SNORT インストール
Snortは、 Linuxで使える侵入検知システム(IDS)です。ネットワーク型IDSは、ネットワーク上を流れる通信の内容を監視し、攻撃を受けているか否かを検出します。ポートスキャンなどは「攻撃」というよりも「攻撃のための事前調査」とした方が表現としては適切かもしれません。ネットワーク型IDSは、このポートスキャンなども検知できます。また、疑わしい通信を検出することで、侵入などの被害を未然に防ぐことができます。
1.事前準備
①CodeReady Red Hat リポジトリを追加し、必要なソフトウェアをインストールする
1 |
# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel |
作業用ディレクトリー作成
1 |
# mkdir /var/src |
②DAQ のインストール
1 2 3 4 5 6 7 8 |
# cd /var/src # wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz # tar zxvf daq-2.0.7.tar.gz # cd daq-2.0.7 # autoreconf -f -i # ./configure # make # make install |
③Lua のインストール
1 2 3 4 5 6 |
# cd /var/src # wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz # tar -zxvf LuaJIT-2.0.5.tar.gz # cd LuaJIT-2.0.5 # make # make install |
④偽のリリース ファイルを作成
1 2 3 |
# /bin/cat << EOT >/etc/fedora-release Fedora release 28 (Rawhide) EOT |
2. Snort をダウンロード、コンパイル、インストール
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# cd /var/src # wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz # tar -zxvf snort-2.9.20.tar.gz # cd snort-2.9.20 # ./configure --enable-sourcefire zlib.h が見つからずエラーが出た場合 # dnf install zlib-devel 再度 # ./configure --enable-sourcefire # make # make install # ldconfig # ln -s /usr/local/bin/snort /usr/sbin/snort |
偽のリリース ファイルを削除
1 |
# rm /etc/fedora-release |
3.グルーブとユーザー作成、必要なディレクトリー、ファイル作成
1 2 |
# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# mkdir /etc/snort # mkdir -p /etc/snort/rules # mkdir /var/log/snort # mkdir /usr/local/lib/snort_dynamicrules # mkdir /etc/snort/preproc_rules # chmod -R 5775 /etc/snort # chmod -R 5775 /var/log/snort # chmod -R 5775 /usr/local/lib/snort_dynamicrules # chown -R snort:snort /etc/snort # chown -R snort:snort /var/log/snort # chown -R snort:snort /usr/local/lib/snort_dynamicrules 下記ファイル作成 # touch /etc/snort/rules/white_list.rules # touch /etc/snort/rules/black_list.rules # touch /etc/snort/rules/local.rules |
設定ファイルのセットアップ・・・すべてのファイルを構成ディレクトリにコピーします
1 2 |
# cp /var/src/snort-2.9.20/etc/*.conf* /etc/snort # cp /var/src/snort-2.9.20/etc/*.map* /etc/snort |
4.コミュニティルールの使用
①コミュニティルールを取得
1 |
# wget https://www.snort.org/rules/community -O ~/community.tar.gz |
②ルールを抽出し、構成フォルダーにコピー
1 2 |
# tar -xvf ~/community.tar.gz -C ~/ # cp ~/community-rules/* /etc/snort/rules |
コミュニティルールに含まれていないさまざまなルールファイルがあるので、sedコマンドを使用して、不要な行を一括コメントアウトする
1 |
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf |
5. 登録済みユーザールールの取得
Snortのウェブサイトに登録すると、Oink コードを使用して登録済みユーザールールをダウンロードできます。Oink コードは Snort ユーザーアカウントの詳細にあります。
次のコマンドのoinkcode を取得した個人コードに置き換えます。
1 |
# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz |
ダウンロードが完了したら、構成ディレクトリにルールを抽出
1 |
# tar -xvf ~/registered.tar.gz -C /etc/snort |
6. ネットワークおよびルールの構成
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# vi /etc/snort/snort.conf ●45行目 # Setup the network addresses you are protecting ipvar HOME_NET 192.168.11.0/24 ←各自の環境に合わす ●48行目 # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET ●104-106行目 コメントアウトして下に追加 # Path to your rules files (this can be a relative path) # var RULE_PATH ../rules # var SO_RULE_PATH ../so_rules # var PREPROC_RULE_PATH ../preproc_rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules ●115-116行目あたりコメントアウトして下に追加 # Set the absolute path appropriately #var WHITE_LIST_PATH ../rules #var BLACK_LIST_PATH ../rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ●525行目あたり追加 # unified2 # Recommended for most installs output unified2: filename snort.log, limit 128 ●550行目 カスタム ルールを読み込むため、local.rules のコメントを解除する include $RULE_PATH/local.rules ●コミュニティ ルールを使用している場合はlocal.rules 行のすぐ下などに次の行も追加 include $RULE_PATH/community.rules |
7. 設定の検証
パラメーター -T を使用して構成をテストし、テスト・モードを使用可能にします
1 |
# snort -T -c /etc/snort/rules/snort.conf |
エラーが出た場合該当のファイルを /etc/snort/rulesにコピーする
当方の場合、下記のファイルでエラーが出た
1 2 3 4 |
# cp /var/src/snort-2.9.20/etc/classification.config /etc/snort/rules # cp /var/src/snort-2.9.20/etc/reference.config /etc/snort/rules # cp /var/src/snort-2.9.20/etc/threshold.conf /etc/snort/rules # cp /var/src/snort-2.9.20/etc/unicode.map /etc/snort/rules/ |
また、「/etc/snort/rules/snort.conf(322) => Invalid keyword '}'」エラーが出る場合
1 2 3 4 |
# vi /etc/snort/rules/snort.conf ●321行目 : コメントアウト #decompress_swf { deflate lzma } \ |
再度次を実施する
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# snort -T -c /etc/snort/rules/snort.conf [ Number of patterns truncated to 20 bytes: 916 ] MaxRss at the end of detection rules:825960 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.20 GRE (Build 82) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.10.3 (with TPACKET_V3) Using PCRE version: 8.45 2021-06-15 Using ZLIB version: 1.2.12 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1> Preprocessor Object: appid Version 1.1 <Build 5> Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1> Preprocessor Object: SF_GTP Version 1.1 <Build 1> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1> Preprocessor Object: SF_SIP Version 1.1 <Build 1> Preprocessor Object: SF_SDF Version 1.1 <Build 1> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> Preprocessor Object: SF_DNS Version 1.1 <Build 4> Preprocessor Object: SF_SSH Version 1.1 <Build 3> Preprocessor Object: SF_SMTP Version 1.1 <Build 9> Preprocessor Object: SF_IMAP Version 1.0 <Build 1> Preprocessor Object: SF_POP Version 1.0 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> Total snort Fixed Memory Cost - MaxRss:825960 Snort successfully validated the configuration! Snort exiting |
8. 構成のテスト
①Snort がアラートをログに記録しているかどうかをテストするには、着信 ICMP 接続に関するカスタム検出ルールアラートを local.rules ファイルに追加します。
1 2 3 4 |
# vi /etc/snort/rules/local.rules ●最終行に追加 alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) |
②コンソールで Snort を起動し、アラートを stdout に出力します。正しいネットワーク インターフェイス(ens160 など)を選択する
1 2 3 4 5 6 7 8 9 10 11 12 |
# snort -A console -i ens160 -u snort -g snort -c /etc/snort/snort.conf Snortを起動して実行した状態で、他のコンピューターから ping を実行します。Snort を実行しているターミナルに ICMP 呼び出しごとに次のような通知が表示されます 03/04-12:59:09.123471 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:09.123549 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 03/04-12:59:09.123866 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:09.123905 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 03/04-12:59:10.145661 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:10.145742 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 03/04-12:59:10.146056 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 03/04-12:59:10.146094 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 |
9. バックグラウンドで Snortを実行する
①Snort のスタートアップスクリプトを作成
1 2 3 4 5 6 7 8 9 10 11 12 |
# vi /lib/systemd/system/snort.service [Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160 [Install] WantedBy=multi-user.target |
②サービスを定義した後、systemctl デーモンを再ロードし実行する
1 2 |
# systemctl daemon-reload # systemctl start snort |
Suricata インストール
SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。
1.Suricata のインストールと設定
EPEL リポジトリをシステム上で有効化しておく
①Suricata インストール
1 |
# dnf install suricata |
➁バージョン確認
1 2 |
# suricata -V This is Suricata version 6.0.11 RELEASE |
➂Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ens160 UP 192.168.11.83/24 |
④設定ファイルを編集
1 2 3 4 5 6 7 8 9 |
# vi /etc/suricata/suricata.yaml # 15行目 : varsセクションで、ネットワークを定義する HOME_NET: "[192.168.11.0/24]" EXTRNAL_NET: "!$HOME_NET" # 589行目 : af-packetセクションのインターフェース名を設定 af-packet: - interface: ens160 |
1 2 3 4 5 |
# vi /etc/sysconfig/suricata # 8行目 :インターフェイスを指定 # Add options to be passed to the daemon OPTIONS="-i ens160 --user suricata " |
⑤Suricataのルール更新
1 |
# suricata-update |
⑥Suricataの起動
1 2 |
# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service. |
⑦Suricataの起動確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# systemctl status suricata ● suricata.service - Suricata Intrusion Detection Service Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (running) since Wed 2023-04-26 13:53:56 JST; 1s ago Docs: man:suricata(1) Process: 1381 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS) Main PID: 1382 (Suricata-Main) Tasks: 1 (limit: 4591) Memory: 68.3M CPU: 1.743s CGroup: /system.slice/suricata.service mq1382 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata Apr 26 13:53:56 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service... Apr 26 13:53:56 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service. Apr 26 13:53:56 Lepard suricata[1382]: 26/4/2023 -- 13:53:56 - <Notice> - This is Suricata version 6.0.11 RELEASE running in |
ログを確認
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail /var/log/suricata/suricata.log 26/4/2023 -- 15:37:14 - <Info> - Running in live mode, activating unix socket 26/4/2023 -- 15:37:25 - <Info> - 1 rule files processed. 33476 rules successfully loaded, 0 rules failed 26/4/2023 -- 15:37:25 - <Info> - Threshold config parsed: 0 rule(s) found 26/4/2023 -- 15:37:26 - <Info> - 33479 signatures processed. 1264 are IP-only rules, 5196 are inspecting packet payload, 26814 inspect application layer, 108 are decoder event only 26/4/2023 -- 15:37:34 - <Info> - Going to use 4 thread(s) 26/4/2023 -- 15:37:34 - <Info> - Running in live mode, activating unix socket 26/4/2023 -- 15:37:34 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket' 26/4/2023 -- 15:37:34 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started. 26/4/2023 -- 15:37:34 - <Info> - All AFP capture threads are running. 26/4/2023 -- 15:37:34 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1 |
上記末尾のように"- [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1"が表示されハングアップする場合、Hyperscanをアップデートする必要があります。
次の通りアップデートします。
1 2 |
# wget https://bodhi.fedoraproject.org/updates/FEDORA-2023-b4e0e66067 # dnf upgrade --refresh --advisory=FEDORA-2023-b4e0e66067 |
再度
1 2 3 4 5 6 7 8 9 10 11 |
# tail /var/log/suricata/suricata.log 26/4/2023 -- 16:06:04 - <Info> - Found an MTU of 1500 for 'ens160' 26/4/2023 -- 16:06:04 - <Info> - Found an MTU of 1500 for 'ens160' 26/4/2023 -- 16:06:04 - <Info> - dropped the caps for main thread 26/4/2023 -- 16:06:04 - <Info> - fast output device (regular) initialized: fast.log 26/4/2023 -- 16:06:04 - <Info> - eve-log output device (regular) initialized: eve.json 26/4/2023 -- 16:06:04 - <Info> - stats output device (regular) initialized: stats.log 26/4/2023 -- 16:06:04 - <Info> - Running in live mode, activating unix socket 26/4/2023 -- 16:06:16 - <Info> - 1 rule files processed. 33476 rules successfully loaded, 0 rules failed 26/4/2023 -- 16:06:16 - <Info> - Threshold config parsed: 0 rule(s) found 26/4/2023 -- 16:06:16 - <Info> - 33479 signatures processed. 1264 are IP-only rules, 5196 are inspecting packet payload, 26814 inspect application layer, 108 are decoder event only |
統計情報を確認するには、stats.log ファイルを確認します(デフォルトで8秒ごとに更新)
1 |
# tail -f /var/log/suricata/stats.log |
より高度な出力であるEVE JSONは、以下のコマンドで生成することができる
1 |
# tail -f /var/log/suricata/eve.json |
3.Suricata のテスト
①curl ユーティリティで ping テストを実行
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②ログに記録されたかどうかを調べるため、アラートログを確認
1 2 3 4 |
# cat /var/log/suricata/fast.log 04/26/2023-16:26:39.689266 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 80.94.95.203:5960 04/26/2023-16:26:40.474148 [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 87.246.7.230:15986 |
4.Suricata Rulesの設定
①Suricataにパッケージされているルールセットの表示
1 2 3 4 5 6 7 |
# ls -al /var/lib/suricata/rules/ total 24136 drwxr-s--- 2 root suricata 57 Apr 26 15:32 . drwxrws--- 4 suricata suricata 33 Apr 26 13:48 .. -rw-r--r-- 1 root suricata 3228 Apr 26 15:32 classification.config -rw-r--r-- 1 root suricata 24708415 Apr 26 15:32 suricata.rules |
②ルールセットを提供するソースのインデックス一覧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only |
③ソースを有効にする(et/openを有効にする場合)
1 2 3 4 5 6 7 8 |
# suricata-update enable-source et/open 26/4/2023 -- 16:30:39 - <Info> -- Using data-directory /var/lib/suricata. 26/4/2023 -- 16:30:39 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 26/4/2023 -- 16:30:39 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 26/4/2023 -- 16:30:39 - <Info> -- Found Suricata version 6.0.11 at /usr/sbin/suricata. 26/4/2023 -- 16:30:39 - <Info> -- Creating directory /var/lib/suricata/update/sources 26/4/2023 -- 16:30:39 - <Info> -- Source et/open enabled |
アップデートを実行
1 |
# suricata-update |
Suricata service再起動
1 |
# systemctl restart suricata |
5.Suricata Custom Rulesの作成
①カスタマールールを含むファイルを新規作成
1 2 3 |
# vi /etc/suricata/rules/local.rules 下記内容を記載 alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;) |
②設定ファイルを編集(上記local.rulesのパスを定義)
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # 1924行目あたりに追記 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③設定ファイルのテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v 26/4/2023 -- 16:32:53 - <Info> - Running suricata under test mode 26/4/2023 -- 16:32:53 - <Notice> - This is Suricata version 6.0.11 RELEASE running in SYSTEM mode 26/4/2023 -- 16:32:53 - <Info> - CPUs/cores online: 4 26/4/2023 -- 16:32:53 - <Info> - fast output device (regular) initialized: fast.log 26/4/2023 -- 16:32:53 - <Info> - eve-log output device (regular) initialized: eve.json 26/4/2023 -- 16:32:53 - <Info> - stats output device (regular) initialized: stats.log 26/4/2023 -- 16:33:04 - <Info> - 2 rule files processed. 33477 rules successfully loaded, 0 rules failed 26/4/2023 -- 16:33:04 - <Info> - Threshold config parsed: 0 rule(s) found 26/4/2023 -- 16:33:04 - <Info> - 33480 signatures processed. 1265 are IP-only rules, 5196 are inspecting packet payload, 26814 inspect application layer, 108 are decoder event only 26/4/2023 -- 16:33:12 - <Notice> - Configuration provided was successfully loaded. Exiting. 26/4/2023 -- 16:33:13 - <Info> - cleaning up signature grouping structure... complete |
Suricat service再起動
1 |
# systemctl restart suricata |
④Custom Rulesの適用テスト
同一ローカルネットワーク上の別のデバイスでpingを実行し、ログに記録されたかどうかを確認する
1 2 3 4 5 6 7 |
# cat /var/log/suricata/fast.log 04/26/2023-16:34:19.344482 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0 04/26/2023-16:34:19.344577 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0 04/26/2023-16:34:28.794097 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.1:11 -> 192.168.11.83:0 04/26/2023-16:34:29.411163 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 80.94.95.203:2916 04/26/2023-16:34:30.369791 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 87.246.7.230:35682 |
JSON形式のログを取得するには、システムにjqをインストールする
1 2 |
# dnf install jq # systemctl restart suricata |
下記コマンドを実行し、同一ローカルネットワーク上の別のデバイスでpingを実行する
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' pingを実行するとコンソールに下記のように表示される { "timestamp": "2023-04-26T16:36:10.577241+0900", "flow_id": 1209779886935769, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2023-04-26T16:36:10.577241+0900" } } { "timestamp": "2023-04-26T16:36:10.577301+0900", "flow_id": 1209779886935769, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2023-04-26T16:36:10.577241+0900" } } { "timestamp": "2023-04-26T16:36:15.794200+0900", "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.1", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 11, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 } } |
Tripwire インストール
1.インストール
1 |
# dnf -y install tripwire |
2.パスフレーズ設定
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
# tripwire-setup-keyfiles ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←任意の「サイトパスフレーズ」を入力 Verify the site keyfile passphrase: ←再度「サイトパスフレーズ」を入力 Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←任意の「ローカルパスフレーズ」を入力 Verify the local keyfile passphrase: ←再度「ローカルパスフレーズ」を入力 Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←「サイトパスフレーズ」を入力 Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←「サイトパスフレーズ」を入力 Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy. Once you have a satisfactory Tripwire policy file, you should move the clear-text version to a secure location and/or encrypt it in place (using a tool such as GPG, for example). Now run "tripwire --init" to enter Database Initialization Mode. This reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. Options can be entered on the command line to specify which policy, configuration, and key files are used to create the database. The filename for the database can be specified as well. If no options are specified, the default values from the current configuration file are used. |
3.Tripwire の設定
①設定ファイル編集
1 2 3 4 5 6 7 8 9 |
# vi /etc/tripwire/twcfg.txt ●9 行目あたり 行頭に「#」を追加し、その下の行に「LOOSEDIRECTORYCHECKING =true」を追加します。 ●12 行目あたり 行頭に「#」を追加し、その下の行に「REPORTLEVEL =4」を追加します。 レベル4 にすることで「0 」~「4 」までの5 段階中、最も詳細なレポートが表示されます。 #REPORTLEVEL =3 REPORTLEVEL =4 |
②Tripwire 設定ファイル(暗号署名版)を作成
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←サイトパスフレーズを入力 Wrote configuration file: /etc/tripwire/tw.cfg |
③Tripwire 設定ファイル(テキスト版)削除
1 |
# rm -f /etc/tripwire/twcfg.txt |
④ポリシーファイル設定
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
twpolmake.plの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/perl # Tripwire Policy File customize tool # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤ポリシーファイル最適化
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑥最適化済ポリシーファイルを元に、ポリシーファイル(暗号署名版)作成
1 2 3 4 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←サイトパスフレーズを入力 Wrote policy file: /etc/tripwire/tw.pol |
⑦データベースを作成、動作確認
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←ローカルパスフレーズを入力 |
テスト用ファイルを作成
1 |
# echo test > /root/test.txt |
Tripwire の動作確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# tripwire -m c -s -c /etc/tripwire/tw.cfg 下記のように表示されればOK Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Wed 26 Apr 2023 06:46:15 PM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 (/sbin/runlevel) Application Information Programs 100 0 0 0 (/sbin/rtmon) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 * Tripwire Data Files 100 1 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 Critical configuration files 100 0 0 0 * Root config files 100 1 0 0 Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Critical devices 100 0 0 0 Total objects scanned: 42529 Total violations found: 2 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/lib/tripwire/Lepard.twd" ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
テスト用ファイルを削除
1 |
# rm -f /root/test.txt |
⑧Tripwire 定期実行スクリプト
1 2 |
# cd /var/www/system # vi tripwire.sh |
tripwire.shの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # パスフレーズ設定 LOCALPASS= ←ローカルパスフレーズ SITEPASS= ←サイトパスフレーズ cd /etc/tripwire # Tripwireチェック実行 tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # ポリシーファイル最新化 twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # データベース最新化 rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
⑨Tripwire 自動実行スクリプト実行設定
1 2 3 4 5 |
# chmod 700 tripwire.sh cron に追加 # crontab -e 0 3 * * * /var/www/system/tripwire.sh |
参考: メールで結果報告用スクリプト
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # パスフレーズ設定 LOCALPASS=xxxxx # ローカルキーパスフレーズ SITEPASS=xxxxx # サイトキーパスフレーズ #通知先メールアドレス指定 MAIL="<your mailaddress> " cd /etc/tripwire # Tripwireチェック実行 tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # ポリシーファイル最新化 twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # データベース最新化 rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
下記コマンドを実行し、指定したメールアドレスにtripwire実行結果が通知されることを確認
1 |
# /var/www/system/tripwire.sh |