Suricata 1.4.4 Released - A Network Intrusion Detection, Prevention and Security Monitoring System


Suricata is a high-performance, open source Network Intrusion Detection, Intrusion Prevention and Security Monitoring System for Unix/Linux, FreeBSD and Windows systems. It is developed and owned by the non-profit OISF (Open Information Security Foundation).

Recently, the OISF project team announced the release of Suricata 1.4.4 with minor but important improvements, and fixed some critical bugs present in the previous release.

Suricata Features

Suricata is a rule-based Intrusion Detection and Prevention engine that uses externally developed rule sets to monitor network traffic. It can handle multi-gigabit traffic and sends email alerts to the system/network administrators.

Suricata delivers speed and robustness in network traffic inspection. The engine is built to take advantage of the increased processing power offered by modern multi-core hardware.

The engine does not only provide keywords for TCP, UDP, ICMP and IP, but also has built-in support for HTTP, FTP, TLS and SMB. An administrator can write a rule of their own to detect a match inside an HTTP stream. This helps in detecting malware and its control traffic.

The engine will also load rules that match IP addresses from the RBN and the Emerging Threats IP lists, and keeps them in a dedicated matcher optimized for that purpose.

Step 1: Install Suricata on RHEL, CentOS and Fedora

You must use Fedora's EPEL repository to install some of the packages required on i386 and x86_64 systems.

  1. Enable Fedora's EPEL repository

Before you can compile and build Suricata for your system, install the following dependency packages required for the rest of the installation. The process may take some time to complete, depending on your internet speed.

# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel

Next, build Suricata with IPS support. For this we need the "libnfnetlink" and "libnetfilter_queue" packages, but pre-built versions of these are not available in the EPEL or CentOS Base repositories. So we need to download and install the RPMs from the Emerging Threats CentOS repository.

On i386 systems:

# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm

On x86_64 systems:

# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm

Download the latest Suricata source files and build them using the following commands.

# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4

Now we use Suricata's auto setup feature to create all the relevant directories, configuration files and the latest rules.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 2: Install Suricata on Debian and Ubuntu

Before starting the installation, the following prerequisite packages must be present on the system in order to proceed. Make sure you are the root user when running these commands. The installation process may take some time, depending on your current internet speed.

# apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
pkg-config magic file libhtp-dev

By default, it works as an IDS. If you want to add IPS support, install some additional packages as follows.

# apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Download the latest Suricata source tarball and build it using the following commands.

# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4

Use Suricata's auto setup option to create all the required directories, configuration files and rule directories automatically, as shown below.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 3: Configuring Suricata

After downloading and installing Suricata, it is time to move on to configuring it. Create the following directories.

# mkdir /var/log/suricata
# mkdir /etc/suricata

The next step is to copy the configuration files "classification.config", "reference.config" and "suricata.yaml" from the source directory of the installation.

# cd /tmp/suricata-1.4.4
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata

Finally, start the Suricata engine for the first time and give it the name of the network interface you want it to listen on. Instead of eth0, you can specify whichever network card you like.

# suricata -c /etc/suricata/suricata.yaml -i eth0

23/7/2013 -- 12:22:45 -  - This is Suricata version 1.4.4 RELEASE
23/7/2013 -- 12:22:45 -  - CPUs/cores online: 2
23/7/2013 -- 12:22:45 -  - Found an MTU of 1500 for 'eth0'
23/7/2013 -- 12:22:45 -  - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 65535 defrag trackers of size 104
23/7/2013 -- 12:22:45 -  - defrag memory usage: 8912792 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 -  - AutoFP mode using default "Active Packets" flow load balancer
23/7/2013 -- 12:22:45 -  - preallocated 1024 packets. Total memory 3170304
23/7/2013 -- 12:22:45 -  - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 1000 hosts of size 76
23/7/2013 -- 12:22:45 -  - host memory usage: 207072 bytes, maximum: 16777216
23/7/2013 -- 12:22:45 -  - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 10000 flows of size 176
23/7/2013 -- 12:22:45 -  - flow memory usage: 3857152 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 -  - IP reputation disabled
23/7/2013 -- 12:22:45 -  - using magic-file /usr/share/file/magic

After a few minutes, verify that the engine is working correctly and is receiving and inspecting traffic.

# cd /usr/local/var/log/suricata/
# ls -l

-rw-r--r-- 1 root root  25331 Jul 23 12:27 fast.log
drwxr-xr-x 2 root root   4096 Jul 23 11:34 files
-rw-r--r-- 1 root root  12345 Jul 23 11:37 http.log
-rw-r--r-- 1 root root 650978 Jul 23 12:27 stats.log
-rw-r--r-- 1 root root  22853 Jul 23 11:53 unified2.alert.1374557837
-rw-r--r-- 1 root root   2691 Jul 23 12:09 unified2.alert.1374559711
-rw-r--r-- 1 root root   2143 Jul 23 12:13 unified2.alert.1374559939
-rw-r--r-- 1 root root   6262 Jul 23 12:27 unified2.alert.1374560613

Watch the "stats.log" file and make sure the information shown is being updated in real time.

# tail -f stats.log

tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 27
flow_mgr.closed_pruned    | FlowManagerThread         | 3
flow_mgr.new_pruned       | FlowManagerThread         | 277
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 3870000
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
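An added example, not part of the original article: a small POSIX shell script that reads counters from a stats.log dump in the format shown above and checks that the engine is still producing alerts and has not hit its flow memcap. STATS_SAMPLE is a constructed excerpt of the output above so the functions can be exercised without a running sensor; the log path passed to check_live is an assumption.

```shell
#!/bin/sh
# Health checks built on Suricata's stats.log format:
#   counter_name              | ThreadName               | value
# Example code, not from the Suricata project.

# Constructed excerpt of the stats.log output shown above (not live data).
STATS_SAMPLE='tcp.reassembly_memuse     | Detect                    | 0
detect.alert              | Detect                    | 27
flow_mgr.new_pruned       | FlowManagerThread         | 277
flow.memuse               | FlowManagerThread         | 3870000
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0'

# stat_value TEXT COUNTER: print the value of COUNTER from a stats.log dump.
# The last occurrence wins, because stats.log appends a fresh table every
# interval; header and separator lines never match a counter name.
stat_value() {
    printf '%s\n' "$1" | awk -F'|' -v name="$2" '
        { gsub(/[ \t]+/, "", $1); gsub(/[ \t]+/, "", $3) }
        $1 == name { v = $3 }
        END { if (v == "") exit 1; print v }'
}

# counter_advanced BEFORE AFTER COUNTER: succeed when COUNTER grew between
# two snapshots, i.e. the engine is still seeing traffic and alerting.
# Returns 2 if the counter is missing from either snapshot.
counter_advanced() {
    b=$(stat_value "$1" "$3") || return 2
    a=$(stat_value "$2" "$3") || return 2
    [ "$a" -gt "$b" ]
}

# emergency_mode_entered TEXT: succeed if the flow engine reached its memcap
# and switched to emergency pruning (flow.emerg_mode_entered > 0). On a real
# sensor that means flow.memcap in suricata.yaml is too small for the load.
emergency_mode_entered() {
    v=$(stat_value "$1" flow.emerg_mode_entered) || return 2
    [ "$v" -gt 0 ]
}

# check_live LOGFILE: on a live sensor, read the tail of the real file twice,
# a few seconds apart, and confirm detect.alert moved. Default path assumed
# from the install above (./configure with no prefix).
check_live() {
    log=${1:-/usr/local/var/log/suricata/stats.log}
    first=$(tail -n 200 "$log"); sleep 10; second=$(tail -n 200 "$log")
    counter_advanced "$first" "$second" detect.alert
}
```

On a quiet network detect.alert may legitimately stay flat, so compare a traffic counter such as flow_mgr.new_pruned as well before concluding the engine is stuck.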

Reference Links

Suricata Homepage
Suricata User Guide