Contents
- 1.Tripwire Installation
- 1.1 Download and install
- 1-2. Initialization
- 1-3. Configuring Tripwire
- 1-4. Create a Tripwire configuration file (cryptographically signed version)
- 1-5. Policy file settings
- 1-6. Policy file optimization
- 1-7. Create policy file (cryptographically signed version)
- 1-8. Create a database
- 1-9. Tripwire Periodic Execution Script
- 2.chkrootkit installation
- 3.SNORT Installation
- 3.1 Install the required libraries.
- 3.2 Install DAQ
- 3.3 Install Snort OpenAppID
- 3.4 Install a temporary release file to use the RPC library
- 3.5 Download and install SNORT.
- 3.6 Remove the temporary release file installed in 3.3.
- 3.7 SNORT user and group creation
- 3.8 Create SNORT directory and rule files
- 3.9 PulledPork rule management policy
- 3.10 Build the PulledPork configuration file.
- 3.11 Create a PulledPork disabled rule file
- 3.12 Run the PulledPork script.
- 3.13 Build the Snort threshold file
- 3.14 Build the local rule file
- 3.15 Build the capture filter file.
- 3.16 Build the ipvar include file
- 3.17 Snort configuration file editing
- 3.18 Creating the Snort Service
- 3.19 Create a Snort log rotation configuration file
- 3.20 Create a Snort rule update script
- 3.21 Periodic execution of Snort rule update script
1.Tripwire Installation
1.1 Download and install
# cd /usr/local/src
src]# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm
If rpm -Uvh stops on an unresolved compat-openssl10 dependency, install that package from the AlmaLinux AppStream repository and run rpm -Uvh again:
src]# wget https://repo.almalinux.org/almalinux/8/AppStream/x86_64/os/Packages/compat-openssl10-1.0.2o-3.el8.x86_64.rpm
src]# yum install compat-openssl10-1.0.2o-3.el8.x86_64.rpm
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm
1-2. Initialization
# cd /usr/local/src
src]# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety
of files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain
both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ←Enter any site passphrase.
Verify the site keyfile passphrase: ←Enter the same site passphrase again.
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ←Enter any local passphrase.
Verify the local keyfile passphrase: ←Enter the same local passphrase again.
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ←Enter the site passphrase.
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ←Enter the site passphrase.
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
(remaining output omitted; the default values from the current configuration file are used)
1-3. Configuring Tripwire
# vi /etc/tripwire/twcfg.txt
■Line 9: add "#" at the beginning of the line and add "LOOSEDIRECTORYCHECKING =true" on the line below it.
■Line 13: add "#" at the beginning of the line and add "REPORTLEVEL =4" on the line below it.
  Level 4 is the most detailed of the five report levels, "0" through "4".
#REPORTLEVEL =3
REPORTLEVEL =4
1-4. Create a Tripwire configuration file (cryptographically signed version)
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←Enter the site passphrase you set.
Wrote configuration file: /etc/tripwire/tw.cfg
1-5. Policy file settings
# cd /etc/tripwire/
tripwire]# vi twpolmake.pl ←Create a new policy customization script with the following contents
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
# Reads the clear-text policy, fixes up HOSTNAME to match this host,
# and comments out every rule entry whose path does not exist here
# (so the first integrity check is not flooded with "file missing").
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($ret) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME variable if it differs from `hostname`
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # Track whether we are inside a rule block ({ ... })
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: "<optional #> /path -> condition"
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # Path missing or empty on this host: keep (or add) the comment marker
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
1-6. Policy file optimization
tripwire]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
1-7. Create policy file (cryptographically signed version)
tripwire]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←Enter your site passphrase
Wrote policy file: /etc/tripwire/tw.pol
Remove the clear-text policy files once the signed tw.pol has been written:
tripwire]# rm -f /etc/tripwire/twpol.txt*
1-8. Create a database
tripwire]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←Enter your local passphrase
(The policy is read from the signed tw.pol referenced by tw.cfg; the clear-text twpol.txt.new removed in 1-7 is not needed here.)
1-9. Tripwire Periodic Execution Script
①Create a Tripwire autorun script (tripwire.sh)
tripwire]# vi tripwire.sh
#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Set passphrases (stored in clear text here, hence the chmod 700 below)
LOCALPASS=xxxxxxxx     # local passphrase
SITEPASS=xxxxxxxxx     # site passphrase

cd /etc/tripwire

# Run a Tripwire check and mail the report to root
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root

# Update the policy file (comment out entries whose paths no longer exist)
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Rebuild the database against the updated policy
# (the RPM layout keeps the database under /var/lib/tripwire)
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
tripwire]# chmod 700 tripwire.sh
➁Add Tripwire to cron to be run periodically
# crontab -e
0 3 * * * /etc/tripwire/tripwire.sh
If running /etc/tripwire/tripwire.sh reports that the mail command is not found, install mailx and start postfix:
# yum install mailx
# systemctl start postfix
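The cron job above mails the whole report every night, so a real violation is easy to miss among routine mails. The following is an added example (it is not part of the original post) showing how to parse a Tripwire check report and decide whether it needs attention: it relies only on the "Total violations found:" summary line and on the "*"-marked rows of the rule summary that `tripwire -m c` prints. The report text embedded below is constructed for the example; the functions tw_violations, tw_violated_rules and tw_needs_attention are names chosen here, and in production the sample writer is replaced by the real check.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Parse a Tripwire integrity check report and report only real violations.
# The report below is CONSTRUCTED; only the "Total violations found:" line
# and the "*"-marked rule rows are relied on by the parsing functions.

# Write a constructed stand-in for `tripwire -m c -s -c tw.cfg` output.
write_sample_report() {
    cat > "$1" <<'EOF'
Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Mon Jan  1 03:00:00 2024
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Root config files               100               0        0        1
  System boot changes             100               0        0        0
* Tripwire Binaries               100               1        0        0

Total objects scanned:  15432
Total violations found:  2
EOF
}

# Print the violation count from a report file (0 if the summary line is absent).
tw_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    echo "${n:-0}"
}

# Print the names of rules that had violations (rows starting with "*"),
# one per line, with the severity and Added/Removed/Modified columns stripped.
tw_violated_rules() {
    sed -n 's/^\*[[:space:]]*\(.*[^[:space:]]\)[[:space:]]\{2,\}[0-9][0-9]*[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]]*$/\1/p' "$1"
}

# Exit status 0 when at least one violation is present, 1 when the report is clean.
tw_needs_attention() {
    [ "$(tw_violations "$1")" -gt 0 ]
}

# Stand-alone demonstration. In tripwire.sh the sample writer would be
# replaced by:  tripwire -m c -s -c tw.cfg > "$REPORT"
demo() {
    REPORT=$(mktemp)
    write_sample_report "$REPORT"
    if tw_needs_attention "$REPORT"; then
        printf 'Tripwire: %s violation(s) in rules:\n' "$(tw_violations "$REPORT")"
        tw_violated_rules "$REPORT" | sed 's/^/  /'
        # in production:  mail -s "Tripwire report in $(hostname)" root < "$REPORT"
    else
        echo "Tripwire: no violations"
    fi
    rm -f "$REPORT"
}
demo
```

With this in place the cron job can keep the full report on disk (tripwire already writes it to the REPORTFILE path in twcfg.txt) and send mail only when tw_needs_attention succeeds, which makes an unexpected mail a signal rather than noise.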
2.chkrootkit installation
2.1 Download and install chkrootkit
# cd /usr/local/src
src]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
src]# tar zxvf chkrootkit.tar.gz
src]# mv chkrootkit-0.50/chkrootkit /root/bin
2.2 Check chkrootkit
src]# chkrootkit | grep INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
This "/sbin/init" hit is a known false positive of the Suckit test and is not a problem.
2.3 Create a chkrootkit script and change its permissions
(Here it is created in /opt, but any location will do.)
opt]# vi chkrootkit.sh
#!/bin/bash

PATH=/usr/bin:/bin:/root/bin

TMPLOG=`mktemp`

# Run chkrootkit
chkrootkit > $TMPLOG

# Log output
cat $TMPLOG | logger -t chkrootkit

# Handling of SMTPS bindshell false positives
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465|grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi

# Suckit false positive seen after updating the upstart package
# (enable if /sbin/init verifies clean against the RPM database)
#if [ ! -z "$(grep Suckit $TMPLOG)" ] && \
#   [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
#    sed -i '/Suckit/d' $TMPLOG
#fi

# Send mail to root only when a rootkit is detected
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
    grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root

rm -f $TMPLOG
opt]# chmod 700 chkrootkit.sh
Set cron to run chkrootkit periodically.
opt]# crontab -e
0 2 * * * /opt/chkrootkit.sh
(The start time can be set as you like.)
3.SNORT Installation
Snort is an open-source network intrusion detection system that performs real-time traffic analysis and packet logging on IP networks.
It performs protocol analysis and content searching/matching, and can detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB (server message block) probes, OS fingerprinting attempts and semantic URL attacks.
3.1 Install the required libraries.
# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
# mkdir /var/src
3.2 Install DAQ
# cd /var/src
src]# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
src]# tar zxvf daq-2.0.7.tar.gz
src]# cd daq-2.0.7
daq-2.0.7]# autoreconf -f -i
daq-2.0.7]# ./configure
daq-2.0.7]# make
daq-2.0.7]# make install
3.3 Install Snort OpenAppID
# cd /var/src
src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
src]# tar -zxvf LuaJIT-2.0.5.tar.gz
src]# cd LuaJIT-2.0.5
LuaJIT-2.0.5]# make
LuaJIT-2.0.5]# make install
3.4 Install a temporary release file to use the RPC library
# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT
3.5 Download and install SNORT.
# cd /var/src
src]# wget https://snort.org/downloads/snort/snort-2.9.18.1.tar.gz
src]# tar -zxvf snort-2.9.18.1.tar.gz
src]# cd snort-2.9.18.1
snort-2.9.18.1]# ./configure --enable-sourcefire
snort-2.9.18.1]# make
snort-2.9.18.1]# make install
3.6 Remove the temporary release file installed in 3.3.
# /bin/rm /etc/fedora-release
3.7 SNORT user and group creation
# groupadd snort
# useradd -g snort -s /sbin/nologin snort
# passwd -l snort
3.8 Create SNORT directory and rule files
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/rules/iplists
# mkdir /etc/snort/pulledpork
# mkdir /var/log/snort
# mkdir /var/log/snort/pcap
# chown -R snort /var/log/snort
# touch /etc/snort/rules/iplists/default.whitelist
# touch /etc/snort/rules/iplists/default.blacklist
# cp /var/src/snort*/etc/* /etc/snort
# ln -s /usr/local/bin/snort /sbin/snort
3.9 PulledPork rule management policy
# yum -y install perl-libwww-perl.noarch perl-Sys-Syslog.x86_64 perl-Archive-Tar.noarch perl-LWP-Protocol-https.noarch
# wget https://raw.githubusercontent.com/shirkdog/pulledpork/master/pulledpork.pl -O /usr/local/bin/pulledpork.pl
# chmod 755 /usr/local/bin/pulledpork.pl
3.10 Build the PulledPork configuration file.
Replace OINKCODE in the first rule_url line with your own Snort oinkcode.
# /bin/cat << EOT >/etc/snort/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/rules/|snortrules-snapshot-29180.tar.gz|OINKCODE
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLOCKLIST|open
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/etc/snort/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-8-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
snort_version=2.9.14.1
disablesid=/etc/snort/pulledpork/disablesid.conf
enablesid=/etc/snort/pulledpork/enablesid.conf
version=0.8.0
EOT
3.11 Create a PulledPork disabled rule file
# /bin/cat << EOT >/etc/snort/pulledpork/disablesid.conf
EOT
(The file is created empty; add gid:sid entries to it later to disable individual rules.)
3.12 Run the PulledPork script.
# /usr/local/bin/pulledpork.pl -W -P -c /etc/snort/pulledpork/pulledpork.conf
3.13 Build the Snort threshold file
# /bin/cat << EOT >>/etc/snort/threshold.conf
#suppress gen_id 119, sig_id 14
EOT
3.14 Build the local rule file
# /bin/cat << EOT >/etc/snort/rules/local.rules
# ------------
# LOCAL RULES
# ------------
#
EOT
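local.rules is created empty above and is merged into snort.rules by PulledPork (local_rules= in pulledpork.conf), so a mistake in it only shows up when Snort refuses to start after the next rule update. The following is an added example, not code from the original page, of a small lint for local rules run before the restart: it flags duplicate SIDs (Snort rejects the rule set) and SIDs below 1000000, the range conventionally reserved for locally written rules so they never collide with SIDs pulled from Snort or Emerging Threats. The rule lines embedded below are constructed for the example (including the deliberate collision), and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Lint /etc/snort/rules/local.rules for SID problems before restarting Snort.
# The rules written below are CONSTRUCTED for this example.

write_sample_local_rules() {
    cat > "$1" <<'EOF'
# ------------
# LOCAL RULES
# ------------
#
# SSH on the non-standard port added to the ssh preprocessor in snort.conf
alert tcp $EXTERNAL_NET any -> $HOME_NET 5224 (msg:"LOCAL SSH connect on 5224"; flags:S; sid:1000001; rev:1;)
# Collides with the first rule's sid (deliberate, so the check has something to catch)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL outbound SMTP"; flags:S; sid:1000001; rev:1;)
# Below the range reserved for local rules
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo"; itype:8; sid:999; rev:1;)
EOF
}

# Print the sid of every active (non-comment) rule line, one per line.
rule_sids() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
      | sed -n 's/.*[[:space:](;]sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# Print SIDs that appear more than once.
duplicate_sids() {
    rule_sids "$1" | sort | uniq -d
}

# Print SIDs below the local range (1000000 unless a second argument overrides it).
low_sids() {
    min=${2:-1000000}
    rule_sids "$1" | awk -v min="$min" '$1 < min'
}

# Exit 0 when the file is clean, 1 otherwise; findings are printed to stdout.
check_local_rules() {
    rc=0
    for s in $(duplicate_sids "$1"); do
        echo "duplicate sid: $s"; rc=1
    done
    for s in $(low_sids "$1"); do
        echo "sid below local range: $s"; rc=1
    done
    return $rc
}

# Stand-alone demonstration on the constructed file; in snort_update.sh the
# check would run against /etc/snort/rules/local.rules before the restart.
demo() {
    f=$(mktemp)
    write_sample_local_rules "$f"
    check_local_rules "$f" || echo "local.rules has problems; fix them before 'systemctl restart snort'"
    rm -f "$f"
}
demo
```

Running the check against the real file and stopping the update script when it fails keeps a bad local rule from taking the sensor offline at the next scheduled PulledPork run.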
3.15 Build the capture filter file.
# /bin/cat << EOT >/etc/snort/filter.bpf
( net 192.168.0.0/24 or net fdaa:0:0:0::/60 )
EOT
3.16 Build the ipvar include file
The here-document is unquoted, so every "$" in the file must be written as "\$" or the shell expands the variable before it reaches the file.
# /bin/cat << EOT >/etc/snort/ipvar.conf
ipvar NETWORK [192.168.0.0/24,fdaa:0:0:0::/60]
#
ipvar REAL_NET [192.168.1.10/32,fdaa:0:0:0::a/128]
#
ipvar HOME_NET [\$REAL_NET]
#
ipvar DARK_NET [!\$HOME_NET]
#
ipvar EXTERNAL_NET [!\$HOME_NET]
#
ipvar DNS_SERVERS \$HOME_NET
ipvar SMTP_SERVERS \$HOME_NET
ipvar HTTP_SERVERS \$HOME_NET
ipvar SQL_SERVERS \$HOME_NET
ipvar TELNET_SERVERS \$HOME_NET
ipvar SSH_SERVERS \$HOME_NET
ipvar FTP_SERVERS \$HOME_NET
ipvar SIP_SERVERS \$HOME_NET
#
ipvar DRK_IGNORE_SRC [10.1.1.1/32]
ipvar DRK_IGNORE_DST [192.168.0.1/32]
#
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
EOT
3.17 Snort configuration file editing
# /bin/sed -i "s/^ipvar/#ipvar/" /etc/snort/snort.conf
# /bin/sed -i '/protecting/i include ipvar.conf' /etc/snort/snort.conf
# /bin/sed -i "s/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/" /etc/snort/snort.conf
# /bin/sed -i "s/SO_RULE_PATH ..\/so_rules/SO_RULE_PATH \/etc\/snort\/so_rules/" /etc/snort/snort.conf
# /bin/sed -i "s/PREPROC_RULE_PATH ..\/preproc_rules/PREPROC_RULE_PATH \/etc\/snort\/preproc_rules/" /etc/snort/snort.conf
# /bin/sed -i "s/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
# /bin/sed -i "s/BLACK_LIST_PATH ..\/rules/BLACK_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
# /bin/sed -i "s/white_list.rules/default.whitelist/" /etc/snort/snort.conf
# /bin/sed -i "s/black_list.rules/default.blacklist/" /etc/snort/snort.conf
# /bin/sed -i "s/^dynamicdetection/#dynamicdetection/" /etc/snort/snort.conf
# /bin/sed -i "s/^preprocessor normalize/#preprocessor normalize/" /etc/snort/snort.conf
# /bin/sed -i "s/^# preprocessor sfportscan/preprocessor sfportscan/" /etc/snort/snort.conf
# /bin/sed -i "s/memcap { 10000000/memcap { 20000000/" /etc/snort/snort.conf
# /bin/sed -i "s/server_ports { 22/server_ports { 22 5224/" /etc/snort/snort.conf
# /bin/sed -i "s/sensitive_data: alert_threshold 25/sensitive_data: alert_threshold 50/" /etc/snort/snort.conf
# /bin/sed -i '/^# syslog/a output alert_fast: \/var\/log\/snort\/alert' /etc/snort/snort.conf
# /bin/sed -i '/^# pcap/a output log_tcpdump: \/var\/log\/snort\/pcap\/snort.pcap' /etc/snort/snort.conf
# /bin/sed -i "s/^include \$RULE_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf
# /bin/sed -i '/site specific rules/a include $RULE_PATH\/snort.rules' /etc/snort/snort.conf
3.18 Creating the Snort Service
# /bin/cat << EOT >/usr/lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -F /etc/snort/filter.bpf -u snort -g snort --pid-path /var/log/snort --no-interface-pidfile --nolock-pidfile
ExecStop=/bin/kill -9 \$MAINPID
PrivateTmp=true
PIDFile=/var/log/snort/snort.pid

[Install]
WantedBy=multi-user.target
EOT
As with ipvar.conf, the here-document is unquoted, so \$MAINPID must be escaped or the shell writes an empty ExecStop argument; systemd directive names are case-sensitive, so the PID file directive is PIDFile.
# systemctl enable --now snort
3.19 Create a Snort log rotation configuration file
# /bin/cat << EOT >/etc/logrotate.d/snort
/var/log/snort/alert {
    weekly
    rotate 13
    missingok
    compress
    sharedscripts
    postrotate
        /bin/systemctl restart snort 1>/dev/null || true
    endscript
}
EOT
3.20 Create a Snort rule update script
# mkdir /script
# /bin/cat <<\EOT >/script/snort_update.sh
#!/bin/bash
#
# snort_update.sh
# Snort signature update script
#
# Command Variables
CONF=/etc/snort/pulledpork/pulledpork.conf
LOGDIR=/var/log/snort
PULL=/usr/local/bin/pulledpork.pl
SYSTEMCTL=/bin/systemctl
#
$PULL -W -P -c $CONF
$SYSTEMCTL restart snort
#
# Cleanup: keep only the 13 newest rotated alert and pcap files
cd $LOGDIR
/bin/ls -t $LOGDIR | /bin/grep "alert\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
cd $LOGDIR/pcap
/bin/ls -t $LOGDIR/pcap | /bin/grep "snort\.pcap\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
#
exit
EOT
# chmod 700 /script/snort_update.sh
3.21 Periodic execution of Snort rule update script
# crontab -l | { cat; echo "0 0 * * 1-5 /script/snort_update.sh >/dev/null 2>&1"; } | crontab -