Emva konyaka wophuhliso, i Vula iSiseko soKhuseleko loLwazi (OISF) yaziswa nge iposti yebhlog, ukukhutshwa kwenguqulelo entsha yeSuricata 6.0, eyindlela yokufumanisa ukungenelela kwenethiwekhi kunye nenkqubo yokuthintela ebonelela ngeendlela zokuhlola iintlobo ezahlukeneyo zezithuthi.
Kolu hlelo lutsha Zininzi izinto ezinomdla eziphuculweyo ezibonisiweyo, ezinje ngenkxaso ye-HTTP / 2, uphuculo kwiiprotocol ezahlukeneyo, ukuphucula ukusebenza, phakathi kolunye utshintsho.
Kulabo abangaqhelekanga ngemerkat, kuya kufuneka uyazi ukuba le software kwayeIsekwe kuseto lwemigaqo kuphuhliswe ngaphandle Ukujonga ukugcwala kwenethiwekhi kwaye unikeze izilumkiso kumlawuli wenkqubo xa kukho iziganeko ezikrokrisayo.
Kuqwalaselo lweSuricata, kuvunyelwe ukusebenzisa indawo yogcino lwedatha etyikitywe yiprojekthi ye-Snort, kunye nezoSongelo eziHlumayo kunye nezoSongelo eziPhakamileyo zePro.
Ikhowudi yemvelaphi yeprojekthi ihanjiswa phantsi kwelayisensi ye-GPLv2.
Iindaba eziphambili zeSuricata 6.0
Kule nguqulo intsha yeSuricata 6.0 sinokufumana ifayile ye- Inkxaso yokuqala ye-HTTP / 2 apho kuphuculwe inani elingenakubalwa njengokusetyenziswa konxibelelwano olunye, uxinzelelo lwentloko, phakathi kwezinye izinto.
ngaphandle koko Inkxaso yeRFB kunye neMQTT protocols ibandakanyiwe, kubandakanya inkcazo yomgaqo-nkqubo kunye namandla okungena.
Kwakhona ukusebenza kobhaliso kwaphuculwa kakhulu Ngenjini ye-EVE, ebonelela ngemveliso yeJSON kwimicimbi. Unikezelo lufezekiswa enkosi ekusebenziseni iJSON generator engenanto, ebhalwe ngolwimi lweRust.
Inkqubo yokubhalisa ye-EVE inyukile kwaye yaphumeza amandla okugcina ifayile yelog yehotele kusasazo ngalunye.
Kwakhona, I-Suricata 6.0 yazisa ngomgaqo omtsha wolwimi eyongeza inkxaso kwi_end parameter ngegama byte_jump kunye neparamask parameter byte_test. Ukongeza, igama eliphambili le-pcrexform limiliselwe ukuvumela intetho eqhelekileyo (pcre) ukubamba umtya.
Ukukwazi ukubonisa iidilesi zeMAC kwirekhodi ye-EVE kunye nokwandisa iinkcukacha zerekhodi ye-DNS.
Ye- Olunye utshintsho olwahlukileyo yale nguqulo intsha:
- Yongezwe ukuguqulwa kwe-urldecode. Yongezwe byte_math igama eliphambili.
- Amandla okuloba kumgaqo olandelwayo weDCERPC.Ukukwazi ukuchaza iimeko zokulahla ulwazi kwilog.
- Ukuphucula ukusebenza kweemoto.
- Inkxaso yokuchonga ukuphunyezwa kwe-SSH (HASSH).
- Ukuphunyezwa kwe-GENEVE i-tuner decoder.
- Ikhowudi yokubhala ibhalwe kwakhona ukuphatha i-ASN.1, DCERPC, kunye ne-SSH. Umhlwa uxhasa iiprotocol ezintsha.
- Ukubonelela ngesakhono sokusebenzisa i-cbindgen ukuvelisa amakhonkco eRust kunye noC.
- Yongeze inkxaso yokuqala ye-plugin.
Gqibela ukuba ufuna ukwazi ngakumbi ngayo, ungajonga iinkcukacha ngokuhamba kule khonkco ilandelayo.
Uyifaka njani iSuricata kwi-Ubuntu?
Ukufakela oku kuluncedo, sinokuyenza ngokongeza indawo yokugcina kwinkqubo yethu. Ukwenza oku, chwetheza le miyalelo ilandelayo:
sudo add-apt-repository ppa:oisf/suricata-stable sudo apt-get update sudo apt-get install suricata
Kwimeko yokuba noBuntu 16.04 okanye unengxaki zokuxhomekeka, ngalo myalelo ulandelayo usonjululwe:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4
Ufakelo lwenziwe, Kuyacetyiswa ukuba ukhubaze nayiphi na ipakethi yento engekhoyo kwi-NIC ethi uSuricata ayimamele.
Banokukhubaza i-LRO / GRO kunxibelelwano lwe-eth0 yenethiwekhi besebenzisa lo myalelo ulandelayo:
sudo ethtool -K eth0 gro off lro off
IMeerkat ixhasa iindlela ezininzi zokusebenza. Sibona uluhlu lwazo zonke iindlela zokuphumeza ngalo myalelo ulandelayo:
sudo /usr/bin/suricata --list-runmodes
Imowudi yokusebenza engagqibekanga esetyenzisiweyo yi-autofp imele "ulungelelwaniso oluzenzekelayo lokuhamba komthwalo" Kule ndlela, iipakethi ezivela kumjelo ngamnye owahlukileyo zabelwe intambo enye yokufumanisa. Ukuhamba kunikezelwe kwimisonto kunye nelona nani lisezantsi leepakethe ezingasetyenziswanga.
Ngoku sinokuqhubeka ukuya qala iSuricata kwimodi ephilayo ye-pcap, usebenzisa lo mthetho ulandelayo:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal