Install SNORT
1.advance preparation
①Add the CodeReady Red Hat repository and install the required software
libpcap-devel pcre-devel openssl-devel libdnet-devel \
libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \
luajit-devel xz-devel libnfnetlink-devel libmnl-devel \
libnetfilter_queue-devel uuid-devel libsafec-devel
# cd /var/src
# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar zxvf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install
Fedora release 28 (Rawhide)
EOT
2. Download, compile, and install Snort
# wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz
# tar -zxvf snort-2.9.18.1.tar.gz
# cd snort-2.9.18.1
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
# ln -s /usr/local/bin/snort /usr/sbin/snort
3.Create groups and users, necessary directories and files
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create the following files
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Setup configuration files... Copy all files to the configuration directory.
# cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort
4.Use of Community Rules
①Get Community Rules
# cp ~/community-rules/* /etc/snort/rules
Use the sed command to comment out unnecessary lines.
5. Retrieving Registered User Rules
Replace oinkcode with your personal code in the following command
Once download is complete, extract rules to the configuration directory
6. Network and Rule Configuration
●Line 45
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24 ←adapt to one's environment
●Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
●Line 104-106 : Comment out and add below
# Path to your rules files (this can be a relative path)
# var RULE_PATH ../rules
# var SO_RULE_PATH ../so_rules
# var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
●Per line 116 : Comment out and add below
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
●Per line 525 : add
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
●Per line 550 : To make custom rules readable, local.rules must be uncommented
include $RULE_PATH/local.rules
●If you are using community rules, also add the following line just below the local.rules line, for example
include $RULE_PATH/community.rules
7. Verification of settings
# snort -T -c /etc/snort/rules/snort.conf
MaxRss at the end of detection rules:809420
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.18.1 GRE (Build 1005)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.45 2021-06-15
Using ZLIB version: 1.2.11
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: appid Version 1.1 <Build 5>
Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Total snort Fixed Memory Cost - MaxRss:809420
Snort successfully validated the configuration!
Snort exiting
In our case, the error occurred in the following file
cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules
cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules
cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/
decompress_swf { deflate lzma } \ Comment.
# decompress_swf { deflate lzma } \
8. Configuration Testing
●Add the following line to the last line
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
With Snort up and running, ping from another computer; you will see the following notification for each ICMP call in the terminal where Snort is running
Commencing packet processing (pid=39776)
06/13-10:19:56.262263 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
06/13-10:19:56.262316 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
06/13-10:19:57.267099 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
06/13-10:19:57.267145 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
06/13-10:19:58.272613 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
06/13-10:19:58.272657 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
06/13-10:19:59.277961 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
06/13-10:19:59.278005 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
9. Running Snort in the background
# vi /lib/systemd/system/snort.service
Description=Snort NIDS Daemon
After=syslog.target network.target
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
WantedBy=multi-user.target
②After defining the service, reload and run the systemctl daemon
# systemctl start snort
Install Tripwire
1.Download and installation
# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm
2.Set passphrase
Set site passphrase and local passphrase
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ←Enter any "Site Passphrase"
Verify the site keyfile passphrase: ←Enter "Site Passphrase" again
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ←Enter any "local passphrase
Verify the local keyfile passphrase: ←Enter "Local Passphrase" again
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ←Enter "Site Passphrase"
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ←Enter "Site Passphrase"
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
~中略~
default values from the current configuration file are used.
3.Tripwire Configuration
①Configuration File Editing
●Line 9
Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it
●Line 12
Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it.
#REPORTLEVEL =3
REPORTLEVEL =4
Please enter your site passphrase: ←Enter site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
⑤policy file optimization
Please enter your site passphrase: ←Enter site passphrase
Wrote policy file: /etc/tripwire/tw.pol
Please enter your local passphrase: ←Enter local passphrase
Create test files
# echo test > /root/test.txt
Check Tripwire operation
# tripwire -m c -s -c /etc/tripwire/tw.cfg
Delete test files
# rm -f /root/test.txt
# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# Passphrase setting
LOCALPASS= ←local passphrase
SITEPASS= ←site passphrase
cd /etc/tripwire
# Tripwire check run
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
# Policy File Update
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# Database modernization
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
⑨Tripwire Autorun Script Execution Settings
# chmod 700 tripwire.sh
Add to cron
# crontab -e
0 3 * * * /var/www/system/tripwire.sh
Reference: Script for reporting results by e-mail
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# Passphrase setting
LOCALPASS=xxxxx # local key passphrase
SITEPASS=xxxxx # site key passphrase
#Email Address for Notification
MAIL="<your mailaddress> "
cd /etc/tripwire
# Tripwire check run
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL
# Policy File Update
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# Database modernization
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
Install Chkrootkit
①Download and install chkrootkit
# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz
# mv chkrootkit-0.55/chkrootkit /root/bin
If nothing is displayed, no problem.
If the above appears
It seems that you are just raising a file with execute permissions in /tmp, so I'll consider it a false positive.
For now, in our case, we have made the following files unexecutable
Create chkrootkit execution script in a directory where it is automatically executed daily
# vi /etc/cron.daily/chkrootkit
#!/bin/bash
PATH=/usr/bin:/bin:/root/bin
LOG=/tmp/$(basename ${0})
# Execute chkrootkit
chkrootkit > $LOG 2>&1
# log output
cat $LOG | logger -t $(basename ${0})
# SMTPSのbindshell誤検知対応
if [ ! -z "$(grep 465 $LOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $LOG
fi
if [ ! -z "$(grep Suckit $LOG)" ] && \
[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
sed -i '/Suckit/d' $LOG
fi
# Send mail to root only when rootkit is detected
[ ! -z "$(grep INFECTED $LOG)" ] && \
grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root
# chmod 700 /etc/cron.daily/chkrootkit
Back up these commands.
If necessary, run chkrootkit with the backed up command
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2484
-rwxr-xr-x 1 root root 685712 Jun 13 11:08 awk
-rwxr-xr-x 1 root root 50840 Jun 13 11:08 cut
-rwxr-xr-x 1 root root 38376 Jun 13 11:08 echo
-rwxr-xr-x 1 root root 28 Jun 13 11:08 egrep
-rwxr-xr-x 1 root root 228856 Jun 13 11:08 find
-rwxr-xr-x 1 root root 46736 Jun 13 11:08 head
-rwxr-xr-x 1 root root 46672 Jun 13 11:08 id
-rwxr-xr-x 1 root root 143400 Jun 13 11:08 ls
-rwxr-xr-x 1 root root 162432 Jun 13 11:08 netstat
-rwxr-xr-x 1 root root 138096 Jun 13 11:08 ps
-rwxr-xr-x 1 root root 118024 Jun 13 11:08 sed
-rwxr-xr-x 1 root root 775632 Jun 13 11:08 ssh
-rwxr-xr-x 1 root root 38320 Jun 13 11:08 strings
-rwxr-xr-x 1 root root 38392 Jun 13 11:08 uname
If nothing is displayed, no problem.
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
total 93924
-rw-------. 1 root root 1460 Jun 11 13:35 anaconda-ks.cfg
drwxr-xr-x 2 root root 24 Jun 13 10:52 bin
drwxr-xr-x 2 root root 172 Jun 13 11:08 chkrootkit_cmd
-rw-r--r-- 1 root root 1161551 Jun 13 11:10 chkrootkit_cmd.tar.gz