Suricata 6.0 intrusion detection system released

After a year of development, the OISF (Open Information Security Foundation) has published the release of the Suricata 6.0 network intrusion detection and prevention system, which provides tools for inspecting various kinds of traffic. A Suricata configuration can use the signature database developed by the Snort project as well as the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under the GPLv2 licence.

Major changes:

  • ΠΠ°Ρ‡Π°Π»ΡŒΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° HTTP/2.
  • ΠŸΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² RFB ΠΈ MQTT, Π²ΠΊΠ»ΡŽΡ‡Π°Ρ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ опрСдСлСния ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π° ΠΈ вСдСния Π»ΠΎΠ³Π°.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ вСдСния Π»ΠΎΠ³Π° для ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π° DCERPC.
  • Π—Π½Π°Ρ‡ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΠ΅ ΠΏΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ вСдСния Π»ΠΎΠ³Π° Ρ‡Π΅Ρ€Π΅Π· подсистСму EVE, ΠΎΠ±Π΅ΡΠΏΠ΅Ρ‡ΠΈΠ²Π°ΡŽΡ‰ΡƒΡŽ Π²Ρ‹Π²ΠΎΠ΄ событий Π² Ρ„ΠΎΡ€ΠΌΠ°Ρ‚Π΅ JSON. УскорСниС достигнуто благодаря Π·Π°Π΄Π΅ΠΉΡΡ‚Π²ΠΎΠ²Π°Π½ΠΈΡŽ Π½ΠΎΠ²ΠΎΠ³ΠΎ ΠΏΠΎΡΡ‚Ρ€ΠΎΠΈΡ‚Π΅Π»ΡŒ сток JSON, написанного Π½Π° языкС Rust.
  • ΠŸΠΎΠ²Ρ‹ΡˆΠ΅Π½Π° ΠΌΠ°ΡΡˆΡ‚Π°Π±ΠΈΡ€ΡƒΠ΅ΠΌΠΎΡΡ‚ΡŒ систСмы Π»ΠΎΠ³ΠΎΠ² EVE ΠΈ Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ вСдСния ΠΎΡ‚Π΅Π»ΡŒΠ½ΠΎΠ³ΠΎ Π»ΠΎΠ³-Ρ„Π°ΠΉΠ»Π° Π½Π° ΠΊΠ°ΠΆΠ΄Ρ‹ΠΉ ΠΏΠΎΡ‚ΠΎΠΊ.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ опрСдСлСния условий для сброса свСдСний Π² Π»ΠΎΠ³.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ отраТСния MAC-адрСсов Π² Π»ΠΎΠ³Π΅ EVE ΠΈ ΠΏΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ Π΄Π΅Ρ‚Π°Π»ΠΈΠ·Π°Ρ†ΠΈΠΈ Π»ΠΎΠ³Π° DNS.
  • ΠŸΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ Π΄Π²ΠΈΠΆΠΊΠ° ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ ΠΏΠΎΡ‚ΠΎΠΊΠΎΠ² (flow engine).
  • ΠŸΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΈΠ΄Π΅Π½Ρ‚ΠΈΡ„ΠΈΠΊΠ°Ρ†ΠΈΠΈ Ρ€Π΅Π°Π»ΠΈΠ·Π°Ρ†ΠΈΠΉ SSH (HASSH).
  • РСализация Π΄Π΅ΠΊΠΎΠ΄ΠΈΡ€ΠΎΠ²Ρ‰ΠΈΠΊΠ° Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ GENEVE.
  • На языкС Rust пСрСписан ΠΊΠΎΠ΄ для ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ ASN.1, DCERPC ΠΈ SSH. На Rust Ρ‚Π°ΠΊΠΆΠ΅ Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° Π½ΠΎΠ²Ρ‹Ρ… ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ².
  • Π’ языкС опрСдСлСния ΠΏΡ€Π°Π²ΠΈΠ» Π² ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠΌ словС byte_jump Π΄ΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π° from_end, Π° Π² byte_test β€” ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π° bitmask. Π Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½ΠΎ ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠ΅ слово pcrexform, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡŽΡ‰Π΅Π΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ рСгулярныС выраТСния (pcre) для Π·Π°Ρ…Π²Π°Ρ‚Π° подстроки. Π”ΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΏΡ€Π΅ΠΎΠ±Ρ€Π°Π·ΠΎΠ²Π°Π½ΠΈΠ΅ urldecode. Π”ΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠ΅ слово byte_math.
  • ΠŸΡ€Π΅Π΄ΠΎΡΡ‚Π°Π²Π»Π΅Π½ΠΈΡ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ использования cbindgen для Π³Π΅Π½Π΅Ρ€Π°Ρ†ΠΈΠΈ привязок Π½Π° языках Rust ΠΈ C.
  • Π”ΠΎΠ±Π°Π²Π»Π΅Π½Π° Π½Π°Ρ‡Π°Π»ΡŒΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΠ»Π°Π³ΠΈΠ½ΠΎΠ².
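
To show how the new rule-language keywords combine in practice, a small constructed rule set follows; it is an added example rather than rules shipped with the release or by the Suricata project, and the sids, messages, $HOME_NET usage and matched strings are placeholders chosen for illustration.

```suricata
# Constructed example rules (placeholder sids 9000001-9000004); not from the release notes.
# Each rule exercises one of the keywords that are new in Suricata 6.0.

# urldecode: match on the decoded URI, so "%2e%2e%2f" and "../" are treated alike.
alert http any any -> $HOME_NET any (msg:"EXAMPLE traversal sequence in decoded URI"; \
    flow:established,to_server; http.uri; urldecode; content:"../"; \
    classtype:web-application-attack; sid:9000001; rev:1;)

# pcrexform: the capture group replaces the buffer, so the content match applies
# only to the request path, not to the method or the HTTP version.
alert http any any -> $HOME_NET any (msg:"EXAMPLE request path under /admin/"; \
    flow:established,to_server; http.request_line; \
    pcrexform:"^[A-Z]+\s+(\S+)\s+HTTP"; content:"/admin/"; startswith; \
    sid:9000002; rev:1;)

# byte_test bitmask: AND the first payload byte with 0x0f before comparing.
# The mask has no trailing zero bits, so no right-shift of the masked value applies.
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE low nibble of first byte is 4"; \
    flow:established,to_server; byte_test:1,=,4,0,bitmask 0x0f; sid:9000003; rev:1;)

# byte_math: derive a value from the payload and reuse it in a later byte_test
# (here: the 2-byte field at offset 4 must exceed twice the 2-byte field at offset 2).
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE length field exceeds twice header field"; \
    flow:established,to_server; content:"|01 00|"; depth:2; \
    byte_math:bytes 2, offset 2, oper *, rvalue 2, result limit; \
    byte_test:2,>,limit,4; sid:9000004; rev:1;)
```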

Suricata features:

  • Scan results are output in the Unified2 format, which the Snort project also uses, so standard analysis tools such as barnyard2 can be used. Integration with BASE, Snorby, Sguil and SQueRT is possible. PCAP output is supported;
  • Automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which lets rules operate on the protocol type alone without reference to the port number (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the dedicated HTP library, written by the author of the Mod_Security project, to parse and normalise HTTP traffic. A module is available for keeping a detailed log of HTTP transactions passing through; the log is stored in the standard Apache format. Extraction and checking of files transferred over HTTP is supported. Parsing of compressed content is supported. Identification by URI, cookies, headers, user-agent and request/response body is possible;
  • Support for various traffic capture interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET and PF_RING. Previously saved files in PCAP format can be analysed;
  • High performance: the ability to process flows of up to 10 gigabits/s on ordinary hardware.
  • A high-performance mask-matching mode for large sets of IP addresses. Content selection by mask and by regular expression. Extraction of files from traffic, including identifying them by name, type or MD5 checksum.
  • Variables can be used in rules: information from a flow can be saved and later used in other rules;
  • Configuration files use the YAML format, which keeps them readable while remaining easy to process by machine;
  • Full IPv6 support;
  • A built-in engine for automatic packet defragmentation and reassembly, which ensures correct stream processing regardless of the order in which packets arrive;
  • Support for tunnelling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Support for decoding packets: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • A mode for logging the keys and certificates seen in TLS/SSL connections;
  • Lua scripts can be written for advanced analysis and to implement additional capabilities needed to identify kinds of traffic for which the standard rules are insufficient.

Source: opennet.ru
