Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

OracleLinux8.6 : SNORT2 , Tripwire , Chkrootkit Install

SNORT2 Install

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

1. Advance preparation

①Add the CodeReady Red Hat repository and install the required software

②DAQ install

③Lua install

④Create fake release files

2. Download, compile, and install Snort

Delete fake release files

3.Create group and user, necessary directories and files

Create the following files

Setup configuration files... Copy all files to the configuration directory.

4.Use of Community Rules

①Get Community Rules

②Extract rules and copy to configuration folder

There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.

5. Retrieving Registered User Rules

Once registered on the Snort website, registered user rules can be downloaded using an Oink code.
The Oink code is located in your Snort user account details.
Replace oinkcode in the following command with your personal code

Once download is complete, extract rules to the configuration directory

6. Network and Rule Configuration

7. Verification of settings

Use parameter -T to test configuration and enable test mode

Copy the relevant files to /etc/snort/rules in case of errors
In our case, the error occurred in the following file

If you get unicode.map error

Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
decompress_swf { deflate lzma } \  Comment.
# decompress_swf { deflate lzma } \

8. Configuration Test

①To test if Snort is logging alerts, add a custom detection rule alert for incoming ICMP connections to the local.rules file.

②Start Snort at the console and output an alert to stdout. The correct network interface (e.g. eth0) must be selected

9. Running Snort in the background

①Create a startup script for Snort

②After defining the service, reload and run the systemctl daemon

Tripwire Install

1.Download and installation

2.Passphrase setting

Set site passphrase and local passphrase

3.Tripwire Configuration

①Configuration File Edit

②Create a Tripwire configuration file (cryptographically signed version)

③Delete Tripwire configuration file (text version)

④Policy File Settings

Contents of twpolmake.pl

⑤Policy File Optimizations

⑥Create policy file (cryptographically signed version) based on optimized policy file

⑦Create database and check operation

Create test files

Delete test files

⑧Tripwire Scheduled Scripts

Contents of tripwire.sh

⑨Tripwire Autorun Script Execution Settings

Reference: Script for reporting results by e-mail

Execute the following command to confirm that the mail has been received

Chkrootkit Install

①chkrootkit Download and installation

➁Create /root/bin directory and move chkrootkit command to that directory
➂Check chkrootkit.
If nothing is displayed, no problem.
If you see "Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed".
is displayed, there is an executable file under /tmp and it is probably a false positive.
In our case we have the following file, which we have disabled from being executed as follows
④Create chkrootkit periodic execution script and change permissions

Create chkrootkit execution script in a directory where it is automatically executed daily

Scheduled Script Contents

Add execution permission to chkrootkit execution script

⑥Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command

⑦Run chkrootkit on the copied command

If nothing is displayed, no problem.

⑧Compresses backed up commands
⑨Send chkrootkit use command (compressed version) to root by e-mail
⑩Download and save chkrootkit_cmd.tar.gz file to Windows
⑪Delete commands on the backed up server
Copied title and URL