Snort or Suricata. Part 2: Installation and initial configuration of Suricata

According to statistics, the volume of network traffic grows by 50% every year. This leads to a higher load on equipment and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive specialized hardware, but there is a cheaper option: deploying one of the open source systems. Many novice administrators believe that installing and configuring a free IPS is difficult. In the case of Suricata this is not entirely true: you can install it and start repelling typical attacks with a set of free rules within a few minutes.

Snort or Suricata. Part 2: Installation and initial configuration of Suricata
Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

Why do we need another open-source IPS?

Long regarded as the standard, Snort has been in development since the late nineties, so it was originally single-threaded. Over the years it acquired all the modern features, such as IPv6 support, the ability to analyze application-level protocols, and a universal data access module.

The core Snort 2.X engine learned to work with multiple cores, but it remained single-threaded and therefore cannot take full advantage of modern hardware platforms.

The problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. In 2009 it began to be developed specifically as a multi-threaded alternative to Snort, with IPS functions out of the box. The code is distributed under the GPLv2 license, but the project's financial partners can obtain a closed version of the engine. Some scalability problems arose in the first versions of the system, but they were quickly resolved.

Why Suricata?

Suricata consists of several modules (like Snort): capture, collection, decoding, detection and output. By default, captured traffic is handed to a single thread before decoding, although this loads the system more. If necessary, threads can be split in the settings and distributed between processors; Suricata can be tuned very well for specific hardware, although this is no longer a HOWTO level for beginners. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. They can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 and IPv6-in-IPv6 tunnels and others.

Various interfaces can be used to capture traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode PCAP files captured by another sniffer can be analyzed automatically. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, analyzing and processing network packets. It is also important to note that in Suricata, traffic is blocked using the operating system's standard filter. On GNU/Linux, two IPS operating modes are available: through the NFQUEUE queue (NFQ mode) and through zero copy (AF_PACKET mode). In the first case, a packet that enters iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata runs it through its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP and NF_REPEAT. The first two are self-explanatory, while the last one allows packets to be marked and sent back to the beginning of the current iptables table. AF_PACKET mode is faster, but it imposes a number of restrictions on the system: it must have two network interfaces and operate as a gateway. A blocked packet is simply not forwarded to the second interface.
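
As an added example (not part of the original article), the NFQ deployment described above expressed as shell: the iptables rules that divert packets to NFQUEUE, the matching nfq: block for suricata.yaml, and the command that starts Suricata on the queue. Queue number 0, fwmark 1 with mask 1, and the use of iptables rather than nftables are assumptions.

```shell
# Added example, not from the article: put Suricata inline in NFQ mode.
# iptables diverts packets to NFQUEUE; Suricata answers NF_ACCEPT or
# NF_DROP, or, in repeat mode, marks the packet and returns NF_REPEAT so
# it re-enters the table and the "! --mark" match lets it through.
# Assumptions: iptables (not nftables), queue 0, fwmark 1 with mask 1.
QUEUE=0
MARK=1
MASK=1

# Print the iptables commands for a verdict mode ("accept" or "repeat").
# --queue-bypass makes the rule fail-open: with no Suricata listening,
# packets pass unfiltered instead of being dropped. Leave it off when an
# IPS outage must block traffic rather than let it through.
nfq_rules() {
    mode=$1
    bypass=$2
    match=""
    [ "$mode" = repeat ] && match="-m mark ! --mark $MARK/$MASK "
    opt=""
    [ "$bypass" = yes ] && opt=" --queue-bypass"
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -I $chain ${match}-j NFQUEUE --queue-num $QUEUE$opt"
    done
}

# The matching nfq: block for suricata.yaml (repeat-mark/mask are only
# consulted in repeat mode).
nfq_yaml() {
    printf 'nfq:\n  mode: %s\n  repeat-mark: %s\n  repeat-mask: %s\n' \
        "$1" "$MARK" "$MASK"
}

# Apply the rules and start Suricata on the queue (run as root).
apply_nfq() {
    nfq_rules "$1" "$2" | while read -r cmd; do $cmd; done
    suricata -c /etc/suricata/suricata.yaml -q "$QUEUE" -D
}

if [ "${1:-}" = apply ]; then
    apply_nfq "${2:-accept}" "${3:-yes}"
fi
```

Run it without arguments to see the generated rules; `sh script.sh apply repeat yes` installs them and starts the daemon.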

An important feature of Suricata is its ability to use what has been built for Snort. In particular, the administrator has access to the Sourcefire VRT and OpenSource Emerging Threats rule sets, as well as the commercial Emerging Threats Pro. The unified output can be analyzed with popular backends, and output to PCAP and Syslog is also supported. System settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognizes many protocols, so rules do not need to be tied to a port number. In addition, the concept of flowbits is used extensively in Suricata rules. To track triggering, session variables are used, which allow various counters and flags to be created and applied. Many IDSs treat separate TCP connections as separate sessions and can miss the link between them that indicates the start of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic spread across different connections. One could go on about its advantages for a long time; we had better move on to installation and configuration.

How to install it?

We will install Suricata on a server running Ubuntu 18.04 LTS. All commands must be executed as the superuser (root). The safest option is to connect to the server via SSH as a regular user and then use the sudo utility to elevate privileges. First we need to install the required packages:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Add the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the interface name in the configuration files, replacing the default eth0 with the actual name of the server's external interface. The default settings are stored in the /etc/default/suricata file, and the custom settings in /etc/suricata/suricata.yaml. IDS configuration mostly comes down to editing this configuration file. It contains many parameters that, in name and purpose, correspond to their counterparts in Snort. The syntax is quite different, but the file is much easier to read than Snort configs, and it is also well commented.

sudo nano /etc/default/suricata

and

sudo nano /etc/suricata/suricata.yaml

Attention! Before starting, you must check the values of the variables in the vars section.
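
An added check (not from the article) for the two files just mentioned: it reads HOME_NET and EXTERNAL_NET from the vars section and IFACE from /etc/default/suricata and counts the settings that should not be left as shipped. The Ubuntu package paths, the shipped HOME_NET default and a Linux /sys/class/net tree are assumptions.

```shell
# Added example, not from the article: sanity-check the two files edited
# above before the first start. Assumptions: Ubuntu package layout
# (/etc/default/suricata with IFACE=..., /etc/suricata/suricata.yaml with
# vars: address-groups: HOME_NET / EXTERNAL_NET) and a Linux /sys tree.
SHIPPED_HOME_NET='[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'

# Value of KEY=value in /etc/default/suricata ($1 file, $2 key).
default_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Value of an address-group variable in suricata.yaml ($1 file, $2 name).
yaml_var() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Check HOME_NET, EXTERNAL_NET and IFACE; problems go to stderr and the
# count is printed, so a caller can refuse to start on anything but 0.
# $1 suricata.yaml, $2 /etc/default/suricata, $3 interface dir (optional).
check_vars() {
    netdir=${3:-/sys/class/net}
    problems=0
    home=$(yaml_var "$1" HOME_NET)
    ext=$(yaml_var "$1" EXTERNAL_NET)
    iface=$(default_var "$2" IFACE)
    # Rules scoped to $HOME_NET are only as good as this list; the shipped
    # RFC 1918 default rarely matches a server with a public address.
    if [ -z "$home" ] || [ "$home" = "$SHIPPED_HOME_NET" ]; then
        echo "HOME_NET is unset or still the shipped default: $home" >&2
        problems=$((problems + 1))
    fi
    # "any" overlaps HOME_NET, so $EXTERNAL_NET -> $HOME_NET rules also
    # fire on internal traffic; the usual value is !$HOME_NET.
    if [ "$ext" = any ]; then
        echo "EXTERNAL_NET is 'any'; the usual value is !\$HOME_NET" >&2
        problems=$((problems + 1))
    fi
    # Suricata will not start on an interface that does not exist.
    if [ -z "$iface" ] || [ ! -e "$netdir/$iface" ]; then
        echo "IFACE='$iface' is not an interface on this host" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

if [ -f /etc/suricata/suricata.yaml ]; then
    check_vars /etc/suricata/suricata.yaml /etc/default/suricata
fi
```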

To complete the setup, you will need to install suricata-update, which updates and loads the rules. This is quite easy:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next, run the suricata-update command to install the Emerging Threats Open ruleset:

sudo suricata-update

To see the list of rule sources, run the following command:

sudo suricata-update list-sources

Update the available rule sources:

sudo suricata-update update-sources

Take another look at the updated sources:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, update the rules again:

sudo suricata-update
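
As an added example (not from the article) of the flowbits mentioned earlier and of the local rules you will want alongside the downloaded ruleset: three rules that correlate a login request, a 401 response in the same flow and a later connection from the same client, written to local.rules and parsed with suricata -T before the service is restarted. The rule path, the 1000000+ sid range and the rule-files entry are assumptions.

```shell
# Added example, not from the article: local rules that use the flowbits
# (per flow) and xbits (per host, across flows) described above, installed
# next to the suricata-update ruleset and parsed with "suricata -T" before
# the service is restarted. Assumptions: rule directory /var/lib/suricata/rules
# with "- local.rules" listed under rule-files: in suricata.yaml, sids from
# the 1000000+ range kept for local rules, HOME_NET/EXTERNAL_NET set above.
RULES=/var/lib/suricata/rules/local.rules
CONF=/etc/suricata/suricata.yaml

local_rules() {
    cat <<'EOF'
# 1. Remember, in this flow only, that a login form was requested; the
#    rule itself stays silent (flowbits:noalert).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL login page requested"; flow:to_server,established; content:"/login"; http_uri; flowbits:set,local.login_req; flowbits:noalert; sid:1000001; rev:1;)
# 2. The same flow got a 401: one failed login. Record the client address
#    in an xbit that outlives this TCP connection (300 s).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL failed login"; flow:to_client,established; content:"401"; http_stat_code; flowbits:isset,local.login_req; xbits:set,local.failed_login,track ip_dst,expire 300; sid:1000002; rev:1;)
# 3. A new connection from a client that failed recently: the cross-
#    connection view that flowbits alone cannot give, limited per source.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL new connection after failed login"; flow:to_server; flags:S; xbits:isset,local.failed_login,track ip_src; threshold:type limit,track by_src,count 1,seconds 60; sid:1000003; rev:1;)
EOF
}

# Number of rules (non-comment lines) in a rules file.
count_rules() {
    grep -c '^alert ' "$1"
}

# Write the file, make Suricata parse every configured rule file (-T exits
# non-zero on a syntax error) and only then restart the service.
install_local_rules() {
    local_rules > "$RULES"
    grep -q 'local.rules' "$CONF" || echo "add '- local.rules' under rule-files: in $CONF" >&2
    suricata -T -c "$CONF" && systemctl restart suricata
}
```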

At this point, the installation and initial configuration of Suricata on Ubuntu 18.04 LTS can be considered complete. Then the fun begins: in the next article we will connect a virtual server to the office network via VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity and attempts to exploit vulnerabilities in services reachable from the public network. For clarity, attacks of the most common types will be simulated.

Source: www.habr.com