Suricata 5.0 intrusion detection system released

The OISF (Open Information Security Foundation) has announced the release of Suricata 5.0, a network intrusion detection and prevention system that provides tools for inspecting many kinds of traffic. A Suricata deployment can use the signature database developed by the Snort project as well as the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under GPLv2.

Main changes:

  • New parsing and logging modules for RDP, SNMP and SIP, written in Rust. The FTP parsing module has gained logging through the EVE subsystem, which emits events in JSON format;
  • In addition to the JA3 method for fingerprinting TLS clients, which appeared in the previous release, JA3S is now supported. JA3S identifies the software used to establish a connection from the characteristics of the handshake and the parameters it announces (for example, it makes it possible to detect the use of Tor and other typical applications). JA3 identifies clients, JA3S identifies servers. The result of the identification can be used in the rule language and in the logs;
  • Experimental ability to match values against large data sets, implemented with the new dataset and datarep keywords. For example, the feature is suitable for looking up values in large blocklists with millions of entries;
  • The HTTP inspection engine now provides full coverage of all the situations described by the HTTP Evader test suite (that is, it covers the evasion techniques used to hide malicious activity in traffic);
  • The toolchain for building modules in Rust has moved from optional to mandatory: Rust is now a required dependency. In the future the project plans to extend the use of Rust across the code base and gradually replace existing modules with equivalents written in Rust;
  • The protocol detection engine has been improved for accuracy and for handling asynchronous traffic flows;
  • Support for a new "anomaly" record type has been added to the EVE log; it stores unusual events detected while decoding packets. EVE also now includes information about VLANs and the traffic capture interface. An option has been added to store all HTTP headers in EVE http records;
  • The eBPF capture drivers now support hardware offload for accelerating packet capture. Hardware offload currently works only with Netronome network cards; support for other hardware is expected soon;
  • The traffic capture code for the Netmap framework has been rewritten. Added the ability to use advanced Netmap features such as the VALE virtual switch;
  • Added a new keyword syntax for sticky buffers. The new scheme is written as "protocol.buffer"; for example, to inspect the URI the keyword takes the form "http.uri" instead of "http_uri";
  • All Python code used has been tested for compatibility with Python 3;
  • Support for the Tilera platform, the dns.log text log and the old json.log log file has been discontinued.
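As an added example (not code from the Suricata project or from the article's source), the following Python script consumes EVE JSON records in the 5.0 layout and covers two of the changes above: it pairs each TLS flow's client JA3 hash with the server's JA3S hash and labels both from a lookup table, and it tallies the new anomaly records, then reports fingerprinted flows that also produced anomalies. The lookup table, the hash values, the anomaly event names and the log lines are all constructed for this example; no real JA3 value for Tor or any other application is implied. It also assumes JA3 logging is enabled in the tls section of suricata.yaml (the ja3-fingerprints setting), which is an assumption about your configuration, not something the article states.

```python
"""Added example (not Suricata project code): pair JA3/JA3S per flow and
tally EVE 'anomaly' records. All hashes and log lines are constructed."""
import json
from collections import Counter

# Constructed lookup table: hypothetical hashes, not a real fingerprint feed.
KNOWN_JA3 = {
    "1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a": "example-browser",
    "2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b": "example-anonymising-client",
}
KNOWN_JA3S = {
    "3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c": "example-web-server",
}

# Constructed EVE lines in the 5.0 layout (tls.ja3 / tls.ja3s objects and the
# anomaly event type). Event names and addresses are illustrative only.
SAMPLE_EVE = """
{"timestamp":"2019-10-15T10:00:01.000000+0000","flow_id":1,"event_type":"tls","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","sni":"www.example.com","ja3":{"hash":"1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a","string":"771,4865-4866,0-23-65281,29-23-24,0"},"ja3s":{"hash":"3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c","string":"771,4865,65281"}}}
{"timestamp":"2019-10-15T10:00:02.000000+0000","flow_id":2,"event_type":"tls","src_ip":"10.0.0.7","src_port":51001,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","tls":{"version":"UNDETERMINED","ja3":{"hash":"2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b","string":"771,4865-4867,0-10-11,29,0"}}}
{"timestamp":"2019-10-15T10:00:02.500000+0000","flow_id":2,"event_type":"anomaly","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","proto":"TCP","app_proto":"tls","anomaly":{"type":"applayer","event":"INVALID_TLS_HEADER","layer":"proto_parser"}}
{"timestamp":"2019-10-15T10:00:03.000000+0000","flow_id":3,"event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"192.0.2.44","proto":"TCP","anomaly":{"type":"decode","event":"decoder.ipv4.trunc_pkt"}}
{"timestamp":"2019-10-15T10:00:04.000000+0000","flow_id":4,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"www.example.com","url":"/","http_method":"GET"}}
this line is not JSON and must be skipped, not abort the run
"""


def parse_eve(text):
    """One dict per line; malformed lines are skipped so a truncated log
    (e.g. one cut mid-write during rotation) does not stop processing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def fingerprint_flows(records):
    """Map flow_id -> client/server labels derived from JA3 and JA3S."""
    flows = {}
    for rec in records:
        if rec.get("event_type") != "tls":
            continue
        tls = rec.get("tls", {})
        ja3 = tls.get("ja3", {}).get("hash")
        ja3s = tls.get("ja3s", {}).get("hash")
        flows[rec["flow_id"]] = {
            "ja3": ja3,
            "ja3s": ja3s,
            "client": KNOWN_JA3.get(ja3, "unknown-client"),
            # No ServerHello was logged: the handshake failed or the flow was
            # cut short. That is worth surfacing rather than labelling "unknown".
            "server": KNOWN_JA3S.get(ja3s, "unknown-server") if ja3s else "no-server-hello",
        }
    return flows


def anomaly_counts(records):
    """Count anomaly records by (type, event) so decode, stream and applayer
    anomalies can be compared side by side."""
    counts = Counter()
    for rec in records:
        if rec.get("event_type") != "anomaly":
            continue
        a = rec.get("anomaly", {})
        counts[(a.get("type"), a.get("event"))] += 1
    return counts


def flows_with_anomalies(records, flows):
    """flow_ids that carry a TLS fingerprint and at least one anomaly."""
    anomalous = {r["flow_id"] for r in records
                 if r.get("event_type") == "anomaly" and "flow_id" in r}
    return sorted(anomalous & set(flows))


def analyse(text):
    records = parse_eve(text)
    flows = fingerprint_flows(records)
    return flows, anomaly_counts(records), flows_with_anomalies(records, flows)


if __name__ == "__main__":
    flows, anomalies, suspicious = analyse(SAMPLE_EVE)
    for fid, f in sorted(flows.items()):
        print(f"flow {fid}: client={f['client']} ({f['ja3']}) "
              f"server={f['server']} ({f['ja3s']})")
    for (kind, event), n in sorted(anomalies.items()):
        print(f"anomaly {kind}/{event}: {n}")
    print("fingerprinted flows that also raised anomalies:", suspicious)
```

On real data, feed the script the eve.json lines for a time window; a flow with a known client fingerprint, no JA3S and a TLS parser anomaly (flow 2 above) is the pattern that deserves a look first, because the server side never completed a handshake that the client fingerprint says should have been routine.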

Suricata features:

  • Uses the Unified2 format for outputting inspection results, the same format used by the Snort project, which makes it possible to use standard analysis tools such as barnyard2. Integration with BASE, Snorby, Sguil and SQueRT is possible. PCAP output is supported;
  • Automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which makes it possible to refer to a protocol in rules by type alone, without binding to port numbers (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the dedicated HTP library, created by the author of Mod_Security, to parse and normalize HTTP traffic. A module is available for keeping a full log of HTTP transfers; the log is saved in the standard Apache format. Retrieving and inspecting files transferred over HTTP is supported, as is parsing of compressed content. Matching is possible on URI, cookies, headers, user-agent and request/response body;
  • Support for various traffic capture interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET and PF_RING. Files saved in PCAP format can be analysed;
  • High performance: the ability to process streams of up to 10 gigabits/sec on ordinary hardware;
  • A high-performance mask matching engine for large sets of IP addresses. Support for selecting content by mask and by regular expression. Extraction of files from traffic, including identifying them by name, type or MD5 checksum;
  • Ability to use variables in rules: information can be saved from a stream and later used in other rules;
  • Use of the YAML format for configuration files, which keeps them readable while remaining easy to process by machine;
  • Full IPv6 support;
  • A built-in engine for automatic defragmentation and reassembly of packets, allowing streams to be processed correctly regardless of the order in which packets arrive;
  • Support for tunnelling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support for IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • A mode for logging the keys and certificates that appear within TLS/SSL connections;
  • Ability to write scripts in Lua to perform advanced analysis and implement additional capabilities needed to detect kinds of traffic for which the standard rules are insufficient.
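The sticky buffer syntax introduced in 5.0 (listed among the changes above, with http_uri becoming http.uri) is more than a rename: a legacy modifier applies to the content keyword before it, while a sticky buffer applies to every content that follows it until the next buffer keyword. The following Python script, an added example and not a tool shipped by the Suricata project, rewrites legacy HTTP modifier rules into the 5.0 form, emits each sticky buffer once for consecutive contents on the same buffer, and refuses rules whose meaning would change under a mechanical rewrite (a plain payload content following a hoisted buffer, or a modifier with no content in front of it). The rules, SIDs and the modifier table are constructed for the example; the table covers only the HTTP modifiers whose 5.0 names are documented, and since 5.0 still accepts the legacy form, rules it leaves untouched keep working.

```python
"""Added example (not code from the Suricata project): rewrite rules using
the legacy HTTP content modifiers (content:"x"; http_uri;) into the 5.0
sticky-buffer form (http.uri; content:"x";). Sample rules are constructed."""
import re

# Legacy modifier -> 5.0 sticky buffer (HTTP subset listed in the 5.0 docs).
LEGACY_TO_STICKY = {
    "http_uri": "http.uri", "http_raw_uri": "http.uri.raw",
    "http_header": "http.header", "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie", "http_user_agent": "http.user_agent",
    "http_host": "http.host", "http_raw_host": "http.host.raw",
    "http_method": "http.method", "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg", "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
}
STICKY_NAMES = set(LEGACY_TO_STICKY.values())
# Keywords that modify the content in front of them and must stay with it.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
                     "fast_pattern", "startswith"}


def split_options(body):
    """Split the option body on ';' outside double quotes; backslash escapes
    such as \\; and \\" are kept verbatim inside the token."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tokens.append("".join(cur).strip())
    return [t for t in tokens if t]


def keyword_of(opt):
    return opt.split(":", 1)[0].strip()


def convert_rule(rule):
    """Return (rule_text, note); rules that cannot be rewritten safely come
    back unchanged with the note saying why."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        return rule, "not a rule"
    header, body = m.group(1), m.group(2)
    # Pass 1: attach each content's trailing modifiers to that content.
    items = []  # ("opt", text) or ("content", [content, *modifiers])
    for opt in split_options(body):
        kw = keyword_of(opt)
        if kw == "content":
            items.append(("content", [opt]))
        elif kw in CONTENT_MODIFIERS or kw in LEGACY_TO_STICKY:
            if not items or items[-1][0] != "content":
                return rule, "modifier %s without a preceding content" % kw
            items[-1][1].append(opt)
        else:
            items.append(("opt", opt))
    # Pass 2: hoist legacy buffer modifiers in front of their content.
    out, active, hoisted = [], None, False
    for kind, val in items:
        if kind == "opt":
            if val in STICKY_NAMES:  # rule already uses 5.0 syntax here
                active, hoisted = val, False
            out.append(val)
            continue
        content, mods = val[0], val[1:]
        buffers = [LEGACY_TO_STICKY[keyword_of(x)] for x in mods
                   if keyword_of(x) in LEGACY_TO_STICKY]
        if len(buffers) > 1:
            return rule, "content with more than one buffer modifier"
        if buffers:
            if buffers[0] != active:
                out.append(buffers[0])
            active, hoisted = buffers[0], True
        elif hoisted:
            # Legacy semantics: this content matched the raw payload. After a
            # hoisted sticky buffer it would silently match the buffer instead.
            return rule, "payload content after a hoisted buffer; review by hand"
        out.append(content)
        out.extend(x for x in mods if keyword_of(x) not in LEGACY_TO_STICKY)
    return header + "(" + "; ".join(out) + ";)", "converted"


def convert_all(rules):
    return [convert_rule(r) for r in rules]


# Constructed sample rules (hypothetical SIDs), one per case handled above.
SAMPLE_RULES = [
    'alert http any any -> any any (msg:"legacy modifiers"; flow:established,to_server; content:"/admin"; http_uri; nocase; content:"session="; http_cookie; sid:1000001; rev:1;)',
    'alert http any any -> any any (msg:"two uri contents"; content:"/cgi-bin/"; http_uri; content:".sh"; http_uri; distance:0; sid:1000002; rev:1;)',
    'alert http any any -> any any (msg:"already sticky"; http.user_agent; content:"curl/"; sid:1000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"mixed buffers"; content:"GET"; http_method; content:"raw|3b|bytes"; sid:1000004; rev:1;)',
    'alert http any any -> any any (msg:"malformed"; http_uri; content:"x"; sid:1000005; rev:1;)',
    r'alert http any any -> any any (msg:"a\;b"; content:"x"; http_uri; sid:1000006; rev:1;)',
]

if __name__ == "__main__":
    for new_rule, note in convert_all(SAMPLE_RULES):
        print(f"[{note}] {new_rule}")
```

Run the converted file through `suricata -T -S converted.rules` (the rule self-test mode) before deploying it, and bump each rewritten rule's rev in your own rule management; the script deliberately leaves rev alone so the diff shows only the keyword change.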
  • Source: opennet.ru
