Click here for "Error Codes for Commercial Air Conditioners".(Japanese Version)

Ubuntu22.04 Server : SNORT , Tripwire

1.SNORT Install

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including "buffer overflows," "stealth port scans," "CGI attacks," "SMB probes," "OS fingerprinting attempts," "semantic URL attacks," and "server message block probes.

To install SNORT3

1.1 Install

①Required library installation

②working directory creation

③Download and install Daq
If a newer source is available, replace the version number of the command

④Download and install SNORT

There are many cases where an error occurs that a file/directory cannot be found when executing "make".
In our case, we had the following file error, so we installed "libntirpc-dev" and copied it to the specified location

Let me know if you have a better way.  (^_^)

1.2 Setting up users and folder structure

To run Snort securely without root access, you will need to create a new unprivileged user and a new user group to run the daemon

Create the following files

1.3 Setup of configuration files

Copy all files to the configuration directory.

1.4 Use of Community Rules

①Retrieve community rules and copy them to the configuration folder

②Comment out unnecessary lines at once

1.5 Retrieving Registered User Rules

By registering for free on the website, you will have access to an Oink code that will allow you to download the registered user rule set.

①Get Oinkcode
Register as a user on the official Snort website to obtain the Oinkcode required to obtain community rules.
Register as a user at the official Snort website to download the latest rule files.
Go to https://www.snort.org/ and click on

Click on "Sign in"

Click on "Sign up"

Enter your "Email", "Passsword", "Password confirmation" and check the other fields, then click "Sign Up".

After successful "Sign Up", you will receive the following email to your registered email address, click the link in the body of the email.

Enter your registered information and log in

Click on your e-mail address

Click on "Oinkcodes" and save "Oinkcode" separately.

②Download Registered User Rules
Replace the "oinkcode" section below with the code obtained above.

③Extract rules to configuration directory

1.6 Configuration of network sets and rule sets

①Edit snort.conf

Editorial content

②Verification of settings

Use parameter -T to test configuration and enable test mode

If you get a "file not found" error, copy the file with the error to /etc/snort/rules
In our case, we got the following file error

If an invalid error occurs, do the following

again

When executed, a message similar to the following example is displayed

1.7 Configuration Testing

To test if Snort is logging alerts as intended, add a custom detection rule alert for incoming ICMP connections to the local.rules file

test run

Rewrite "eno1" to your own network interface.
If you leave the terminal in this state and ping this server from another PC on the same network (e.g. Windows), the terminal running Snort will display the following notification for each ICMP call

Snort logs alerts to a log under /var/log/snort/. The log can be read with the following command

1.8Run Snort in the background

Add a new Snort startup script to run Snort as a service

Script Contents
Each "eno1" is tailored to its own environment.

Reflecting settings and starting up

2.Tripwire  Install

Implement a system to detect file tampering on Linux servers by crackers.
This time, Tripwire, a host-based IDS (IDS=Intrusion Detection System), will be installed as the file tampering detection system.
Tripwire creates a database of file status at the time of installation, and detects file additions/changes/deletions by comparing the database with the current status of the file.

2.1 Installation and Configuration

①Site Key Creation
Tripwire requires a site passphrase to secure the "tw.cfg" tripwire configuration file and the "tw.pol" tripwire policy file. The specified passphrase is used to encrypt both files. The site passphrase is also required for a single instance of tripwire。

②local key passphrase
A local passphrase is required to protect the tripwire database and report files; a local key used by tripwire to avoid unauthorized modification of the tripwire baseline database.

③tripwire configuration path
The tripwire configuration is stored in the file /etc/tripwire/twcfg.txt. It is used to generate the encrypted configuration file tw.cfg.

④tripwire policy path
tripwire stores policies in the file /etc/tripwire/twpol.txt. This is used to generate the encrypted policy file tw.pol used by tripwire.

⑤Enter site key passphrase


You will be asked to enter the site key passphrase again.

⑥Enter local key passphrase


⑦You will be asked to enter the local key passphrase again.

⑧Installation proceeds and completes.

2.2 Configuration File Settings

①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) is detailed below. The paths to the encrypted policy file (tw.pol), site key (site.key), and local key (hostnamelocal.key), etc. are as follows

2.3 Initial setup including key creation, database creation, etc.

①Edit twcfg.txt

② configuration file generation
③ Optimize policies

Use the following policy optimization scripts to optimize your policy

Policy Optimization Script Contents

④Database Creation
If it stops with an error on the way, reexecute with the "--verbose" option.
View the progress and check the files that stop with errors. In our environment, it stopped at Snort-related files.
Paths and files expected to stop
/etc/snort/etc
/etc/snort/preproc_rules
/etc/snort/rules
/etc/snort/so_rules
/root/community-rules
After granting ownership and permissions to the above file, run the following again
When completed, the following will appear

2.4 Perform checks

①Create test files

②Check Tripwire operation
If successful, the following display appears

Delete the test file.

2.5 Tripwire Autorun

①Create an auto-execution script (tripwire.sh) and have it run automatically

Contents of auto-execute script (tripwire.sh)

②Give execute permission and execute periodically by Cron.

Reference: Script for reporting results by e-mail

Copied title and URL