Could I get a detailed guide on how to install Tripwire and Snort in Qubes?

I would really appreciate it if I could get a detailed guide on how to install Tripwire and Snort in Qubes the right way…
I read on the forum that those are the best intrusion detection systems in Qubes, and I think they should be installed by default, but they are not.
Could I get a link or a guide on how to install those in Qubes 4.1 the right way?

Snort

Just install it in the template of sys-firewall or in a dedicated VM, as in normal Fedora, AFAIK.

More detail:
How to install software | Qubes OS

Tripwire

I haven't tried it; maybe install it in all templates?


Thanks! Do you mean the service qube sys-firewall for Snort, nethogs and similar sniffers?
Is that the best place to sniff traffic in Qubes overall?

I will need to read more about Tripwire, and about how to sniff in Qubes. Thanks.

No, I mean a service qube.

Might be; it's easy to remember where it is, but a dedicated qube is also good.

Yes, I meant the service sys-firewall. I tried that just now…
Thanks.
Another thing… If running a VPN, you can't sniff traffic because it's encrypted.
Let's say a system were compromised. You would have to turn off the VPN and then sniff the traffic to see if you got some trojan/virus or similar, am I right?

No way to sniff the traffic otherwise in between, right?

That's where a dedicated qube comes in.

Can you explain in more detail? How can that one sniff if Qubes is connected to a VPN?

"Set up a ProxyVM as a VPN gateway using iptables and CLI scripts"

If that setup is used… do the disposable Whonix qubes or Qubes overall go through a VPN, or only the qubes you set to use a VPN?
I'm not good with networks, really…

Could you please explain a bit how the traffic works in Qubes? How can I sniff traffic in Qubes, also when I have a VPN and so on… Also, which part of Qubes would be compromised first if an attacker tried to hack Qubes? You could install Tripwire there, I guess, and maybe Wireshark too?

I appreciate your knowledge on this here on this forum, because I lack it but want to understand some more: where to install Wireshark, Tripwire and so on in Qubes in the best way.
Hardening Qubes could be good, and having an IDS. Every Linux distro should have one really, in my opinion… Open source.
Thanks!

You can still use it if your IDS is in between sys-vpn (for example) and your qubes.

Depends on how the hacker gets to your system:
Same network? sys-net!
Browser? The qube you run the browser in!
File? The qube you run the file in!
… and so on

Thanks. So the IDS between sys-vpn and the qubes is sys-firewall then? That's where Snort or any other should be? How do you put it in between? It would be good if I can sniff, and nobody else…
The traffic is encrypted, so yeah… I did not think it was possible to sniff end-to-end encryption, that's all; I don't know how it works really…

OK, good to know that sys-net is the first one getting "owned". Then they work up and take over dom0, I guess…
Also, yes, I know about browser exploits existing, and files…

What are the best tools to harden Qubes with? Tripwire, Snort, Wireshark, what else?

No.
I.e., your qube is "personal";
then you should place it between "personal" and sys-vpn.
That way it will see the unencrypted traffic.

It's very hard to do so, impractical for most hackers.

The same as normal Linux (SELinux is a common example) (it might be tricky for you to find how to do it in Qubes in the most effective way).
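One way to put together what the reply above describes, as an added example that is not part of the original thread or of the Qubes OS documentation: a dom0 shell script that clones a template, installs the tools in it, creates a dedicated proxy qube for the IDS, and chains it between the app qube and the VPN qube so the IDS sees traffic before sys-vpn encrypts it. The names fedora-37, sys-vpn, personal and sys-ids, the snort.conf path, and the availability of the snort and tripwire packages from the template's repositories are all assumptions; adjust them to your system. By default the script only prints the dom0 commands (DRY_RUN=1); set DRY_RUN=0 to run them.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes docs): build the chain
#   personal -> sys-ids -> sys-vpn -> ...
# from dom0, so the IDS qube sees traffic before sys-vpn encrypts it.
# Assumed names: base template "fedora-37", VPN qube "sys-vpn", app qube
# "personal", new IDS qube "sys-ids". Package names "snort"/"tripwire" and
# the path /etc/snort/snort.conf are assumed, not verified here.
# DRY_RUN=1 (default) prints the dom0 commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_ids_chain BASE_TEMPLATE APP_QUBE VPN_QUBE IDS_QUBE
build_ids_chain() {
    base="$1"; app="$2"; vpn="$3"; ids="$4"
    tmpl="${base}-ids"

    # 1. A separate template for the IDS, so the tools do not end up in
    #    every qube that shares the base template.
    run qvm-clone "$base" "$tmpl"

    # 2. Install the tools inside the template as root (as on plain Fedora),
    #    then shut it down so qubes based on it pick up the change.
    run qvm-run --pass-io --user root "$tmpl" 'dnf install -y snort tripwire'
    run qvm-shutdown --wait "$tmpl"

    # 3. A dedicated qube that provides network to other qubes (a proxy
    #    qube) and itself uses the VPN qube as upstream.
    run qvm-create --class AppVM --template "$tmpl" --label red "$ids"
    run qvm-prefs "$ids" provides_network True
    run qvm-prefs "$ids" netvm "$vpn"

    # 4. Point the app qube at the IDS qube instead of directly at the VPN.
    run qvm-prefs "$app" netvm "$ids"

    # 5. Inside the IDS qube, eth0 is the upstream side toward sys-vpn; the
    #    traffic there is still plaintext, so that is where Snort listens.
    run qvm-run --pass-io --user root "$ids" \
        'snort -D -i eth0 -c /etc/snort/snort.conf'
}

build_ids_chain fedora-37 personal sys-vpn sys-ids
```

The ordering matters only in one place: the IDS qube must have provides_network set before another qube can select it as netvm. Snort started this way lives in the IDS qube's root filesystem, which is reset from the template on reboot, so a persistent setup needs its rules and logs under /rw or /home, or a systemd unit added in the template; that is outside what the thread covers.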

I have not read up on how to reply like you do, so I'm answering in my own way now.

No.
I.e., your qube is "personal";
then you should place it between "personal" and sys-vpn.
That way it will see the unencrypted traffic.

How do I do that? Where do I place it? Not in sys-firewall then, as you wrote earlier?

It's very hard to do so, impractical for most hackers.

OK, how do they hack Qubes then?

The same as normal Linux (SELinux is a common example) (it might be tricky for you to find how to do it in Qubes in the most effective way).

I'm not good with Linux, so I would not know how to harden it… But I did read that SELinux was insecure; I could be wrong… It was shady or something, that was the impression I got last time I read about it.
I meant more with tools… hardening. Wireshark, Tripwire and so on… closing down stuff that is unnecessary, but I'm sure the expert hackers and coders that have created Qubes have thought about security like that. :wink:
Still…
An IDS would not mess up anything, in my opinion…

In a dedicated qube.

They can just hack the AppVM and persist there until reboot.
AFAIK, there is no malware for Qubes because it isn't worth it.
The only way to attack dom0 is a Xen flaw, which is unlikely to be found easily.


OK, could you link me some info on how to set up Snort in a dedicated qube? Wireshark could be used in sys-firewall, right? Or do you need to create a dedicated qube, and then what? What settings do you change and so on?

OK, so that's how they work… Yeah, well, the annoying thing about hackers or crackers is that they don't even ask for permission…
They just break in. And there's not much one can do. You can try to get some protection like a VPN and a secure OS, that's it…
Good to know that hackers don't easily hack Qubes and Xen, but I bet some do.
It's more secure than Windows though!

Might be (for an encrypted connection it's better to use a dedicated qube, unless you want to see the encrypted connection).

I don't use Wireshark for normal traffic monitoring; it's very time-consuming, so I don't know.

You can do a lot (not antivirus; all AV are a scam).

There's more.

That can't be avoided.

Thanks, but I'm still looking for a detailed guide or advice on how to install Tripwire and/or Snort in Qubes.
If anyone has experience, please do help out.

Can anyone here help me with links or a guide on how to install Tripwire and Snort in Qubes, please? That would be great! Please link all you've got.