Snort or Suricata. Part 2: Installation and first run of Suricata

According to statistics, the volume of network traffic grows by about 50% per year. This increases the load on equipment and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive specialized hardware, but there is a cheaper option: deploying one of the open-source systems. Many novice administrators believe that installing and configuring a free IPS is difficult. In the case of Suricata this is not entirely true: you can install it and start repelling standard attacks with a set of free rules within a few minutes.

Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

Why do we need another open-source IPS?

Long regarded as the standard, Snort has been in development since the late nineties, so it was originally single-threaded. Over the years it has acquired all the modern features, such as IPv6 support, the ability to analyze application-layer protocols, and a universal data acquisition module.

The Snort 2.X engine learned to work with multiple cores, but it remained single-threaded, so it cannot take full advantage of modern hardware platforms.

The problem was solved in the third version of the product, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. Its development began in 2009 specifically as a multi-threaded alternative to Snort with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners have access to a closed version of the engine. The first versions of the system had some scalability problems, but they were quickly resolved.

Why Suricata?

Suricata has several modules (like Snort): capture, acquisition, decoding, detection and output. By default, captured traffic is handled in a single thread up to decoding, even though this puts more load on the system. If necessary, the threads can be split in the settings and distributed among processors; Suricata is very well optimized for specific hardware, although that is no longer a beginner-level HOWTO. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. They can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 and IPv6-in-IPv6 tunnels and others.

Different interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can automatically analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, analyzing and processing network packets. It is also important to note that in Suricata, traffic is blocked by the operating system's standard filter. On GNU/Linux, two options for IPS operation are available: through the NFQUEUE queue (NFQ mode) and through zero copy (AF_PACKET mode). In the first case, a packet entering iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata runs it through its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP and NF_REPEAT. The first two are self-explanatory, but the last one lets you mark packets and send them back to the beginning of the current iptables table. AF_PACKET mode is faster, but imposes a number of restrictions on the system: it must have two network interfaces and work as a gateway. A blocked packet is simply not forwarded to the second interface.
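The NFQ mode described above has one operational detail the paragraph does not cover: once iptables hands packets to a queue, you need to know whether Suricata is actually attached to that queue and whether the queue is overflowing. The script below is an added example (not code from the original article): it prints the iptables rule that diverts forwarded traffic into the queue, starts Suricata on that queue, and reads the kernel's `/proc/net/netfilter/nfnetlink_queue` counters to verify the queue is bound and not dropping packets. Queue number 0, the config path and the sample counter line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: bring Suricata up
# in NFQ (inline) mode on a Linux gateway and check that the NFQUEUE
# queue is really bound and not losing packets. Queue number 0 and the
# config path are assumptions for this example.

QUEUE_NUM=0
SURICATA_CONF=/etc/suricata/suricata.yaml

# Print the iptables rule that diverts forwarded packets into queue $1.
# --queue-bypass tells the kernel to ACCEPT packets while nothing is
# attached to the queue (fail-open while Suricata restarts); remove it
# if you want traffic to stop when the IPS is down (fail-closed).
nfq_iptables_rule() {
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s --queue-bypass\n' "$1"
}

# Parse /proc/net/netfilter/nfnetlink_queue (path in $1) and print
# "<queued> <kernel_dropped> <user_dropped>" for queue $2. The kernel
# writes one line per bound queue:
#   queue_num peer_portid queue_total copy_mode copy_range \
#   queue_dropped user_dropped id_sequence 1
# Prints nothing and returns 1 when the queue is not bound at all.
nfq_queue_stats() {
    awk -v q="$2" '$1 == q { print $3, $6, $7; found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# Succeed only if queue $2 in file $1 is bound and has dropped nothing.
# A growing queue_dropped counter means the queue filled up and packets
# were discarded because Suricata could not keep up (nfq.fail-open in
# suricata.yaml lets them pass uninspected instead).
nfq_queue_healthy() {
    stats=$(nfq_queue_stats "$1" "$2") || return 1
    set -- $stats
    [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# What to run on the real gateway, as root: divert traffic, start
# Suricata daemonised on the same queue, then look at the live counters.
start_nfq_ips() {
    nfq_iptables_rule "$QUEUE_NUM" | sh
    suricata -c "$SURICATA_CONF" -q "$QUEUE_NUM" -D
    nfq_queue_healthy /proc/net/netfilter/nfnetlink_queue "$QUEUE_NUM"
}

# Constructed sample of the proc file so the check runs offline: queue 0
# is bound, 12 packets waiting, 0 kernel drops, 3 user-space drops.
SAMPLE_NFQ=$(mktemp)
printf '    0  -4423    12 2 65531     0     3        0  1\n' > "$SAMPLE_NFQ"
if nfq_queue_healthy "$SAMPLE_NFQ" "$QUEUE_NUM"; then
    echo "queue $QUEUE_NUM: healthy"
else
    echo "queue $QUEUE_NUM: unbound or dropping (queued/kdrop/udrop: $(nfq_queue_stats "$SAMPLE_NFQ" "$QUEUE_NUM"))"
fi
rm -f "$SAMPLE_NFQ"
```

The offline run reports the constructed queue as unhealthy because of its three user-space drops; on a real gateway, call `start_nfq_ips` as root and re-run `nfq_queue_healthy` against the live proc file from a cron job or monitoring check, since a queue that is silently dropping is a blind spot in the IPS.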

An important feature of Suricata is the ability to use what has been developed for Snort. The administrator has access, in particular, to the Sourcefire VRT and open-source Emerging Threats rule sets, as well as the commercial Emerging Threats Pro. Unified output can be analyzed with popular back-ends, and output to PCAP and Syslog is also supported. System settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognizes many protocols, so rules do not need to be bound to a port number. In addition, the concept of flowbits is actively used in Suricata rules. To track triggers, session variables are used, which let you create and apply various counters and flags. Many IDS treat different TCP connections as separate entities and may miss the relationship between them that signals the start of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic spread across different connections. We could talk about its advantages for a long time; it is better to move on to installation and configuration.

How to install it?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be executed as the superuser (root). The safest option is to connect to the server via SSH as a regular user and then use the sudo utility to elevate privileges. First we need to install the packages we need:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Add the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the configuration file, replacing the default eth0 with the actual name of the server's external interface. Default settings are stored in the file /etc/default/suricata, and custom settings in /etc/suricata/suricata.yaml. IDS configuration is mostly limited to editing this configuration file. It has many parameters that, by name and purpose, match their counterparts from Snort. The syntax is completely different, but the file is much easier to read than Snort configs, and it is well commented.

sudo nano /etc/default/suricata


and

sudo nano /etc/suricata/suricata.yaml


Attention! Before starting, you should check the values of the variables in the vars section.
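The two edits above (the interface in /etc/default/suricata and the vars section of suricata.yaml) are the ones most often left at their defaults, and a wrong HOME_NET quietly disables most of the rule set. The script below is an added example, not code from the article or the Suricata project: it reads both files and warns when the interface is still eth0, when HOME_NET is unset or "any", or when EXTERNAL_NET is missing. The variable name IFACE is the one used by the Debian/Ubuntu package's defaults file; the file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original article: check the two
# settings the text says to review before the first start, the capture
# interface in /etc/default/suricata and the address groups in the vars
# section of suricata.yaml. The variable name IFACE is what the
# Debian/Ubuntu package uses; the sample file contents are constructed.

# Print the value of address group $2 (HOME_NET, EXTERNAL_NET, ...) from
# YAML file $1: the first "NAME: value" line, surrounding quotes removed.
yaml_address_group() {
    awk -v key="$2" '
        $1 == (key ":") {
            sub(/^[[:space:]]*[A-Za-z_]+:[[:space:]]*/, "")
            gsub(/^"|"$/, "")
            print
            exit
        }' "$1"
}

# Print the interface configured in defaults file $1 (last IFACE= wins).
default_iface() {
    sed -n 's/^IFACE=//p' "$1" | tail -n 1
}

# Review both files, print findings, return their count (0 = all good).
check_config() {
    findings=0
    iface=$(default_iface "$1")
    home=$(yaml_address_group "$2" HOME_NET)
    ext=$(yaml_address_group "$2" EXTERNAL_NET)

    # The package default is eth0; on most VMs the NIC has a different
    # name (ens3, enp0s3, ...), so eth0 usually means "not edited yet".
    if [ -z "$iface" ] || [ "$iface" = eth0 ]; then
        echo "WARN: IFACE is '${iface:-unset}'; set it to the external interface"
        findings=$((findings + 1))
    fi
    # With HOME_NET: any, EXTERNAL_NET (!$HOME_NET) matches nothing, so
    # every rule written as "$EXTERNAL_NET -> $HOME_NET" goes silent.
    case $home in
        any|'')
            echo "WARN: HOME_NET is '${home:-unset}'; list your internal networks"
            findings=$((findings + 1)) ;;
    esac
    if [ -z "$ext" ]; then
        echo "WARN: EXTERNAL_NET is not set"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample files: the interface is still the package default,
# the address groups have been filled in.
DEFAULTS=$(mktemp)
YAML=$(mktemp)
cat > "$DEFAULTS" <<'EOF'
RUN=yes
LISTENMODE=af-packet
IFACE=eth0
EOF
cat > "$YAML" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
EOF
check_config "$DEFAULTS" "$YAML"
echo "findings: $?"
rm -f "$DEFAULTS" "$YAML"
```

On the server, call `check_config /etc/default/suricata /etc/suricata/suricata.yaml` before the first start; a non-zero return code means something is still at its default. The YAML lookup is deliberately a simple first-match on the key name, which is enough for the stock file but not a full YAML parser.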

To complete this setup, you will need to install suricata-update to download and update rules. This is easy to do:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next, run the suricata-update command to install the free Emerging Threats Open rules:

sudo suricata-update


To view the list of rule sources, run:

sudo suricata-update list-sources


Update the rule sources:

sudo suricata-update update-sources


Take another look at the updated sources:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, the rules need to be updated again:

sudo suricata-update
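Once suricata-update has merged the enabled sources into a single rule file, it is worth checking what was actually written before restarting the service: how many rules are enabled, how many suricata-update disabled by commenting them out, and whether the configuration still validates. The script below is an added example, not code from the article or the suricata-update project; the rule-file path is suricata-update's default output location, and the sample rules are constructed for this example (they are not real Emerging Threats rules).

```shell
#!/bin/sh
# Added example, not code from the original article: after
# "suricata-update" has written its merged rule file, check what got
# loaded before restarting the service. The rule file path is
# suricata-update's default; the sample rules below are constructed.

RULES=/var/lib/suricata/rules/suricata.rules
CONF=/etc/suricata/suricata.yaml

# Print "<enabled> <disabled>" for rule file $1. A live rule starts with
# an action keyword; suricata-update writes rules it has disabled as the
# same line prefixed with "#".
rule_counts() {
    awk '
        /^(alert|drop|reject|pass)[[:space:]]/ { enabled++ }
        /^#[[:space:]]*(alert|drop|reject|pass)[[:space:]]/ { disabled++ }
        END { print enabled + 0, disabled + 0 }' "$1"
}

# Print how many enabled rules in file $1 contain the literal text $2
# (useful for "did the SSH rules make it in?" style checks).
rules_matching() {
    awk -v pat="$2" '
        /^(alert|drop|reject|pass)[[:space:]]/ && index($0, pat) { n++ }
        END { print n + 0 }' "$1"
}

# On the server, as root: validate YAML and rules without capturing
# traffic, then restart and look at the first alerts in fast.log.
first_start() {
    suricata -T -c "$CONF" -v || return 1
    systemctl restart suricata
    tail -n 20 /var/log/suricata/fast.log
}

# Constructed sample in suricata-update's output format (not real rules;
# sid values are in the local 9xxxxxx range). 198.51.100.0/24 is a
# documentation prefix.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not real ET rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force attempt"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE scanner User-Agent"; flow:established,to_server; content:"sample-scanner"; http_user_agent; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE noisy rule disabled"; sid:9000003; rev:1;)
drop ip [198.51.100.0/24] any -> $HOME_NET any (msg:"SAMPLE blocklisted source"; sid:9000004; rev:1;)
EOF
echo "enabled/disabled: $(rule_counts "$SAMPLE")"
echo "SSH rules enabled: $(rules_matching "$SAMPLE" SSH)"
rm -f "$SAMPLE"
```

Against the constructed sample this prints `enabled/disabled: 3 1` and `SSH rules enabled: 1`; on the server, run `rule_counts "$RULES"` after every `suricata-update` and then `first_start`. If `suricata -T` fails, fix the reported rule or YAML error before restarting, since a failed restart leaves you with no inspection at all.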

At this point, the installation and initial configuration of Suricata on Ubuntu 18.04 LTS can be considered complete. Then the fun begins: in the next article, we will connect the virtual server to the corporate network via VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity, and attempts to exploit vulnerabilities in services accessible from public networks. For clarity, attacks of the most common types will be simulated.


Source: www.habr.com
