Snort or Suricata. Part 2: Installing and initial configuration of Suricata

According to statistics, network traffic volume grows by roughly 50% every year. This increases the load on hardware and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive dedicated appliances, but there is a cheaper option: deploying one of the open-source systems. Many novice administrators find it hard to install and configure a free IPS. In the case of Suricata this is not really true: you can install it and start blocking typical attacks with free rulesets within a few minutes.

Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

Why do we need another open-source IPS?

Long regarded as the standard, Snort has been under development since the late 1990s, so it was originally single-threaded. Over the years it gained all the modern features, such as IPv6 support, the ability to analyze application-layer protocols, and a universal data access module.

The Snort 2.X engine can be run on different cores, but each instance remains single-threaded and therefore cannot take full advantage of modern hardware.

The problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. Its development started in 2009 precisely as a multi-threaded replacement for Snort with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners get access to a closed version of the engine. The first versions had some scalability problems, but they were resolved quickly.

Why Suricata?

Suricata has several modules (similar to Snort): capture, acquisition, decoding, detection and output. By default, captured traffic is handled by a single thread before decoding, although this puts more load on the system. If needed, the threads can be split in the settings and distributed across processor cores; Suricata can be tuned very well for specific hardware, although that is no longer beginner HOWTO material. Also worth noting is that Suricata has advanced HTTP inspection built on the HTP library, which can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 tunnels, IPv6-in-IPv6 tunnels, and more.

Various interfaces can be used to capture traffic (NFQueue, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can automatically analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, analyzing and processing network packets. It is also important to understand that in Suricata, traffic is blocked through the operating system's standard packet filter. GNU/Linux offers two ways of running it as an IPS: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). In the first case, a packet that enters iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata evaluates it against its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP or NF_REPEAT. The first two are self-explanatory; the last allows the packet to be marked and sent back to the top of the current iptables table. AF_PACKET mode is faster, but it imposes a restriction on the system: it must have two network interfaces and act as a gateway between them. A blocked packet is simply not forwarded to the second interface.

An important feature of Suricata is the ability to use the work done for Snort. In particular, the administrator has access to the Sourcefire VRT and open-source Emerging Threats rulesets, as well as the commercial Emerging Threats Pro. Unified output can be parsed with popular backends, and PCAP and Syslog output are also supported. The system configuration, including which rule files are loaded, is stored in a YAML file, which is easy to read and can be processed automatically; the rules themselves live in separate rule files. The Suricata engine recognizes many protocols, so rules do not have to be tied to a port number. In addition, the concept of flowbits is used heavily in Suricata rules: to track what has triggered, session variables are used to create and apply various counters and flags. Many IDSs treat different TCP connections as separate entities and may not see the relationship between them that indicates the start of an attack. Suricata tries to see the whole picture and often recognizes malicious traffic spread over several connections. One could talk about its advantages for a long time; let's move on to installation and configuration.

How to install it?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be executed as the superuser (root). The safest option is to SSH into the server as a regular user and then use the sudo utility to elevate privileges. First, install the packages we need:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Connect the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest version of Suricata:

sudo apt-get install suricata

If necessary, edit the configuration files, replacing the default eth0 with the real name of the server's external interface. The defaults are stored in /etc/default/suricata, and the detailed settings in /etc/suricata/suricata.yaml. Configuring the IDS mostly comes down to editing the configuration file. It has many parameters that match their Snort counterparts in name and purpose. The syntax is quite different, however, and the file is much easier to read than Snort configs and is well commented.

sudo nano /etc/default/suricata


and

sudo nano /etc/suricata/suricata.yaml


Note! Before starting, check the values of the variables in the vars section. In particular, HOME_NET must cover the addresses you are protecting: with the stock RFC1918 list, a server with a public address is not part of HOME_NET, and every rule written as $EXTERNAL_NET -> $HOME_NET will stay silent.
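The following is an added example, not part of the original article: a constructed fragment of suricata.yaml showing the vars section edited for a server with a public address, the af-packet section with the two-interface inline (IPS) layout mentioned earlier, and a small check that HOME_NET was actually changed from its stock value. The address 203.0.113.10, the interface names ens3/ens4 and the cluster ids are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): the parts of
# /etc/suricata/suricata.yaml that are normally edited before the first
# start, plus a check that HOME_NET is no longer the stock value.
# Addresses (TEST-NET-3) and interface names are assumptions.

# Constructed fragment for a server whose external address is 203.0.113.10
# on ens3. The copy-mode/copy-iface lines are only needed for AF_PACKET
# inline (IPS) mode, which needs a second interface; for plain IDS on one
# interface leave them out.
SURICATA_FRAGMENT='vars:
  address-groups:
    HOME_NET: "[203.0.113.10/32]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SSH_PORTS: "22"
af-packet:
  - interface: ens3
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: ens4
  - interface: ens4
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: ens3
'

# Print the first uncommented HOME_NET value from a suricata.yaml ($1).
get_home_net() {
    sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Return 0 if HOME_NET was customised, 1 if it is missing, "any", or still
# the stock RFC1918 list. With the stock list a public address is outside
# HOME_NET; with "any" the HOME_NET/EXTERNAL_NET distinction is lost.
home_net_is_customised() {
    hn=$(get_home_net "$1")
    case "$hn" in
        ''|any|'[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]') return 1 ;;
        *) return 0 ;;
    esac
}

tmp=$(mktemp)
printf '%s' "$SURICATA_FRAGMENT" > "$tmp"
if home_net_is_customised "$tmp"; then
    echo "HOME_NET = $(get_home_net "$tmp")"
else
    echo "HOME_NET is still at its default, edit the vars section first" >&2
fi
rm -f "$tmp"

# On the real server, after editing, let Suricata validate the whole file
# (rules included) before starting it:
#   sudo suricata -T -c /etc/suricata/suricata.yaml -v
```

Run the check against /etc/suricata/suricata.yaml instead of the temporary file to test your own configuration; suricata -T is the authoritative check, since it parses the file exactly as the daemon will.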

To complete the setup, you need suricata-update to download and update the rules. Suricata 4.1 and later bundle suricata-update with the engine, so first check with which suricata-update whether it is already on the system; if it is not, installing it is easy:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next, run the suricata-update command to install the Emerging Threats Open ruleset:

sudo suricata-update


To see the list of rule sources, run the following command:

sudo suricata-update list-sources


Update the index of rule sources:

sudo suricata-update update-sources


Review the updated list of sources:

sudo suricata-update list-sources

If you wish, you can enable additional free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, the rules need to be updated again so that the newly enabled sources are downloaded and merged:

sudo suricata-update
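The rule-update steps above end with a merged rule file, but nothing yet confirms that Suricata loads it or alerts on anything. The following is an added example, not part of the original article: it shows where suricata-update puts the merged file and what suricata.yaml must point at, then two small helpers (run here against constructed rule and fast.log lines, labelled as such) that count the active rules and look for a specific sid in fast.log. The sid 2100498 is the ET Open rule that fires on the response of testmynids.org, which is a common way to verify a fresh install; the log line and rule excerpt are constructed to match that rule.

```shell
#!/bin/sh
# Added example (not from the original article): post-update checks for
# the merged rule file and a way to confirm the engine actually alerts.
# Paths are suricata-update defaults; the rule and log lines below are
# constructed samples, not real captures.

# suricata-update writes all enabled rules into one file. If your
# suricata.yaml still lists individual files under /etc/suricata/rules,
# point it at the merged file instead:
#   default-rule-path: /var/lib/suricata/rules
#   rule-files:
#     - suricata.rules
RULES_FILE=/var/lib/suricata/rules/suricata.rules
FAST_LOG=/var/log/suricata/fast.log
TEST_SID=2100498   # ET Open: GPL ATTACK_RESPONSE id check returned root

# Count active rules; suricata-update writes disabled rules commented out.
count_active_rules() {
    grep -cE '^(alert|drop|pass|reject)[[:space:]]' "$1" || true
}

# Return 0 if fast.log ($1) holds an alert for sid $2, 1 otherwise.
fastlog_has_sid() {
    grep -q "\[1:$2:" "$1"
}

# Constructed excerpt of suricata.rules: one disabled rule, one enabled.
SAMPLE_RULES='# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"example disabled rule"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
'
# Constructed fast.log line in the format Suricata writes for that rule.
SAMPLE_FASTLOG='03/14/2019-12:00:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 31.3.245.133:80 -> 203.0.113.10:45312
'

tmp_rules=$(mktemp); tmp_log=$(mktemp)
printf '%s' "$SAMPLE_RULES" > "$tmp_rules"
printf '%s' "$SAMPLE_FASTLOG" > "$tmp_log"
echo "active rules in sample: $(count_active_rules "$tmp_rules")"
fastlog_has_sid "$tmp_log" "$TEST_SID" && echo "sample log contains sid $TEST_SID"
rm -f "$tmp_rules" "$tmp_log"

# On the real server, once suricata.yaml points at $RULES_FILE:
#   echo "active rules: $(count_active_rules "$RULES_FILE")"
#   sudo suricata -T -c /etc/suricata/suricata.yaml -v   # config and rules parse
#   sudo systemctl restart suricata
#   curl -s http://testmynids.org/uid/index.html           # body: uid=0(root) ...
#   fastlog_has_sid "$FAST_LOG" "$TEST_SID" && echo "IDS is alerting"
```

If the rule count is zero or suricata -T reports that no rule files were found, the default-rule-path in suricata.yaml does not match where suricata-update writes; fix that before trusting any silence from the sensor.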

This completes the installation and initial configuration of Suricata on Ubuntu 18.04 LTS. Then the fun begins: in the next article we will connect the virtual server to the office network via VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to stopping DDoS attacks, malware activity and attempts to exploit vulnerabilities in services reachable from public networks. For clarity, the most common types of attacks will be simulated.



Source: www.habr.com
