SNORT2 Install
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.
1. Advance preparation
①Add the CodeReady Red Hat repository and install the required software
1 2 3 4 |
# dnf config-manager --set-enabled ol8_codeready_builder # dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm # dnf config-manager --set-enabled epel # dnf upgrade |
1 2 3 4 5 |
# dnf -y install bison flex libtool nghttp2 libnghttp2-devel \ libpcap-devel pcre-devel openssl-devel libdnet-devel \ libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \ luajit-devel xz-devel libnfnetlink-devel libmnl-devel \ libnetfilter_queue-devel uuid-devel libsafec-devel |
1 2 3 4 5 6 7 8 |
# mkdir /var/src && cd /var/src # wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz # tar zxvf daq-2.0.7.tar.gz # cd daq-2.0.7 # autoreconf -f -i # ./configure # make # make install |
1 2 3 4 5 6 |
# cd /var/src # wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz # tar -zxvf LuaJIT-2.0.5.tar.gz # cd LuaJIT-2.0.5 # make # make install |
1 2 3 |
# /bin/cat << EOT >/etc/fedora-release Fedora release 28 (Rawhide) EOT |
2. Download, compile, and install Snort
1 2 3 4 5 6 7 8 9 |
# cd /var/src # wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz # tar -zxvf snort-2.9.18.1.tar.gz # cd snort-2.9.18.1 # ./configure --enable-sourcefire # make # make install # ldconfig # ln -s /usr/local/bin/snort /usr/sbin/snort |
1 |
# rm /etc/fedora-release |
3.Create group and user, necessary directories and files
1 2 |
# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort |
1 2 3 4 5 6 7 8 9 10 11 12 |
# mkdir /etc/snort # mkdir -p /etc/snort/rules # mkdir /var/log/snort # mkdir /usr/local/lib/snort_dynamicrules # mkdir /etc/snort/preproc_rules # chmod -R 5775 /etc/snort # chmod -R 5775 /var/log/snort # chmod -R 5775 /usr/local/lib/snort_dynamicrules # chown -R snort:snort /etc/snort # chown -R snort:snort /var/log/snort # chown -R snort:snort /usr/local/lib/snort_dynamicrules |
Create the following files
1 2 3 |
# touch /etc/snort/rules/white_list.rules # touch /etc/snort/rules/black_list.rules # touch /etc/snort/rules/local.rules |
Setup configuration files... Copy all files to the configuration directory.
1 2 |
# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort # cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort |
4.Use of Community Rules
①Get Community Rules
1 |
# wget https://www.snort.org/rules/community -O ~/community.tar.gz |
1 2 |
# tar -xvf ~/community.tar.gz -C ~/ # cp ~/community-rules/* /etc/snort/rules |
Use the sed command to comment out unnecessary lines.
1 |
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf |
5. Retrieving Registered User Rules
The Oink code is located in your Snort user account details.
Replace oinkcode in the following command with your personal code
1 |
# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz |
Once download is complete, extract rules to the configuration directory
1 |
# tar -xvf ~/registered.tar.gz -C /etc/snort |
6. Network and Rule Configuration
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# vi /etc/snort/snort.conf ●Line 45. # Setup the network addresses you are protecting ipvar HOME_NET 192.168.11.0/24 ←adapt to one's environment ●Line 48 # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET ●Line 104-106 Comment out and add below # Path to your rules files (this can be a relative path) # var RULE_PATH ../rules # var SO_RULE_PATH ../so_rules # var PREPROC_RULE_PATH ../preproc_rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules ●Per line 116. Comment out and add below # Set the absolute path appropriately #var WHITE_LIST_PATH ../rules #var BLACK_LIST_PATH ../rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ●Per line 525. Add # unified2 # Recommended for most installs output unified2: filename snort.log, limit 128 ●Line 550 To make custom rules readable, local.rules must be uncommented include $RULE_PATH/local.rules ●If you are using community rules, also add the following line just below the local.rules line, for example include $RULE_PATH/community.rules |
7. Verification of settings
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
# snort -T -c /etc/snort/rules/snort.conf MaxRss at the end of detection rules:809420 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.18.1 GRE (Build 1005) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.9.1 (with TPACKET_V3) Using PCRE version: 8.45 2021-06-15 Using ZLIB version: 1.2.11 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1> Preprocessor Object: SF_DNS Version 1.1 <Build 4> Preprocessor Object: appid Version 1.1 <Build 5> Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> Preprocessor Object: SF_POP Version 1.0 <Build 1> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> Total snort Fixed Memory Cost - MaxRss:809420 Snort successfully validated the configuration! Snort exiting |
In our case, the error occurred in the following file
1 2 3 4 |
# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules # cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules # cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules # cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/ |
1 |
# cp /usr/local/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules |
decompress_swf { deflate lzma } \ Comment.
# decompress_swf { deflate lzma } \
8. Configuration Test
1 2 3 |
# vi /etc/snort/rules/local.rules ●Add the following line to the last line alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) |
1 2 3 4 5 6 7 8 9 10 11 12 |
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf With Snort up and running, ping from another computer; you will see the following notification for each ICMP call in the terminal where Snort is running Commencing packet processing (pid=72802) 07/13-19:12:13.146987 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83 07/13-19:12:13.147033 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20 07/13-19:12:14.163690 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83 07/13-19:12:14.163776 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20 07/13-19:12:15.174863 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83 07/13-19:12:15.174948 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20 07/13-19:12:16.184889 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83 07/13-19:12:16.184922 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20 |
9. Running Snort in the background
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# vi /lib/systemd/system/snort.service [Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 [Install] WantedBy=multi-user.target |
②After defining the service, reload and run the systemctl daemon
1 2 |
# systemctl daemon-reload # systemctl start snort |
Tripwire Install
1.Download and installation
1 2 3 |
# cd /usr/local/src # wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm # rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm |
2.Passphrase setting
Set site passphrase and local passphrase
1 |
# tripwire-setup-keyfiles |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase" Verify the site keyfile passphrase: ←Enter "Site Passphrase" again Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "Local Passphrase" Verify the local keyfile passphrase: ←Enter "Local Passphrase" again Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~abbreviation~ default values from the current configuration file are used. |
3.Tripwire Configuration
①Configuration File Edit
1 2 3 4 5 6 7 8 |
# vi /etc/tripwire/twcfg.txt ●Per line 9 Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it. ●Per line 12 Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it. Level 4 provides the most detailed report of the 5 levels from "0" to "4".。 #REPORTLEVEL =3 REPORTLEVEL =4 |
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter site passphrase Wrote configuration file: /etc/tripwire/tw.cfg |
1 |
# rm -f /etc/tripwire/twcfg.txt |
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/perl # Tripwire Policy File customize tool # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤Policy File Optimizations
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
1 2 3 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter site passphrase Wrote policy file: /etc/tripwire/tw.pol |
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter local passphrase |
Create test files
1 |
# echo test > /root/test.txt |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
Check Tripwire operation # tripwire -m c -s -c /etc/tripwire/tw.cfg OK if it appears as follows Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Sat 03 Sep 2022 10:37:48 AM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg <abbreviation> Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
Delete test files
1 |
# rm -f /root/test.txt |
1 2 |
# cd /var/www/system # vi tripwire.sh |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS= ←local passphrase SITEPASS= ←site passphrase cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Policy File Modernization twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database modernization rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
⑨Tripwire Autorun Script Execution Settings
1 |
# chmod 700 tripwire.sh |
1 2 3 |
Add to cron # crontab -e 0 3 * * * /var/www/system/tripwire.sh |
Reference: Script for reporting results by e-mail
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS=xxxxx # local passphrase SITEPASS=xxxxx # site passphrase #Designation of e-mail address to be notified MAIL="<your mailaddress> " cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # Policy File Modernization twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database modernization rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
Execute the following command to confirm that the mail has been received
1 |
# /var/www/system/tripwire.sh |
Chkrootkit Install
①chkrootkit Download and installation
1 2 3 |
# cd /usr/local/src # wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz # tar xvf chkrootkit-0.55.tar.gz |
1 2 |
# mkdir -p /root/bin # mv chkrootkit-0.55/chkrootkit /root/bin |
1 |
# chkrootkit | grep INFECTED |
If you see "Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed".
is displayed, there is an executable file under /tmp and it is probably a false positive.
In our case we have the following file, which we have disabled from being executed as follows
1 2 |
# chmod -x /tmp/ks-script-3kcozcnc # chmod -x /tmp/ks-script-nv0jg8gy |
Create chkrootkit execution script in a directory where it is automatically executed daily
1 |
# vi /etc/cron.daily/chkrootkit |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#!/bin/bash PATH=/usr/bin:/bin:/root/bin LOG=/tmp/$(basename ${0}) # chkrootkit run chkrootkit > $LOG 2>&1 # log output cat $LOG | logger -t $(basename ${0}) # SMTPS bindshellFalse positive response if [ ! -z "$(grep 465 $LOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $LOG fi # Support for Suckit false positives when updating upstart package if [ ! -z "$(grep Suckit $LOG)" ] && \ [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then sed -i '/Suckit/d' $LOG fi # Send mail to root only when rootkit is detected [ ! -z "$(grep INFECTED $LOG)" ] && \ grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root |
Add execution permission to chkrootkit execution script
1 |
# chmod 700 /etc/cron.daily/chkrootkit |
Back up these commands.
If necessary, run chkrootkit with the backed up command
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# cd /root # mkdir /root/chkrootkit_cmd # cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/ # ls -l /root/chkrootkit_cmd/ total 2512 -rwxr-xr-x 1 root root 685712 Sep 3 16:21 awk -rwxr-xr-x 1 root root 50696 Sep 3 16:21 cut -rwxr-xr-x 1 root root 38208 Sep 3 16:21 echo -rwxr-xr-x 1 root root 28 Sep 3 16:21 egrep -rwxr-xr-x 1 root root 261712 Sep 3 16:21 find -rwxr-xr-x 1 root root 46568 Sep 3 16:21 head -rwxr-xr-x 1 root root 46512 Sep 3 16:21 id -rwxr-xr-x 1 root root 143224 Sep 3 16:21 ls -rwxr-xr-x 1 root root 162416 Sep 3 16:21 netstat -rwxr-xr-x 1 root root 137832 Sep 3 16:21 ps -rwxr-xr-x 1 root root 118024 Sep 3 16:21 sed -rwxr-xr-x 1 root root 775680 Sep 3 16:21 ssh -rwxr-xr-x 1 root root 38320 Sep 3 16:21 strings -rwxr-xr-x 1 root root 38208 Sep 3 16:21 uname |
1 |
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED |
If nothing is displayed, no problem.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd chkrootkit_cmd/ chkrootkit_cmd/awk chkrootkit_cmd/cut chkrootkit_cmd/echo chkrootkit_cmd/egrep chkrootkit_cmd/find chkrootkit_cmd/head chkrootkit_cmd/id chkrootkit_cmd/ls chkrootkit_cmd/netstat chkrootkit_cmd/ps chkrootkit_cmd/strings chkrootkit_cmd/sed chkrootkit_cmd/ssh chkrootkit_cmd/uname |
1 2 3 4 5 |
# ls -l total 97188 drwxr-xr-x 2 root root 24 Sep 3 16:07 bin drwxr-xr-x 2 root root 172 Sep 3 16:21 chkrootkit_cmd -rw-r--r-- 1 root root 1162184 Sep 3 16:23 chkrootkit_cmd.tar.gz |
1 |
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root |
1 |
# rm -f chkrootkit_cmd.tar.gz |