Suricata 6.0 intrusion detection system released

After a year of development, the OISF (Open Information Security Foundation) has published the release of the Suricata 6.0 network intrusion detection and prevention system, which provides tools for inspecting various kinds of traffic. A Suricata deployment can use the signature databases developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under the GPLv2 license.

Main changes:

  • Initial support for HTTP/2.
  • Support for the RFB and MQTT protocols, including protocol detection and logging.
  • Logging capability for the DCERPC protocol.
  • A significant performance improvement in logging through the EVE system, which emits events in JSON format. The speed-up comes from a new JSON builder written in Rust.
  • The scalability of the EVE logging system has been improved, and the ability to keep a separate log file for each thread has been implemented.
  • The ability to define conditions for flushing data to the log.
  • The ability to show MAC addresses in the EVE log, and more detail in the DNS log.
  • Improved flow engine performance.
  • Support for SSH fingerprinting (HASSH).
  • A GENEVE tunnel decoder has been implemented.
  • The code for handling ASN.1, DCERPC and SSH has been rewritten in Rust. Support for the new protocols is also implemented in Rust.
  • In the rule definition language, support for the from_end parameter was added to the byte_jump keyword, and support for the bitmask parameter was added to byte_test. The pcrexform keyword was implemented, allowing a regular expression (pcre) to be used to capture a substring. The urldecode transform was added. The byte_math keyword was added.
  • cbindgen can now be used to generate bindings for the Rust and C languages.
  • Initial plugin support was added.
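Several of the items above concern the EVE JSON log: faster output, MAC addresses per event, and HASSH fingerprints for SSH. The following is an added example (not from the page or from the Suricata project) of a small consumer that reads EVE lines, tolerates a damaged line, counts alerts by signature, collects the MAC addresses seen for each IP, flags IPs that appear with more than one MAC, and groups SSH clients by HASSH hash. The log lines are constructed, and the field layout (`alert`, `ether.src_mac`/`ether.dest_mac`, `ssh.client.hassh.hash`) is an assumption based on Suricata 6 EVE conventions, not something the page states.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real Suricata output). The field layout
# is assumed from Suricata 6 EVE conventions: alert events carry an "alert"
# object, "ether" holds MAC addresses when ethernet logging is enabled, and SSH
# events carry HASSH fingerprints under ssh.client.hassh. The fifth line is
# deliberately not JSON, to show that a consumer must tolerate a damaged line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-10-20T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","ether":{"src_mac":"00:11:22:33:44:55","dest_mac":"66:77:88:99:aa:bb"},'
    '"alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"EXAMPLE HTTP traversal attempt","category":"Web Application Attack",'
    '"severity":1}}',
    '{"timestamp":"2020-10-20T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":40001,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","ether":{"src_mac":"aa:bb:cc:dd:ee:ff","dest_mac":"66:77:88:99:aa:bb"},'
    '"alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"EXAMPLE HTTP traversal attempt","category":"Web Application Attack",'
    '"severity":1}}',
    '{"timestamp":"2020-10-20T10:00:03.000000+0000","event_type":"ssh",'
    '"src_ip":"10.0.0.5","src_port":51300,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","ether":{"src_mac":"00:11:22:33:44:55","dest_mac":"66:77:88:99:aa:bb"},'
    '"ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_8.0",'
    '"hassh":{"hash":"0123456789abcdef0123456789abcdef",'
    '"string":"curve25519-sha256;aes256-gcm@openssh.com;hmac-sha2-256;none"}},'
    '"server":{"proto_version":"2.0","software_version":"OpenSSH_7.4"}}}',
    '{"timestamp":"2020-10-20T10:00:04.000000+0000","event_type":"ssh",'
    '"src_ip":"10.0.0.7","src_port":40100,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_8.0",'
    '"hassh":{"hash":"0123456789abcdef0123456789abcdef",'
    '"string":"curve25519-sha256;aes256-gcm@openssh.com;hmac-sha2-256;none"}}}}',
    'this line is not JSON and must be skipped',
    '{"timestamp":"2020-10-20T10:00:05.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"ether":{"src_mac":"de:ad:be:ef:00:01","dest_mac":"66:77:88:99:aa:bb"}}',
]


def parse_eve(lines):
    """Parse EVE lines into event dicts, skipping blank or non-JSON lines."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line must not stop processing
        if isinstance(event, dict) and "event_type" in event:
            events.append(event)
    return events


def alert_counts(events):
    """Count alert events per (signature_id, signature) pair."""
    counts = Counter()
    for event in events:
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        counts[(alert.get("signature_id"), alert.get("signature"))] += 1
    return counts


def mac_by_ip(events):
    """Map each IP to the set of MAC addresses it was observed with."""
    seen = {}
    for event in events:
        ether = event.get("ether")
        if not ether:
            continue  # ethernet logging is optional, so "ether" may be absent
        if "src_ip" in event and "src_mac" in ether:
            seen.setdefault(event["src_ip"], set()).add(ether["src_mac"])
        if "dest_ip" in event and "dest_mac" in ether:
            seen.setdefault(event["dest_ip"], set()).add(ether["dest_mac"])
    return seen


def mac_conflicts(macs):
    """IPs observed with more than one MAC. On a flat segment this can mean a
    changed NIC, a router hop or address spoofing; the log alone cannot tell."""
    return sorted(ip for ip, addrs in macs.items() if len(addrs) > 1)


def hassh_clients(events):
    """Group SSH client source IPs by their HASSH hash."""
    groups = {}
    for event in events:
        if event.get("event_type") != "ssh":
            continue
        hassh = event.get("ssh", {}).get("client", {}).get("hassh", {}).get("hash")
        if hassh:
            groups.setdefault(hassh, set()).add(event.get("src_ip"))
    return groups


def report(lines):
    """Run all summaries over a list of EVE lines."""
    events = parse_eve(lines)
    macs = mac_by_ip(events)
    return {
        "events": len(events),
        "alerts": alert_counts(events),
        "macs": macs,
        "mac_conflicts": mac_conflicts(macs),
        "hassh": hassh_clients(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVE_LINES).items():
        print(key, value)
```

To run it against a live deployment, replace `SAMPLE_EVE_LINES` with the lines of the configured EVE output file; because each event is one JSON object per line, the parser works the same on a per-thread log file as on a single combined one.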

Suricata features:

  • Use of the Unified2 format for outputting inspection results, also used by the Snort project, which allows standard analysis tools such as barnyard2 to be used. Ability to integrate with the BASE, Snorby, Sguil and SQueRT products. Support for output in PCAP format;
  • Support for automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which lets rules operate on the protocol type alone, regardless of the port number (for example, to block HTTP traffic on a non-standard port). Decoders for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the special HTP library, created by the author of Mod_Security, for parsing and normalizing HTTP traffic. A module is available for keeping a detailed log of HTTP transfers, with the log stored in the standard Apache format. Extraction and verification of files transferred over HTTP is supported. Support for parsing compressed content. Ability to identify traffic by URI, Cookie, headers, user agent, and request/response body;
  • Support for various interfaces for intercepting traffic, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. It is possible to analyze files previously saved in PCAP format;
  • High performance, with the ability to process streams of up to 10 gigabits/sec on conventional hardware.
  • A high-performance mask matching engine for large sets of IP addresses. Support for selecting content by mask and by regular expressions. Extraction of files from traffic, including identification by name, type or MD5 checksum.
  • Ability to use variables in rules: data can be saved from a stream and later used in other rules;
  • Use of the YAML format in configuration files, which keeps them readable while remaining easy to process by machine;
  • Full IPv6 support;
  • A built-in engine for automatic defragmentation and reassembly of packets, which ensures correct processing of streams regardless of the order in which packets arrive;
  • Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • A logging mode for keys and certificates that appear in TLS/SSL connections;
  • Ability to write Lua scripts to provide deeper analysis and implement additional capabilities needed to detect kinds of traffic for which standard rules are not sufficient.

source: budenet.ru
