Mushure megore rekuvandudza, iyo Vhura Ruzivo Kuchengetedza Nheyo (OISF) kuziviswa kuburikidza chinyorwa che blog, kusunungurwa kweshanduro nyowani yeSuricata 6.0, inova network yekucherechedzwa kupindirana uye yekudzivirira system iyo inopa nzira yekuongorora mhando dzakasiyana dzetraffic.
Muchinyorwa chitsva ichi dzinoverengeka dzinonakidza kuvandudzwa zvinoratidzwa, senge rutsigiro rweHTTP / 2, kuvandudzwa kwezvirongwa zvakasiyana, kugadzirisa mashandiro, pakati pezvimwe shanduko.
Kune avo vasingazive nezve meerkat, iwe unofanirwa kuziva kuti iyi software eIyo yakavakirwa pane seti yemitemo kunze kwakagadzirwa kuongorora network traffic uye kupa yambiro kune system manejimendi kana zviitiko zvekufungidzira zvikaitika.
Mukugadziriswa kweSuricata, inobvumidzwa kushandisa iyo siginicha dhatabhesi yakagadzirwa neiyo Snort projekiti, pamwe neIri Kumukira Kutyisidzira uye Kumuka Kwekutyisidzira Pro mutemo unoisa.
Iyo sosi kodhi yeprojekti inogoverwa pasi peGPLv2 rezinesi.
Main nhau dzeSuricata 6.0
Mune iyi vhezheni itsva yeSuricata 6.0 tinogona kuwana iyo kutanga rutsigiro rweHTTP / 2 nemabatiro asingaverengeki anounzwa senge kushandiswa kweyechete kubatana, kumanikidzwa kwemisoro, pakati pezvimwe zvinhu.
kunze kwaizvozvo Tsigiro yeRFB neMQTT maprotocol akabatanidzwa, kusanganisira protocol kududzira uye kugona matanda.
Uyewo kunyoresa kuita kwakanyatsogadziriswa kuburikidza neEVE injini, iyo inopa JSON kuburitsa kubva kuzviitiko. Iko kumhanyisa kunowanikwa nekuda kwekushandisa kweiyo nyowani yekushambidza jSON jenareta, yakanyorwa mumutauro weRust.
EVE kunyoresa system scalability yakawedzera uye ikashandiswa kugona kuchengetedza hotera log faira kune yega nhepfenyuro.
Uyewo, Suricata 6.0 inosvitsa mutsva mutemo dudziro mutauro iyo inowedzera kutsigira kwe from_end paramende mune byte_jump kiyi kiyi uye iyo bitmask paramende mu byte_test. Uye zvakare, iyo pcrexform kiyi yakagadziriswa kuitisa zvirevo kutaura (pcre) kutora substring.
Iko kugona kuratidza MAC kero mune yeEVE rekodhi uye kuwedzera iwo ruzivo rweiyo DNS rekodhi.
Of the dzimwe shanduko dzinomira pachena yeiyi vhezheni itsva:
- Wakawedzera urldecode kutendeuka. Yakawedzerwa byte_math keyword.
- Kugadzira kugona kweiyo DCERPC protocol Kukwanisa kutsanangura mamiriro ekurasa ruzivo mudanda.
- Yakagadziridzwa kuyerera mota kuita.
- Tsigiro yekuona mashandiro eSSH (HASSH).
- Kuteedzerwa kweiyo GENEVE tunnel decoder.
- Rust kodhi yakanyorwa zvekare kubata ASN.1, DCERPC, uye SSH. Ngura inotsigirawo zvirevo zvitsva.
- Ipa kugona kushandisa cbindgen kuburitsa zvinongedzo muRust naC.
- Yakawedzera yekutanga plugin rutsigiro.
Finalmente kana iwe uchida kuziva zvakawanda nezvazvo, unogona kutarisa ruzivo nekuenda kune inotevera chinongedzo.
Maitiro ekuisa Suricata paUbuntu?
Kuisa ichi chinoshandiswa, tinogona kuzviita nekuwedzera inotevera repository kune yedu system. Kuti uite izvi, ingo nyora inotevera mirairo:
sudo add-apt-repository ppa:oisf/suricata-stable sudo apt-get update sudo apt-get install suricata
Kana uine Ubuntu 16.04 kana uine matambudziko nekuvimbika, nemirairo inotevera inogadziriswa:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4
Kuiswa kwaitwa, zvinokurudzirwa kudzima chero offloead ficha pack paNIC iyo Suricata iri kuteerera.
Vanogona kudzima LRO / GRO pane eth0 network interface vachishandisa unotevera kuraira:
sudo ethtool -K eth0 gro off lro off
Meerkat inotsigira akati wandei enzira dzekushanda. Isu tinogona kuona iyo rondedzero yedzese nzira dzekuuraya nemirairo inotevera:
sudo /usr/bin/suricata --list-runmodes
Iyo yekumhanya mhanya nzira inoshandiswa ndeye autofp inomiririra "otomatiki yakatarwa kuyerera mutoro kuenzanisa". Mune ino modhi, mapaketi kubva kune yega yega rwizi anogoverwa kune imwechete yekuona tambo. Iko kuyerera kunopihwa kune tambo ine yakaderera nhamba yemapakeji asina kugadziriswa.
Iye zvino tinogona kuenderera mberi tanga Suricata mu pcap live mode, uchishandisa rairo inotevera:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal