1.4 Install optional packages

1. Installation of ZMA and UUID

2.Installing Hyperscan

3.Safec Installation

4.Installing Tcmalloc

2. Snort3 Install

Execute configure

Build, compile, and install

Version Check

test run

Network interface settings

Check network interface

The network interface name is ens160

Set the network interface to promiscuous mode. This way, the network device can capture and inspect all network packets.

Confirm settings

Check the offload status of the network interface. If you need to monitor network traffic on an interface, you must disable offloading

Set LRO and GRO offload status to off state

Create systemd service for Snort network interface

systemd daemon applies changes

Check Snort NIC Service Status

Added Snort Community Ruleset

1.Create a folder for Snort rules, download the community ruleset from the Snort website, and place it in the designated rules directory

2.Edit Snort main configuration file

3.Test Snort's main configuration changes

Adding custom rules

1.Create a file in the Snort rules directory

2.Edit Snort main configuration file
Edit Snort main configuration file to include custom rules file directory in main configuration

3.Test Snort's main configuration changes

Install OpenAppID extension

Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level

1.OpenAppID Extension Download and Deployment

2.Copy the extracted folder (odp) to the following directory

3.Edit the Snort main configuration file to define the location of the OpenAppID folder

4.Test Snort's main configuration changes

Verify that all configurations are set up correctly

Send a ping command from a remote computer to the IP address of the server. This will cause an alert log to appear in the console window of the host server

Configure Snort systemd service

1.Creating Users for the Snort Service

2.Create log folder and set permissions
Create directory folder for Snort logs and set folder permissions

3.Create Systemd service file

Reload and activate the Snort service.

Launched Snort service

Check Status