Ubuntu Server23.04 ; SNORT2 , Tripwire

1.SNORT2 Install

Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.

It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, semantic URL attacks, and server message block probes. The SNORT3 can be used to detect a wide variety of attacks, including

To install SNORT3, see

1.1 Install

①Required library installation

②working directory creation

③Daq download and install
Download the latest DAQ source package from the Snort Web site using the wget command. If newer sources are available, replace the version number in the command

④SNORT download and install

There are many cases where an error occurs that a file/directory cannot be found when executing "make".
In our case, the following file error occurred, so we installed "libntirpc-dev" and copied it to the specified location.

Let me know if you have a better way. (^_^)

⑤SNORT Version Check

1.2 Setting up users and folder structure

To run Snort securely without root access, you will need to create a new unprivileged user and a new user group to run the daemon

Create the following files

1.3 Setup of configuration files

Copy all files to the configuration directory.

1.4 Use of Community Rules

Get freely available community rules.

①Retrieve community rules and copy them to the configuration folder

②Comment out unnecessary lines at once

1.5Retrieving Registered User Rules

By registering for free on the website, you will have access to an Oink code that will allow you to download the registered user rule set.

①Get Oinkcode
Register as a user on the official Snort website to obtain the Oinkcode required to obtain community rules.
To download the latest rule files, register as a user at the official Snort website.
Go to https://www.snort.org/,

Click on "Sign in"

Click on "Sign up"

Enter "Email", "Passsword", and "Password confirmation
Click on "Sign up"

If "Sign up" is successful, you will receive the following email to your registered email address
Click the link in the body of the email.

Enter your registered information and log in

Click on your e-mail address

Click on "Oinkcodes" and save "Oinkcode" separately.

②Download Registered User Rules
Replace the "oinkcode" section below with the code obtained above.

③Extract rules to configuration directory

1.6 Configuration of network sets and rule sets

①Edit snort.conf

Editing Contents

②Verification of configuration
Use parameter -T to test configuration and enable test mode

If you get a "file not found" error, copy the file with the error to /etc/snort/rules
In our case, we got the following file error

If you get an invalid error, do the following


When executed, a message similar to the following example is displayed

1.7 Configuration Testing

To test if Snort is logging alerts as intended, add a custom detection rule alert for incoming ICMP connections to the local.rules file

Test Execution

Rewrite "enp0s3" to your own network interface.
If you leave the terminal in this state and ping this server from another PC on the same network (e.g. Windows), the terminal running Snort will display the following notification for each ICMP call

Snort logs alerts to a log under /var/log/snort/. The log can be read with the following command

1.8 Run Snort in the background

Add a new Snort startup script to run Snort as a service

Script Contents
"enp0s3" is adapted to each environment.

Reflecting settings and starting up

2.Tripwire Install

Implement a system to detect file tampering on Linux servers by crackers.
This time, Tripwire, a host-based IDS (IDS=Intrusion Detection System), will be installed as the file tampering detection system.
Tripwire detects file additions/changes/deletions by creating a database of file status at the time of installation and comparing the database with the current status of the file.

2.1 Installation and configuration.

①Create Site Key
Tripwire requires a site passphrase to secure the "tw.cfg" tripwire configuration file and the "tw.pol" tripwire policy file.
The specified passphrase is used to encrypt both files.
The site passphrase is also required for a single instance of tripwire.

②local key passphrase
A local passphrase is required to protect the tripwire database and report files.
A local key used by tripwire to avoid unauthorized modification of the tripwire baseline database.

③tripwire configuration path
The tripwire configuration is stored in the file /etc/tripwire/twcfg.txt.
It is used to generate the encrypted configuration file tw.cfg.

④tripwire policy path
tripwire stores policies in the file /etc/tripwire/twpol.txt.
This is used to generate the encrypted policy file tw.pol used by tripwire.

⑤Enter site key passphrase

You will be asked to enter the site key passphrase again.

⑥Enter local key passphrase

⑦You will be asked to enter the local key passphrase again.

⑧Installation will proceed and complete.

2.2 Configuration File Settings

①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) is detailed below.
The paths to the encrypted policy file (tw.pol), site key (site.key), and local key (hostname local.key), etc. are as follows

2.3 Initial setup such as key creation, database creation, etc.

①Edit twcfg.txt

② configuration file generation

③Optimize Policy
Use the following policy optimization scripts to optimize your policy

Policy Optimization Script Contents

Database Creation

If it stops with an error on the way, re-run with the "--verbose" option.

View the progress and check the files that stop with errors.
In our environment, it stopped at Snort-related files.

Paths and files expected to stop
After granting ownership and permissions to the above file, run the following again

When completed, the following will appear

2.4 Perform checks

①Create test file

②Check Tripwire operation

If successful, the following display appears

Delete the test file.

2.5 Tripwire Autorun

Create an auto-execution script (tripwire.sh) and have it run automatically

Contents of auto-execute script (tripwire.sh)

②Give execute permission and execute periodically by Cron.

Reference: Script for reporting results by e-mail

Execute the following command to confirm that notifications are delivered to the address set above

Copied title and URL