Suricata 5.0 intrusion detection system released

The OISF (Open Information Security Foundation) has published the release of Suricata 5.0, a network intrusion detection and prevention system that provides tools for inspecting various types of traffic. Suricata configurations may use the signature databases developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project source code is distributed under the GPLv2 license.

Main changes:

  • New modules for parsing and logging the RDP, SNMP and SIP protocols have been added, written in Rust. The ability to log through the EVE subsystem, which produces events in JSON format, has been added to the FTP parsing module;
  • In addition to the JA3 TLS client fingerprinting method introduced in the previous release, support has been added for the JA3S method, which, based on the connection negotiation and the parameters specified in it, determines which software is used to establish the connection (for example, it allows detecting the use of Tor and other typical applications). JA3 makes it possible to identify clients, and JA3S servers. The results of the identification can be used in the rule definition language and in the logs;
  • Added an experimental ability to match against large data samples, implemented using the new dataset and datarep operations. For example, the feature is applicable to looking up patterns in large blacklists with millions of entries;
  • The HTTP inspection mode provides full coverage of all situations described in the HTTP Evader test suite (for example, it covers the techniques used to hide malicious activity in traffic);
  • The Rust development tools have been moved from optional to mandatory dependencies. In the future, it is planned to expand the use of Rust in the project code base and gradually replace modules with analogues developed in Rust;
  • The protocol detection engine has been improved in terms of accuracy and handling of asynchronous traffic;
  • Added support in the EVE log for a new record type, "anomaly", which stores atypical events detected during packet decoding. EVE has also expanded the information shown about VLANs and traffic capture interfaces. Added an option to store all HTTP headers in the http entries of the EVE log;
  • The eBPF-based handlers now support hardware mechanisms for accelerating packet capture. Hardware acceleration is currently limited to Netronome network adapters, but will soon become available for other hardware;
  • The code for capturing traffic using the Netmap framework has been rewritten. Added the ability to use advanced Netmap features such as the VALE virtual switch;
  • Added support for a new keyword definition scheme for Sticky Buffers. The new scheme is described in the protocol.buffer form; for example, for the URI the keyword becomes "http.uri" instead of "http_uri";
  • All Python code used in the project has been tested for compatibility with Python 3;
  • Support for the Tilera architecture, the dns.log text log and the old files-json.log log has been discontinued.
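The JA3/JA3S fingerprints and the new "anomaly" records described above both reach the operator through the EVE JSON log. The following Python script is an added example, not part of Suricata or of this announcement, that reads EVE lines, flags client JA3 hashes listed in a blocklist, collects the JA3S hashes seen per server endpoint (a single endpoint presenting several server fingerprints is worth a look), and counts anomaly records by type. The sample lines, the blocklist hashes and the exact field layout (modelled on the Suricata 5 EVE documentation for "tls" and "anomaly" records) are constructed for the demonstration.

```python
"""Consume Suricata 5 EVE JSON lines (added example, not Suricata code).

Checks performed:
  * client JA3 hash against a blocklist,
  * JA3S hashes observed per server endpoint,
  * counts of the new "anomaly" records by (type, event).
"""
import json
from collections import Counter, defaultdict

# Constructed EVE records (not real captures). The field layout follows the
# Suricata 5 EVE JSON documentation for "tls" and "anomaly" records; hash
# values are placeholders, not real indicators.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-10-16T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","ja3":{"hash":"11111111111111111111111111111111","string":"771,4865-4866,0-23"},"ja3s":{"hash":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","string":"771,4865,0-23"}}}',
    '{"timestamp":"2019-10-16T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.7","src_port":51240,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","ja3":{"hash":"22222222222222222222222222222222","string":"771,4866,0"},"ja3s":{"hash":"cccccccccccccccccccccccccccccccc","string":"771,4866,0"}}}',
    '{"timestamp":"2019-10-16T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":51250,"dest_ip":"198.51.100.20","dest_port":8443,"proto":"TCP","tls":{"version":"TLS 1.3","ja3":{"hash":"11111111111111111111111111111111","string":"771,4865-4866,0-23"},"ja3s":{"hash":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","string":"771,4865,43-51"}}}',
    '{"timestamp":"2019-10-16T10:00:04.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"203.0.113.10","proto":"TCP","anomaly":{"type":"decode","event":"tcp.hlen_too_small"}}',
    '{"timestamp":"2019-10-16T10:00:05.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"203.0.113.10","proto":"TCP","anomaly":{"type":"decode","event":"tcp.hlen_too_small"}}',
    '{"timestamp":"2019-10-16T10:00:06.000000+0000","event_type":"anomaly","src_ip":"10.0.0.11","dest_ip":"203.0.113.10","proto":"TCP","app_proto":"http","anomaly":{"type":"applayer","event":"REQUEST_HEADER_INVALID","layer":"proto_parser"}}',
    '{"timestamp":"2019-10-16T10:00:07.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"example.test","url":"/index.html"}}',
    'this line is not JSON and must be skipped',
]

# Constructed blocklist of client JA3 hashes (placeholder values).
JA3_BLOCKLIST = {"11111111111111111111111111111111"}


def parse_eve(lines):
    """Yield one dict per well-formed EVE line; blank and malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def analyze(lines, ja3_blocklist=JA3_BLOCKLIST):
    """Return a summary of JA3 blocklist hits, JA3S hashes per server, and anomaly counts."""
    ja3_hits = []                      # (src_ip, "dest_ip:port", ja3 hash)
    ja3s_by_server = defaultdict(set)  # "dest_ip:port" -> JA3S hashes seen there
    anomalies = Counter()              # (anomaly type, event name) -> count
    for rec in parse_eve(lines):
        kind = rec.get("event_type")
        if kind == "tls":
            tls = rec.get("tls", {})
            server = f'{rec.get("dest_ip")}:{rec.get("dest_port")}'
            ja3 = tls.get("ja3", {}).get("hash")
            ja3s = tls.get("ja3s", {}).get("hash")
            if ja3 in ja3_blocklist:
                ja3_hits.append((rec.get("src_ip"), server, ja3))
            if ja3s:
                ja3s_by_server[server].add(ja3s)
        elif kind == "anomaly":
            anomaly = rec.get("anomaly", {})
            anomalies[(anomaly.get("type"), anomaly.get("event"))] += 1
        # other event types (http, dns, ...) are not needed for these checks
    return {
        "ja3_hits": ja3_hits,
        "ja3s_by_server": {s: sorted(h) for s, h in ja3s_by_server.items()},
        # one endpoint answering with several server fingerprints deserves review
        "multi_ja3s_servers": sorted(s for s, h in ja3s_by_server.items() if len(h) > 1),
        "anomalies": dict(anomalies),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVE_LINES)
    for src, server, h in result["ja3_hits"]:
        print(f"JA3 blocklist hit: {src} -> {server} ({h})")
    for server, hashes in result["ja3s_by_server"].items():
        print(f"JA3S for {server}: {', '.join(hashes)}")
    for server in result["multi_ja3s_servers"]:
        print(f"endpoint with several JA3S fingerprints: {server}")
    for (kind, event), n in sorted(result["anomalies"].items()):
        print(f"anomaly {kind}/{event}: {n}")
```

Run it against a real eve.json by replacing SAMPLE_EVE_LINES with an open file handle; the parser tolerates the partial last line that a log being written to can leave behind. Anomaly records are counted by (type, event) rather than stored individually because decode anomalies tend to arrive in bursts, and the count per event name is usually the more useful first view.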
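The sticky-buffer keyword scheme mentioned above changes where the buffer keyword sits: the legacy modifier ("content:...; http_uri;") follows the content it applies to, while the new keyword ("http.uri; content:...;") precedes every content keyword that follows it. The script below is an added example, not a tool shipped with Suricata, that rewrites legacy rules into the new form while preserving their meaning. Only the http_uri/http.uri pair is named in the announcement; the other keyword pairs in the table and the pkt_data reset keyword are taken from the Suricata 5 keyword documentation and are assumptions here.

```python
"""Rewrite legacy HTTP content modifiers into Suricata 5 sticky-buffer form.

Added example, not Suricata code. The legacy form puts the buffer modifier
after the content ("content:\"x\"; http_uri;"); the new form puts the buffer
keyword before it ("http.uri; content:\"x\";") and it stays active for every
following content, so a content that used to match the raw payload must be
preceded by "pkt_data" after a converted buffer, or its meaning changes.
"""
import re

# Legacy modifier -> sticky buffer. Only http_uri/http.uri is named in the
# announcement; the others follow the Suricata 5 keyword docs (assumption).
LEGACY_TO_STICKY = {
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_method": "http.method",
    "http_header": "http.header",
    "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_host": "http.host",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code",
}
STICKY_BUFFERS = set(LEGACY_TO_STICKY.values())

# action + header, then the parenthesised option list
RULE_RE = re.compile(r"^(?P<head>[^(]*)\((?P<body>.*)\)\s*$")


def split_options(body):
    """Split a rule option string on ';' while respecting quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def migrate_rule(rule):
    """Return the rule with legacy buffer modifiers converted to sticky buffers."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return rule  # comments, blank lines, rules without options: untouched
    head, body = m.group("head"), m.group("body")
    opts = split_options(body)
    names = [o.split(":", 1)[0].strip() for o in opts]

    # Pass 1: for each content, find the legacy modifier that follows it before
    # the next content. None means the content matched the plain payload.
    buffer_of, claimed = {}, set()
    for i, name in enumerate(names):
        if name != "content":
            continue
        buffer_of[i] = None
        for j in range(i + 1, len(names)):
            if names[j] == "content":
                break
            if names[j] in LEGACY_TO_STICKY:
                buffer_of[i] = LEGACY_TO_STICKY[names[j]]
                claimed.add(j)
                break

    # Pass 2: emit options, inserting a sticky buffer only when it changes and
    # resetting to the payload (pkt_data) when a payload content follows a
    # buffer that this conversion introduced. Buffers the rule already set
    # explicitly are left alone. Unclaimed legacy modifiers pass through so a
    # human notices them.
    out, current, synthetic = [], None, False
    for i, (name, opt) in enumerate(zip(names, opts)):
        if i in claimed:
            continue
        if name == "content":
            wanted = buffer_of[i]
            if wanted is not None and wanted != current:
                out.append(wanted)
                current, synthetic = wanted, True
            elif wanted is None and synthetic:
                out.append("pkt_data")
                current, synthetic = None, False
        elif name in STICKY_BUFFERS or name == "pkt_data":
            current, synthetic = (None if name == "pkt_data" else name), False
        out.append(opt)
    return f"{head}({'; '.join(out)};)"


if __name__ == "__main__":
    import sys
    for line in sys.stdin:
        print(migrate_rule(line.rstrip("\n")))
```

Feed a rules file on standard input to convert it. The converter deliberately covers only content modifiers; a pcre with a buffer flag such as /U is left as written and should be reviewed by hand. Running the output through suricata -T (the configuration and rule test mode) before deployment catches anything the converter missed.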

Features of Suricata:

  • Use of the unified2 format for output of inspection results, which is also used by the Snort project, allowing standard analysis tools such as barnyard2 to be used. Ability to integrate with the BASE, Snorby, Sguil and SQueRT products. Support for output in PCAP format;
  • Support for automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which allows rules to operate on the protocol type alone, regardless of the port number (for example, to block HTTP traffic on a non-standard port). Decoders for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the dedicated HTP library, created by the author of Mod_Security, for parsing and normalizing HTTP traffic. A module is available for keeping a detailed log of HTTP transfers; the log is stored in the standard Apache format. Extraction and verification of files transferred over HTTP is supported. Support for parsing compressed content. Ability to identify traffic by URI, cookies, headers, user agent, and request/response body;
  • Support for various interfaces for traffic interception, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. It is possible to analyze files already saved in PCAP format;
  • High performance, with the ability to process streams of up to 10 gigabits/sec on conventional hardware;
  • High performance of the mask-matching engine with large sets of IP addresses. Support for selecting content by mask and by regular expressions. Extraction of files from traffic, including identifying them by name, type or MD5 checksum;
  • Ability to use variables in rules: data can be saved from a stream and later used in other rules;
  • Use of the YAML format in configuration files, which keeps them readable while remaining easy to process by machine;
  • Full IPv6 support;
  • Built-in engine for automatic defragmentation and reassembly of packets, which ensures correct processing of streams regardless of the order in which packets arrive;
  • Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • Logging mode for keys and certificates appearing in TLS/SSL connections;
  • Ability to write Lua scripts to provide advanced analysis and implement additional capabilities needed to detect types of traffic for which the standard rules are insufficient.

Source: opennet.ru
