After a year of development, the OISF (Open Information Security Foundation)
Key changes:
- Initial support for HTTP/2.
- Support for the RFB and MQTT protocols, including protocol detection and logging.
- Logging for the DCERPC protocol.
- A significant performance improvement for logging through the EVE subsystem, which emits events in JSON format. The speed-up comes from a new JSON string builder written in Rust.
- Improved scalability of the EVE logging system, and the ability to write a separate log file per thread.
- The ability to define conditions under which records are written to the log (conditional logging).
- MAC addresses can now be included in the EVE log, and the DNS log is more detailed.
- Improved performance of the flow engine.
- Support for identifying SSH implementations (HASSH).
- A decoder for GENEVE tunnels.
- The code for handling ASN.1, DCERPC and SSH has been rewritten in Rust. Support for the new protocols is also implemented in Rust.
- In the rule language, the byte_jump keyword gained a from_end parameter and byte_test gained a bitmask parameter. A pcrexform keyword was added, which uses a regular expression (pcre) to capture a substring. A urldecode transform was added. A byte_math keyword was added.
- cbindgen can now be used to generate the bindings between Rust and C.
- Initial plugin support was added.
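The EVE-related items above (per-thread log files, MAC addresses in events, more detailed DNS records) change what a consumer of the log has to handle: several files that must be merged back into one timeline, and new fields to join on. The following Python is an added example of such a consumer; it is not code from the page or from the Suricata project. The sample records are constructed inline, and the field layout it relies on (a top-level `event_type`, an `ether` object carrying `src_mac`/`dest_mac`, a version-2 `dns` object with an `answers` list) is this example's assumption about the EVE JSON schema, to be checked against the schema of the Suricata build actually in use.

```python
import json
import heapq
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines standing in for two per-thread EVE files
# (e.g. eve.0.json and eve.1.json). Not real Suricata output; the field layout
# is an assumption about the EVE JSON schema. One line is deliberately broken
# to show that a malformed record must not abort the whole import.
THREAD_FILE_0 = [
    '{"timestamp":"2020-10-09T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.7","proto":"TCP","ether":{"src_mac":"02:00:00:00:00:05","dest_mac":"02:00:00:00:00:01"},'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED outbound test","severity":2}}',
    '{"timestamp":"2020-10-09T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.53","proto":"UDP","ether":{"src_mac":"02:00:00:00:00:05","dest_mac":"02:00:00:00:00:53"},'
    '"dns":{"version":2,"type":"answer","rrname":"example.test","rcode":"NOERROR",'
    '"answers":[{"rrname":"example.test","rrtype":"A","ttl":60,"rdata":"203.0.113.7"}]}}',
    'this line is deliberately malformed',
]
THREAD_FILE_1 = [
    '{"timestamp":"2020-10-09T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.9",'
    '"dest_ip":"203.0.113.7","proto":"TCP","ether":{"src_mac":"02:00:00:00:00:09","dest_mac":"02:00:00:00:00:01"},'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED outbound test","severity":2}}',
    '{"timestamp":"2020-10-09T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.7","proto":"TCP","ether":{"src_mac":"02:00:00:00:00:05","dest_mac":"02:00:00:00:00:01"},'
    '"alert":{"signature_id":1000002,"signature":"CONSTRUCTED second test","severity":1}}',
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_file(lines):
    """Parse one EVE file (one JSON object per line).

    Returns (events, bad_line_count). Malformed lines are counted and skipped
    rather than raising, so a truncated record cannot hide later alerts.
    """
    events, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        # Keep a parsed timestamp for ordering; EVE timestamps carry a UTC offset.
        event["_ts"] = datetime.strptime(event["timestamp"], TS_FORMAT)
        events.append(event)
    return events, bad


def merge_threaded(files):
    """Merge several per-thread EVE files back into one oldest-first timeline.

    Each thread writes its own file in order, so a k-way merge on timestamp
    restores the global order without sorting everything in memory.
    """
    parsed = [parse_eve_file(f)[0] for f in files]
    return list(heapq.merge(*parsed, key=lambda e: e["_ts"]))


def alerts_by_src_mac(events):
    """Count alerts per source MAC, which survives DHCP address churn."""
    return Counter(
        e["ether"]["src_mac"]
        for e in events
        if e.get("event_type") == "alert" and "ether" in e
    )


def dns_resolutions(events):
    """Map each answered name to the set of A/AAAA addresses seen for it."""
    seen = defaultdict(set)
    for e in events:
        if e.get("event_type") != "dns" or e["dns"].get("type") != "answer":
            continue
        for answer in e["dns"].get("answers", []):
            if answer.get("rrtype") in ("A", "AAAA"):
                seen[answer["rrname"]].add(answer["rdata"])
    return dict(seen)


def alerts_with_dns_context(events):
    """Walk the merged timeline and tag each alert with the name that most
    recently resolved to its destination IP (None if no earlier answer).

    This is why the per-thread files must be merged first: an answer logged by
    another thread would otherwise be seen out of order.
    """
    last_name_for_ip = {}
    tagged = []
    for e in events:
        kind = e.get("event_type")
        if kind == "dns" and e["dns"].get("type") == "answer":
            for answer in e["dns"].get("answers", []):
                if answer.get("rrtype") in ("A", "AAAA"):
                    last_name_for_ip[answer["rdata"]] = answer["rrname"]
        elif kind == "alert":
            tagged.append((e["timestamp"], e["alert"]["signature_id"],
                           e["dest_ip"], last_name_for_ip.get(e["dest_ip"])))
    return tagged


if __name__ == "__main__":
    timeline = merge_threaded([THREAD_FILE_0, THREAD_FILE_1])
    print("alerts per source MAC:", alerts_by_src_mac(timeline))
    print("DNS resolutions:", dns_resolutions(timeline))
    for row in alerts_with_dns_context(timeline):
        print("alert:", row)
```

With real files, replace the two lists with `open(path)` handles; `parse_eve_file` iterates lazily over whatever it is given. The `_ts` key is added only in memory and is not written back anywhere.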
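The rule-language item above mentions two buffer transforms, urldecode and pcrexform, whose effect on a content match is easy to misjudge. The Python below is an added example that models that behaviour in plain code; it is not Suricata's implementation, and the page itself shows no rule syntax. Its assumptions: urldecode replaces `%HH` sequences with their byte value and `+` with a space, and pcrexform replaces the buffer with the first capture group of the given regex (an empty buffer if nothing matches). byte_jump's from_end, byte_test's bitmask and byte_math are not modelled.

```python
import re
from urllib.parse import unquote_plus


def urldecode(buf: str) -> str:
    """Model of the urldecode transform: %HH -> byte, '+' -> space (assumption)."""
    return unquote_plus(buf)


def pcrexform(buf: str, pattern: str) -> str:
    """Model of the pcrexform transform: the buffer becomes the first capture
    group of `pattern`, or the empty string when there is no match or no group.
    """
    match = re.search(pattern, buf)
    if match is None or match.lastindex is None:
        return ""
    return match.group(1) or ""


def apply_transforms(buf: str, transforms):
    """Apply a sequence of ("urldecode",) / ("pcrexform", regex) steps in order.

    Order matters: decoding before capturing and capturing before decoding can
    yield different buffers, which is the usual source of missed matches.
    """
    for step in transforms:
        name = step[0]
        if name == "urldecode":
            buf = urldecode(buf)
        elif name == "pcrexform":
            buf = pcrexform(buf, step[1])
        else:
            raise ValueError(f"unknown transform {name!r}")
    return buf


def rule_matches(buf: str, content: str, transforms=(), nocase=False) -> bool:
    """A content match evaluated against the transformed buffer."""
    haystack = apply_transforms(buf, transforms)
    if nocase:
        return content.lower() in haystack.lower()
    return content in haystack


if __name__ == "__main__":
    # Constructed request URI with percent-encoded path separators.
    uri = "/files?name=..%2F..%2Fetc%2Fpasswd"
    # Without the transform the literal "../" never appears in the buffer.
    print("raw match:     ", rule_matches(uri, "../"))
    # With urldecode applied first the same content keyword fires.
    print("decoded match: ", rule_matches(uri, "../", [("urldecode",)]))

    # Constructed request line: capture the target, then decode it.
    request_line = "GET /login?user=%61dmin HTTP/1.1"
    steps = [("pcrexform", r"^\w+\s+(\S+)"), ("urldecode",)]
    print("captured path: ", apply_transforms(request_line, steps))
```

The `rule_matches` helper is the detection-side lesson: the same `content` keyword misses the encoded URI and hits the decoded one, so the transform, not a longer pattern, is what closes the gap.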
Suricata features:
- Use of the unified Unified2 format for reporting scan results, also used by the Snort project, which allows standard analysis tools such as barnyard2 to be used. Integration is possible with BASE, Snorby, Sguil and SQueRT. PCAP output is supported.
- Automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which lets rules operate on the protocol type alone, without being tied to a port number (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols.
- A powerful HTTP traffic analysis system built on the dedicated HTP library, written by the author of the Mod_Security project, to parse and normalize HTTP traffic. A module is available for keeping a detailed log of HTTP transfers; the log is saved in the standard Apache format. Extraction and inspection of files transferred over HTTP is supported, as is parsing of compressed content. Matching is possible on URI, Cookie, headers, User-Agent, and request/response body.
- Support for a range of traffic capture interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET and PF_RING. Files already saved in PCAP format can also be analysed.
- High performance, with the ability to process flows of up to 10 gigabits per second on ordinary hardware.
- A high-performance mechanism for mask matching against large sets of IP addresses. Content can be selected by mask and by regular expression. Files can be extracted from traffic and identified by name, type or MD5 checksum.
- Variables can be used in rules: information from one stream can be stored and later used in other rules.
- The YAML format is used for configuration files, which keeps them readable while remaining easy to process by machine.
- Full IPv6 support.
- A built-in engine for automatic defragmentation and reassembly of packets, which ensures correct processing of streams regardless of the order in which packets arrive.
- Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE.
- Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN.
- A mode for logging the keys and certificates seen within TLS/SSL connections.
- Scripts can be written in Lua to provide advanced analysis and implement the additional capabilities needed to identify kinds of traffic for which standard rules are not enough.
source: opennet.ru