Rocky Linux8.6 : SNORT ,Tripwire ,Chkrootkit

Install SNORT

1.advance preparation

①Add the CodeReady Red Hat repository and install the required software

②Install DAQ

③Install Lua

④Create fake release files

2. Download, compile, and install Snort

Delete fake release files

3.Create groups and users, necessary directories and files

Setup configuration files... Copy all files to the configuration directory.

4.Use of Community Rules

①Get Community Rules

②Extract rules and copy to configuration folder

There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.

5. Retrieving Registered User Rules

Once registered on the Snort website, you can use your Oink code to download registered user rules; the Oink code is located in your Snort user account details.
Replace oinkcode with your personal code in the following command

Once download is complete, extract rules to the configuration directory

6. Network and Rule Configuration

7. Verification of settings

Use parameter -T to test configuration and enable test mode

If an error occurs, copy the corresponding file to /etc/snort/rules
In our case, the error occurred in the following file

If you get a unicode.map error

Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
decompress_swf { deflate lzma } \  Comment.
# decompress_swf { deflate lzma } \

8. Configuration Testing

①To test if Snort is logging alerts, add custom detection rule alerts for incoming ICMP connections to the local.rules file.

②Start Snort at the console and output an alert to stdout. The correct network interface (e.g. eth0) must be selected

9. Running Snort in the background

①Create a startup script for Snort

②After defining the service, reload and run the systemctl daemon

Install Tripwire

1.Download and installation

2.Set passphrase

Set site passphrase and local passphrase

3.Tripwire Configuration

①Configuration File Editing

②Create a Tripwire configuration file (cryptographically signed version)

③Delete Tripwire configuration file (text version)

④Policy File Settings

twpolmake.plの内容

⑤policy file optimization

⑥Create policy file (cryptographically signed version) based on optimized policy file
⑦Create database and check operation
⑧Tripwire Scheduled Scripts
Contents of ripwire.sh
⑨Tripwire Autorun Script Execution Settings

Reference: Script for reporting results by e-mail

Install Chkrootkit

①Download and install chkrootkit

➁Create /root/bin directory and move chkrootkit command to that directory
➂Check chkrootkit.
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
If the above appears
It seems that you are just raising a file with execute permissions in /tmp, so I'll consider it a false positive.
For now, in our case, we have made the following files unexecutable
④Create chkrootkit periodic execution script and change permissions
Scheduled Script Contents
⑥Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command
⑦Run chkrootkit on the copied command
⑧Compresses backed up commands
⑨Send chkrootkit use command (compressed version) to root by e-mail
⑩Download and save chkrootkit_cmd.tar.gz file to Windows
⑪Delete commands on the backed up server
 

タイトルとURLをコピーしました