The OISF (Open Information Security Foundation) organization
Main changes:
- New parsing and logging modules for RDP, SNMP and SIP, written in Rust. Logging through the EVE subsystem was added to the FTP parser module, providing event output in JSON format;
- In addition to the JA3 TLS client fingerprinting method already supported in the previous release, support for the JA3S method was added. Based on the characteristics of the connection negotiation and the parameters it specifies, it determines which software is used to establish the connection (for example, it allows detecting the use of Tor and other typical applications). JA3 allows clients to be identified, and JA3S allows servers to be identified. The results of the identification can be used in the rule language and in logs;
- Added the ability to match samples against large data sets, implemented using the new operations dataset and datarep. For example, this feature is applicable for searching masks in a large blocklist containing millions of entries;
- The HTTP inspection mode provides full coverage of all the cases described in the HTTP Evader test suite (i.e. it covers the techniques used to hide malicious activity in traffic);
- The tooling for developing modules in Rust has been moved from optional to mandatory standard capabilities. In the future, it is planned to expand the use of Rust in the project code base and gradually replace modules with analogues developed in Rust;
- The protocol detection engine was improved to increase accuracy and to handle asynchronous traffic flows;
- Support for a new "anomaly" type was added to the EVE log, storing atypical events detected when decoding packets. EVE also expanded the display of information about VLANs and traffic capture interfaces. An additional option was added to store all HTTP headers in EVE http log entries;
- eBPF-based handlers provide support for hardware packet capture acceleration methods. Hardware acceleration is currently limited to Netronome network adapters, but will soon be available on other hardware;
- The traffic capture code using the Netmap framework was rewritten. Added the ability to use advanced Netmap features such as the VALE virtual switch;
- Added support for the new Sticky Buffers keyword definition scheme. The new scheme is defined in the "protocol.buffer" format; for example, to inspect the URI the keyword takes the form "http.uri" instead of "http_uri";
- All Python code used has been checked for compatibility with Python 3;
- Support for the Tilera architecture, the dns.log text record and the old json.log log file has been discontinued.
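To see what the Sticky Buffers change means for an existing rule set, here is an added example, not code from the Suricata project or from the original article: a small Python converter that rewrites legacy `http_*` content modifiers into the Suricata 5 `protocol.buffer` sticky-buffer form. The page only shows `http_uri` becoming `http.uri`; the rest of the mapping table uses the keyword names documented for Suricata 5, the `pkt_data` keyword is assumed to be available to return to the plain packet payload after a sticky buffer, and `convert_rule`, `split_options` and the sample rule are mine.

```python
# Added example: rewrite legacy Suricata HTTP content modifiers (e.g. http_uri)
# into the Suricata 5 sticky-buffer form (e.g. http.uri). Not project code.

# Legacy modifier -> sticky buffer keyword (Suricata 5 keyword names; the page
# itself only shows http_uri -> http.uri).
LEGACY_TO_STICKY = {
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_header": "http.header",
    "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_method": "http.method",
    "http_host": "http.host",
    "http_raw_host": "http.host.raw",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg",
}

# Modifiers that stay attached to the content they follow.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
                     "fast_pattern", "startswith", "endswith"}

# Keyword used to return to the plain packet payload once a sticky buffer is in
# effect (assumed to be available in the target Suricata version).
RESET_BUFFER = "pkt_data"


def split_options(body: str) -> list:
    """Split the rule option body on ';' while respecting quoted strings."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return out


def keyword_of(option: str) -> str:
    return option.split(":", 1)[0].strip()


def convert_rule(rule: str) -> str:
    """Return the rule rewritten with sticky buffers; non-rule lines pass through."""
    head, sep, rest = rule.partition("(")
    rest = rest.rstrip()
    if not sep or not rest.endswith(")"):
        return rule  # comment, blank line or malformed: leave untouched
    opts = split_options(rest[:-1])
    out = []
    active = None  # sticky buffer currently in effect in the rewritten rule
    i = 0
    while i < len(opts):
        if keyword_of(opts[i]) != "content":
            out.append(opts[i])
            i += 1
            continue
        group, legacy, j = [opts[i]], None, i + 1
        # Collect the modifiers belonging to this content; drop the legacy
        # buffer modifier and remember which buffer it selected.
        while j < len(opts):
            kw = keyword_of(opts[j])
            if kw in LEGACY_TO_STICKY:
                legacy = kw
            elif kw in CONTENT_MODIFIERS:
                group.append(opts[j])
            else:
                break
            j += 1
        wanted = LEGACY_TO_STICKY[legacy] if legacy else None
        if wanted != active:
            # A sticky buffer persists for the following content matches, so it
            # must be switched (or reset) explicitly before this content.
            out.append(wanted if wanted else RESET_BUFFER)
            active = wanted
        out.extend(group)
        i = j
    return f"{head.rstrip()} ({'; '.join(out)};)"


if __name__ == "__main__":
    # Constructed sample rule, not from any published rule set.
    sample = ('alert http any any -> any any (msg:"admin uri"; content:"/admin"; '
              'http_uri; nocase; content:"foo"; sid:1000001; rev:1;)')
    print(convert_rule(sample))
```

The point the converter makes explicit is the semantic difference between the two schemes: a legacy modifier applies to the one `content` it follows, whereas a sticky buffer stays in effect for every later `content` until another buffer is selected, so a mechanical search-and-replace would silently move later payload matches into the HTTP buffer.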
Suricata features:
- Use of the unified Unified2 format for presenting scan results, also used by the Snort project, which allows the use of standard analysis tools such as barnyard2. Integration is possible with BASE, Snorby, Sguil and SQueRT. PCAP output support;
- Support for automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, etc.), which allows rules to operate on the protocol type alone, without reference to the port number (for example, blocking HTTP traffic on a non-standard port). Decoders are available for the HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP and SSH protocols;
- A powerful HTTP traffic analysis system using the special HTP library, created by the author of the Mod_Security project for parsing and normalizing HTTP traffic. A module is available for keeping a detailed log of HTTP transfers; the log is stored in the standard Apache format. Extraction and inspection of files transferred over HTTP is supported. Support for parsing compressed content. The ability to identify by URI, Cookie, headers, user agent and request/response body;
- Support for various traffic interception interfaces, including NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING. It is possible to analyze files already saved in PCAP format;
- High performance: throughput reaches 10 gigabits/second on ordinary hardware.
- A highly efficient mask matching method for large sets of IP addresses. Support for selecting content by mask and regular expressions. Extraction of files from traffic, including their identification by name, type or MD5 checksum.
- The ability to use variables in rules: information can be saved from a stream and later used in other rules;
- Use of the YAML format in configuration files, which keeps them readable while being easy to process by machine;
- Full IPv6 support;
- A built-in engine for automatic defragmentation and reassembly of packets, which allows correct processing of streams regardless of the order in which packets arrive;
- Support for tunneling protocols: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE;
- Support for packet decoding: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN;
- A mode for logging keys and certificates appearing within TLS/SSL connections;
- The ability to write scripts in Lua to provide advanced analysis and implement additional capabilities needed to identify types of traffic for which standard rules are insufficient.
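As an added example (not code from Suricata or from the article), the following Python script shows how the JA3/JA3S fingerprints and the new "anomaly" events from the release notes above reach a consumer through the EVE JSON log, alongside the TLS logging feature listed here: it matches JA3S server hashes against a watch list and summarizes decoder anomalies per source host. The EVE lines, the hash values and the anomaly event names are a constructed fixture; the field layout follows Suricata's EVE tls and anomaly records as I know them, which is an assumption, and `parse_eve`, `watchlist_hits` and `anomaly_summary` are mine.

```python
import json
from collections import Counter

# Constructed EVE JSON fixture (not a real capture). The field layout follows
# Suricata's EVE "tls" and "anomaly" records as I understand them; the hash
# values and anomaly event names are placeholders, not real fingerprints.
# One line is deliberately malformed to show how a consumer should cope.
EVE_SAMPLE = """\
{"timestamp":"2019-10-15T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"tls":{"sni":"example.net","version":"TLS 1.2","ja3":{"hash":"11111111111111111111111111111111"},"ja3s":{"hash":"22222222222222222222222222222222"}}}
{"timestamp":"2019-10-15T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.9","dest_ip":"198.51.100.4","dest_port":8443,"tls":{"version":"TLS 1.2","ja3":{"hash":"33333333333333333333333333333333"},"ja3s":{"hash":"44444444444444444444444444444444"}}}
{"timestamp":"2019-10-15T10:00:03.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"198.51.100.4","anomaly":{"type":"decode","event":"ipv4.opt_invalid"}}
{"timestamp":"2019-10-15T10:00:04.000000+0000","event_type":"anomaly","src_ip":"10.0.0.9","dest_ip":"198.51.100.4","anomaly":{"type":"stream","event":"stream.pkt_invalid_ack"}}
this line is deliberately not JSON
{"timestamp":"2019-10-15T10:00:05.000000+0000","event_type":"anomaly","src_ip":"10.0.0.12","dest_ip":"203.0.113.7","anomaly":{"type":"decode","event":"ipv4.opt_invalid"}}
"""

# Constructed JA3S watch list (placeholder value, not a real fingerprint).
JA3S_WATCHLIST = {"44444444444444444444444444444444"}


def parse_eve(text: str) -> list:
    """Parse one JSON object per line, skipping torn or non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn line (rotation, partial write) must not stop the consumer
        if isinstance(event, dict) and "event_type" in event:
            events.append(event)
    return events


def watchlist_hits(events: list, watchlist: set) -> list:
    """Return tls events whose JA3S server hash is on the watch list."""
    hits = []
    for event in events:
        if event.get("event_type") != "tls":
            continue
        tls = event.get("tls", {})
        ja3s = tls.get("ja3s", {}).get("hash")
        if ja3s in watchlist:
            hits.append({
                "src_ip": event.get("src_ip"),
                "dest_ip": event.get("dest_ip"),
                "dest_port": event.get("dest_port"),
                "sni": tls.get("sni"),  # absent when the client sent no SNI
                "ja3": tls.get("ja3", {}).get("hash"),
                "ja3s": ja3s,
            })
    return hits


def anomaly_summary(events: list):
    """Count anomaly events by (type, event) and by source host."""
    by_event, by_host = Counter(), Counter()
    for event in events:
        if event.get("event_type") != "anomaly":
            continue
        anomaly = event.get("anomaly", {})
        by_event[(anomaly.get("type"), anomaly.get("event"))] += 1
        by_host[event.get("src_ip")] += 1
    return by_event, by_host


if __name__ == "__main__":
    evs = parse_eve(EVE_SAMPLE)
    for hit in watchlist_hits(evs, JA3S_WATCHLIST):
        print("JA3S watch list hit:", hit)
    by_event, by_host = anomaly_summary(evs)
    print("anomalies by event:", dict(by_event))
    print("anomalies by host:", dict(by_host))
```

Matching on the JA3S hash rather than the destination address is what makes the server-side fingerprint useful: the same server software is recognized on a non-standard port and without an SNI, and a host that also produces a cluster of decoder anomalies stands out in the summary.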
Source: opennet.ru