Snort or Suricata. Part 2: Installing and initial configuration of Suricata

According to statistics, the volume of network traffic grows by roughly 50% every year. This increases the load on equipment and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive specialised appliances, but there is a cheaper option: installing one of the open-source systems. Many novice administrators find it difficult to install and configure a free IPS. In the case of Suricata this is not entirely true: you can install it and start repelling typical attacks with a set of free rules within a few minutes.

Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your network

Why do we need another open IPS?

Long regarded as the standard, Snort has been in development since the late nineties, so it was originally single-threaded. Over the years all the modern features appeared in it, such as IPv6 support, the ability to analyse application-layer protocols, and a universal data access module.

The core Snort 2.X engine learned to work with multiple cores, but remained single-threaded, so it cannot take full advantage of modern hardware platforms.

The problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to appear on the market. In 2009 it began to be developed precisely as a multi-threaded alternative to Snort, with IPS functionality out of the box. The code is distributed under the GPLv2 licence, but the project's financial partners have access to a closed version of the engine. Some scalability problems surfaced in the first versions of the system, but they were quickly resolved.

Why Suricata?

Suricata has several modules (similar to Snort): capture, collection, decoding, detection and output. By default, captured traffic is processed in a single thread up to decoding, although this loads the system more. If necessary, the threads can be split in the settings and distributed among processors: Suricata is well optimised for specific hardware, although this is no longer HOWTO level for beginners. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. They can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 tunnels, IPv6-in-IPv6 tunnels and others.

Various interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can analyse PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, analysing and processing network packets. It is also important to note that in Suricata traffic is blocked by means of the operating system's standard filter. GNU/Linux offers two modes in which the IPS can operate: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). In the first case, a packet that enters iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata runs it through its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP and NF_REPEAT. The first two are self-explanatory, while the last allows the packet to be marked and sent back to the top of the current iptables table. AF_PACKET mode is faster, but imposes a number of restrictions on the system: it must have two network interfaces and operate as a gateway. A blocked packet is simply not forwarded to the second interface.

An important feature of Suricata is the ability to use developments made for Snort. In particular, the administrator has access to the Sourcefire VRT and OpenSource Emerging Threats rule sets, as well as the commercial Emerging Threats Pro. The unified output can be parsed by popular backends; PCAP and Syslog output are also supported. The system settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognises many protocols, so rules need not be tied to a port number. In addition, the concept of flowbits is actively used in Suricata rules. To track triggering, session variables are used, which allow various counters and flags to be created and applied. Many IDS treat different TCP connections as separate entities and may not see the relationship between them that indicates the start of an attack. Suricata tries to see the whole picture and in many cases recognises malicious traffic spread across different connections. One could talk about its advantages for a long time; it is better to move on to installation and configuration.

How to install?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be executed on behalf of the superuser (root). The safest option is to SSH into the server as a regular user and then use the sudo utility to elevate privileges. First you need to install the packages we will need:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Connect the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the configuration files, replacing eth0 with the real name of the server's external interface. The default settings are stored in the file /etc/default/suricata, and the user settings in /etc/suricata/suricata.yaml. Configuring the IDS is mostly limited to editing this configuration file. It contains many parameters which, by name and purpose, match their counterparts in Snort. The syntax is quite different, however, but the file is much easier to read than Snort configs, and it is well commented.

sudo nano /etc/default/suricata

and

sudo nano /etc/suricata/suricata.yaml

Attention! Before starting, it is important to check the values of the variables in the vars section.
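As an added pre-start check (example code, not part of the original article or of the Suricata project), the script below validates a constructed suricata.yaml fragment: the address groups of the vars section mentioned above, and the interface pairing that AF_PACKET IPS mode requires. The sample YAML, the minimal regex extraction (one key: value per line, af-packet as the last section) and the interface list are assumptions.

```python
import ipaddress
import re
# Constructed fragment of /etc/suricata/suricata.yaml (not the shipped default).
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: eth0
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    copy-mode: ips
    copy-iface: eth0
"""
def address_group(yaml_text, name):
    # Quoted value of one address-group variable, e.g. HOME_NET; None if absent.
    m = re.search(r'^\s+%s:\s*"([^"]*)"' % re.escape(name), yaml_text, re.M)
    return m.group(1) if m else None
def check_vars(yaml_text):
    # Flag HOME_NET left as 'any' or malformed, and EXTERNAL_NET not excluding it.
    problems = []
    home = address_group(yaml_text, "HOME_NET")
    if home is None or home.strip().lower() == "any":
        problems.append("HOME_NET is missing or 'any'")
    else:
        for cidr in home.strip("[]").split(","):
            try:
                ipaddress.ip_network(cidr.strip())
            except ValueError:
                problems.append("HOME_NET has an invalid network: %s" % cidr.strip())
    if address_group(yaml_text, "EXTERNAL_NET") != "!$HOME_NET":
        problems.append("EXTERNAL_NET does not exclude HOME_NET")
    return problems
def check_afpacket_ips(yaml_text, present_ifaces):
    # AF_PACKET IPS (copy-mode: ips) needs two distinct, existing interfaces.
    # Assumes one 'key: value' per line and af-packet as the last top-level section.
    section = yaml_text.split("af-packet:", 1)[1]
    problems = []
    for block in re.split(r'^\s*- ', section, flags=re.M)[1:]:
        entry = dict(re.findall(r'([\w-]+):\s*(\S+)', block))
        if entry.get("copy-mode") != "ips":
            continue
        iface, peer = entry.get("interface"), entry.get("copy-iface")
        if peer is None or peer == iface:
            problems.append("%s has no distinct copy-iface" % iface)
        problems += ["%s is not a present interface" % n for n in (iface, peer) if n and n not in present_ifaces]
    return problems
```

Run check_vars and check_afpacket_ips against the real file content and the output of ip link before the first start; an empty list from both means the two most common beginner mistakes are absent.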

To complete the setup, you will need to install suricata-update to update and load the rules. This is quite easy to do:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

After that, run the suricata-update command to install the Emerging Threats Open rules:

sudo suricata-update

To view the list of rule sources, run the following command:

sudo suricata-update list-sources

Update the rule sources:

sudo suricata-update update-sources

View the updated sources again:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, update the rules again:

sudo suricata-update

This completes the installation and initial configuration of Suricata on Ubuntu 18.04 LTS. Now the interesting part begins: in the next article we will connect the virtual server to the office network via VPN and start analysing all incoming and outgoing traffic. We will pay particular attention to blocking DDoS attacks, malware activity and attempts to exploit vulnerabilities in services exposed to public networks. For clarity, attacks of the most common types will be simulated.

Source: www.habr.com