Snort or Suricata. Part 2: Installing and initially configuring Suricata

According to statistics, the volume of network traffic grows by roughly 50% every year. This increases the load on equipment and, in particular, raises the requirements placed on an IDS/IPS. You can buy expensive specialized appliances, but there is a cheaper option: deploy one of the open-source systems. Many novice administrators believe that installing and configuring a free IPS is difficult. In the case of Suricata this is not entirely true: you can install it and start repelling standard attacks with a set of free rules in a matter of minutes.

Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect the corporate network

Why do we need another open IPS?

Long considered the de facto standard, Snort has been developed since the late 1990s, so its core is single-threaded. Over the years it acquired all the modern features, such as IPv6 support, the ability to parse application-level protocols, and a universal data-acquisition module.

The Snort 2.X engine learned to work with multiple cores, but it remained single-threaded and therefore could not make efficient use of modern hardware platforms.

The problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. Its development began in 2009 precisely as a multi-threaded alternative to Snort, with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners get access to a closed version of the engine. Some scalability problems surfaced in the early versions of the system, but they were quickly resolved.

Why Suricata?

Suricata consists of several processing stages (as does Snort): capture, acquisition, decoding, detection and output. By default, captured traffic goes through to decoding in a single thread, although this puts more load on the system. If necessary, the threads can be split up in the settings and distributed across processors; Suricata is very well optimized for specific hardware, although that is no longer a beginner-level HOWTO. It is also worth noting that Suricata has advanced HTTP inspection facilities based on the HTP library. These can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 and IPv6-in-IPv6 tunnels, and so on.

Different interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can automatically analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new components for capturing, decoding, analyzing and processing network packets. It is also important to note that Suricata blocks traffic through the operating system's standard packet filter. On GNU/Linux there are two options for IPS operation: through the NFQUEUE queue (NFQ mode) and through zero copy (AF_PACKET mode). In the first case, a packet that hits iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata runs it through its rules and returns one of three verdicts: NF_ACCEPT, NF_DROP or NF_REPEAT. The first two are self-explanatory; the last one lets Suricata mark the packet and send it back to the beginning of the current iptables table, so that later rules can act on the mark. AF_PACKET mode is faster, but it imposes a number of restrictions on the system: the host must have two network interfaces and operate as a gateway between them, with Suricata itself copying packets from one interface to the other like a bridge. A blocked packet is simply not forwarded to the second interface.
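The two Linux inline modes described above, written out as the iptables rules, suricata.yaml fragments and start commands an administrator would actually apply. This is an added example and not code from the original article or from the Suricata project; the interface names eth0/eth1, queue number 0 and mark value 1 are assumptions, chosen to match the layout the text describes.

```shell
#!/bin/sh
# Added example (not from the original article or the Suricata project):
# NFQUEUE and AF_PACKET inline modes for Suricata on Linux. Interface names,
# queue number and mark value below are assumptions; adjust for your host.
set -eu

# NFQUEUE mode. Print the iptables rules that hand traffic to queue $1.
# Suricata, started with "suricata -c /etc/suricata/suricata.yaml -q $1",
# returns NF_ACCEPT, NF_DROP or NF_REPEAT for every queued packet.
#  - "--queue-bypass" makes the rule fail open: when nothing is bound to the
#    queue (Suricata is down) packets are accepted instead of dropped.
#    Remove it if you want fail-closed behaviour.
#  - The mark match goes with NF_REPEAT: Suricata sets mark $2 on the packet
#    and sends it back to the top of the chain; the match keeps it from being
#    queued a second time, so the rules after this one get to see it.
nfq_rules() {
    queue=$1; mark=$2
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -I $chain -m mark ! --mark $mark/$mark -j NFQUEUE --queue-num $queue --queue-bypass"
    done
}

# The matching nfq section of suricata.yaml for repeat mode (mark $1).
nfq_yaml() {
    mark=$1
    cat <<EOF
nfq:
  mode: repeat
  repeat-mark: $mark
  repeat-mask: $mark
EOF
}

# AF_PACKET mode. Suricata bridges $1 and $2 itself: every packet received on
# one interface is inspected and, unless a rule drops it, copied to the other
# (copy-mode: ips). The host needs no IP address on these interfaces and must
# not bridge or route between them by any other means, or packets would be
# duplicated or bypass inspection.
afpacket_ips_yaml() {
    in=$1; out=$2
    cat <<EOF
af-packet:
  - interface: $in
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: $out
  - interface: $out
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: $in
EOF
}

# Print what to apply for the chosen mode. As root: pipe the iptables lines
# to sh, merge the YAML into /etc/suricata/suricata.yaml, then start
#   suricata -c /etc/suricata/suricata.yaml -q 0          (NFQ mode)
#   suricata -c /etc/suricata/suricata.yaml --af-packet   (AF_PACKET mode)
case "${1:-}" in
    nfq)      nfq_rules 0 1; nfq_yaml 1 ;;
    afpacket) afpacket_ips_yaml eth0 eth1 ;;
esac
```

Decide on the fail-open question before going inline: with `--queue-bypass` a crashed or stopped Suricata lets everything through, without it the same outage turns into a complete network cut. In AF_PACKET mode the equivalent trade-off is built in, because when Suricata is not running nothing copies packets between the two interfaces at all.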

Another important feature of Suricata is the ability to reuse what has been built for Snort. In particular, the administrator has access to the Sourcefire VRT and open-source Emerging Threats rule sets, as well as the commercial Emerging Threats Pro. Unified output can be analyzed with popular back ends, and output to PCAP and Syslog is also supported. The system settings are stored in a YAML file, which is easy to read and can be processed automatically; the rules themselves use the familiar Snort-style rule syntax in separate .rules files. The Suricata engine recognizes many protocols, so rules do not have to be tied to a port number. In addition, the flowbits concept is used extensively in Suricata rules. To track triggers, session variables are used, which let you create and use various counters and flags. Many IDS treat separate TCP connections as unrelated entities and may not see the connection between them that signals the beginning of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic spread across different connections. We could talk about its advantages for a long time; it is better to move on to installation and configuration.

How to set it up?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be executed as a privileged user (root). The safest option is to connect to the server via SSH as a regular user and then use the sudo utility to elevate privileges. First we need to install the required packages:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Add the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the network interface name in the configuration files, replacing the default eth0 with the actual name of the server's external interface (on Ubuntu 18.04 this is usually a predictable name such as ens3 or enp0s3; check with ip link). The default settings are stored in the /etc/default/suricata file, and the custom settings in /etc/suricata/suricata.yaml. Configuring the IDS mostly comes down to editing this file. It has many parameters which, in name and purpose, match their Snort counterparts. The syntax is quite different, but the file is much easier to read than the Snort configuration, and it is well commented.

sudo nano /etc/default/suricata

and

sudo nano /etc/suricata/suricata.yaml


Attention! Before starting, check the values of the variables in the vars section, above all HOME_NET and EXTERNAL_NET under address-groups: the Emerging Threats rules are written in terms of these variables, so if HOME_NET does not describe the networks you protect, alerts will be missed or fire in the wrong direction. If you set HOME_NET to any, set EXTERNAL_NET to any as well, because the default EXTERNAL_NET: "!$HOME_NET" would then match nothing.

To complete the setup, you need to install suricata-update, which downloads and updates the rules. Suricata 4.1 and later packages already bundle suricata-update, so run which suricata-update first and skip the pip steps if it is already present. Installing it manually is easy:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next we need to run the suricata-update command to install the Emerging Threats Open rules:

sudo suricata-update


To see the list of rule sources, run the following command:

sudo suricata-update list-sources


Refresh the index of available rule sources (update-sources fetches the source index, not the rules themselves):

sudo suricata-update update-sources


Look at the refreshed list of sources again:

sudo suricata-update list-sources

If necessary, you can enable the other freely available sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, run the rule update again so that the newly enabled sources are downloaded. Note that a running Suricata does not pick up the new rule file on its own: reload the rules (suricatasc -c reload-rules) or restart the service afterwards.

sudo suricata-update
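Before treating the sensor as working, it is worth checking the result of the whole procedure above: the vars section, the config syntax, whether the rules that suricata-update wrote are the ones Suricata loads, and whether an alert actually appears. The script below does that; it is an added example and not part of the original article or of Suricata itself. The paths are the upstream defaults for Suricata 4.1+ packages and are assumptions that can be overridden through the environment, and the end-to-end check relies on the public testmynids.org page, which returns the string "uid=0(root) ..." that the ET rule with sid 2100498 matches.

```shell
#!/bin/sh
# Added example, not part of the original article: post-install checks for
# the Suricata setup described above. Paths are the upstream defaults for
# Suricata 4.1+ packages and are assumptions; override them via environment.
set -eu

CONF=${SURICATA_CONF:-/etc/suricata/suricata.yaml}
RULES=${SURICATA_RULES:-/var/lib/suricata/rules/suricata.rules}
FAST_LOG=${SURICATA_FAST_LOG:-/var/log/suricata/fast.log}

# Value of an address-group variable ($2, e.g. HOME_NET) as written in the
# vars section of the YAML file $1, with surrounding quotes removed.
yaml_var() {
    sed -nE "s/^[[:space:]]*$2:[[:space:]]*\"?([^\"#]*[^\"# ])\"?.*/\1/p" "$1" | head -n 1
}

# Number of enabled rules in a rules file: lines that begin with an action.
# suricata-update writes disabled rules as comments, so they are not counted.
count_enabled_rules() {
    grep -E '^(alert|drop|reject|pass) ' "$1" | wc -l | tr -d ' '
}

# Signature IDs that fired, taken from fast.log lines of the form
#   <time>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ...
sids_from_fast_log() {
    sed -nE 's/^.*\[\*\*\] \[[0-9]+:([0-9]+):[0-9]+\] .*/\1/p' "$1" | sort -u
}

# End-to-end check: the HTTP response from testmynids.org contains
# "uid=0(root) gid=0(root) groups=0(root)", which matches ET rule sid 2100498
# ("GPL ATTACK_RESPONSE id check returned root"). It can only fire if the
# interface Suricata listens on carries this traffic and HOME_NET includes
# this host.
smoke_test() {
    curl -sS http://testmynids.org/uid/index.html >/dev/null
    sleep 3
    sids_from_fast_log "$FAST_LOG" | grep -qx 2100498
}

main() {
    suricata -T -c "$CONF" -v                 # parse config and rules only

    home=$(yaml_var "$CONF" HOME_NET)
    ext=$(yaml_var "$CONF" EXTERNAL_NET)
    echo "HOME_NET=$home EXTERNAL_NET=$ext"
    if [ "$home" = any ] && [ "$ext" = '!$HOME_NET' ]; then
        echo "EXTERNAL_NET is the negation of 'any' and matches nothing" >&2
        exit 1
    fi

    # suricata-update writes to /var/lib/suricata/rules; default-rule-path
    # must point there, or the downloaded rules are never loaded.
    grep -nE '^default-rule-path:' "$CONF"
    echo "enabled rules: $(count_enabled_rules "$RULES")"

    # A running engine does not notice the new rule file by itself.
    suricatasc -c reload-rules || systemctl restart suricata

    if smoke_test; then
        echo "sensor alerted on the test request: OK"
    else
        echo "no alert for sid 2100498 in $FAST_LOG" >&2
        exit 1
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as root with `./post-install-check.sh run`. A zero rule count or a failed smoke test almost always means one of the two things the text warns about: the interface name in the configuration is still eth0, or HOME_NET does not cover the sensor's own address.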

At this point, the installation and initial configuration of Suricata on Ubuntu 18.04 LTS can be considered complete. Then the fun begins: in the next article we will connect the virtual server to the office network over a VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity and attempts to exploit vulnerabilities in services reachable from public networks. For clarity, the most common attacks will be simulated.


source: www.habr.com