Release of the Suricata 6.0 intrusion detection system

After a year of development, the OISF (Open Information Security Foundation) has published release 6.0 of the Suricata network intrusion detection and prevention system, which provides tools for inspecting various kinds of network traffic. Suricata configurations can use the signature databases developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rulesets. The project's source code is distributed under the GPLv2 license.

Major changes:

  • ΠΠ°Ρ‡Π°Π»ΡŒΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° HTTP/2.
  • ΠŸΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² RFB ΠΈ MQTT, Π²ΠΊΠ»ΡŽΡ‡Π°Ρ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ опрСдСлСния ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π° ΠΈ вСдСния Π»ΠΎΠ³Π°.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ вСдСния Π»ΠΎΠ³Π° для ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π° DCERPC.
  • Π—Π½Π°Ρ‡ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΠ΅ ΠΏΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ вСдСния Π»ΠΎΠ³Π° Ρ‡Π΅Ρ€Π΅Π· подсистСму EVE, ΠΎΠ±Π΅ΡΠΏΠ΅Ρ‡ΠΈΠ²Π°ΡŽΡ‰ΡƒΡŽ Π²Ρ‹Π²ΠΎΠ΄ событий Π² Ρ„ΠΎΡ€ΠΌΠ°Ρ‚Π΅ JSON. УскорСниС достигнуто благодаря Π·Π°Π΄Π΅ΠΉΡΡ‚Π²ΠΎΠ²Π°Π½ΠΈΡŽ Π½ΠΎΠ²ΠΎΠ³ΠΎ ΠΏΠΎΡΡ‚Ρ€ΠΎΠΈΡ‚Π΅Π»ΡŒ сток JSON, написанного Π½Π° языкС Rust.
  • ΠŸΠΎΠ²Ρ‹ΡˆΠ΅Π½Π° ΠΌΠ°ΡΡˆΡ‚Π°Π±ΠΈΡ€ΡƒΠ΅ΠΌΠΎΡΡ‚ΡŒ систСмы Π»ΠΎΠ³ΠΎΠ² EVE ΠΈ Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ вСдСния ΠΎΡ‚Π΅Π»ΡŒΠ½ΠΎΠ³ΠΎ Π»ΠΎΠ³-Ρ„Π°ΠΉΠ»Π° Π½Π° ΠΊΠ°ΠΆΠ΄Ρ‹ΠΉ ΠΏΠΎΡ‚ΠΎΠΊ.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ опрСдСлСния условий для сброса свСдСний Π² Π»ΠΎΠ³.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ отраТСния MAC-адрСсов Π² Π»ΠΎΠ³Π΅ EVE ΠΈ ΠΏΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ Π΄Π΅Ρ‚Π°Π»ΠΈΠ·Π°Ρ†ΠΈΠΈ Π»ΠΎΠ³Π° DNS.
  • ΠŸΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ Π΄Π²ΠΈΠΆΠΊΠ° ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ ΠΏΠΎΡ‚ΠΎΠΊΠΎΠ² (flow engine).
  • ΠŸΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΈΠ΄Π΅Π½Ρ‚ΠΈΡ„ΠΈΠΊΠ°Ρ†ΠΈΠΈ Ρ€Π΅Π°Π»ΠΈΠ·Π°Ρ†ΠΈΠΉ SSH (hassh).
  • РСализация Π΄Π΅ΠΊΠΎΠ΄ΠΈΡ€ΠΎΠ²Ρ‰ΠΈΠΊΠ° Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ GENEVE.
  • На языкС Rust пСрСписан ΠΊΠΎΠ΄ для ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ ASN.1, DCERPC ΠΈ SSH. На Rust Ρ‚Π°ΠΊΠΆΠ΅ Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° Π½ΠΎΠ²Ρ‹Ρ… ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ².
  • Π’ языкС опрСдСлСния ΠΏΡ€Π°Π²ΠΈΠ» Π² ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠΌ словС byte_jump Π΄ΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π° from_end, Π° Π² byte_test β€” ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π° bitmask. Π Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½ΠΎ ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠ΅ слово pcrexform, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡŽΡ‰Π΅Π΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ рСгулярныС выраТСния (pcre) для Π·Π°Ρ…Π²Π°Ρ‚Π° подстроки. Π”ΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΏΡ€Π΅ΠΎΠ±Ρ€Π°Π·ΠΎΠ²Π°Π½ΠΈΠ΅ urldecode. Π”ΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠ΅ слово byte_math.
  • ΠŸΡ€Π΅Π΄ΠΎΡΡ‚Π°Π²Π»Π΅Π½ΠΈΡ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ использования cbindgen для Π³Π΅Π½Π΅Ρ€Π°Ρ†ΠΈΠΈ привязок Π½Π° языках Rust ΠΈ C.
  • Π”ΠΎΠ±Π°Π²Π»Π΅Π½Π° Π½Π°Ρ‡Π°Π»ΡŒΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΠ»Π°Π³ΠΈΠ½ΠΎΠ².

Suricata features:

  • Una forma utendo ad ostentationem scan eventus Unified2, etiam usus est in project Snort , quod instrumenta analyseos normae uti permittit ut barnyard2. Possibilitas integrationis cum BASIS, Snorby, Sguil et SqueRT productis. PCAPA output support;
  • Sustentatio latae detectionis protocollarum (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), permittit te in regulis tantum per genus protocollum operari, sine numero portus (exempli gratia, angustos HTTP negotiatio in portum non-vexillum). Disponibilitas decodorum pro HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP et SSH protocolla;
  • Potens HTTP analyseos mercaturae ratio, quae speciali HTP bibliotheca utitur, ab authore de Mod_Securitatis project ad parse et normalize HTTP negotiationis utitur. Modulus est available servandi index transitus HTTP translationes singula: iniuriarum servata est in forma vexillum
    Apache. Receptum et iniecta lima per HTTP transmissa sustentatur. Support parsing compressi contentus. Facultas cognoscendi ab URI, Cookie, capitis, agentis usoris, petitio/responsionis corporis;

  • Firmamentum est variis interfaces negotiationis interceptionis, inter NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. Exploratio imaginum servatarum iam in forma PCAP analysi fieri potest;
  • Princeps effectus, facultas processus fluit usque ad 10 gigabitas/sec in apparatu conventionali.
  • Summus-perficiendi larva adaptans mechanismum pro amplissimis mutationibus IP inscriptionibus. Firmamentum est eligendo contentus persona et expressionibus regularibus. Files ab negotiationis segregans, identificatio earum nominatim incluso, typus vel MD5 checksum.
  • Facultas variabilibus in regulis utendi: informationes ex rivo servare potes et in aliis regulis postea uti;
  • Utere YAML formato in imaginum figuratione, quae te permittit ut claritatem serves dum processus apparatus facilis est;
  • Plena IPv6 auxilio;
  • Instructo in machinam ad fracturam latae sententiae et reuocationem fasciculorum, permittens ad rectam processui fluminum, cuiuscumque ordinis in quo packets perueniunt;
  • Firmamentum effosso protocolla: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Fasciculus decoding subsidii: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Aer, PPP, PPPoE, Raw, SLL, VLAN;
  • Modus claues colligandi ac testimoniales apparentes intra TLS/SSL nexus;
  • Facultas scribendi scripta in Lua ad analysin provectam et ad efficiendum facultates additionales necessarias ad cognoscendas rationes negotiationis, quibus normae regulae non sufficiunt.

Source: opennet.ru