
RockyLinux 9.1: Suricata, Tripwire, Chkrootkit

Suricata

Suricata IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
Its basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection (IPS mode) as well as detection.

1. Advance preparation

①Activate the EPEL Repository

②System updates

2. Suricata Installation and Configuration

①Suricata install

②Determine interface and IP address where Suricata will inspect network packets

③Edit configuration file

④Suricata rules update

<Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
You will see a warning like the one above; it is harmless and can be ignored, so proceed as you are.

⑤Activate Suricata

⑥Confirm Suricata startup

Check Log

Check the stats.log file for statistics (updated every 8 seconds by default).

A more detailed output, EVE JSON, can be generated with the following command.

3. Suricata Testing

①Run a ping test with the curl utility

②Check the alert log to see if it has been logged

4. Setting Suricata Rules

①Display the rule sets packaged with Suricata

②List the index of sources providing rule sets

③Enable a source (the case where et/open is enabled)

Perform update

Restart Suricata service

5. Creating Suricata Custom Rules

①Create a file containing the custom rules

②Edit configuration file (define new rule paths)

③Testing the configuration file

Restart the Suricata service

④Testing the application of Custom Rules
Ping another device on the same local network and check whether it was logged.

To read the JSON-format logs, install jq on your system.

Execute the following command to ping another device on the same local network.
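The check in ④, as an added example that is not part of the original page: a Python script that reads eve.json line by line (the same records jq displays), keeps only alert events, and reports whether a custom rule fired. The sid 1000001, the rule name "ICMP Ping" and all sample log lines are constructed, and the script tolerates a truncated record at the tail of a log that is still being written.

```python
import json
from collections import Counter
# Constructed sample eve.json lines (not real log data). The hypothetical
# custom rule uses sid 1000001 ("ICMP Ping"); the third line is deliberately
# cut off to mimic a record still being written when the file was read.
SAMPLE_EVE = """\
{"timestamp":"2023-03-01T10:00:00+0900","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"ICMP Ping","category":"","severity":3}}
{"timestamp":"2023-03-01T10:00:01+0900","event_type":"stats","stats":{"uptime":8}}
{"timestamp":"2023-03-01T10:00:02+0900","event_type":"alert","src_ip":"192.168.1.20","dest_ip
{"timestamp":"2023-03-01T10:00:03+0900","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"192.168.1.20","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"ICMP Ping","category":"","severity":3}}
{"timestamp":"2023-03-01T10:00:04+0900","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"192.168.1.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"Hypothetical TCP rule","category":"","severity":3}}
"""

def parse_eve_alerts(text):
    """Return (alert_events, skipped) from EVE JSON text, one record per line.
    Non-alert records are ignored; unparsable lines are counted, not fatal."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts, skipped

def summarize_by_sid(alerts):
    """Group alerts by signature_id: hit count plus (src, dst, proto) flows."""
    summary = {}
    for event in alerts:
        a = event["alert"]
        entry = summary.setdefault(a["signature_id"],
                                   {"signature": a["signature"], "count": 0, "flows": Counter()})
        entry["count"] += 1
        entry["flows"][(event["src_ip"], event["dest_ip"], event["proto"])] += 1
    return summary

def custom_rule_fired(summary, sid):
    """True if at least one alert carries the given custom rule sid."""
    return summary.get(sid, {}).get("count", 0) > 0

if __name__ == "__main__":
    alerts, skipped = parse_eve_alerts(SAMPLE_EVE)
    for sid, entry in sorted(summarize_by_sid(alerts).items()):
        print(sid, entry["signature"], entry["count"], dict(entry["flows"]))
    print("skipped malformed lines:", skipped)
```

To run it against a live system, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json (read with root privileges).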

Tripwire

1. Download and installation

2. Passphrase setting

Set the site passphrase and the local passphrase

3. Tripwire Configuration

①Configuration File Edit

②Create a Tripwire configuration file (cryptographically signed version)

③Delete Tripwire configuration file (text version)

④Policy File Settings

Contents of twpolmake.pl

⑤Policy File Optimizations

⑥Create policy file (cryptographically signed version) based on optimized policy file
⑦Create database and check operation

Delete test files

⑧Tripwire Scheduled Scripts

Contents of tripwire.sh

⑨Tripwire Autorun Script Execution Settings

Reference: Script for reporting results by e-mail

Confirmation that the results of the tripwire execution are notified to the specified e-mail address

Chkrootkit

①Download and install chkrootkit

②Create the /root/bin directory and move the chkrootkit command to that directory
③Check chkrootkit.
Checking `chsh'... INFECTED

If the above line appears, it is most likely a false positive.

④Create chkrootkit periodic execution script and change permissions

Scheduled Script Contents

Add execution permission to chkrootkit execution script

⑥Back up the commands used by chkrootkit
If the commands used by chkrootkit are tampered with, a rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed-up commands.

⑦Run chkrootkit using the copied commands

If nothing is displayed, there is no problem.

⑧Compress the backed-up commands
⑨Send the commands used by chkrootkit (compressed archive) to root by e-mail
⑩Download the chkrootkit_cmd.tar.gz file and save it on Windows
⑪Delete the backed-up commands from the server