Suricata 5.0 intrusion detection system released

The OISF (Open Information Security Foundation) has announced the release of Suricata 5.0, a network intrusion detection and prevention system that provides tools for inspecting various types of traffic. Suricata configurations can use the signature database developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project source code is distributed under the GPLv2 license.

Major changes:

  • New modules for parsing and logging the RDP, SNMP and SIP protocols, written in Rust, have been added. The FTP parsing module gained EVE logging, producing event output in JSON format;
  • In addition to the JA3 TLS client fingerprinting method that appeared in the previous release, support for the JA3S method has been added. Based on the characteristics of the connection negotiation and the parameters it specifies, JA3 determines which software is being used to establish the connection (for example, it can identify the use of Tor and other typical applications). JA3 fingerprints clients, while JA3S fingerprints servers. The fingerprinting results can be used in the rule language and in logs;
  • Added the ability to match samples against large data sets, implemented through the new dataset and datarep operations. For example, this functionality is applicable to searching for masks in large lists containing millions of entries;
  • The HTTP inspection mode now provides full coverage of all the cases described in the HTTP Evader test suite (i.e. it covers the techniques used to hide malicious activity in traffic);
  • Tooling for developing modules in Rust has moved from optional to a standard, required dependency. In the future, it is planned to extend the use of Rust in the project code base and gradually replace existing modules with equivalents written in Rust;
  • The protocol detection engine has been improved for better accuracy and handling of asynchronous traffic flows;
  • Support for a new "anomaly" log type has been added to the EVE log; it records atypical events observed while decoding packets. EVE has also expanded the information it reports about VLANs and traffic capture interfaces. An option has been added to store all HTTP headers in EVE http log entries;
  • eBPF-based handlers now support hardware mechanisms for accelerating packet capture. Hardware acceleration is currently limited to Netronome network adapters, but support for other devices is expected soon;
  • The traffic capture code based on the Netmap framework has been rewritten. It now supports advanced Netmap features such as the Vale virtual switch;
  • Support for a new keyword naming scheme for Sticky Buffers has been added. The new scheme takes the form "protocol.buffer"; for example, for inspecting URIs the keyword becomes "http.uri" instead of "http_uri";
  • All Python code used in the project has been verified for compatibility with Python 3;
  • Support for the Tilera architecture, the dns.log log and the old log-json.log files has been discontinued.
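The keyword rename above also changes where the buffer is named in a rule: a legacy modifier such as `http_uri` follows its `content`, while the Suricata 5 sticky buffer `http.uri` precedes it. The following Python is an added example (not Suricata project code) that rewrites legacy rules into the new form; the mappings beyond `http_uri` to `http.uri` and the `pkt_data` reset keyword come from Suricata's rule language rather than from this announcement.

```python
import re

# Legacy modifier -> Suricata 5 sticky buffer. http_uri -> http.uri is the mapping
# the announcement gives; the others follow the same "protocol.buffer" scheme.
LEGACY_TO_STICKY = {
    "http_uri": "http.uri", "http_method": "http.method",
    "http_header": "http.header", "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent", "http_host": "http.host",
}

# One rule option: a run of quoted strings (with backslash escapes) and
# non-';' characters, so a ';' inside content:"a;b" does not split the option.
OPTION_RE = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^;"])+')


def split_options(body):
    """Split the text between the rule's parentheses into individual options."""
    return [o.strip() for o in OPTION_RE.findall(body) if o.strip()]


def convert_rule(rule):
    """Rewrite legacy HTTP modifiers as sticky buffers. A legacy modifier applies
    to the content before it, so the sticky buffer is emitted in front of that
    content; a sticky buffer stays active for later contents, so a following
    content aimed at the raw payload gets 'pkt_data;' to reset the buffer."""
    head, _, tail = rule.partition("(")
    body = tail.rsplit(")", 1)[0]
    groups, current = [], None  # one group per content plus its modifiers
    for opt in split_options(body):
        if opt.startswith("content:"):
            current = [opt]
            groups.append(current)
        elif current is not None:
            current.append(opt)
        else:
            groups.append([opt])  # msg:, flow:, ... before the first content
    out, active = [], None
    for g in groups:
        sticky = [LEGACY_TO_STICKY[o] for o in g if o in LEGACY_TO_STICKY]
        if sticky and sticky[0] != active:
            out.append(sticky[0] + ";")
            active = sticky[0]
        elif not sticky and active and g[0].startswith("content:"):
            out.append("pkt_data;")
            active = None
        out.extend(o + ";" for o in g if o not in LEGACY_TO_STICKY)
    return head + "(" + " ".join(out) + ")"
```

Options such as `pcre` with the legacy `/U` flag and the old `uricontent` keyword are left untouched and still need manual review.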

Suricata features:

  • Use of the Unified2 format, also used by the Snort project, for outputting scan results, which allows standard analysis tools such as barnyard2 to be used. Integration with BASE, Snorby, Sguil and SQueRT is possible. PCAP output is supported;
  • Support for automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), allowing rules to operate on the protocol type alone without reference to a port number (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the specialized HTP library, created by the author of the Mod_Security project, to parse and normalize HTTP traffic. A module is available for keeping a detailed log of HTTP transfers; the log is stored in the standard Apache format. Extracting and inspecting files transferred over HTTP is supported, as is parsing compressed content. Matching can be performed on the URI, Cookie, headers, user agent and request/response body;
  • Support for various traffic interception interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET and PF_RING. Files already saved in PCAP format can also be analyzed;
  • High performance, with throughput of up to 10 gigabits/sec on commodity hardware;
  • A high-performance mask matching mechanism for large sets of IP addresses. Support for selecting content by mask and by regular expression. Extraction of files from traffic, including identifying them by name, type or MD5 checksum;
  • Ability to use variables in rules: information can be saved from a stream and later used in other rules;
  • Use of the YAML format for configuration files, which keeps them readable while remaining easy to process by machine;
  • Full IPv6 support;
  • A built-in engine for automatic defragmentation and packet reassembly, which allows streams to be processed correctly regardless of the order in which packets arrive;
  • Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Support for decoding packets of the following types: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • A mode for logging the keys and certificates that appear within TLS/SSL connections;
  • Ability to write scripts in Lua to provide advanced analysis and implement the additional capabilities needed to identify types of traffic for which standard rules are insufficient.
Source: opennet.ru
