Suricata - Intrusion Detection and Prevention Security Tool


Suricata is a powerful, fast and open-source threat detection engine that provides intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring. It performs deep packet inspection with pattern matching that is highly effective at detecting threats.

At the time of writing this guide, the latest version of Suricata is 6.0.5.

  • IDS/IPS - Suricata is a rule-based Intrusion Detection and Prevention engine that uses externally developed rule sets, such as the Emerging Threats (ET) Suricata rule set, to monitor network traffic for malicious activity, policy violations and threats.
  • Automatic protocol detection - The Suricata engine automatically detects protocols such as HTTP, HTTPS, FTP and SMB on any port and applies the proper detection and logging logic. This comes in handy when detecting malware and command-and-control (CnC) channels.
  • Lua scripting - Suricata can invoke Lua scripts that provide advanced detection logic for identifying and decoding malware traffic that is otherwise hard to detect.
  • Multi-threading - Suricata processes network traffic quickly. The engine is built to take advantage of the processing power offered by modern multi-core hardware.

Installing the Suricata Intrusion Detection Tool in Linux

In this section, we will demonstrate how to install Suricata on Debian/Ubuntu and RHEL-based distributions.

Suricata is provided by the Debian/Ubuntu repositories and can easily be installed using the APT package manager. However, it is important to note that this does not install the latest version of Suricata. To get the latest version, you need to install it from source, which we will cover later in this guide.

To install Suricata using the APT package manager, run the command:

$ sudo apt install suricata -y

Suricata starts automatically once installed. You can confirm this as follows.

$ sudo systemctl status suricata

To install Suricata on RHEL distributions such as CentOS Stream, Rocky Linux, AlmaLinux, Fedora and RHEL, you first need to enable the EPEL repository.

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm  [RHEL 9]
$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm  [RHEL 8]
$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm  [RHEL 7]

Once EPEL is enabled, install the following required packages and add the OISF repository to your system.

----------- On Fedora Systems ----------- 
$ sudo dnf install dnf-plugins-core
$ sudo dnf copr enable @oisf/suricata-6.0

----------- On RHEL Systems ----------- 
$ sudo dnf install yum-plugin-copr
$ sudo dnf copr enable @oisf/suricata-6.0

Next, install Suricata using the dnf or yum package manager as shown.

$ sudo dnf install suricata -y
Or
$ sudo yum install suricata -y

Once Suricata is installed, start it and verify its status.

$ sudo systemctl start suricata
$ sudo systemctl status suricata

Installing Suricata from Source in Linux

Older OS repositories do not provide the latest version of Suricata. If your goal is to install the latest version, you need to build it from source.

At the time of writing this guide, the latest version of Suricata is 6.0.5. To install Suricata from source on Ubuntu/Debian and RHEL distributions, install the following libraries, compilation tools and dependencies.

----------- On Debian Systems ----------- 
$ sudo apt install rustc build-essential cargo libpcre3 libpcre3-dbg libpcre3-dev make autoconf automake libtool libcap-ng0 make libmagic-dev libjansson-dev libjansson4 libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev pkg-config libnetfilter-queue1 libnfnetlink0 libnetfilter-queue-dev libnfnetlink-dev -y

----------- On RHEL Systems ----------- 
$ sudo yum install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel -y

Next, install the suricata-update tool, which is used to update the Suricata rules.

$ sudo apt install python3-pip           [On Debian]
$ sudo yum install python3-pip           [On RHEL]
$ pip3 install --upgrade suricata-update

Then create a symbolic link to /usr/bin/suricata-update.

$ sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Now download the Suricata source tarball using the wget command.

$ wget https://www.openinfosecfoundation.org/download/suricata-6.0.6.tar.gz

Once downloaded, extract the tarball, then build and install it.

$ sudo tar -xvf suricata-6.0.6.tar.gz
$ cd suricata-6.0.6
$ ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
$ make
$ sudo make install-full

Configuring Suricata in Linux

To start configuring Suricata, we need to define the internal and external networks. To do this, open the configuration file.

$ sudo vim /etc/suricata/suricata.yaml

For the HOME_NET directive, specify the IP address of your Linux system.

HOME_NET: "[173.82.235.7]"

Next, set the EXTERNAL_NET directive to !$HOME_NET.

EXTERNAL_NET: "!$HOME_NET"

Next, specify the network interface on which Suricata will inspect network traffic. In our case, this is the eth0 interface.

You can confirm your active network interface using the ip command:

$ ip a

In the configuration file, update the interface directive with the name of your network interface.

- interface: eth0

Next, ensure that the default-rule-path attribute is set to /etc/suricata/rules.

Save the changes and close the configuration file, then restart Suricata for the changes to take effect.

$ sudo systemctl restart suricata

Updating Suricata Rules in Linux

By default, Suricata ships with a limited set of detection rules located in the /etc/suricata/rules directory. However, these are considered weak and ineffective at detecting intrusions. You need to pull the Emerging Threats (ET) rules, which are considered the most comprehensive rule set for Suricata.

Suricata provides a tool known as suricata-update that fetches rules from external providers. To get an up-to-date rule set for your server, run the following command.

$ sudo suricata-update -o /etc/suricata/rules

From the output, you can see that suricata-update fetches the free ET Open rules and saves them to Suricata's rules file /etc/suricata/rules/suricata.rules. In addition, it shows the number of rules processed. In this example, a total of 35941 rules were added. Of these, 28221 were enabled, 18 were removed and 1249 were modified.

Adding Suricata Rules in Linux

The suricata-update tool lets you fetch rules from rule providers. Some are free, such as the ET Open set, while others require a paid subscription.

To list the default set of rule providers, run the suricata-update command as shown.

$ sudo suricata-update list-sources

To add a rule set, for example the tgreen/hunting rules, run the following command.

$ sudo suricata-update enable-source tgreen/hunting

Once you have added the rule set, run the suricata-update command once more with the -o /etc/suricata/rules flag.

$ sudo suricata-update -o /etc/suricata/rules

Testing Suricata Rules in Linux

Before you start testing Suricata, it is recommended to check that the configuration is valid. To do so, run the following command:

$ sudo suricata -T -c /etc/suricata/suricata.yaml -v

Ensure that no errors are reported. If you are running RHEL, CentOS Stream, Fedora or Rocky Linux, start and enable Suricata.

$ sudo systemctl start suricata 
$ sudo systemctl enable suricata 

So far, we have successfully installed and configured Suricata and updated the rules. The ET Open rule set contains over 30,000 rules for detecting malicious traffic. In this section, we will test Suricata and check whether it can detect suspicious network traffic.

We will test the ET Open rules by simulating an intrusion as recommended by the Suricata Quickstart guide.

The IDS functionality will be tested with signature ID 2100498 by sending an HTTP request to the testmynids.org website, which is a NIDS (Network Intrusion Detection System) testing framework.

$ curl http://testmynids.org/uid/index.html

You should get the following output.

uid=0(root) gid=0(root) groups=0(root)

The HTTP request is crafted to trigger an alert by mimicking the output of the id command, as it would appear if run on a compromised remote system through a shell.

Now let us walk through the Suricata logs for the corresponding alert. Suricata ships with two log files that are enabled by default.

/var/log/suricata/fast.log
/var/log/suricata/eve.json

We will check the log entries in the /var/log/suricata/fast.log file, whose one-line format is well suited to the grep command. We will search for the log entry using the rule identifier 2100498 from the Quickstart documentation.

$ grep 2100498 /var/log/suricata/fast.log

You will get the following output indicating the detected intrusion. Here, 173.82.235.7 is the public IP address of the server.

09/09/2022-22:17:06.796434  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.226.210.123:80 -> 173.82.235.7:33822

Alternatively, you can check the /var/log/suricata/eve.json log file for signature ID 2100498 as shown.

$ jq 'select(.alert.signature_id==2100498)' /var/log/suricata/eve.json
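The grep and jq commands above each check for one signature ID by hand. The following added example (not from the original article or the Suricata project) does the same verification in Python: it parses fast.log lines into their fields and filters EVE JSON alert records by signature_id, so the check can be scripted or fed into further tooling. The log lines are constructed to match the formats shown in this guide; the second EVE record is a non-alert http event included to show that it is skipped.

```python
import json
import re

# Constructed fast.log lines, modelled on the entry shown in the guide.
FAST_LOG = """\
09/09/2022-22:17:06.796434  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.226.210.123:80 -> 173.82.235.7:33822
09/09/2022-22:18:01.000001  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:443 -> 173.82.235.7:40000
"""

# Constructed eve.json lines (one JSON object per line) using EVE's alert/http field names.
EVE_JSON = """\
{"timestamp":"2022-09-09T22:17:06.796434+0000","event_type":"alert","src_ip":"13.226.210.123","src_port":80,"dest_ip":"173.82.235.7","dest_port":33822,"proto":"TCP","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2022-09-09T22:17:06.800000+0000","event_type":"http","src_ip":"173.82.235.7","src_port":33822,"dest_ip":"13.226.210.123","dest_port":80,"proto":"TCP","http":{"hostname":"testmynids.org","url":"/uid/index.html"}}
"""

# fast.log layout: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}"
    r"\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("gid", "sid", "rev", "prio"):
                d[key] = int(d[key])
            alerts.append(d)
    return alerts


def fast_hits(text, sid):
    """Equivalent of grep on fast.log, but matching the signature ID field exactly."""
    return [a for a in parse_fast_log(text) if a["sid"] == sid]


def eve_alerts_by_sid(text, sid):
    """Equivalent of jq 'select(.alert.signature_id==SID)' over EVE JSON lines."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert" and event["alert"]["signature_id"] == sid:
            hits.append(event)
    return hits
```

Matching on the parsed sid field rather than a raw grep avoids false hits when the number also appears in a timestamp, port or other field.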

This has been a comprehensive guide on how to install and configure Suricata on Linux. We looked at the different installation methods, how to configure Suricata and update its rules, how to manage the Suricata systemd service and how to perform a network intrusion test.

We hope that you can now comfortably install and use Suricata to protect your system against network intrusions and malicious traffic.