According to statistics, the volume of network traffic grows by roughly 50% every year. That raises the load on equipment and, in particular, the performance requirements for IDS/IPS. You can buy expensive dedicated hardware, but there is a cheaper option: deploying one of the open-source systems. Many novice administrators believe that installing and configuring a free IPS is difficult. In the case of Suricata this is not entirely true: it can be installed and start repelling typical attacks with a set of free rules within minutes.
Why another open IPS?
Snort was long considered the de facto standard, but it has been under development since the late 1990s and was originally single-threaded. Over the years it gained all the modern features: IPv6 support, the ability to analyze application-level protocols, and a universal data access module.
The core Snort 2.X engine learned to run on multiple cores, but it remains single-threaded and therefore cannot make optimal use of modern hardware platforms.
This problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. Its development began in 2009 precisely as a multi-threaded alternative to Snort with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners have access to a closed version of the engine. The first versions of the system had some scalability problems, but they were quickly resolved.
Why Suricata?
Suricata has several modules (like Snort): capture, collection, decoding, detection and output. By default, captured traffic is processed in a single thread before decoding, although this places more load on the system. If necessary, the threads can be split in the configuration and distributed across processors; Suricata is very well optimized for specific hardware, but that is no longer a beginner's HOWTO level. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. It can also be used to log traffic without detection. The system supports IPv6 decoding, including IPv4-in-IPv6 tunnels, IPv6-in-IPv6 tunnels and more.
A variety of interfaces can be used for interception (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix socket mode Suricata can automatically analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, parsing and processing network packets. It is important to note that in Suricata, traffic is blocked by the operating system's regular filter. On GNU/Linux there are two options for how the IPS operates: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). In the first case, a packet entering iptables is sent to the NFQUEUE queue, where it can be processed at user level. Suricata runs it through its own rules and issues one of three verdicts: NF_ACCEPT, NF_DROP or NF_REPEAT. The first two are self-explanatory; the last one lets the packet be tagged and sent back to the beginning of the current iptables table. AF_PACKET mode is faster, but it imposes a number of restrictions on the system: it requires two network interfaces and the host must act as a gateway. A blocked packet is simply not forwarded to the second interface.
An important feature of Suricata is that it can use rules developed for Snort. Administrators have access, in particular, to the Sourcefire VRT and open-source Emerging Threats rule sets, as well as the commercial Emerging Threats Pro. The unified output can be parsed with common back ends, and PCAP and Syslog output are supported. The system settings and rules are stored in YAML files that are easy to read and can be processed automatically. The Suricata engine recognizes many protocols, so rules do not need to be tied to a port number. In addition, the flowbits concept is used extensively in Suricata rules: to track triggers, session variables are used to create and apply various counters and flags. Many IDSes treat different TCP connections as separate entities and may fail to recognize the relationship between them that marks the start of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic spread across different connections. One could talk about its advantages for a long time, but it is better to move on to installation and configuration.
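The flowbits mechanism described above, as an added example that is not part of the original article or of the Suricata project: a small linter that reads Suricata-format rules, records which flowbits each rule sets and which it tests, and reports bits that are tested but never set (a rule that depends on such a bit can never match, so the second stage of a multi-connection detection silently goes missing). The rules embedded below are constructed for this example; the sid values 9000001-9000003 are placeholders rather than real Emerging Threats signatures, and the script only parses text, it does not run Suricata.

```python
import re

# Constructed sample rules for this example (sids 9000001-9000003 are placeholders).
# Rule 1 marks a flow whose HTTP response advertises a Windows executable and stays
# silent; rule 2 alerts only on a later POST from a client carrying that mark; rule 3
# tests a bit that no rule ever sets, so it can never fire.
SAMPLE_RULES = r'''
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE exe served"; flow:established,to_client; http_header; content:"application/x-msdownload"; flowbits:set,example.exe_download; flowbits:noalert; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POST after exe download"; flow:established,to_server; http_method; content:"POST"; flowbits:isset,example.exe_download; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE orphaned flowbit test"; flowbits:isset,example.never_set; sid:9000003; rev:1;)
# comment lines and blank lines are skipped
'''

# One flowbits keyword: "flowbits:<action>[,<bit name or a|b / a&b expression>];"
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

SETTING = {'set', 'toggle'}        # actions that make a bit exist on the flow
TESTING = {'isset', 'isnotset'}    # actions whose outcome depends on an earlier set


def parse_flowbits(rules_text):
    """Return (sid, action, bit) triples, one per bit name referenced by a flowbits
    keyword; actions without a bit name (noalert) yield bit=None."""
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for action, arg in FLOWBITS_RE.findall(line):
            if not arg.strip():
                found.append((sid, action, None))
                continue
            # "a|b" and "a&b" expressions reference several bits at once
            for bit in re.split(r'[|&]', arg):
                found.append((sid, action, bit.strip()))
    return found


def unset_flowbits(rules_text):
    """Map each flowbit that is tested but never set (or toggled) to the sids testing
    it. isset on such a bit never matches; isnotset always matches, which is usually
    just as unintended."""
    setters, testers = set(), {}
    for sid, action, bit in parse_flowbits(rules_text):
        if bit is None:
            continue
        if action in SETTING:
            setters.add(bit)
        elif action in TESTING:
            testers.setdefault(bit, []).append(sid)
    return {bit: sids for bit, sids in testers.items() if bit not in setters}


if __name__ == '__main__':
    for bit, sids in unset_flowbits(SAMPLE_RULES).items():
        print(f'flowbit {bit!r} is tested by sid(s) {sids} but never set')
```

Run it against the rule files suricata-update writes (by default a single rules file in /var/lib/suricata/rules) before reloading the engine; Suricata itself prints a similar warning at startup, but catching the mistake in your own local rules before deployment avoids a restart with a rule set that can never alert.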
Installation
We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be run as the superuser (root). The safest option is to SSH into the server as a regular user and elevate privileges with the sudo utility. First, install the required packages:
sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https
Add the external repository:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
Install the latest stable version of Suricata:
sudo apt-get install suricata
If necessary, edit the configuration files, replacing the default eth0 with the actual name of the server's external interface. The default settings are stored in the /etc/default/suricata file, and the custom settings in /etc/suricata/suricata.yaml. Configuring the IDS mostly comes down to editing this configuration file. It has many parameters whose names and purposes match their Snort counterparts. The syntax is completely different, but the file is much more readable than the Snort configuration and is well commented.
sudo nano /etc/default/suricata
and
sudo nano /etc/suricata/suricata.yaml
Note: before starting, it is worth checking the values of the variables in the vars section.
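The NFQ mode described earlier (packets entering iptables are handed to an NFQUEUE queue, where Suricata issues its verdict) and the /etc/default/suricata edit above, combined into one script as an added example that is not part of the original article or of the Suricata project. It assumes that the Ubuntu package reads RUN, LISTENMODE, IFACE and NFQUEUE from /etc/default/suricata, that the service is named suricata, and that the iptables NFQUEUE target accepts --queue-num and --queue-bypass; the interface name ens3 and queue number 0 in the usage are placeholders. Without the apply argument it only prints what it would change.

```shell
#!/bin/sh
# Added example, not from the original article: switch Suricata into NFQ (inline IPS)
# mode on Ubuntu. Assumptions: the Ubuntu package reads RUN, LISTENMODE, IFACE and
# NFQUEUE from /etc/default/suricata, the service is called "suricata", and iptables'
# NFQUEUE target accepts --queue-num and --queue-bypass. Without the "apply" argument
# the script only prints what it would do.

# A plausible Linux interface name: 1-15 characters, no shell metacharacters.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# NFQUEUE queue numbers are small non-negative integers.
valid_queue() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# The lines the package's init script reads from /etc/default/suricata.
render_default_config() {
    valid_iface "$1" || { echo "bad interface name: $1" >&2; return 1; }
    valid_queue "$2" || { echo "bad queue number: $2" >&2; return 1; }
    printf 'RUN=yes\nLISTENMODE=nfqueue\nIFACE=%s\nNFQUEUE=%s\n' "$1" "$2"
}

# iptables rules that hand every packet of the interface to the queue Suricata reads.
# --queue-bypass keeps traffic flowing when no process listens on the queue (fail-open):
# the host stays reachable if Suricata dies, but is unprotected until it is restarted.
# Remove it for a fail-closed deployment.
render_nfq_rules() {
    valid_iface "$1" || return 1
    valid_queue "$2" || return 1
    printf 'iptables -I INPUT -i %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$1" "$2"
    printf 'iptables -I OUTPUT -o %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$1" "$2"
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s --queue-bypass\n' "$2"
}

# deploy_nfq <apply|dry-run> <iface> [queue]
deploy_nfq() {
    mode="$1"; iface="$2"; queue="${3:-0}"
    # validate before touching anything so a bad argument cannot truncate the config
    cfg=$(render_default_config "$iface" "$queue") || return 1
    if [ "$mode" = apply ]; then
        [ -d "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
        printf '%s\n' "$cfg" > /etc/default/suricata
        render_nfq_rules "$iface" "$queue" | sh -e
        systemctl restart suricata
    else
        echo "# would write to /etc/default/suricata:"
        printf '%s\n' "$cfg"
        echo "# would run:"
        render_nfq_rules "$iface" "$queue"
    fi
}

# Usage: sh nfq-setup.sh ens3 0             (dry run, placeholder interface and queue)
#        sudo sh nfq-setup.sh apply ens3 0
case "${1:-}" in
    '')    ;;                                   # no arguments: only define the functions
    apply) deploy_nfq apply "${2:-}" "${3:-0}" ;;
    *)     deploy_nfq dry-run "$1" "${2:-0}" ;;
esac
```

Whether to keep --queue-bypass is the real design decision here: with it, a crash of the Suricata process leaves the server reachable but uninspected, so pair it with monitoring of the service; without it, every packet is dropped until the process is back, which is safer for a gateway but can lock you out of an SSH session on the same interface.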
To complete the setup, install suricata-update, then update and load the rules. This is quite easy to do:
sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update
Next, run the suricata-update command to install the Emerging Threats Open rule set:
sudo suricata-update
To view the list of rule sources, run:
sudo suricata-update list-sources
Update the rule sources:
sudo suricata-update update-sources
Check the updated sources again:
sudo suricata-update list-sources
If necessary, enable the available free sources:
sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist
After that, update the rules again:
sudo suricata-update
This completes the installation and initial configuration of Suricata on Ubuntu 18.04 LTS. The most interesting part comes next: in the next article we will connect the virtual server to the office network via VPN and start analyzing all inbound and outbound traffic. We will pay special attention to blocking DDoS attacks, malware activity, and attempts to exploit vulnerabilities in services reachable from public networks. For clarity, the most common types of attacks will be simulated.
Source: habr.com