Meerkat or Suricata. Part 2: Installing and initial configuration of Suricata

According to statistics, the volume of network traffic grows by roughly 50% every year. This increases the load on equipment and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive specialized appliances, but there is a cheaper option: deploy one of the open-source systems. Many novice administrators assume that installing and configuring a free IPS is difficult. In the case of Suricata this is not entirely true: you can install it and start blocking typical attacks with free rulesets in a few minutes.

Meerkat or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

Why do we need another open-source IPS?

Snort has been in development since the late nineties, and for a long time it remained single-threaded. Over the years it acquired all the modern features, such as IPv6 support, the ability to analyze application-layer protocols, and a universal data access module.

The core engine of Snort 2.X learned to work with multiple cores, but it remained single-threaded and therefore cannot take full advantage of modern hardware platforms.

The problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to appear on the market first. In 2009 it began to be developed precisely as a multi-threaded alternative to Snort, with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners have access to a closed version of the engine. Some scalability problems appeared in the first versions of the system, but they were quickly resolved.

Why Suricata?

Suricata has several modules (like Snort): capture, collection, decoding, detection and output. By default, captured traffic is passed to decoding in a single thread, even though this is the stage that loads the system the most. If necessary, threads can be split in the settings and distributed among processors: Suricata is very well optimized for specific hardware, although that is no longer a beginner-level HOWTO. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. They can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 and IPv6-in-IPv6 tunnels, among others.

Various interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, analyzing and processing network packets. It is also important to note that in Suricata traffic is blocked using the operating system's regular packet filter. In GNU/Linux there are two ways to run it as an IPS: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). In the first case, a packet that hits iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata runs it through its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP and NF_REPEAT. The first two are self-explanatory, while the last one lets you mark packets and send them back to the beginning of the current iptables table. AF_PACKET mode is faster, but it imposes a number of restrictions on the system: it must have two network interfaces and operate as a gateway. A blocked packet is simply not forwarded to the second interface.

An important feature of Suricata is the ability to reuse work done for Snort. The administrator has access, in particular, to the Sourcefire VRT and OpenSource Emerging Threats rulesets, as well as the commercial Emerging Threats Pro. Unified output can be analyzed with popular backends, and output to PCAP and Syslog is also supported. System settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognizes many protocols, so rules do not need to be tied to a port number. In addition, the concept of flowbits is used heavily in Suricata rules. To track triggers, session variables are used, which allow you to create and apply various counters and flags. Many IDS treat separate TCP connections as separate sessions and may not see the relationship between them that indicates the start of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic spread across different connections. We could talk about its advantages for a long time; let's move on to installation and configuration.

Installation

We will install Suricata on a real server running Ubuntu 18.04 LTS. All commands must be executed as the superuser (root). The safest option is to connect to the server via SSH as a regular user and then use sudo to elevate privileges. First we need to install the packages we need:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Add the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest version of Suricata:

sudo apt-get install suricata

If necessary, edit the interface name in the configuration files, replacing the default eth0 with the actual name of the server's external interface. The startup settings are stored in the file /etc/default/suricata, and the main settings in /etc/suricata/suricata.yaml. Configuring the IDS mostly comes down to editing this file. It has many parameters which, by name and purpose, match their counterparts in Snort. The syntax is quite different, but the file is much easier to read than Snort's configuration, and it is also well commented.

sudo nano /etc/default/suricata

and

sudo nano /etc/suricata/suricata.yaml

Attention! Before starting, you should check the values of the variables in the vars section.
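The two settings that most often go wrong on a fresh install are the interface name in /etc/default/suricata and the HOME_NET / EXTERNAL_NET variables in the vars section of suricata.yaml. The script below is an added example, not code from the article or from the Suricata project; it extracts both settings and flags an interface that does not exist on the host or a HOME_NET that still carries the stock RFC 1918 value. It assumes that the Ubuntu package's /etc/default/suricata contains an IFACE=... line and that suricata.yaml uses the stock "vars: address-groups:" layout; the two sample files it checks are constructed inline.

```shell
#!/bin/sh
# Added example, not taken from the article: sanity-check the listening interface in
# /etc/default/suricata and the HOME_NET/EXTERNAL_NET variables in suricata.yaml.
# Assumptions: the Ubuntu package's /etc/default/suricata carries an IFACE=... line
# and suricata.yaml uses the stock "vars: address-groups:" layout.

# Print the value of one entry from the vars.address-groups section (quotes removed).
# Usage: yaml_var <suricata.yaml> <NAME>
yaml_var() {
    grep -E "^[[:space:]]+$2:[[:space:]]" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]+$2:[[:space:]]*//; s/^\"//; s/\"\$//"
}

# Return 0 when HOME_NET still carries the stock RFC 1918 value, i.e. nobody has
# told Suricata which networks are "home" yet.
home_net_is_default() {
    [ "$(yaml_var "$1" HOME_NET)" = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" ]
}

# Print the IFACE= value from /etc/default/suricata.
default_iface() {
    sed -n -E 's/^IFACE=//p' "$1" | head -n 1
}

# Return 0 when the named interface exists on this host.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Run all checks against a pair of files and print one line per problem.
# Prints "ok" and returns 0 when nothing is wrong; returns 1 otherwise.
check_config() {
    yaml="$1"; defaults="$2"; problems=0
    iface="$(default_iface "$defaults")"
    if ! iface_exists "$iface"; then
        echo "IFACE=$iface in $defaults does not exist on this host"
        problems=1
    fi
    if home_net_is_default "$yaml"; then
        echo "HOME_NET in $yaml is still the stock value; set it to your real networks"
        problems=1
    fi
    [ "$problems" -eq 0 ] && echo "ok"
    return "$problems"
}

# Constructed sample files (the real ones live in /etc/default and /etc/suricata).
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_YAML="$SAMPLE_DIR/suricata.yaml"
SAMPLE_DEFAULT="$SAMPLE_DIR/default-suricata"

cat > "$SAMPLE_YAML" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
EOF

cat > "$SAMPLE_DEFAULT" <<'EOF'
RUN=yes
IFACE=eth0
EOF

# Against the live files the call is:
#   check_config /etc/suricata/suricata.yaml /etc/default/suricata
check_config "$SAMPLE_YAML" "$SAMPLE_DEFAULT" || true
```

Run it as root after editing both files; a non-zero exit means Suricata would either listen on the wrong interface or classify your own hosts as external, which silently breaks every rule that distinguishes $HOME_NET from $EXTERNAL_NET.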

To complete the installation, you need to install suricata-update, which downloads and updates the rules. This is easy to do:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Then we need to run the suricata-update command to install the Emerging Threats Open ruleset:

sudo suricata-update

To view the list of rule sources, run this command:

sudo suricata-update list-sources

Update the list of rule sources:

sudo suricata-update update-sources

Check the updated list of sources again:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, you need to update the rules again:

sudo suricata-update
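Before restarting Suricata it is worth checking what the suricata-update steps above actually produced. The script below is an added example, not code from the article or from the Suricata project. It assumes that suricata-update writes the merged ruleset to /var/lib/suricata/rules/suricata.rules and that suricata.yaml only loads it when its top-level "default-rule-path:" points at that directory (the packaged suricata.yaml may still point at /etc/suricata/rules, in which case the freshly downloaded rules are never loaded). The rules file and YAML fragment it inspects are constructed inline; the sids are made up and belong to no real ruleset.

```shell
#!/bin/sh
# Added example, not taken from the article: inspect the result of "suricata-update"
# before restarting Suricata. Assumptions: the merged ruleset lands in
# /var/lib/suricata/rules/suricata.rules, and suricata.yaml loads it only when
# "default-rule-path:" points at that directory.

RULES_DIR="/var/lib/suricata/rules"

# Number of active rules with the given action (alert, drop, pass, reject).
count_rules() {
    grep -c -E "^$2[[:space:]]" "$1" || true
}

# Number of rules that were disabled by commenting them out ("# alert ...").
count_disabled() {
    grep -c -E "^#[[:space:]]*(alert|drop|pass|reject)[[:space:]]" "$1" || true
}

# Print the sid of every active rule, one per line, in file order.
active_sids() {
    grep -E "^(alert|drop|pass|reject)[[:space:]]" "$1" \
        | sed -n -E 's/.*[[:space:](;]sid:[[:space:]]*([0-9]+);.*/\1/p'
}

# Return 0 when suricata.yaml points default-rule-path at the suricata-update directory.
rule_path_ok() {
    [ "$(sed -n -E 's/^default-rule-path:[[:space:]]*//p' "$1" | head -n 1)" = "$RULES_DIR" ]
}

# Print a one-line summary for a rules file; return 1 if it holds no active rule at all.
rules_summary() {
    f="$1"
    a="$(count_rules "$f" alert)"; d="$(count_rules "$f" drop)"; x="$(count_disabled "$f")"
    echo "$f: $a alert, $d drop, $x disabled"
    [ "$((a + d))" -gt 0 ]
}

# Constructed sample input; the real files are $RULES_DIR/suricata.rules and
# /etc/suricata/suricata.yaml.
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_RULES="$SAMPLE_DIR/suricata.rules"
SAMPLE_YAML="$SAMPLE_DIR/suricata.yaml"

cat > "$SAMPLE_RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE blocked request"; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)
alert http any any -> any any (msg:"EXAMPLE http"; content:"example"; sid:9000004; rev:2;)
EOF

printf 'default-rule-path: /var/lib/suricata/rules\nrule-files:\n  - suricata.rules\n' > "$SAMPLE_YAML"

rules_summary "$SAMPLE_RULES" || true
rule_path_ok "$SAMPLE_YAML" && echo "default-rule-path points at $RULES_DIR"
```

Once the counts look right and the rule path matches, validate the whole configuration with `sudo suricata -T -c /etc/suricata/suricata.yaml` (the -T flag only parses the config and rules and then exits) and restart the service with `sudo systemctl restart suricata`.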

At this point, the installation and initial configuration of Suricata on Ubuntu 18.04 LTS can be considered complete. Then the interesting part begins: in the next article we will connect the server to the office network via VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity, and attempts to exploit vulnerabilities in services exposed to public networks. For clarity, attacks of the most common types will be simulated.

Source: www.habr.com