Ukukhutshwa kwenkqubo yokubamba, ukugcina kunye nesalathisi iipakethi zenethiwekhi i-Arkime 5.0 ishicilelwe, ibonelela ngezixhobo zokuvavanya ngokubonakalayo ukuhamba kwezithuthi kunye nokukhangela ulwazi olunxulumene nomsebenzi wenethiwekhi. Le projekthi yaphuhliswa ekuqaleni yi-AOL ngenjongo yokudala ukutshintshwa okuvulekileyo kwiiplatifomu zokuthengisa iipakethi zenethiwekhi ezixhasa ukuthunyelwa kwiiseva zayo kwaye zikwazi ukulinganisa ukucubungula i-traffic ngesantya samashumi eegigabhithi ngomzuzwana. Ikhowudi yecandelo lokubamba i-traffic ibhalwe kwi-C, kwaye i-interface iphunyezwe kwi-Node.js/JavaScript. Ikhowudi yomthombo isasazwa phantsi kwelayisensi ye-Apache 2.0. Ixhasa umsebenzi kwiLinux kunye neFreeBSD. Iiphakheji esele zenziwe zilungiselelwe iArch Linux, RHEL/CentOS kunye noBuntu.
I-Arkime ibandakanya izixhobo zokubamba kunye ne-indexing PCAP traffic, kwaye ikwabonelela ngezixhobo zokufikelela ngokukhawuleza kwidatha enesalathisi. Ukusetyenziswa kwefomathi ye-PCAP esemgangathweni yenza lula kakhulu ukudibanisa kunye nabahlalutyi bezithuthi abakhoyo njenge-Wireshark. Umthamo wedatha egciniweyo ulinganiselwe kuphela ngobungakanani bediski ekhoyo. Imetadata yeseshoni ifakwe kwisalathisi kwi-cluster esekwe kwi-Elasticsearch okanye kwi-injini ye-OpenSearch. Icandelo le-traffic capture component lisebenza kwimodi ye-multi-threaded kunye nokusombulula imisebenzi yokubeka iliso, ukubhala i-PCAP yokulahla i-disk, ukucazulula iipakethi ezifakiwe kunye nokuthumela i-metadata malunga neeseshoni (i-SPI, ukuhlolwa kwepakethi esemthethweni) kunye neeprotocol kwi-cluster ye-Elasticsearch / OpenSearch. Kuyenzeka ukugcina iifayile zePCAP kwifom efihliweyo.
Ukuhlalutya ulwazi oluqokelelweyo, i-interface yewebhu inikezelwa evumela ukuba uhambe, ukhangele kwaye ukhuphe iisampuli. Ujongano lwewebhu lubonelela ngeendlela ezininzi zokujonga - ukusuka kwiinkcukacha-manani ngokubanzi, iimephu zoqhagamshelo kunye neegrafu ezibonakalayo ezinedatha malunga nokutshintsha komsebenzi womnatha ukuya kwizixhobo zokufunda iiseshoni zomntu ngamnye, ukuhlalutya umsebenzi kumxholo wemigaqo esetyenziswayo kunye nokwahlulahlula idatha kwi-PCAP yokulahla. I-API iphinde ibonelelwe evumela ukuba uthumele idatha malunga neepakethi ezithathiweyo kwifomathi ye-PCAP kunye neeseshoni ezichithwe kwifomathi ye-JSON kwizicelo zomntu wesithathu.
Kwinguqulelo entsha:
- Kongezwe ukukwazi ukuthumela izicelo zokukhangela ezidityanisiweyo zolwazi ngenkonzo ye-Cont3xt ukuqokelela ulwazi olufumaneka kwimithombo eyahlukeneyo evulekileyo (OSINT) ngaxeshanye malunga nezinto ezininzi.
- Inkxaso eyongeziweyo ye-JA4 kunye ne-JA4 + iindlela ze-traffic fingerprinting ukuchonga iiprothokholi zenethiwekhi kunye nezicelo.
- Uyilo lwebhloko kunye nolwazi olucacileyo malunga neseshoni luye lwatshintshwa, olunciphisa indawo engasetyenziswanga kwaye luphumeza ukuhlelwa kweekholamu ezimbini kwizikrini ezinkulu.
- Iibhloko ezilahlayo zongezwe kwiiFayile, iMbali kunye neeTati tabs zokukhangela ngaxeshanye kwiimeko ezininzi zojongano lweenkcukacha-manani (umbonisi).
- Inkqubo yogunyaziso iye yadityaniswa kwaye yahlulwa yaba yimodyuli eyahlukileyo, esetyenziswa ngoku kuzo zonke izicelo ze-Arkime. Endaweni yendlela yogunyaziso engaziwa, indlela yokugaya isetyenziswa ngokungagqibekanga. Iindlela zogunyaziso ezitsha zongeziwe: isiseko, ifom, isiseko+ifomu, isiseko+i-oidc, i-headerKuphela, i-header+digest kunye ne-header+esisiseko.
- Zonke izicelo zikhutshelwe kwindlela esezantsi yoqwalaselo edityanisiweyo exhasa izicwangciso zokucwangcisa kwiifomati ezahlukeneyo (ini, json, yaml) kwaye iyakwazi ukulayisha izicwangciso ezivela kwimithombo eyahlukeneyo, umzekelo, ukusuka kwidisk, phezu komsebenzi womnatha ngeHTTPS okanye kwiOpenSearch/Elasticsearch. .
- Inkxaso eyongeziweyo yokungenisa okugciniweyo (ngaphandle kwe-intanethi) i-PCAP yokulahla kunye nokukhuphela nge-URL nge-HTTPS okanye kwi-Amazon S3 yokugcina, ngaphandle kwesidingo sokuqala ukugcina kwinkqubo yendawo.
umthombo: opennet.ru