TS Total Sight. An Event Collection, Incident Analysis and Threat Response Automation Tool

Good afternoon. In the previous articles we got acquainted with how the ELK Stack works. Now let's discuss what an information security specialist can actually get out of these systems: which logs can and should be put into Elasticsearch; what statistics you get by setting up dashboards, and whether there is any real benefit in that; how to automate information security processes using the ELK stack. We will also sketch the architecture of the system. Implementing all of this functionality is a very large and heavy piece of work, so the solution was given its own name - TS Total Sight.

Solutions that consolidate and analyze information security incidents in one logical place are rapidly gaining popularity: as a result, the specialist gets statistics and a clear set of actions for improving the organization's information security posture. We set ourselves this task on the ELK stack, and split the main functionality into 4 sections:

  1. Statistics and visualization;
  2. Detection of information security incidents;
  3. Incident prioritization;
  4. Automation of information security processes.

Next we will look at each of them in more detail.

Detection of information security incidents

In our case the main purpose of Elasticsearch is collecting information security incidents, and only those. Incidents can be collected from any security tool that supports at least one log forwarding method; the standard ones are syslog, or scp of a log file.

Typical examples of security tools (and not only security tools) from which log forwarding should be configured:

  1. Any NGFW (Check Point, Fortinet);
  2. Any vulnerability scanner (PT Scanner, OpenVAS);
  3. Web Application Firewall (PT AF);
  4. NetFlow analyzers (Flowmon, Cisco StealthWatch);
  5. AD server.

Once log forwarding and the Logstash configuration files are set up, events from different security tools can be correlated and compared. For this it is convenient to use indices in which we store all incidents related to a specific device: one index per device, holding all of that device's incidents. This split can be implemented in two ways.

The first option is to do it in the Logstash configuration. To do this, events matching certain fields are cloned into a separate event with a different type, and that type is then used further down the pipeline. For example, for logs coming from the IPS blade of a Check Point firewall:

filter {
    if [product] == "SmartDefense" {
        clone {
            clones => ["CloneSmartDefense"]
            add_field => {"system" => "checkpoint"}
        }
    }
}

To store such events in a separate index depending on a log field, for example the destination IP of the attack signature, a similar construct is used (the original had an unbalanced brace and a stray comma in the hosts list; both are fixed here):

output {
    if [type] == "CloneSmartDefense" {
        elasticsearch {
            hosts => ["<IP_address_elasticsearch>:9200"]
            index => "smartdefense-%{dst}"
            user => "admin"
            password => "password"
        }
    }
}

In this way you can store all events in an index per IP address, or per machine domain name. Here we write to the index "smartdefense-%{dst}", i.e. one index per destination IP of the signature.

However, different products have different log fields, which will lead to chaos and unnecessary memory consumption. So you will have to carefully replace the fields in the Logstash configuration with a pre-designed set that is the same for all incident types, which is also a laborious task.

The second option is to write a script or process that accesses the Elasticsearch database in real time, extracts the required incidents and saves them to a new index. This is harder, but it lets you work with the logs however you like and correlate them directly with incidents from other security tools. This option makes log handling as useful as possible for your case, with maximum flexibility, but the problem becomes finding a specialist who can implement it.
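To make the second option (and the "different fields per product" problem of the first) concrete, here is an added example of the core of such a process: it maps raw events from two products onto one common field set and routes each event to a per-destination index, which is what a bulk indexer would then write to Elasticsearch. This is example code written for this article, not TS Total Sight code; the raw field names for the "checkpoint" and "fortinet" events and all sample values are constructed assumptions, not a description of what those products actually emit.

```python
"""Route incidents from several security tools into per-device indices with a
common field schema. Example code; product field names below are assumptions."""
import re
from collections import defaultdict

# Target schema every event is mapped onto before indexing.
COMMON_FIELDS = ("timestamp", "system", "src", "dst", "signature", "action", "severity")

# Per-product mapping: common field -> field name in that product's raw log.
# These source field names are assumptions for the example.
FIELD_MAPS = {
    "checkpoint": {"timestamp": "time", "src": "src", "dst": "dst",
                   "signature": "protection_name", "action": "action", "severity": "severity"},
    "fortinet":   {"timestamp": "eventtime", "src": "srcip", "dst": "dstip",
                   "signature": "attack", "action": "action", "severity": "severity"},
}

# Elasticsearch index names must be lowercase and must not contain these characters.
_BAD_INDEX_CHARS = re.compile(r'[\\/*?"<>| ,#:]')

def index_name(prefix, key):
    """Build a valid index name such as 'smartdefense-10.0.0.5' from a raw key."""
    safe = _BAD_INDEX_CHARS.sub("_", str(key)).lower()
    return f"{prefix}-{safe}"

def normalize(system, raw):
    """Map one raw event onto COMMON_FIELDS; unknown systems raise KeyError."""
    fmap = FIELD_MAPS[system]
    doc = {"system": system}
    for field in COMMON_FIELDS:
        if field == "system":
            continue
        doc[field] = raw.get(fmap.get(field, field))
    return doc

def route(system, raw, prefix):
    """Return (index, normalized_doc) for one event, routed by destination host."""
    doc = normalize(system, raw)
    if not doc["dst"]:
        raise ValueError("event has no destination address, cannot route")
    return index_name(prefix, doc["dst"]), doc

def bulk_body(events, prefix):
    """Group events by target index; this is what a bulk indexer would send."""
    grouped = defaultdict(list)
    for system, raw in events:
        idx, doc = route(system, raw, prefix)
        grouped[idx].append(doc)
    return dict(grouped)

# Constructed sample events: two Check Point IPS logs and one Fortinet IPS log.
SAMPLE_EVENTS = [
    ("checkpoint", {"time": "2024-01-01T10:00:00Z", "src": "198.51.100.7", "dst": "10.0.0.5",
                    "protection_name": "Example.Signature.A", "action": "Detect", "severity": "High"}),
    ("fortinet",   {"eventtime": "2024-01-01T10:00:03Z", "srcip": "198.51.100.7", "dstip": "10.0.0.5",
                    "attack": "Example.Signature.A", "action": "dropped", "severity": "high"}),
    ("checkpoint", {"time": "2024-01-01T10:01:00Z", "src": "203.0.113.9", "dst": "Srv-01.Corp.Local",
                    "protection_name": "Example.Signature.B", "action": "Prevent", "severity": "Medium"}),
]

if __name__ == "__main__":
    for idx, docs in bulk_body(SAMPLE_EVENTS, "ips").items():
        print(idx, len(docs), "doc(s)")
```

The point of normalizing before routing is that the events from both firewalls land in the same index with the same field names, so a single Kibana visualization or correlation query works across vendors; an event without a destination is rejected rather than silently written to an index named after an empty string.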

And so, the most important question: what can actually be correlated and detected?

There are many options here, and they depend on which security tools are used in your infrastructure. A few examples:

  1. The most obvious and, in my opinion, the most interesting option for those who have an NGFW solution and a vulnerability scanner: comparing IPS logs with vulnerability scan results. If an attack was detected (not blocked) by the IPS, and according to the scan results this vulnerability is not closed on the end machine, it is time to sound the alarm, since there is a high probability that the exploit was used.
  2. Many login attempts from one machine to different places may indicate malicious activity.
  3. A user downloads virus files as a result of visiting a large number of potentially dangerous sites.
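The first two correlations above, worked through as an added example (not code from the article or from TS Total Sight): IPS events with a Detect action are matched against open findings from a vulnerability scan, and authentication events are checked for one source reaching many distinct destinations within a sliding window. The mapping from IPS signature to vulnerability id and all sample events are constructed; in a real deployment the mapping comes from the vendor's signature metadata.

```python
"""Two correlations over constructed sample data:
  1. IPS 'Detect' (not blocked) events whose target still has the matching
     vulnerability open in the latest scan.
  2. One source attempting logins to many distinct hosts in a short window.
Example code; SIGNATURE_TO_VULN and the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: which vulnerability each IPS signature exploits.
SIGNATURE_TO_VULN = {"Example.Signature.A": "VULN-EXAMPLE-1"}

def ips_vs_scan(ips_events, scan_results):
    """Alerts for detected-but-not-blocked attacks against hosts whose scan
    still lists the matching vulnerability as open."""
    open_vulns = defaultdict(set)      # host -> set of open vulnerability ids
    for r in scan_results:
        if r["status"] == "open":
            open_vulns[r["host"]].add(r["vuln_id"])
    alerts = []
    for e in ips_events:
        if e["action"].lower() not in ("detect", "detected"):
            continue                   # blocked attacks are not the case we want here
        vuln = SIGNATURE_TO_VULN.get(e["signature"])
        if vuln and vuln in open_vulns[e["dst"]]:
            alerts.append({"host": e["dst"], "signature": e["signature"],
                           "vuln_id": vuln, "src": e["src"],
                           "reason": "attack detected, not blocked, target still vulnerable"})
    return alerts

def login_spray(auth_events, window=timedelta(minutes=10), min_targets=5):
    """Sources that attempted logins to >= min_targets distinct hosts inside
    any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in auth_events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    findings = []
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1             # slide the window start forward
            targets = {dst for _, dst in attempts[start:end + 1]}
            if len(targets) >= min_targets:
                findings.append({"src": src, "targets": len(targets)})
                break                  # one finding per source is enough
    return findings

# Constructed sample input.
IPS_EVENTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "signature": "Example.Signature.A", "action": "Detect"},
    {"src": "198.51.100.7", "dst": "10.0.0.6", "signature": "Example.Signature.A", "action": "Prevent"},
    {"src": "203.0.113.9", "dst": "10.0.0.7", "signature": "Example.Signature.A", "action": "Detect"},
]
SCAN_RESULTS = [
    {"host": "10.0.0.5", "vuln_id": "VULN-EXAMPLE-1", "status": "open"},
    {"host": "10.0.0.7", "vuln_id": "VULN-EXAMPLE-1", "status": "fixed"},
]
AUTH_EVENTS = (
    [{"ts": f"2024-01-01T09:0{i}:00", "src": "10.0.0.50", "dst": f"10.0.1.{i}"} for i in range(6)]
    + [{"ts": "2024-01-01T09:00:00", "src": "10.0.0.51", "dst": "10.0.1.1"}]
)

if __name__ == "__main__":
    print(ips_vs_scan(IPS_EVENTS, SCAN_RESULTS))
    print(login_spray(AUTH_EVENTS))
```

Note that the third IPS event is a Detect against a host whose scan says the vulnerability is already fixed, so it produces no alert: that is exactly the noise this correlation is meant to remove.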

Statistics and visualization

The most obvious and understandable reason to have the ELK Stack is storing and visualizing logs. The previous articles showed how to ingest logs from different devices with Logstash. Once the logs are in Elasticsearch, you can set up dashboards, also covered in the previous articles, with the information and statistics you need.

Examples:

  1. A Threat Prevention events dashboard with the most critical events. Here you can show which IPS signatures were detected and where they originate geographically.
  2. A dashboard on the use of the most critical applications through which information can leak.
  3. Scan results from any security scanner.
  4. Active Directory logs, by user.
  5. A VPN connections dashboard.

If you configure the dashboards to refresh every few seconds, you get a fairly convenient system for monitoring events in real time, which can then be used for the fastest possible response to information security incidents if you put the dashboards on a separate screen.

Incident prioritization

In a large infrastructure the number of incidents can go off the scale, and specialists will not have time to deal with all of them in time. In this case it is necessary, first of all, to highlight only those incidents that carry a serious threat. Therefore the system must prioritize incidents by their severity in relation to your infrastructure. It is advisable to set up e-mail or Telegram alerts for these events. Prioritization can be implemented with standard Kibana tools by setting up visualizations. Notifications are harder: by default this functionality is not included in the basic version of Elasticsearch, only in the paid version. So either buy the paid version or, again, write your own process that notifies specialists in real time by e-mail or Telegram.
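One way such a home-grown prioritization and alerting process can decide what to send, as an added example (not code from the article or from TS Total Sight): each incident is scored from its severity and the business criticality of the target host, the queue is sorted by that score, and an alert gate pages only above a threshold and suppresses repeats of the same host/signature pair for a while. The asset inventory, the weights and the sample events are constructed. Actually delivering the message (SMTP or the Telegram Bot API) is left to the deployment; this block produces the ranked queue and the message text.

```python
"""Prioritize incidents by severity x asset criticality and gate alerts.
Example code; ASSET_CRITICALITY, SEVERITY_WEIGHT and EVENTS are constructed."""

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed asset inventory: business criticality of each destination host.
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.6": 1}   # 3 = crown jewel, 1 = low value
DEFAULT_CRITICALITY = 2                              # unknown hosts: assume medium

def score(event):
    """Priority = severity weight x asset criticality; a detected-only attack
    gets one extra point over a blocked one because nothing stopped it."""
    sev = SEVERITY_WEIGHT.get(event["severity"].lower(), 1)
    crit = ASSET_CRITICALITY.get(event["dst"], DEFAULT_CRITICALITY)
    not_blocked = 1 if event["action"].lower() == "detect" else 0
    return sev * crit + not_blocked

def prioritize(events):
    """Return copies of the events sorted from most to least urgent, with
    the computed priority attached."""
    ranked = [dict(e, priority=score(e)) for e in events]
    ranked.sort(key=lambda e: e["priority"], reverse=True)
    return ranked

class AlertGate:
    """Decide whether an event should page someone: above threshold and not a
    repeat of the same (host, signature) within the suppression window.
    Times are epoch seconds so the gate is easy to test and schedule."""
    def __init__(self, threshold=9, suppress_seconds=3600):
        self.threshold = threshold
        self.suppress = suppress_seconds
        self._last_sent = {}

    def should_alert(self, event, now):
        if event["priority"] < self.threshold:
            return False
        key = (event["dst"], event["signature"])
        last = self._last_sent.get(key)
        if last is not None and now - last < self.suppress:
            return False               # already paged for this pair recently
        self._last_sent[key] = now
        return True

def format_alert(event):
    """Plain-text body suitable for a mail or chat notification."""
    return (f"[P{event['priority']}] {event['severity'].upper()} {event['signature']} "
            f"{event['src']} -> {event['dst']} action={event['action']}")

# Constructed sample events.
EVENTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "signature": "Example.Signature.A",
     "severity": "High", "action": "Detect"},
    {"src": "198.51.100.7", "dst": "10.0.0.6", "signature": "Example.Signature.A",
     "severity": "High", "action": "Detect"},
    {"src": "203.0.113.9", "dst": "10.0.0.9", "signature": "Example.Signature.B",
     "severity": "Low", "action": "Prevent"},
]

if __name__ == "__main__":
    gate = AlertGate()
    for e in prioritize(EVENTS):
        if gate.should_alert(e, now=0.0):
            print(format_alert(e))
```

The same High/Detect signature scores 10 against the crown-jewel host and only 4 against the low-value one, so only the first is paged; without the suppression window, a noisy signature would send the same page every polling cycle.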

Automation of information security processes

One of the most interesting parts is automating the response to information security incidents. Previously we implemented this functionality for Splunk; you can read a little more about it in that article. The main idea is that IPS policy is almost never tested or optimized, even though in some cases it is a critical part of information security processes. For example, a year after deploying an NGFW without any IPS tuning, you will have accumulated a large number of signatures with the Detect action, which are never blocked, which greatly weakens the organization's information security posture. Below are examples of what can be automated:

  1. Switching an IPS signature from Detect to Prevent. If Prevent is not active on critical signatures, that is abnormal and a serious gap in the protection system, so we change the action in the policy for such signatures. This can be implemented if the NGFW has REST API functionality. It does require programming skills: you need to pull the necessary information from Elasticsearch and make API requests to the NGFW management server.
  2. If many signatures were detected or blocked in network traffic from one IP address, it makes sense to temporarily block this IP address in the firewall policy. The implementation again consists of using the REST API.
  3. Running a scan of a host with the vulnerability scanner if that host has a large number of IPS signatures or other security tool events. If the scanner is OpenVAS, you can write a script that connects to the scanner via ssh and starts the scan.
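The decision logic behind those three automations, as an added example written as a dry-run planner (not TS Total Sight code): an Elasticsearch aggregation body that finds the signatures most often seen in Detect mode, a planner that turns recent events into proposed actions, and a temporary block list with expiry so that an automatically blocked source is unblocked again. The query body uses standard Elasticsearch query DSL (bool/filter/term/range/terms); the field names `signature`, `action`, `src`, `dst`, `@timestamp` and the thresholds are assumptions, and the sample events are constructed. Sending the change to the NGFW management server or triggering the scanner is deliberately left outside this block: the planner returns the actions so they can be reviewed or handed to the vendor's own API client.

```python
"""Dry-run planner for the three IPS/NGFW automations: Detect -> Prevent,
temporary source block, targeted vulnerability scan. Example code; field
names, thresholds and sample events are assumptions."""
from collections import Counter

def top_detected_signatures_query(hours=24, size=20):
    """Elasticsearch aggregation body: signatures most often seen with action
    Detect in the last N hours. Field names are assumptions."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"action": "Detect"}},
            {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
        ]}},
        "aggs": {"by_signature": {"terms": {"field": "signature", "size": size}}},
    }

class TempBlockList:
    """Temporary source blocks with expiry, so the firewall rule is lifted
    again instead of accumulating forever. Times are epoch seconds."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._expires = {}

    def block(self, ip, now):
        self._expires[ip] = now + self.ttl

    def expired(self, now):
        """Return and forget every IP whose block should be lifted now."""
        done = [ip for ip, t in self._expires.items() if t <= now]
        for ip in done:
            del self._expires[ip]
        return done

    def active(self):
        return sorted(self._expires)

def plan_actions(events, now, blocklist, detect_threshold=3, src_threshold=5, host_threshold=4):
    """Turn recent IPS events into a list of proposed (action, target, count)."""
    detect_count = Counter(e["signature"] for e in events if e["action"] == "Detect")
    per_src = Counter(e["src"] for e in events)
    per_host = Counter(e["dst"] for e in events)
    actions = []
    for sig, n in detect_count.items():
        if n >= detect_threshold:                  # 1. signature only detects, never prevents
            actions.append(("set_prevent", sig, n))
    for src, n in per_src.items():
        if n >= src_threshold and src not in blocklist.active():   # 2. noisy source
            blocklist.block(src, now)
            actions.append(("block_src_temporarily", src, n))
    for host, n in per_host.items():
        if n >= host_threshold:                    # 3. host attracting many signatures
            actions.append(("run_vuln_scan", host, n))
    return actions

# Constructed sample: six events from one noisy source, four of them only detected.
EVENTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "signature": "Example.Signature.A", "action": "Detect"}
    for _ in range(4)
] + [
    {"src": "198.51.100.7", "dst": "10.0.0.6", "signature": "Example.Signature.B", "action": "Prevent"},
    {"src": "198.51.100.7", "dst": "10.0.0.6", "signature": "Example.Signature.B", "action": "Prevent"},
]

if __name__ == "__main__":
    bl = TempBlockList(ttl_seconds=600)
    for action in plan_actions(EVENTS, now=0, blocklist=bl):
        print(action)
    print("lift blocks for:", bl.expired(now=700))
```

Running the planner a second time while the block is still active does not propose the same block again, and the expiry list is what a scheduled job would feed back to the firewall API to remove the rule; both are easy to forget when the automation is written as a one-shot script.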


TS Total Sight

All in all, implementing all of this functionality is a very large and difficult task. Without programming skills you can still configure the minimum functionality, which may be enough for production use. But if you are interested in the full functionality, take a look at TS Total Sight. More details are available on our website. The overall scheme of operation and architecture looks like this:


Conclusion

We have looked at what can be implemented with the ELK Stack. In the following articles we will look separately at the functionality of TS Total Sight as a whole!

So stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com
