SNORT3 Install
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.
1.Advance preparation
①Add the CodeReady Red Hat repository and install the required software
1 2 3 4 |
# dnf config-manager --set-enabled ol8_codeready_builder # dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm # dnf config-manager --set-enabled epel # dnf upgrade |
Install required build tools and libraries
1 2 3 4 5 |
# dnf -y install bison flex libtool nghttp2 libnghttp2-devel \ libpcap-devel pcre-devel openssl-devel libdnet-devel \ libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \ luajit-devel xz-devel libnfnetlink-devel libmnl-devel \ libnetfilter_queue-devel uuid-devel libsafec-devel |
②DAQ install
Create a working directory and move to that directory to proceed
1 2 3 4 5 6 7 |
# mkdir snort-source && cd snort-source # git clone https://github.com/snort3/libdaq.git # cd libdaq # ./bootstrap # ./configure # make # make install |
③Tcmalloc install
1 2 3 4 5 6 7 |
# cd ../ # wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz # tar xzf gperftools-2.9.1.tar.gz # cd gperftools-2.9.1/ # ./configure # make # make install |
2. Download, compile, and install Snort3
Please change to the latest version.
1 2 3 4 5 6 7 8 9 |
# cd ../ # wget https://github.com/snort3/snort3/archive/refs/tags/3.1.28.0.tar.gz # tar xzf 3.1.28.0.tar.gz # cd snort3-3.1.28.0 # ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc # cd build # export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig # make # make install |
Update shared libraries
1 2 3 |
# ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ # ln -s /usr/local/lib/libdaq.so.3 /lib/ # ldconfig |
Check version
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.1.28.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.12 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 1.1.1k FIPS 25 Mar 2021 Using libpcap version 1.9.1 (with TPACKET_V3) Using PCRE version 8.42 2018-03-20 Using ZLIB version 1.2.11 Using LZMA version 5.2.4 |
3. Network Interface Card Configuration
Put the interface on which Snort is listening for network traffic into promiscuous mode so that it can see all network traffic sent to Snort.
1 |
# ip link set dev ens160 promisc on |
verification
1 2 3 4 5 6 |
# ip add sh ens160 2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:0c:29:02:01:27 brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever |
Disabling Interface Offloading
First check if this feature is enabled
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: on large-receive-offload: on |
Disable GRO,LRO
1 |
# ethtool -K ens160 gro off lro off |
Create and enable systemd service unit to ensure that changes persist after system reboot and reflect changes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# vi /etc/systemd/system/snort3-nic.service Describe the following [Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens160 promisc on ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
Reload configuration to start and enable services at startup
1 2 |
# systemctl daemon-reload # systemctl enable --now snort3-nic.service |
4.Use of Community Rules
①Create Snort Rules directory
1 |
# mkdir /usr/local/etc/rules |
➁Download Snort 3 Community Rules from the Snort 3 Download Page
Extract the rules and copy them to the configuration folder
1 2 |
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz \ | tar xz -C /usr/local/etc/rules/ |
Check inside the configuration folder
1 2 3 4 5 6 |
# ls -1 /usr/local/etc/rules/snort3-community-rules/ AUTHORS LICENSE sid-msg.map snort3-community.rules VRT-License.txt |
5. Edit Main Configuration File
1 |
# vi /usr/local/etc/snort/snort.lua |
1 2 3 4 5 6 7 8 9 10 11 |
Line 24: Change to own server IP address HOME_NET = '192.168.11.83/24' Line 28 : change EXTERNAL_NET = '!$HOME_NET' Per Line186 : Update rule paths in the ips section variables = default_variables, rules = [[ include $RULE_PATH/snort3-community-rules/snort3-community.rules ]] |
OpenAppID install
Download and install Snort OpenAppID from the Snort 3 download page
Please change to the latest version.
1 2 3 |
# wget https://www.snort.org/downloads/openappid/33380 # tar -xzvf 33380 # cp -R odp /usr/local/lib/ |
Edit the snort 3 configuration file to define the location of the OpenAppID library
1 2 3 4 5 6 7 8 9 10 |
# vi /usr/local/etc/snort/snort.lua Per Line 98 : Add to appid section appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' app_detector_dir = '/usr/local/lib', log_stats = true, } |
Snorts log directory creation
1 |
# mkdir /var/log/snort |
Check configuration files
1 |
# snort -T -c /usr/local/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort |
OK if the check results in the following
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 |
-------------------------------------------------- o")~ Snort++ 3.1.28.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: Loading file_magic.lua: Finished file_magic.lua: ssh host_cache pop so_proxy stream_tcp mms smtp gtp_inspect packets dce_http_proxy stream_icmp normalizer ips binder wizard appid file_id stream_udp http2_inspect http_inspect ftp_data search_engine ftp_server port_scan dce_http_server dce_smb dce_tcp netflow iec104 cip telnet ssl sip rpc_decode modbus host_tracker stream_user stream_ip back_orifice trace classifications dnp3 active process ftp_client decode daq alerts stream network references arp_spoof output hosts dns dce_udp imap file_policy s7commplus stream_file Finished /usr/local/etc/snort/snort.lua: Loading ips.rules: Loading ../rules/snort3-community-rules/snort3-community.rules: Finished ../rules/snort3-community-rules/snort3-community.rules: Finished ips.rules: -------------------------------------------------- ips policies rule stats id loaded shared enabled file 0 4021 0 4021 /usr/local/etc/snort/snort.lua -------------------------------------------------- rule counts total rules loaded: 4021 text rules: 4021 option chains: 4021 chain headers: 323 flowbits: 48 flowbits not checked: 23 -------------------------------------------------- port rule counts tcp udp icmp ip any 473 58 147 22 src 177 17 0 0 dst 778 153 0 0 both 6 11 0 0 total 1434 239 147 22 -------------------------------------------------- service rule counts to-srv to-cli dcerpc: 7 4 dhcp: 2 2 dns: 28 7 ftp: 90 4 ftp-data: 1 97 http: 2082 256 http2: 2082 256 imap: 35 118 irc: 5 2 kerberos: 5 0 ldap: 0 1 mysql: 3 0 netbios-dgm: 1 1 netbios-ns: 4 3 netbios-ssn: 69 17 nntp: 2 0 pop3: 23 118 rdp: 5 0 sip: 5 5 smtp: 130 2 snmp: 18 7 ssdp: 3 0 ssl: 20 42 sunrpc: 68 4 telnet: 12 6 tftp: 1 0 wins: 1 0 total: 4702 952 -------------------------------------------------- fast pattern groups src: 59 dst: 158 any: 4 to_server: 47 to_client: 34 -------------------------------------------------- search engine fast pattern only: 4971 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
6. Create custom local rules
1 2 3 |
# vi /usr/local/etc/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;) |
7. Verification of settings
Use parameter -T to test configuration and enable test mode
1 |
# snort -T -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort |
Next, run the test by executing the following command
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort -A alert_fast -s 65535 -k none |
When pinging this server from another PC in the same local network, an alert line is written on the console screen of this server as shown below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
++ [0] ens160 08/19-10:53:10.149326 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:10.149343 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:10.149467 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:53:11.159190 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:11.159224 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:11.159264 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:53:11.159371 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:53:12.167132 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:12.167150 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:12.167197 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:53:12.167278 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:53:13.177170 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:13.177220 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:53:13.177260 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:53:13.177405 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 |
Settings for writing to log files
1 2 3 4 5 6 7 8 |
# vi /usr/local/etc/snort/snort.lua Per Line258-- Add the following to the configure outputs section alert_fast = { file = true, packet = false, limit = 10, } |
Perform syntax check
1 |
# snort -c /usr/local/etc/snort/snort.lua --daq-dir /usr/local/lib/daq |
Now, instead of the -A alert_fast option, add the option -l /var/log/snort to specify the log directory
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -s 65535 -k none -l /var/log/snort/ |
When I pinged the server again from another PC in the same network, this time nothing appeared on the console screen, but
Checking the log directory, an alert_fast.txt file has been created
To check the alert_fast.txt file
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/snort/alert_fast.txt 08/19-10:58:51.281913 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:58:51.281994 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:58:52.293533 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:58:52.293553 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:58:52.293596 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:58:52.293690 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:58:53.308536 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:58:53.308557 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 08/19-10:58:53.308597 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 08/19-10:58:53.308676 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 |
Include local rules in snort.lua
1 2 3 4 5 6 7 |
# vi /usr/local/etc/snort/snort.lua Per Line 198 : Add in ips section rules = [[ include $RULE_PATH/snort3-community-rules/snort3-community.rules include $RULE_PATH/local.rules ]] |
8. Create user for Snort
Create a non-login system user account for Snort
1 |
# useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort |
9. Create systemd service unit for Snort
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# vi /etc/systemd/system/snort3.service Describe the following [Unit] Description=Snort Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target |
Reload systemd configuration
1 |
# systemctl daemon-reload |
Set ownership and permissions for log files
1 2 |
# chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
Enable Snort to start and run at system startup
1 2 |
# systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. |
status check
1 2 3 4 5 6 7 8 9 10 11 |
# systemctl status snort3 ● snort3.service - Snort Daemon Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2023-08-19 11:18:11 JST; 1min 31s ago Main PID: 136931 (snort) Tasks: 2 (limit: 22884) Memory: 270.4M CGroup: /system.slice/snort3.service mq136931 /usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /usr/local/etc/snort/snort.lua -s 65535 -k none> Aug 19 11:18:11 Lepard systemd[1]: Started Snort Daemon. |
Tripwire Install
1.Download and installation
1 2 3 |
# cd /usr/local/src # wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm # rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm |
2.Passphrase setting
Set site passphrase and local passphrase
1 |
# tripwire-setup-keyfiles |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase" Verify the site keyfile passphrase: ←Enter "Site Passphrase" again Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "Local Passphrase" Verify the local keyfile passphrase: ←Enter "Local Passphrase" again Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~abbreviation~ default values from the current configuration file are used. |
3.Tripwire Configuration
①Configuration File Edit
1 2 3 4 5 6 7 8 9 10 |
# vi /etc/tripwire/twcfg.txt Per line 9 Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it. Per line 12 Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it. Level 4 provides the most detailed report of the 5 levels from "0" to "4". #REPORTLEVEL =3 REPORTLEVEL =4 |
②Create a Tripwire configuration file (cryptographically signed version)
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter site passphrase Wrote configuration file: /etc/tripwire/tw.cfg |
③Delete Tripwire configuration file (text version)
1 |
# rm -f /etc/tripwire/twcfg.txt |
④Policy File Settings
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
Contents of twpolmake.pl
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/perl # Tripwire Policy File customize tool # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤Policy File Optimizations
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑥Create policy file (cryptographically signed version) based on optimized policy file
1 2 3 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter site passphrase Wrote policy file: /etc/tripwire/tw.pol |
⑦Create database and check operation
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter local passphrase |
Create test files
1 |
# echo test > /root/test.txt |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
Check Tripwire operation # tripwire -m c -s -c /etc/tripwire/tw.cfg OK if it appears as follows Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Sat 12 Aug 2023 02:43:38 PM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg --omission-- ------------------------------------------------------------------------------- Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
Delete test files
1 |
# rm -f /root/test.txt |
⑧Tripwire Scheduled Scripts
1 2 |
# cd /var/www/system # vi tripwire.sh |
Contents of tripwire.sh
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS= ←local passphrase SITEPASS= ←site passphrase cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Policy File Modernization twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database modernization rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
⑨Tripwire Autorun Script Execution Settings
1 |
# chmod 700 tripwire.sh |
1 2 3 |
Add to cron # crontab -e 0 3 * * * /var/www/system/tripwire.sh |
Reference: Script for reporting results by e-mail
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS=xxxxx # local passphrase SITEPASS=xxxxx # site passphrase # Designation of e-mail address to be notified MAIL="<your mailaddress> " cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # Policy File Modernization twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database modernization rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
Execute the following command to confirm that the mail has been received
1 |
# /var/www/system/tripwire.sh |
Chkrootkit Install
①chkrootkit Download and installation
1 2 3 |
# cd /usr/local/src # wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz # tar xvf chkrootkit-0.55.tar.gz |
➁Create /root/bin directory and move chkrootkit command to that directory
1 2 |
# mkdir -p /root/bin # mv chkrootkit-0.55/chkrootkit /root/bin |
➂Check chkrootkit.
1 |
# chkrootkit | grep INFECTED |
If nothing is displayed, no problem.
If you see "Searching for Linux.Xor.DDoS … INFECTED: Possible Malicious Linux.Xor.DDoS installed".
is displayed, there is an executable file under /tmp and it is probably a false positive.
Disable executables under /tmp or delete them if they are not problematic
④Create chkrootkit periodic execution script and change permissions
Create chkrootkit execution script in a directory where it is automatically executed daily
1 |
# vi /etc/cron.daily/chkrootkit |
Scheduled Script Contents
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#!/bin/bash PATH=/usr/bin:/bin:/root/bin LOG=/tmp/$(basename ${0}) # chkrootkit run chkrootkit > $LOG 2>&1 # log output cat $LOG | logger -t $(basename ${0}) # SMTPS bindshellFalse positive response if [ ! -z "$(grep 465 $LOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $LOG fi # Support for Suckit false positives when updating upstart package if [ ! -z "$(grep Suckit $LOG)" ] && \ [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then sed -i '/Suckit/d' $LOG fi # Send mail to root only when rootkit is detected [ ! -z "$(grep INFECTED $LOG)" ] && \ grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root |
Add execution permission to chkrootkit execution script
1 |
# chmod 700 /etc/cron.daily/chkrootkit |
⑥Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# cd /root # mkdir /root/chkrootkit_cmd # cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/ # ls -l /root/chkrootkit_cmd/ total 2512 -rwxr-xr-x. 1 root root 685712 Aug 19 12:18 awk -rwxr-xr-x. 1 root root 50784 Aug 19 12:18 cut -rwxr-xr-x. 1 root root 38328 Aug 19 12:18 echo -rwxr-xr-x. 1 root root 28 Aug 19 12:18 egrep -rwxr-xr-x. 1 root root 261712 Aug 19 12:18 find -rwxr-xr-x. 1 root root 46672 Aug 19 12:18 head -rwxr-xr-x. 1 root root 46608 Aug 19 12:18 id -rwxr-xr-x. 1 root root 143328 Aug 19 12:18 ls -rwxr-xr-x. 1 root root 162416 Aug 19 12:18 netstat -rwxr-xr-x. 1 root root 137936 Aug 19 12:18 ps -rwxr-xr-x. 1 root root 118024 Aug 19 12:18 sed -rwxr-xr-x. 1 root root 775648 Aug 19 12:18 ssh -rwxr-xr-x. 1 root root 38368 Aug 19 12:18 strings -rwxr-xr-x. 1 root root 38312 Aug 19 12:18 uname |
⑦Run chkrootkit on the copied command
1 |
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED |
If nothing is displayed, no problem.
⑧Compresses backed up commands
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd chkrootkit_cmd/ chkrootkit_cmd/awk chkrootkit_cmd/cut chkrootkit_cmd/echo chkrootkit_cmd/egrep chkrootkit_cmd/find chkrootkit_cmd/head chkrootkit_cmd/id chkrootkit_cmd/ls chkrootkit_cmd/netstat chkrootkit_cmd/ps chkrootkit_cmd/strings chkrootkit_cmd/sed chkrootkit_cmd/ssh chkrootkit_cmd/uname |
1 2 3 4 5 6 |
# ls -l total 1140 -rw-------. 1 root root 1464 Aug 18 15:00 anaconda-ks.cfg drwxr-xr-x. 2 root root 24 Aug 19 12:16 bin drwxr-xr-x. 2 root root 172 Aug 19 12:18 chkrootkit_cmd -rw-r--r--. 1 root root 1162479 Aug 19 12:19 chkrootkit_cmd.tar.gz |
⑨Send chkrootkit use command (compressed version) to root by e-mail
1 |
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root |
⑩Download and save chkrootkit_cmd.tar.gz file to Windows
⑪Delete commands on the backed up server
1 |
# rm -f chkrootkit_cmd.tar.gz |