Umbutho OISF (iSiseko soKhuseleko loLwazi oluVulekileyo) ukukhululwa kwenkqubo yokubona ukungena kwenethiwekhi kunye nokuthintela , ebonelela ngezixhobo zokuhlola iintlobo ezahlukeneyo zezithuthi. Kuqwalaselo lweSuricata lunokwenzeka ukuba lusetyenziswe , ephuhliswe yiprojekthi yeSnort, kunye neeseti zemithetho ΠΈ . Imithombo yeprojekthi ilayisenisi phantsi kwe-GPLv2.
Utshintsho oluphambili:
- Iimodyuli ezintsha zokwahlulahlula kunye nokugawulwa kweeprothokholi ziye zaziswa
I-RDP, i-SNMP kunye ne-SIP ebhalwe kwi-Rust. Ukukwazi ukungena nge-subsystem ye-EVE yongezwe kwimodyuli ye-FTP yokwahlulahlula, ukubonelela ngemveliso yesiganeko kwifomathi ye-JSON; - Ukongeza kwinkxaso ye-JA3 TLS yokuchonga umxhasi wendlela evele ekukhululweni kokugqibela, inkxaso yendlela. , Ngokusekwe kwiimpawu zothethathethwano lonxibelelwano kunye neeparamitha ezichaziweyo, misela ukuba yeyiphi isoftware esetyenziselwa ukuseka uqhagamshelo (umzekelo, ikuvumela ukuba umisele ukusetyenziswa kweTor kunye nezinye iinkqubo eziqhelekileyo). I-JA3 ikuvumela ukuba uchaze abathengi, kwaye i-JA3S ikuvumela ukuba uchaze iiseva. Iziphumo zokumisela zingasetyenziswa kulwimi lokumisela umthetho nakwilogi;
- Ukongezwa amandla okulinga ukudibanisa iisampulu kwiiseti ezinkulu zedatha, eziphunyezwe kusetyenziswa imisebenzi emitsha . Umzekelo, uphawu luyasebenza ekukhangeleni iimaski kuludwe olukhulu olumnyama oluqulethe izigidi zamangeno;
- Imowudi yokuhlola i-HTTP ibonelela ngokugubungela ngokupheleleyo zonke iimeko ezichazwe kwi-suite yovavanyo (umz., igubungela iindlela ezisetyenziswayo ukufihla izenzo ezikhohlakeleyo kwizithuthi);
- Izixhobo zokuphuhlisa iimodyuli kulwimi lweRust zikhutshiwe ukusuka kwiinketho ukuya kwizakhono ezisemgangathweni ezinyanzelekileyo. Kwixesha elizayo, kucwangciswe ukwandisa ukusetyenziswa kweRust kwisiseko sekhowudi yeprojekthi kunye nokutshintsha ngokuthe ngcembe iimodyuli ezine-analogues eziphuhliswe kwiRust;
- I-injini yenkcazo yeprotocol iphuculwe ukuphucula ukuchaneka kunye nokusingatha ukuhamba kwe-asynchronous traffic;
- Inkxaso yohlobo olutsha lokungena "olungaqhelekanga" longezwe kwi-log ye-EVE, egcina iziganeko ezingaqhelekanga ezifunyenweyo xa kuchithwa iipakethi. I-EVE ikwandise ukuboniswa kolwazi malunga neVLAN kunye ne-traffic captures interfaces. Inketho eyongeziweyo yokugcina zonke iiheader zeHTTP kwi-EVE http amangeno elogi;
- Abaphangi abasekwe kwi-eBPF babonelela ngenkxaso kwiindlela zehardware zokukhawulezisa ukuthathwa kwepakethi. Ukukhawuleza kwe-Hardware okwangoku kukhawulelwe kwiiadaptha zenethiwekhi ye-Netronome, kodwa kungekudala ziya kufumaneka kwezinye izixhobo;
- Ikhowudi yokubamba i-traffic usebenzisa isakhelo se-Netmap ibhalwe kwakhona. Yongezwe ukukwazi ukusebenzisa iimpawu eziphambili zeNetmap ezinjengokutshintsha okubonakalayo ;
- inkxaso yenkqubo entsha yenkcazo yegama elingundoqo lee-Sticky Buffers. Iskimu esitsha sichazwe kwifomathi ye "protocol.buffer", umzekelo, ukuhlola i-URI, igama elingundoqo liya kuthatha ifom "http.uri" endaweni ye "http_uri";
- Yonke ikhowudi yePython esetyenzisiweyo ivavanyelwa ukuhambelana nayo
iPython3; - Inkxaso yoyilo lweTilera, ilog yokubhaliweyo dns.log kunye nefayile yelog endala-json.log iye yanqunyanyiswa.
Iimpawu zeSuricata:
- Ukusebenzisa ifomathi emanyeneyo ukubonisa iziphumo zokuskena , isetyenziswe kwakhona yiprojekthi ye-Snort, evumela ukusetyenziswa kwezixhobo zokuhlalutya eziqhelekileyo ezifana . Amathuba okudibanisa kunye ne-BASE, i-Snorby, i-Sguil kunye neemveliso ze-QUeRT. Inkxaso yemveliso yePCAP;
- Inkxaso yokufunyanwa ngokuzenzekelayo kweprotocol (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, njl.), ikuvumela ukuba usebenze ngemithetho kuphela ngohlobo lweprotocol, ngaphandle kokubhekisela kwinombolo yezibuko (umzekelo, ibhloko yeHTTP traffic kwizibuko elingekho mgangathweni) . Ukufumaneka kwee-decoder ze-HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP kunye ne-SSH protocol;
- Inkqubo enamandla yohlalutyo lwendlela ye-HTTP esebenzisa ithala leencwadi elikhethekileyo le-HTP elenziwe ngumbhali weprojekthi ye-Mod_Security ukuhlaziya kunye nokuqhelanisa i-traffic ye-HTTP. Imodyuli iyafumaneka ukuze kugcinwe ilog eneenkcukacha yokudluliselwa kweHTTP; ilog igcinwa kwifomati eqhelekileyo
Apache. Ukufumana kunye nokujonga iifayile ezithunyelwa nge-HTTP kuyaxhaswa. Inkxaso yokwahlulahlula umxholo ocinezelweyo. Ukukwazi ukuchonga nge-URI, i-Cookie, ii-headers, umsebenzisi-arhente, isicelo / umzimba wokuphendula; - Inkxaso yojongano olwahlukeneyo longenelelo lwetrafikhi, kuquka iNFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. Kunokwenzeka ukuhlalutya iifayile esele zigcinwe kwifomathi yePCAP;
- Ukusebenza okuphezulu, ukukwazi ukuqhubela phambili ukuya kwiigigabhithi ezili-10 / isekhondi kwizixhobo eziqhelekileyo.
- Umgangatho ophezulu wokuthelekisa imaski indlela yeeseti ezinkulu zeedilesi ze-IP. Inkxaso yokukhetha umxholo ngemaski kunye neenkcazo eziqhelekileyo. Ukwahlula iifayile kwi-traffic, kubandakanywa ukuchongwa kwazo ngegama, uhlobo okanye i-MD5 checksum.
- Ukukwazi ukusebenzisa izinto eziguquguqukayo kwimigaqo: ungagcina ulwazi oluvela kumlambo kwaye kamva uyisebenzise kweminye imithetho;
- Ukusetyenziswa kwefomathi ye-YAML kwiifayile zoqwalaselo, ekuvumela ukuba ugcine ukucaca ngelixa kulula ukwenza umatshini;
- Inkxaso ye-IPv6 epheleleyo;
- I-injini eyakhelwe-ngaphakathi yokuchithwa ngokuzenzekelayo kunye nokuhlanganiswa kwakhona kweepakethi, okuvumela ukulungiswa okuchanekileyo kwemijelo, kungakhathaliseki ukuba iipakethi zifika njani;
- Inkxaso yeeprotocol ze-tunneling: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
- Ukuxhaswa kwePacket decoding: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
- Imowudi yamaqhosha okuloga kunye nezatifikethi ezibonakala ngaphakathi koqhagamshelwano lwe-TLS/SSL;
- Ikhono lokubhala izikripthi kwi-Lua ukubonelela ngohlalutyo oluphambili kunye nokuphumeza izakhono ezongezelelweyo ezifunekayo ukuchonga iintlobo zezithuthi apho imithetho esemgangathweni ayanele.
umthombo: opennet.ru