Snort or Suricata. Part 2: Installing and initial setup of Suricata

Statistically, network traffic volume grows by roughly 50% every year. This increases the load on equipment and, in particular, raises the performance requirements for an IDS/IPS. You can buy expensive specialised hardware, but there is a cheaper option: use one of the open-source systems. Many novice administrators assume that installing and configuring a free IPS is genuinely hard. In the case of Suricata this is not quite true: you can install it and start fending off typical attacks with a free ruleset within a few minutes.

Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

Why do we need another open IPS?

Long considered the standard, Snort has been under development since the late nineties, so it was originally single-threaded. Over the years it acquired all the modern features, such as IPv6 support, the ability to analyse application-layer protocols, and a universal data access module.

The core Snort 2.X engine learned to run on multiple cores, but it remained single-threaded, so it cannot take full advantage of modern hardware platforms.

The problem was solved in the third version of the system, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. Its development began in 2009 precisely as a multi-threaded alternative to Snort, with IPS functionality out of the box. The code is distributed under the GPLv2 licence, but the project's financial partners have access to a closed version of the engine. Some scalability problems appeared in the first versions of the system, but they were quickly resolved.

Why Suricata?

Suricata has several modules (as does Snort): capture, collection, decoding, detection and output. By default, captured traffic goes through a single thread before decoding, although this loads the system more. If necessary, the threads can be separated in the settings and distributed among processors; Suricata is very well optimised for specific hardware, although that is no longer beginner HOWTO territory. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library. They can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6, IPv6-in-IPv6 and other tunnels.

Various interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix Socket mode you can automatically analyse PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, analysing and processing network packets. It is also important to note that in Suricata traffic is blocked using the operating system's standard filter. On GNU/Linux, two options for IPS operation are available: via the NFQUEUE queue (NFQ mode) and via zero-copy (AF_PACKET mode). In the first case, a packet that hits iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata runs it through its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP and NF_REPEAT. The first two are self-explanatory, while the last one lets you mark packets and send them back to the beginning of the current iptables table. AF_PACKET mode is faster, but it imposes a number of restrictions on the system: it must have two network interfaces and operate as a gateway. A blocked packet is simply not forwarded to the second interface.

An important feature of Suricata is the ability to use work done for Snort. In particular, the administrator has access to the Sourcefire VRT and OpenSource Emerging Threats rulesets, as well as Emerging Threats Pro. Unified output can be analysed with popular backends, and output to PCAP and Syslog is also supported. System settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognises many protocols, so rules do not need to be tied to a port number. In addition, the flowbits concept is used actively in Suricata rules. To track triggering, session variables are used, which let you create and apply various counters and flags. Many IDS treat separate TCP connections as separate entities and may not see the relationship between them that indicates the start of an attack. Suricata tries to see the whole picture and in many cases recognises malicious traffic spread across different connections. We could discuss its advantages for a long time; it is better to move on to installing and configuring it.

How to install it?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be executed as the superuser (root). The safest option is to connect to the server via SSH as a regular user and then use the sudo utility to elevate privileges. First we need to install the required packages:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Connect the external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the configuration files, replacing the default eth0 with the real name of the server's external interface. The default settings are stored in the file /etc/default/suricata, and the custom settings in /etc/suricata/suricata.yaml. Configuring the IDS mostly comes down to editing this configuration file. It has many parameters that, in name and purpose, match their counterparts in Snort. The syntax, however, is completely different, but the file is much easier to read than Snort configs, and it is well commented.

sudo nano /etc/default/suricata


and

sudo nano /etc/suricata/suricata.yaml


Attention! Before starting, you should check the values of the variables in the vars section.
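As an added check for the vars warning above (example code, not from the article or the Suricata project): this script extracts HOME_NET and EXTERNAL_NET from a constructed fragment of suricata.yaml using only the standard library and reports the mistakes that most often leave a sensor blind or noisy: an undefined or malformed HOME_NET, a HOME_NET of "any", an office network that HOME_NET does not cover, and an EXTERNAL_NET that is not the negation of HOME_NET. The sample text, the office network 10.20.0.0/24 and the function names are assumptions.

```python
import ipaddress
import re

# Constructed fragment in the layout of the stock suricata.yaml "vars" block
# (not copied from a real install); the values are the defaults Suricata ships with.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
"""

def get_var(yaml_text, name):
    """Return the (unquoted) value of one address-group variable, or None."""
    m = re.search(r'^\s*%s:\s*"?([^"\n]+)"?\s*$' % re.escape(name), yaml_text, re.M)
    return m.group(1).strip() if m else None

def parse_home_net(value):
    """Split "[a,b,!c]" into (included, excluded) ip_network lists; "any" is 0.0.0.0/0.
    A malformed entry raises ValueError, which Suricata would also refuse to load."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    included, excluded = [], []
    for item in filter(None, (s.strip() for s in inner.split(","))):
        neg = item.startswith("!")
        net = item.lstrip("!")
        net = "0.0.0.0/0" if net.lower() == "any" else net
        (excluded if neg else included).append(ipaddress.ip_network(net, strict=False))
    return included, excluded

def check_vars(yaml_text, office_net):
    """Return the problems found in the vars section (empty list = looks sane)."""
    home = get_var(yaml_text, "HOME_NET")
    if home is None:
        return ["HOME_NET is not defined"]
    try:
        included, _ = parse_home_net(home)
    except ValueError as err:
        return ["HOME_NET is malformed: %s" % err]
    problems = []
    if any(n.prefixlen == 0 for n in included):
        problems.append("HOME_NET covers all addresses; narrow it to your own networks")
    office = ipaddress.ip_network(office_net, strict=False)
    if not any(office.subnet_of(n) for n in included if n.version == office.version):
        problems.append("office network %s is not inside HOME_NET" % office)
    if get_var(yaml_text, "EXTERNAL_NET") != "!$HOME_NET":
        problems.append('EXTERNAL_NET should be "!$HOME_NET"')
    return problems
```

Run check_vars against the text of your own /etc/suricata/suricata.yaml with the network that will arrive over the VPN; an empty list means the vars block is consistent with that network.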

To complete the setup, you will need to install suricata-update to update and download rules. This is very easy to do:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next we need to run the suricata-update command to install the Emerging Threats Open ruleset:

sudo suricata-update


To view the list of rule sources, use the following command:

sudo suricata-update list-sources


Update the rule sources:

sudo suricata-update update-sources


Let's look at the updated sources again:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After this, you need to update the rules again:

sudo suricata-update

At this point, the installation and initial configuration of Suricata on Ubuntu 18.04 LTS can be considered complete. Then the fun begins: in the next article we will connect the virtual server to the office network via VPN and start analysing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity, and attempts to exploit vulnerabilities in services reachable from public networks. For clarity, the most common types of attacks will be simulated.


Source: www.habr.com
