Suricata 5.0 intrusion detection system released

The OISF (Open Information Security Foundation) has published the release of the Suricata 5.0 network intrusion detection and prevention system, which provides tools for inspecting various kinds of traffic. Suricata configurations can use the signature databases developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project sources are distributed under the GPLv2 licence.

Major changes:

  • New parsing and logging modules for RDP, SNMP and SIP, written in Rust. The FTP parsing module gained the ability to log through the EVE subsystem, which emits events in JSON format;

  • In addition to the JA3 TLS client fingerprinting method that appeared in the previous release, support for the JA3S method has been added. Based on the characteristics of the handshake negotiation and the parameters set, it allows determining which software is used to establish the connection (for example, it allows detecting the use of Tor and other typical applications). JA3 fingerprints clients, and JA3S fingerprints servers. The results of the identification can be used in the rule definition language and in logs;
  • Added the ability to check samples for matches against large data sets, implemented with the new dataset and datarep operations. For example, the feature is suited to searching for masks in large blacklists with millions of entries;
  • The HTTP inspection module provides full coverage of all situations described in the HTTP Evader test suite (for example, it covers techniques used to hide malicious activity in traffic);
  • The tooling for building modules in the Rust language has been moved from optional to mandatory. In future, it is planned to expand the use of Rust in the project code base and gradually replace modules with analogues developed in Rust;
  • The protocol detection engine has been improved to increase accuracy and to handle asynchronous traffic flows;
  • Support for a new "anomaly" record type has been added to the EVE log, storing atypical events detected while decoding packets. EVE also gained extended output of information about VLANs and traffic capture interfaces. An option was added to store all HTTP headers in EVE http log entries;
  • eBPF-based handlers provide support for hardware methods of accelerating packet processing. Hardware acceleration is currently limited to Netronome network adapters, but will gradually become available for other devices;
  • The traffic capture code using the Netmap framework has been rewritten. Added the ability to use advanced Netmap features such as the VALE virtual switch;
  • Added support for the new Sticky Buffers keyword definition scheme. The new scheme is defined in "protocol.buffer" format; for example, for URI inspection the keyword takes the form "http.uri" instead of "http_uri";
  • All Python code used has been verified for compatibility with Python 3;

  • Support for the Tilera architecture, the dns.log text log and the old files-json.log log has been discontinued.
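As an added illustration of the JA3/JA3S bullet above (not code from the Suricata project or from the original article), the following Python shows how the JA3 (ClientHello) and JA3S (ServerHello) strings and their MD5 fingerprints are built from handshake parameters, and why randomised GREASE values must be dropped to keep the fingerprint stable. The field names and handshake values are constructed for the example.

```python
import hashlib

# GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ..., 0xfafa. Clients
# insert them at random, so they must be dropped or the same client would
# produce a different fingerprint on every connection.
def is_grease(value: int) -> bool:
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 string from ClientHello fields (assumed parameter names):
    version,ciphers,extensions,elliptic_curves,point_formats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version, cipher, extensions) -> str:
    """JA3S string from ServerHello fields: version,cipher,extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(ja3_or_ja3s: str) -> str:
    """The value that ends up in logs is the MD5 hex digest of the string."""
    return hashlib.md5(ja3_or_ja3s.encode("ascii")).hexdigest()


# Constructed sample handshake values (decimal code points), not a capture.
# 771 is TLS 1.2 (0x0303); 4865 is TLS_AES_128_GCM_SHA256; 0x1a1a etc. are GREASE.
CLIENT_HELLO = {
    "version": 771,
    "ciphers": [0x1A1A, 4865, 4866, 4867, 49195],
    "extensions": [0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    "curves": [0x3A3A, 29, 23, 24],
    "point_formats": [0],
}
SERVER_HELLO = {"version": 771, "cipher": 4865, "extensions": [43, 51]}


def grease_does_not_change_fingerprint() -> bool:
    """Re-randomising the GREASE cipher value must yield the same JA3 hash."""
    regreased = dict(CLIENT_HELLO, ciphers=[0x7A7A] + CLIENT_HELLO["ciphers"][1:])
    return fingerprint(ja3_string(**CLIENT_HELLO)) == fingerprint(ja3_string(**regreased))


if __name__ == "__main__":
    print("JA3 :", ja3_string(**CLIENT_HELLO), fingerprint(ja3_string(**CLIENT_HELLO)))
    print("JA3S:", ja3s_string(**SERVER_HELLO), fingerprint(ja3s_string(**SERVER_HELLO)))
```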

Features of Suricata:

  • Use of the Unified2 format for scan results output, also used by the Snort project, which allows analysis tools such as barnyard2 to be used. Integration with the BASE, Snorby, Sguil and Squert products is possible. PCAP output is supported;
  • Support for automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), allowing rules to operate only on the protocol type, without reference to the port number (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • The powerful HTTP traffic inspection system uses the dedicated HTP library, developed by the author of the Mod_Security project, to parse and normalise HTTP traffic. A module is available for keeping a detailed log of HTTP transfers; the log is kept in the standard Apache format. Extraction and inspection of files transferred over HTTP is supported. Parsing of compressed content is supported. Identification by URI, Cookie, headers, user-agent, request/response body;

  • Support for various traffic interception interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. It is possible to analyse files previously saved in PCAP format;
  • High performance, with the ability to process flows of up to 10 gigabits/sec on ordinary hardware;
  • High-performance mask matching engine for large sets of IP addresses. Support for selecting content by masks and regular expressions. Extraction of files from traffic, including their identification by name, type or MD5 checksum;
  • Ability to use variables in rules: information can be saved from a stream and later used in other rules;
  • Use of the YAML format in configuration files, which keeps them readable while remaining easy to process by machine;
  • Full IPv6 support;
  • Built-in engine for automatic defragmentation and reassembly of packets, allowing correct processing of flows regardless of the order in which packets arrive;
  • Tunneling protocol support: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • Mode for logging keys and certificates seen inside TLS/SSL connections;
  • Ability to write scripts in Lua to provide advanced analysis and implement additional capabilities needed to detect types of traffic for which standard rules are insufficient.
Source: opennet.ru