Release of the Suricata 6.0 intrusion detection system

After a year of development, the OISF (Open Information Security Foundation) has published the release of the Suricata 6.0 network intrusion detection and prevention system, which provides tools for inspecting various kinds of traffic. Suricata configurations can use the signature database developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets. The project's source code is distributed under the GPLv2 licence.

Main changes:

  • ΠΠ°Ρ‡Π°Π»ΡŒΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° HTTP/2.
  • ΠŸΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² RFB ΠΈ MQTT, Π²ΠΊΠ»ΡŽΡ‡Π°Ρ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ опрСдСлСния ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π° ΠΈ вСдСния Π»ΠΎΠ³Π°.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ вСдСния Π»ΠΎΠ³Π° для ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π° DCERPC.
  • Π—Π½Π°Ρ‡ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΠ΅ ΠΏΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ вСдСния Π»ΠΎΠ³Π° Ρ‡Π΅Ρ€Π΅Π· подсистСму EVE, ΠΎΠ±Π΅ΡΠΏΠ΅Ρ‡ΠΈΠ²Π°ΡŽΡ‰ΡƒΡŽ Π²Ρ‹Π²ΠΎΠ΄ событий Π² Ρ„ΠΎΡ€ΠΌΠ°Ρ‚Π΅ JSON. УскорСниС достигнуто благодаря Π·Π°Π΄Π΅ΠΉΡΡ‚Π²ΠΎΠ²Π°Π½ΠΈΡŽ Π½ΠΎΠ²ΠΎΠ³ΠΎ ΠΏΠΎΡΡ‚Ρ€ΠΎΠΈΡ‚Π΅Π»ΡŒ сток JSON, написанного Π½Π° языкС Rust.
  • ΠŸΠΎΠ²Ρ‹ΡˆΠ΅Π½Π° ΠΌΠ°ΡΡˆΡ‚Π°Π±ΠΈΡ€ΡƒΠ΅ΠΌΠΎΡΡ‚ΡŒ систСмы Π»ΠΎΠ³ΠΎΠ² EVE ΠΈ Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ вСдСния ΠΎΡ‚Π΅Π»ΡŒΠ½ΠΎΠ³ΠΎ Π»ΠΎΠ³-Ρ„Π°ΠΉΠ»Π° Π½Π° ΠΊΠ°ΠΆΠ΄Ρ‹ΠΉ ΠΏΠΎΡ‚ΠΎΠΊ.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ опрСдСлСния условий для сброса свСдСний Π² Π»ΠΎΠ³.
  • Π’ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ отраТСния MAC-адрСсов Π² Π»ΠΎΠ³Π΅ EVE ΠΈ ΠΏΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ Π΄Π΅Ρ‚Π°Π»ΠΈΠ·Π°Ρ†ΠΈΠΈ Π»ΠΎΠ³Π° DNS.
  • ΠŸΠΎΠ²Ρ‹ΡˆΠ΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ Π΄Π²ΠΈΠΆΠΊΠ° ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ ΠΏΠΎΡ‚ΠΎΠΊΠΎΠ² (flow engine).
  • ΠŸΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΈΠ΄Π΅Π½Ρ‚ΠΈΡ„ΠΈΠΊΠ°Ρ†ΠΈΠΈ Ρ€Π΅Π°Π»ΠΈΠ·Π°Ρ†ΠΈΠΉ SSH (IHASSH).
  • РСализация Π΄Π΅ΠΊΠΎΠ΄ΠΈΡ€ΠΎΠ²Ρ‰ΠΈΠΊΠ° Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ GENEVE.
  • На языкС Rust пСрСписан ΠΊΠΎΠ΄ для ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ ASN.1, DCERPC ΠΈ SSH. На Rust Ρ‚Π°ΠΊΠΆΠ΅ Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° Π½ΠΎΠ²Ρ‹Ρ… ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ².
  • Π’ языкС опрСдСлСния ΠΏΡ€Π°Π²ΠΈΠ» Π² ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠΌ словС byte_jump Π΄ΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π° from_end, Π° Π² byte_test β€” ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π° bitmask. Π Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½ΠΎ ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠ΅ слово pcrexform, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡŽΡ‰Π΅Π΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ рСгулярныС выраТСния (pcre) для Π·Π°Ρ…Π²Π°Ρ‚Π° подстроки. Π”ΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΏΡ€Π΅ΠΎΠ±Ρ€Π°Π·ΠΎΠ²Π°Π½ΠΈΠ΅ urldecode. Π”ΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΊΠ»ΡŽΡ‡Π΅Π²ΠΎΠ΅ слово byte_math.
  • ΠŸΡ€Π΅Π΄ΠΎΡΡ‚Π°Π²Π»Π΅Π½ΠΈΡ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ использования cbindgen для Π³Π΅Π½Π΅Ρ€Π°Ρ†ΠΈΠΈ привязок Π½Π° языках Rust ΠΈ C.
  • Π”ΠΎΠ±Π°Π²Π»Π΅Π½Π° Π½Π°Ρ‡Π°Π»ΡŒΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° ΠΏΠ»Π°Π³ΠΈΠ½ΠΎΠ².
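As an added example (not code from the opennet.ru article or from the Suricata project), the following consumes the EVE JSON output discussed above, using the MAC addresses that 6.0 can now include in EVE records and the HASSH client fingerprint from SSH events to enrich alerts on the same flow. The sample log lines are constructed, and the field names (`ether.src_mac`, `ssh.client.hassh.hash`) follow the EVE layout as I understand it for Suricata 6.0; check them against the schema of the version you run.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not from a real capture). The field layout
# follows Suricata's EVE JSON format as I understand it for 6.0: "ether" is
# present when the eve-log output sets "ethernet: yes", and SSH events carry a
# client "hassh" object. Signature IDs are local-range placeholders.
SAMPLE_EVE = r"""
{"timestamp":"2020-10-16T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","ether":{"src_mac":"02:00:00:00:00:05","dest_mac":"02:00:00:00:00:09"},"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED SSH brute-force indicator","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2020-10-16T10:00:02.000000+0000","flow_id":1,"event_type":"ssh","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"ConstructedClient_1.0","hassh":{"hash":"0000000000000000000000000000aaaa","string":"kex;enc;mac;comp"}},"server":{"proto_version":"2.0","software_version":"OpenSSH_8.2"}}}
{"timestamp":"2020-10-16T10:00:03.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"10.0.0.9","dest_port":8080,"proto":"TCP","ether":{"src_mac":"02:00:00:00:00:07","dest_mac":"02:00:00:00:00:09"},"alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED HTTP on non-standard port","category":"Potentially Bad Traffic","severity":2}}
not json: a constructed line truncated by a log rotation mid-write
{"timestamp":"2020-10-16T10:00:04.000000+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
"""

def parse_eve(text):
    """Yield one dict per EVE line, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line truncated by a mid-write rotation

def correlate(text):
    """Count alerts per source MAC (from "ether") and remember each SSH
    client's HASSH hash by flow_id, so an alert can be tied to the SSH
    implementation on the same flow. Returns (per_mac, hassh_by_flow, alerts)."""
    per_mac = Counter()
    hassh_by_flow = {}
    alerts = []
    for ev in parse_eve(text):
        kind = ev.get("event_type")
        if kind == "alert":
            per_mac[ev.get("ether", {}).get("src_mac", "unknown")] += 1
            alerts.append(ev)
        elif kind == "ssh":
            h = ev.get("ssh", {}).get("client", {}).get("hassh", {}).get("hash")
            if h:
                hassh_by_flow[ev["flow_id"]] = h
    return per_mac, hassh_by_flow, alerts

def alerts_with_hassh(text):
    """List (signature_id, source MAC, client HASSH or None) for each alert."""
    per_mac, hassh_by_flow, alerts = correlate(text)
    return [(a["alert"]["signature_id"], a["ether"]["src_mac"],
             hassh_by_flow.get(a["flow_id"])) for a in alerts]
```

The same correlation works over the per-thread log files 6.0 can write, since flow_id is stable across event types for one flow.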

Suricata features:

  • Scan results are written in the unified Unified2 format, also used by the Snort project, which allows standard analysis tools such as barnyard2 to be used. Integration with BASE, Snorby, Sguil and SQueRT is possible. Output in PCAP format is supported;
  • Automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), so rules can operate on the protocol type alone without being tied to a port number (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
  • A powerful HTTP traffic analysis system that uses the dedicated HTP library, created by the author of the Mod_Security project, to parse and normalise HTTP traffic. A module is available for keeping a detailed log of HTTP transfers; the log is stored in the standard Apache format. Extraction and inspection of files transferred over HTTP is supported, as is parsing of compressed content. Matching can be done on the URI, cookies, headers, user-agent, and request/response body;

  • Support for various traffic capture interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. Files already saved in PCAP format can also be analysed;
  • High performance: the ability to process streams of up to 10 gigabits/sec on commodity hardware.
  • A high-performance mechanism for mask matching against large sets of IP addresses. Content can be selected by mask and by regular expressions. Files can be extracted from traffic and identified by name, type or MD5 checksum.
  • Variables can be used in rules: information from a flow can be stored and later used in other rules;
  • Configuration files use the YAML format, which stays readable while remaining easy to process by machine;
  • Full IPv6 support;
  • A built-in engine for automatic defragmentation and packet reassembly, which ensures streams are handled correctly regardless of the order in which packets arrive;
  • Support for tunnelling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
  • Packet decoding support: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
  • A mode for logging keys and certificates seen within TLS/SSL connections;
  • Scripts can be written in Lua to provide advanced analysis and implement additional capabilities needed to identify kinds of traffic for which the standard rules are insufficient.

Source: opennet.ru
