New version Suricata 6.0 released

After a year of development, the Open Information Security Foundation (OISF) announced in a blog post the release of the new version Suricata 6.0, a network intrusion detection and prevention system that offers means to inspect many different kinds of traffic.

This new release brings several very interesting improvements, such as HTTP/2 support, improvements to various protocol parsers and performance improvements, among other changes.

For those unfamiliar with Suricata, this software is also based on a set of externally developed rules used to monitor network traffic and to raise alerts to the system administrator when suspicious events occur.

In the Suricata configuration it is possible to use the signature database developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets.

The project's source code is distributed under the GPLv2 license.

Main new features of Suricata 6.0

In this new version, Suricata 6.0, we find initial HTTP/2 support, which introduces numerous improvements such as the use of a single connection and header compression, among other things.

Apart from that, support for the RFB and MQTT protocols was added, including protocol parsing and logging capabilities.

Logging performance has also been greatly improved in the EVE engine, which produces JSON output from events. The speedup is achieved thanks to a new JSON serialization generator written in Rust.

The throughput of the EVE logging system has increased, and the ability to keep a separate log file per thread has been added.

In addition, Suricata 6.0 introduces new rule language features, adding support for the from_end parameter in the byte_jump keyword and the bitmask parameter in byte_test. Furthermore, the pcrexform keyword has been implemented to allow regular expressions (pcre) to capture a substring.

The ability to show MAC addresses in EVE records has been added, and DNS records now carry more detail.
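The EVE output described above, as an added example that is not part of the original article or of the Suricata project: a small reader for an eve.json file that tolerates the partially written last line a live log usually has, counts alerts per source MAC address taken from the "ether" object, and collects DNS answers per queried name. The sample lines are constructed, and the field names ("ether.src_mac", "dns.answers[].rdata" and so on) are assumed to match the EVE layout of Suricata 6.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of an eve.json file (not a real capture). Field names are
# assumed to match Suricata 6's EVE layout: alert events, DNS v2 "answer"
# records, and the "ether" object emitted when ethernet logging is enabled.
SAMPLE_EVE = """\
{"timestamp":"2020-10-22T10:00:00.000001+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","ether":{"src_mac":"02:00:00:aa:bb:01","dest_mac":"02:00:00:aa:bb:ff"},"alert":{"signature_id":2000001,"signature":"CONSTRUCTED test alert","severity":2}}
{"timestamp":"2020-10-22T10:00:01.000001+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"version":2,"type":"answer","rrname":"example.net","rcode":"NOERROR","answers":[{"rrname":"example.net","rrtype":"A","ttl":60,"rdata":"203.0.113.9"}]}}
{"timestamp":"2020-10-22T10:00:02.000001+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","ether":{"src_mac":"02:00:00:aa:bb:01","dest_mac":"02:00:00:aa:bb:ff"},"alert":{"signature_id":2000001,"signature":"CONSTRUCTED test alert","severity":2}}
{"timestamp":"2020-10-22T10:00:03.0
"""


def parse_eve(text):
    """Yield one event dict per well-formed line and skip the rest.
    Suricata appends to eve.json while running, so a reader must tolerate a
    partially written final line rather than abort on it."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(events):
    """Count alerts per (source MAC, signature id) and collect DNS answers per
    queried name. The MAC comes from the 'ether' object, which lets a host be
    tracked even when DHCP changes its IP address."""
    alerts_by_mac = Counter()
    dns_answers = defaultdict(set)
    for ev in events:
        etype = ev.get("event_type")
        if etype == "alert":
            mac = ev.get("ether", {}).get("src_mac", "unknown")
            alerts_by_mac[(mac, ev["alert"]["signature_id"])] += 1
        elif etype == "dns" and ev.get("dns", {}).get("type") == "answer":
            for ans in ev["dns"].get("answers", []):
                dns_answers[ans["rrname"]].add(ans["rdata"])
    return {"alerts_by_mac": dict(alerts_by_mac),
            "dns_answers": {name: sorted(v) for name, v in dns_answers.items()}}


if __name__ == "__main__":
    print(summarize(parse_eve(SAMPLE_EVE)))
```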

Other notable changes in this new version:

  • Added the urldecode transform. Added the byte_math keyword.
  • Logging capability for the DCERPC protocol. Ability to define conditions under which data is dumped to the log.
  • Engine performance improvements.
  • Support for fingerprinting SSH implementations (HASSH).
  • Implementation of a GENEVE tunnel decoder.
  • The code handling ASN.1, DCERPC and SSH has been rewritten in Rust. Support for the new protocols is also implemented in Rust.
  • Ability to use cbindgen to generate bindings between Rust and C.
  • Added initial plugin support.

Finally, if you want to know more about it, you can check the details at the following link.

How to install Suricata on Ubuntu?

To install this program, we add the following repository to our system. To do so, simply type the following commands:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

If you are on Ubuntu 16.04 or run into dependency problems, the following command resolves them:

sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4

Once the installation is done, it is recommended to disable any packet offloading feature on the NIC that Suricata listens on.

LRO/GRO can be disabled on the network interface with the following command:

sudo ethtool -K eth0 gro off lro off

Suricata supports several run modes. We can see the list of all run modes with the following command:

sudo /usr/bin/suricata --list-runmodes

The default run mode is autofp, which stands for "automatic flow pinned load balancing". In this mode, the packets of each distinct flow are handed to a single detection thread. Flows are assigned to the thread with the lowest number of unprocessed packets.

Now we can go ahead and start Suricata in live pcap mode with the following command:

sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal
