Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

OracleLinux8.8 ; SNORT3 , Tripwire , Chkrootkit

SNORT3 Install

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

1.Advance preparation

①Add the CodeReady Red Hat repository and install the required software

Install required build tools and libraries

DAQ install
Create a working directory and move to that directory to proceed

③Tcmalloc install

2. Download, compile, and install Snort3

Please change to the latest version.

Update shared libraries

Check version

3. Network Interface Card Configuration

Put the interface on which Snort is listening for network traffic into promiscuous mode so that it can see all network traffic sent to Snort.


Disabling Interface Offloading
First check if this feature is enabled

Disable GRO,LRO

Create and enable systemd service unit to ensure that changes persist after system reboot and reflect changes

Reload configuration to start and enable services at startup

4.Use of Community Rules

Create Snort Rules directory

➁Download Snort 3 Community Rules from the Snort 3 Download Page
Extract the rules and copy them to the configuration folder

Check inside the configuration folder

5. Edit Main Configuration File

OpenAppID install
Download and install Snort OpenAppID from the Snort 3 download page
Please change to the latest version.

Edit the snort 3 configuration file to define the location of the OpenAppID library

Snorts log directory creation

Check configuration files

OK if the check results in the following

6. Create custom local rules

7. Verification of settings

Use parameter -T to test configuration and enable test mode

Next, run the test by executing the following command

When pinging this server from another PC in the same local network, an alert line is written on the console screen of this server as shown below.

Settings for writing to log files

Perform syntax check

Now, instead of the -A alert_fast option, add the option -l /var/log/snort to specify the log directory

When I pinged the server again from another PC in the same network, this time nothing appeared on the console screen, but
Checking the log directory, an alert_fast.txt file has been created

To check the alert_fast.txt file

Include local rules in snort.lua

8. Create user for Snort

Create a non-login system user account for Snort

9. Create systemd service unit for Snort

Reload systemd configuration

Set ownership and permissions for log files

Enable Snort to start and run at system startup

status check

Tripwire Install

1.Download and installation

2.Passphrase setting

Set site passphrase and local passphrase

3.Tripwire Configuration

Configuration File Edit

Create a Tripwire configuration file (cryptographically signed version)

③Delete Tripwire configuration file (text version)

Policy File Settings

Contents of

Policy File Optimizations

⑥Create policy file (cryptographically signed version) based on optimized policy file

Create database and check operation

Create test files

Delete test files

Tripwire Scheduled Scripts

Contents of

Tripwire Autorun Script Execution Settings

Reference: Script for reporting results by e-mail

Execute the following command to confirm that the mail has been received

Chkrootkit Install

chkrootkit Download and installation

Create /root/bin directory and move chkrootkit command to that directory

Check chkrootkit.

If nothing is displayed, no problem.
If you see "Searching for Linux.Xor.DDoS … INFECTED: Possible Malicious Linux.Xor.DDoS installed".
is displayed, there is an executable file under /tmp and it is probably a false positive.
Disable executables under /tmp or delete them if they are not problematic

④Create chkrootkit periodic execution script and change permissions

Create chkrootkit execution script in a directory where it is automatically executed daily

Scheduled Script Contents

Add execution permission to chkrootkit execution script

Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command

Run chkrootkit on the copied command

If nothing is displayed, no problem.

⑧Compresses backed up commands

⑨Send chkrootkit use command (compressed version) to root by e-mail

⑩Download and save chkrootkit_cmd.tar.gz file to Windows

⑪Delete commands on the backed up server

Copied title and URL