
Ubuntu Server 20.04: SNORT, Tripwire install

1. Install SNORT

Snort is an open source network intrusion detection system that performs real-time traffic analysis and packet logging on IP networks.

It performs protocol analysis and content search/matching, and can detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB (server message block) probes, OS fingerprinting attempts and semantic URL attacks.

1.1 Install

①Required library installation

②Create working directory

③Daq download and install
Download the latest DAQ source package from the Snort website with the wget command.
If a newer version is available, replace the version number in the command.

④Download and install SNORT

1.2 Setting up user and folder structures

In order to run Snort securely without root access, create a new unprivileged user and a new group for running the daemon.

Create the following files

1.3 Setting up the configuration file

Copy all files to the configuration directory.

1.4 Use of community rules

Get the freely available community rules.

①Retrieve the community rules and copy them to the configuration folder

②Comment out unwanted lines en masse

1.5 Retrieving registered user rules

Free registration on the website gives you an Oinkcode, which allows you to download the registered user ruleset.

①Get the Oinkcode
Register as a user on the official Snort website to obtain the Oinkcode needed to download the latest rule files.
Go to https://www.snort.org/ 

Click on "Sign In"

Click on "Sign Up".

Enter your "Email", "Password", "Password confirmation" and check the other fields, then click "Sign Up".

If the sign-up succeeds, you will receive the following email at your registered email address.
Click the link in the message.

Enter your registration details and login

Click on your email address

Click on "Oinkcodes" and save the "Oinkcode" separately.

②Download the registered user rules
Replace "oinkcode" in the following with the code you obtained above.

③Extract rules to configuration directory

1.6 Configuration of network sets and rule sets

①Edit snort.conf

Contents of the edit

②Configuration validation

Use the -T parameter to start Snort in test mode and validate the configuration.

If you get a "file not found" error, copy the file that gives the error to /etc/snort/rules
I had an error with the following file

If you get an "invalid" error, you can do the following.

Then try again.

When you run it, you will see a message like the following example.

  --== Initialization Complete ==--
,,_   -*> Snort! <*-
o" )~  Version 2.9.19 GRE (Build 85)
''''   By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
    Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
    Copyright (C) 1998-2013 Sourcefire, Inc., et al.
    Using libpcap version 1.9.1 (with TPACKET_V3)
    Using PCRE version: 8.39 2016-06-14
    Using ZLIB version: 1.2.11

    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1>
    Preprocessor Object: SF_SDF Version 1.1 <Build 1>
    Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
    Preprocessor Object: SF_POP Version 1.0 <Build 1>
    Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
    Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
    Preprocessor Object: SF_GTP Version 1.1 <Build 1>
    Preprocessor Object: SF_DNS Version 1.1 <Build 4>
    Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
    Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
    Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
    Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1>
    Preprocessor Object: SF_SSH Version 1.1 <Build 3>
    Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
    Preprocessor Object: appid Version 1.1 <Build 5>
    Preprocessor Object: SF_SIP Version 1.1 <Build 1>
    Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

Total snort Fixed Memory Cost - MaxRss:838424
Snort successfully validated the configuration!
Snort exiting

1.7 Testing the configuration

To test that Snort logs alerts as intended, add a custom detection rule that alerts on incoming ICMP traffic to the local.rules file.

Test run

Replace "eno1" with your own network interface.
If the terminal is left in this state and another PC on the same network (e.g. Windows) pings this server, the terminal running Snort shows a notification like the following for each ICMP packet.

Snort records alerts in a log under /var/log/snort/snort.log.<timestamp>.

The log can be read with the following command
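As an added example (these are not the article's own commands), the following shell helpers append the ICMP test rule to local.rules without creating duplicate SIDs, and locate the newest snort.log.<timestamp> file so it can be read back with `snort -r`. The SID 1000001, the rule message and the eno1 interface are assumptions; the Snort flags used (-T, -A console, -q, -u, -g, -c, -i, -r) are the standard Snort 2.9 options.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes Snort 2.9 rule
# syntax and the /var/log/snort/snort.log.<timestamp> naming described above.
# SID 1000001 and the rule message are constructed values.

# Print a Snort 2 rule that alerts on any inbound ICMP packet. Local rules use
# SIDs >= 1000000 so they never collide with the community/registered rulesets.
icmp_test_rule() {
    sid=${1:-1000001}
    printf 'alert icmp any any -> $HOME_NET any (msg:"ICMP test detection"; sid:%s; rev:1;)\n' "$sid"
}

# Append the rule to a local.rules file unless that SID is already present,
# so re-running the script never produces duplicate-SID errors at startup.
add_rule() {
    file=$1; sid=${2:-1000001}
    grep -q "sid:$sid;" "$file" 2>/dev/null && return 0
    icmp_test_rule "$sid" >> "$file"
}

# Print the path of the newest packet log in a Snort log directory. The suffix
# is a Unix timestamp, so it is sorted numerically rather than as text.
# Returns 1 when no log exists yet.
latest_snort_log() {
    ts=$(ls "$1"/snort.log.* 2>/dev/null | sed 's/.*snort\.log\.//' | sort -n | tail -n 1)
    [ -n "$ts" ] || return 1
    echo "$1/snort.log.$ts"
}

# Interactive use (needs root and a Snort install); skipped when sourced for tests.
if [ "${1:-}" = "run" ]; then
    iface=${2:-eno1}                                   # replace eno1 with your interface
    add_rule /etc/snort/rules/local.rules
    snort -T -c /etc/snort/snort.conf || exit 1       # re-validate after editing rules
    snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i "$iface"
    # afterwards, read the newest binary log back as decoded packets:
    # snort -r "$(latest_snort_log /var/log/snort)"
fi
```

Sorting the timestamp suffix numerically matters: a plain text sort would rank `snort.log.999999999` above `snort.log.1700000000` and hand you a stale file.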

1.8 Run Snort in background

Add a new Snort start-up script so that Snort runs as a service.

Script content
Adapt "eno1" to your environment.

Apply the settings and start the service
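As an added example (not the article's start-up script), the following writes a systemd unit for Snort 2.9 that starts as root, which is required to open the capture interface, and then drops to the unprivileged snort user and group created in section 1.2 via the -u/-g options. It also includes a check that the ExecStart line really drops privileges. The binary path /usr/local/bin/snort, the unit name and the eno1 interface are assumptions.

```shell
#!/bin/sh
# Added example, not the article's start-up script. Writes a systemd unit for
# Snort 2.9 that starts as root (needed to open the interface) and drops to the
# unprivileged snort user/group from section 1.2 via -u/-g. The binary path and
# the eno1 interface are assumptions; adjust them to your build.

# Write the unit file to $1 for interface $2.
write_snort_unit() {
    unit=$1; iface=${2:-eno1}
    cat > "$unit" <<EOF
[Unit]
Description=Snort NIDS Daemon
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i $iface -l /var/log/snort
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Check that the ExecStart line actually drops privileges: Snort must be given
# both -u and -g, otherwise the packet sniffer keeps running as root.
unit_drops_privileges() {
    exec_line=$(sed -n 's/^ExecStart=//p' "$1")
    echo " $exec_line " | grep -q ' -u [^ ]* ' || return 1
    echo " $exec_line " | grep -q ' -g [^ ]* ' || return 1
}

# Install and start (root only); skipped when the file is sourced for tests.
if [ "${1:-}" = "install" ]; then
    write_snort_unit /etc/systemd/system/snort.service "${2:-eno1}"
    unit_drops_privileges /etc/systemd/system/snort.service || exit 1
    systemctl daemon-reload            # make systemd read the new unit
    systemctl enable --now snort       # start now and on every boot
fi
```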

2. Install Tripwire

Install a system that detects tampering with the files of a Linux server by crackers.
Here we introduce Tripwire, a host-based IDS (IDS = Intrusion Detection System), as the file tampering detection system.
Tripwire detects the addition, modification and deletion of files by creating a database of the file state at deployment time and comparing that database with the current state of the files.
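To make the baseline-and-compare model concrete, here is an added example (not Tripwire's own code) that reduces the idea to sha256sum and coreutils: a baseline of file hashes is recorded once, and a later check reports files that were modified, removed or added since. The watched directory and database path are constructed for the demo. Tripwire additionally signs its database with the local key, which this toy version does not do.

```shell
#!/bin/sh
# Added example, not Tripwire's own code: the baseline-and-compare model that
# Tripwire implements, reduced to sha256sum and coreutils so the idea can be
# seen end to end. The watched directory and database path are constructed
# for the demo; Tripwire protects its real database with the local key.

# Record the baseline: one "<sha256>  <path>" line per regular file under $1,
# stored in the database file $2 (keep $2 outside the watched tree).
baseline_init() {
    find "$1" -type f | LC_ALL=C sort | xargs -r sha256sum > "$2"
}

# Compare the tree $1 against baseline $2. Prints MODIFIED/REMOVED/ADDED lines
# and returns 0 only when nothing changed, so it can drive a cron alert.
baseline_check() {
    dir=$1; db=$2; tmp=$(mktemp)
    # files that vanished, or whose current hash no longer matches
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "REMOVED  $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$db" > "$tmp"
    # files present now that the baseline never saw (column 67 onward is the
    # path: 64 hex digits plus two separator spaces)
    find "$dir" -type f | LC_ALL=C sort > "$tmp.now"
    cut -c67- "$db" | LC_ALL=C sort > "$tmp.base"
    LC_ALL=C comm -23 "$tmp.now" "$tmp.base" | sed 's/^/ADDED    /' >> "$tmp"
    cat "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    rm -f "$tmp" "$tmp.now" "$tmp.base"
    [ "$n" -eq 0 ]
}

# Demo (skipped when the file is sourced for tests): seed two files, take a
# baseline, then tamper and re-check.
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp -d); echo a > "$w/a.conf"; echo b > "$w/b.conf"
    baseline_init "$w" "$w.db"
    echo tampered > "$w/a.conf"; rm "$w/b.conf"; echo new > "$w/c.conf"
    baseline_check "$w" "$w.db" || echo "integrity check FAILED"
fi
```

The weak point of this toy is the same one Tripwire addresses with its local key: an attacker who can modify files can also rewrite an unprotected hash database, so the baseline must be signed or kept where the watched host cannot alter it.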

2.1 Installation and configuration

①Create site key
Tripwire requires a site passphrase to secure the tripwire configuration file "tw.cfg" and the tripwire policy file "tw.pol".
Both files are encrypted (signed) with the specified passphrase.
The site passphrase is required even for a single tripwire host.

②Local key passphrase
A local passphrase is required to protect the tripwire database and report files.
The local key is used by tripwire to prevent unauthorised changes to the tripwire baseline database.

③tripwire configuration path
The tripwire configuration is stored in the /etc/tripwire/twcfg.txt file.
It is used to generate the encrypted configuration file tw.cfg.

④tripwire Policy Path
tripwire stores the policy in the /etc/tripwire/twpol.txt file.
This is used to generate the encrypted policy file tw.pol which is used by tripwire.

Installation will proceed.

2.2 Configuration file settings

①Tripwire configuration file (twcfg.txt)
The contents of the tripwire configuration file (twcfg.txt) are as follows.
The paths for the encrypted policy file (tw.pol), the site key (site.key) and the local key (<hostname>-local.key) are as follows.

2.3 Initial setup, including key creation and database creation

①Edit twcfg.txt

②Configuration file generation

③Optimise the policy
Use the following policy optimisation script to optimise the policy.

Policy optimisation script content

④Create database

If it stops with an error in the middle of the process, use the "--v" option to display the progress and see which files cause the errors.

In our case, it stopped at Snort-related files.

Paths and files that are expected to stop the process:
/etc/snort/etc
/etc/snort/preproc_rules
/etc/snort/rules
/etc/snort/so_rules
/root/community-rules
After adjusting the ownership and permissions of the above paths, run the following again.

When complete, the following will appear
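As an added example covering the policy optimisation and database creation steps above (this is not the article's own optimisation script), the following comments out of twpol.txt every entry that a first `tripwire --init` reported as missing, re-signs the policy with twadmin, and then initialises the database again. It relies on the "### Filename: <path>" warning lines that Tripwire prints for objects that do not exist. The Debian/Ubuntu paths under /etc/tripwire are the defaults; the scratch log file name is an assumption.

```shell
#!/bin/sh
# Added example, not the article's optimisation script. Tripwire's --init and
# --check report policy objects that do not exist on disk as
# "### Filename: <path>" lines; this script comments those entries out of
# twpol.txt, regenerates the signed policy, and rebuilds the database.
# Paths are the Debian/Ubuntu defaults; the log file name is an assumption.

TWDIR=/etc/tripwire
SITE_KEY=$TWDIR/site.key
POLICY_TXT=$TWDIR/twpol.txt

# Comment out every policy entry whose first token is a path listed in the
# "### Filename:" lines of $2. Uses exact token matching (not a regex) so
# /etc/hosts cannot accidentally disable /etc/hosts.allow. Already commented
# lines are left untouched.
prune_missing_from_policy() {
    pol=$1; log=$2; tmp=$(mktemp)
    sed -n 's/^### Filename: //p' "$log" | sort -u > "$tmp.missing"
    awk 'FILENAME == ARGV[1] { missing[$0] = 1; next }
         {
             line = $0; sub(/^[ \t]+/, "", line)
             split(line, tok, /[ \t]+/)
             if (line !~ /^#/ && (tok[1] in missing)) print "#" $0
             else print $0
         }' "$tmp.missing" "$pol" > "$tmp"
    mv "$tmp" "$pol"; rm -f "$tmp.missing"
}

# Full cycle (root only, needs tripwire installed): capture the warnings from a
# first --init, prune, re-sign the policy, then initialise the database cleanly.
if [ "${1:-}" = "run" ]; then
    log=/var/tmp/tripwire-init.log                      # assumed scratch file
    tripwire --init 2>&1 | tee "$log"
    prune_missing_from_policy "$POLICY_TXT" "$log"
    twadmin --create-polfile --site-keyfile "$SITE_KEY" "$POLICY_TXT"
    tripwire --init
fi
```

The awk program keys on `FILENAME == ARGV[1]` rather than the usual `NR == FNR` so that an empty missing-file list (a clean first run) does not swallow the whole policy.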

2.4 Run a check

①Create test file

②Checking the operation of Tripwire

If successful, the following message will appear

Delete the test file.

2.5 Tripwire auto-run

①Create an auto-run script (tripwire.sh) and run it automatically

Contents of the auto-run script (tripwire.sh)

②Give it execute permission and run it regularly from cron

Reference: Script for reporting results by email
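As an added example of the auto-run script and the email report (not the article's tripwire.sh), the following runs `tripwire --check` from cron, archives each report as plain text, and mails it only when the report's "Total violations found:" summary is non-zero or the summary is missing altogether (an aborted run deserves attention too). It assumes tripwire and a mail(1) command are installed; the recipient address, the report directory and the install path in the cron line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's tripwire.sh: a cron-driven Tripwire check
# that keeps a plain-text copy of each report and mails it only when the
# summary shows violations. Assumes tripwire and a mail(1) command are
# installed; the recipient and report directory are constructed placeholders.

REPORT_DIR=${REPORT_DIR:-/var/log/tripwire-reports}
MAIL_TO=${MAIL_TO:-admin@example.invalid}

# Pull the number out of the "Total violations found:  N" summary line of a
# Tripwire report; prints 0 if the line is missing (e.g. the run aborted).
violation_count() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${n:-0}"
}

# Decide whether a report needs attention: violations, or no summary at all
# (a run that aborted is itself worth a mail). Returns 0 when it must be sent.
needs_attention() {
    grep -q '^Total violations found:' "$1" || return 0
    [ "$(violation_count "$1")" -gt 0 ]
}

# Run the check, archive the report, and mail it when needs_attention says so.
# tripwire exits non-zero when it finds violations, so its exit status is
# deliberately not used to abort the script.
run_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/tripwire-$(date +%Y%m%d-%H%M%S).txt"
    tripwire --check > "$report" 2>&1
    if needs_attention "$report"; then
        mail -s "Tripwire: $(violation_count "$report") violation(s) on $(hostname)" "$MAIL_TO" < "$report"
    fi
}

# Cron entry for /etc/cron.d (assumed install path for this script):
#   0 3 * * * root /usr/local/sbin/tripwire.sh run
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

After reviewing a report and confirming the changes were legitimate, the baseline still has to be accepted with `tripwire --update -r <report file>`, otherwise the same violations are mailed every night.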
