The Open Information Security Foundation has published the release of Suricata 5.0, a network intrusion detection and prevention system that provides inspection tools for many kinds of traffic.
It is based on an externally developed set of rules used to monitor network traffic and alert the system administrator when suspicious events occur. Suricata's configuration allows the use of the signature database developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under the GPLv2 license.
Main changes in Suricata 5.0
In this new version, new parsing and logging modules written in Rust are provided for the RDP, SNMP and SIP protocols. The FTP parsing module can now log to the EVE subsystem, which provides event output in JSON format.
In addition to support for the TLS JA3 client fingerprinting method, which appeared in the previous version, support has been added for the JA3S method, which makes it possible to identify which software is used to establish a connection based on the characteristics and negotiation parameters of the established connection (for example, it allows the use of Tor and other typical applications to be identified).
JA3 provides the ability to characterize clients, and JA3S servers. The results of the characterization can be used in the rule language and in the logs.
Added the ability to match and select against large data sets, implemented using the new dataset and datarep operations. For example, this functionality is applicable to looking up hashes in a large imported list.
In HTTP inspection mode, all situations described in the HTTP Evader test suite are now fully covered (for example, it covers methods used to hide malicious activity in traffic).
The tooling for developing modules in the Rust language has moved from optional to mandatory. In the future, it is planned to extend the use of Rust in the project's code base and gradually replace modules with analogues implemented in Rust.
The rule description engine has been improved in terms of increased accuracy and better handling of asynchronous traffic flows.
Added support for a new 'anomaly' log type in the EVE log, which records atypical events detected while decoding packets. EVE has also been extended for VLANs and traffic capture interfaces. Added an option to store all HTTP headers in the http EVE log entries.
The code for capturing traffic using the Netmap driver has been rewritten. Added the ability to use advanced Netmap features such as the VALE virtual switch.
All Python code used has been tested for compatibility with Python 3.
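The JA3/JA3S and anomaly features above both land in the EVE JSON log, so the natural first thing a defender writes is a small consumer for that output. The script below is an added example, not part of the original article or of the Suricata project. It assumes the Suricata 5.x EVE layout (tls events carrying tls.ja3.hash / tls.ja3.string and tls.ja3s.hash / tls.ja3s.string, anomaly events carrying anomaly.type and anomaly.event); the EVE lines, fingerprint strings and IP addresses are constructed for the demonstration. It counts client/server fingerprint pairs, tallies anomaly events, and checks that each logged hash really is the MD5 of the logged fingerprint string, which is how JA3 and JA3S hashes are defined.

```python
"""Summarize JA3/JA3S fingerprints and anomaly events from Suricata EVE JSON.

Added example, not part of the original article or of the Suricata project.
Assumes the Suricata 5.x EVE field layout described in the lead-in.
All sample records below are constructed for the demonstration.
"""
import hashlib
import json
from collections import Counter


def ja3_hash(fingerprint: str) -> str:
    """JA3 and JA3S hashes are the MD5 of the comma-separated fingerprint string."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


# Constructed fingerprint strings (TLS version, ciphers, extensions, ...).
CLIENT_FP = "771,4865-4866-4867-49195,0-23-65281-10-11,29-23-24,0"
SERVER_FP = "771,4865,43-51"

# Constructed EVE lines. The hashes are derived from the strings above so that
# the consistency check passes, except for one deliberately wrong hash.
SAMPLE_EVE = [
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "tls": {"sni": "example.invalid",
                        "ja3": {"hash": ja3_hash(CLIENT_FP), "string": CLIENT_FP},
                        "ja3s": {"hash": ja3_hash(SERVER_FP), "string": SERVER_FP}}}),
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.6", "dest_ip": "10.0.0.9",
                "tls": {"sni": "example.invalid",
                        "ja3": {"hash": ja3_hash(CLIENT_FP), "string": CLIENT_FP},
                        "ja3s": {"hash": ja3_hash(SERVER_FP), "string": SERVER_FP}}}),
    # Hash does not match the string: a corrupted or tampered record.
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
                "tls": {"ja3": {"hash": "0" * 32, "string": CLIENT_FP}}}),
    json.dumps({"event_type": "anomaly", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.9",
                "anomaly": {"type": "decode", "event": "IPV4_TRUNC_PKT"}}),
    json.dumps({"event_type": "anomaly", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.9",
                "anomaly": {"type": "applayer",
                            "event": "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.9"}),
]


def summarize(lines):
    """Return fingerprint-pair counts, anomaly counts and hash/string mismatches."""
    pairs = Counter()       # (ja3 hash, ja3s hash) -> number of sessions
    anomalies = Counter()   # (anomaly type, event name) -> count
    mismatches = []         # (src_ip, "ja3" | "ja3s") where hash != md5(string)
    for raw in lines:
        ev = json.loads(raw)
        kind = ev.get("event_type")
        if kind == "tls":
            tls = ev.get("tls", {})
            for side in ("ja3", "ja3s"):
                fp = tls.get(side)
                if fp and "string" in fp and ja3_hash(fp["string"]) != fp.get("hash"):
                    mismatches.append((ev.get("src_ip"), side))
            client = tls.get("ja3", {}).get("hash")
            server = tls.get("ja3s", {}).get("hash")
            if client and server:
                pairs[(client, server)] += 1
        elif kind == "anomaly":
            a = ev.get("anomaly", {})
            anomalies[(a.get("type"), a.get("event"))] += 1
        # Other event types (flow, http, dns, ...) are ignored here.
    return {"pairs": pairs, "anomalies": anomalies, "mismatches": mismatches}


if __name__ == "__main__":
    # With a real deployment, replace SAMPLE_EVE by open("/var/log/suricata/eve.json").
    result = summarize(SAMPLE_EVE)
    for (client, server), n in result["pairs"].most_common():
        print(f"{n:4d} sessions  JA3 {client}  JA3S {server}")
    for (atype, event), n in result["anomalies"].most_common():
        print(f"{n:4d} anomalies  {atype}/{event}")
    for src, side in result["mismatches"]:
        print(f"hash mismatch from {src} in {side} record")
```

Counting JA3/JA3S pairs rather than JA3 alone is the point of the new server fingerprint: the same client fingerprint talking to two servers with different JA3S values is a different observation from the same pair repeating, and the rule language can key on either hash.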
How do you install Suricata on Ubuntu?
To install this utility, we can add its repository to our system. To do this, type the following commands:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
If you are on Ubuntu 16.04 or run into dependency problems, the following command resolves them:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4
Once the installation is done, it is recommended to disable any packet offloading feature on the NIC that Suricata listens on.
You can disable LRO/GRO on the eth0 network interface using the following command:
sudo ethtool -K eth0 gro off lro off
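To confirm that the ethtool change took effect, and to catch the features the article does not name, the following added example (not from the original article or the Suricata project) parses the output of `ethtool -k` and reports the offload features that are still on and can actually be turned off. It goes slightly beyond the article's LRO/GRO advice by also covering TSO, GSO and checksum offloading, since every form of offloading can hand Suricata packets that differ from what crossed the wire. The `ethtool -k` output embedded below is constructed; on a real host the script runs the command itself.

```python
"""Report NIC offload features that are still enabled, from `ethtool -k` output.

Added example, not from the original article or the Suricata project.
Generalises the article's LRO/GRO advice to the other offload features.
SAMPLE_ETHTOOL_OUTPUT is constructed for the demonstration.
"""
import subprocess
import sys

# Feature names as printed by `ethtool -k`, mapped to the short keys `ethtool -K` accepts.
OFFLOAD_FEATURES = {
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
    "tcp-segmentation-offload": "tso",
    "generic-segmentation-offload": "gso",
    "rx-checksumming": "rx",
    "tx-checksumming": "tx",
}

# Constructed sample: a NIC where only LRO is off (and fixed by the driver).
SAMPLE_ETHTOOL_OUTPUT = """\
Features for eth0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
\ttx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
"""


def parse_features(text):
    """Map each top-level feature name to (state, fixed) from `ethtool -k` output."""
    features = {}
    for line in text.splitlines():
        if not line or line.startswith("Features for") or line[0] in " \t":
            continue  # skip the header and the indented sub-features
        name, _, rest = line.partition(":")
        state = rest.strip().split()[0]          # "on" or "off"
        features[name.strip()] = (state, "[fixed]" in rest)
    return features


def enabled_offloads(text):
    """Offload features that are on and not marked [fixed], i.e. still changeable."""
    feats = parse_features(text)
    return [name for name in OFFLOAD_FEATURES
            if name in feats and feats[name] == ("on", False)]


def disable_command(iface, names):
    """Build the `ethtool -K` argument list that turns the given features off."""
    args = []
    for name in names:
        args += [OFFLOAD_FEATURES[name], "off"]
    return ["ethtool", "-K", iface] + args


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    try:
        output = subprocess.run(["ethtool", "-k", iface], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("ethtool not available, using the constructed sample output")
        output = SAMPLE_ETHTOOL_OUTPUT
    still_on = enabled_offloads(output)
    if still_on:
        print("offloading still enabled:", ", ".join(still_on))
        print("suggested fix: sudo", " ".join(disable_command(iface, still_on)))
    else:
        print("no changeable offload feature is enabled on", iface)
```

Features reported as `[fixed]` cannot be changed from userspace, so the script leaves them out of the suggested command instead of producing an `ethtool` invocation that would fail.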
Suricata supports several run modes. We can see the list of all available run modes with the following command:
sudo /usr/bin/suricata --list-runmodes
The default run mode is autofp, which stands for "automatic flow pinned load balancing". In this mode, packets from each distinct flow are assigned to a single detection thread. Flows are assigned to the thread with the lowest number of unprocessed packets.
Now we can proceed to start Suricata in pcap live mode, using the following command:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal