Snort or Suricata. Part 2: Installation and initial setup of Suricata

Statistically, the volume of network traffic grows by about 50% per year. This increases the load on equipment and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive specialized hardware, but there is a cheaper option: deploying one of the open-source systems. Many novice administrators believe that installing and configuring a free IPS is very difficult. In the case of Suricata this is not entirely true: you can install it and start blocking typical attacks with a free ruleset within a few minutes.

Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

Why do we need another open IPS?

Long considered the standard, Snort has been in development since the nineties, so it was originally single-threaded. Over the years it acquired all the modern features, such as IPv6 support, the ability to analyze application-layer protocols, and a universal data access module.

The core Snort 2.X engine learned to work with multiple cores, but it remained single-threaded and therefore cannot take full advantage of modern hardware platforms.

The problem was solved in the third version of the product, but it took so long to prepare that Suricata, written from scratch, managed to appear on the market first. In 2009 it began to be developed precisely as a multi-threaded alternative to Snort, with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners have access to a closed version of the engine. Some scalability problems arose in the first versions of the system, but they were quickly resolved.

Why Suricata?

Suricata has several modules (similar to Snort): capture, acquisition, decoding, detection and output. By default, captured traffic passes through a single thread before decoding, although this loads the system more. If necessary, the threads can be split in the settings and distributed among processors; Suricata is very well optimized for specific hardware, although that is no longer beginner HOWTO material. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. They can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 and IPv6-in-IPv6 tunnels and others.

Different interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can automatically analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements to capture, decode, analyze and process network packets. It is also important to note that in Suricata, traffic is blocked using the operating system's standard filter. On GNU/Linux, two IPS operating options are available: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). In the first case, a packet entering iptables is sent to the NFQUEUE queue, where it can be processed in userspace. Suricata runs it through its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP and NF_REPEAT. The first two are self-explanatory, while the last one allows packets to be marked and sent back to the start of the current iptables table. AF_PACKET mode is faster, but it imposes a number of restrictions on the system: it must have two network interfaces and work as a gateway. A blocked packet is simply not forwarded to the second interface.
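The two Linux IPS hookups just described, as an added example that is not part of the original article: the first helper prints the iptables diversion and the Suricata invocation for NFQ mode (the -q option selects the queue), the second renders the af-packet stanza for suricata.yaml in IPS mode, where each interface names its peer as copy-iface, and refuses to render unless two distinct interfaces are given. Interface names, the queue number and the cluster ids are placeholders chosen here.

```bash
#!/usr/bin/env bash
# Added example for the two GNU/Linux IPS hookups described above; not from the
# original article. Interface names, queue number and cluster ids are placeholders.
set -u

# NFQ mode: divert packets into NFQUEUE so Suricata can return NF_ACCEPT,
# NF_DROP or NF_REPEAT from userspace. Commands are printed rather than run, so
# they can be reviewed and then applied as root; FORWARD covers a gateway,
# INPUT/OUTPUT protect the host itself.
nfq_commands() {
    local queue="${1:-0}"
    cat <<EOF
iptables -I FORWARD -j NFQUEUE --queue-num ${queue}
iptables -I INPUT -j NFQUEUE --queue-num ${queue}
iptables -I OUTPUT -j NFQUEUE --queue-num ${queue}
suricata -c /etc/suricata/suricata.yaml -q ${queue}
EOF
}

# AF_PACKET IPS mode: Suricata sits between two interfaces and copies every
# packet it accepts to the peer interface; a dropped packet is simply never
# copied. Renders the af-packet stanza for suricata.yaml. Each interface lists
# the other as copy-iface, so two distinct interfaces are mandatory.
render_afpacket_ips() {
    local in_if="$1" out_if="$2"
    if [ -z "$in_if" ] || [ -z "$out_if" ] || [ "$in_if" = "$out_if" ]; then
        echo "AF_PACKET IPS mode needs two distinct interfaces" >&2
        return 1
    fi
    cat <<EOF
af-packet:
  - interface: ${in_if}
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: ${out_if}
    use-mmap: yes
  - interface: ${out_if}
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: ${in_if}
    use-mmap: yes
EOF
}

# Usage: ./ips-modes.sh nfq [queue]  |  ./ips-modes.sh afpacket <in-if> <out-if>
case "${1:-}" in
    nfq)      nfq_commands "${2:-0}" ;;
    afpacket) render_afpacket_ips "${2:-}" "${3:-}" ;;
esac
```

For AF_PACKET mode, the rendered stanza replaces the default af-packet section of /etc/suricata/suricata.yaml and Suricata is started with the --af-packet option; for NFQ mode the printed iptables rules are applied as root before Suricata is launched with -q.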

An important feature of Suricata is the ability to use Snort's developments. The administrator has access, in particular, to the Sourcefire VRT and OpenSource Emerging Threats rulesets, as well as Emerging Threats Pro. Unified output can be parsed with popular backends, and output to PCAP and Syslog is also supported. System settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognizes many protocols, so rules do not need to be tied to a port number. In addition, the concept of flowbits is actively used in Suricata rules. Session variables are used to track triggering, allowing you to create and apply various counters and flags. Many IDS treat different TCP connections as separate entities and may not see the relationship between them that indicates the start of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic distributed across different connections. We could talk about its advantages for a long time; better to move on to installation and configuration.

How to install it?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be executed as the superuser (root). The safest option is to connect to the server via SSH as a regular user and then use the sudo utility to elevate privileges. First we need to install the packages we need:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Connect the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the configuration files, replacing the default eth0 with the real name of the server's external interface. Default settings are stored in /etc/default/suricata, and custom settings in /etc/suricata/suricata.yaml. Configuring the IDS is mostly limited to editing this configuration file. It has many parameters that correspond, by name and purpose, to their analogues from Snort. The syntax, however, is completely different, but the file is much easier to read than Snort configs and is well commented.

sudo nano /etc/default/suricata


and

sudo nano /etc/suricata/suricata.yaml


Attention! Before starting, you should check the values of the variables in the vars section.

To complete the setup, you need to install suricata-update to download and update the rules. This is quite easy to do:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next, we need to run the suricata-update command to install the Emerging Threats Open ruleset:

sudo suricata-update


To view the list of rule sources, use the following command:

sudo suricata-update list-sources


Update the rule sources:

sudo suricata-update update-sources


Let's look at the updated sources again:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, you need to update the rules again:

sudo suricata-update
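The steps above collected into one script, as an added example that is not the article's own code. It assumes the Debian/Ubuntu layout the article uses: an IFACE= line in /etc/default/suricata and the stock vars: / address-groups: section in /etc/suricata/suricata.yaml; the sample file contents are constructed here. set_iface performs the eth0 replacement, check_home_net does the vars check the article asks for before starting (HOME_NET must not be "any"), and install_and_update runs the package and ruleset commands only when the script is invoked as root with --install, finishing with suricata -T to validate the resulting configuration before the service is started.

```bash
#!/usr/bin/env bash
# Added helper for the installation and first configuration described above.
# Not from the original article. Assumes the Debian/Ubuntu layout: an IFACE= line
# in /etc/default/suricata and a vars: / address-groups: section in suricata.yaml.
set -u

# Replace the IFACE=... line in a /etc/default/suricata-style file with the real
# external interface name. Refuses to touch a file that has no IFACE line.
set_iface() {
    local file="$1" iface="$2"
    grep -q '^IFACE=' "$file" || { echo "no IFACE= line in $file" >&2; return 1; }
    sed -i "s/^IFACE=.*/IFACE=${iface}/" "$file"
}

# Read the configured interface back.
get_iface() {
    sed -n 's/^IFACE=//p' "$1"
}

# Check the vars section: HOME_NET must name the protected ranges. With "any",
# EXTERNAL_NET ("!$HOME_NET") matches nothing, so direction-aware rules go silent.
check_home_net() {
    local file="$1" value
    value=$(sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*//p' "$file" | head -n 1)
    [ -n "$value" ] || { echo "HOME_NET is not defined in $file" >&2; return 1; }
    case "$value" in
        *any*) echo "HOME_NET is 'any' in $file; set your real ranges" >&2; return 1 ;;
    esac
}

# Constructed sample files (placeholders, not copied from a real host) so the
# helpers can be exercised without root.
write_sample_default() {
    printf 'RUN=yes\nLISTENMODE=af-packet\nIFACE=eth0\nNFQUEUE=0\n' > "$1"
}
write_sample_yaml() {   # $1 = path, $2 = HOME_NET value
    printf 'vars:\n  address-groups:\n    HOME_NET: "%s"\n    EXTERNAL_NET: "!$HOME_NET"\n' "$2" > "$1"
}

# The article's package, repository and rule commands, followed by the interface
# fix, the vars check and a configuration test. Must run as root.
install_and_update() {
    local iface="${1:-eth0}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo $0 --install <iface>)" >&2; return 1; }
    apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool \
        libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev \
        libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin \
        geoip-database geoipupdate apt-transport-https
    add-apt-repository -y ppa:oisf/suricata-stable
    apt-get update
    apt-get -y install suricata
    apt -y install python-pip
    pip install pyyaml
    pip install --pre --upgrade suricata-update
    suricata-update update-sources
    suricata-update enable-source oisf/trafficid
    suricata-update
    set_iface /etc/default/suricata "$iface"
    check_home_net /etc/suricata/suricata.yaml
    suricata -T -c /etc/suricata/suricata.yaml   # test the config, exit non-zero on error
}

case "${1:-}" in
    --install) install_and_update "${2:-eth0}" ;;
    --demo)
        d=$(mktemp); y=$(mktemp)
        write_sample_default "$d"; set_iface "$d" ens3; echo "IFACE is now $(get_iface "$d")"
        write_sample_yaml "$y" any; check_home_net "$y" || echo "HOME_NET=any rejected as expected"
        write_sample_yaml "$y" '[192.168.0.0/16,10.0.0.0/8]'; check_home_net "$y" && echo "HOME_NET ok"
        rm -f "$d" "$y" ;;
esac
```

Running the script with --demo exercises the helpers on the constructed sample files; with --install it performs the real installation, so it is run once, as root, with the server's actual external interface as the second argument.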

At this point, the installation and initial configuration of Suricata on Ubuntu 18.04 LTS can be considered complete. Then the fun begins: in the next article we will connect the virtual server to the office network via VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity, and attempts to exploit vulnerabilities in services reachable from public networks. For clarity, attacks of common types will be simulated.


Source: www.habr.com
