Suricata 1.4.4 Released - Network Intrusion Detection, Prevention and Security Monitoring System
Suricata is an open source, high-performance, modern Network Intrusion Detection, Intrusion Prevention and Security Monitoring System for Unix/Linux, FreeBSD and Windows. It was founded and is owned by the non-profit OISF (Open Information Security Foundation).
Recently, the OISF project team announced the release of Suricata 1.4.4, with minor but important updates and fixes for critical bugs found in the previous release.
Suricata Features
Suricata is a rule-based Intrusion Detection and Prevention engine that uses externally developed rule sets to monitor network traffic. It can handle multi-gigabyte traffic and provides email alerts to System/Network administrators.
Suricata is built for speed and relevance when evaluating network traffic. The engine is designed to take advantage of the increased processing power offered by modern multi-core chipsets.
The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has native support for HTTP, FTP, TLS and SMB. A system administrator can write their own rules to detect matches within an HTTP stream, which allows for distinct detection and control of malware.
The engine also picks up the IP-matching rules based on the RBN and compromised-IP lists from Emerging Threats and loads them into a fast-matching preprocessor.
Step 1: Installing Suricata on RHEL, CentOS and Fedora
You must use the Fedora EPEL repository to install some of the required packages on i386 and x86_64 systems.
- Enable the Fedora EPEL repository
Before compiling and building Suricata on your system, install the following dependency packages, which are required for the rest of the installation. The process may take a while to complete, depending on your internet speed.
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
Next, build Suricata with IPS support. For this we need the libnfnetlink and libnetfilter_queue packages, but pre-built versions of these are not available in the EPEL or CentOS Base repositories. So we need to download and install the RPMs from the Emerging Threats CentOS repository.
On i386 systems:
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
On x86_64 systems:
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
Download the latest Suricata source files and build them with the following commands.
# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4
Now use Suricata's Auto Setup feature to create all the necessary directories, configuration files and the latest rules automatically: install-conf installs the configuration, install-rules fetches the rules, and install-full does both.
# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full
Step 2: Installing Suricata on Debian and Ubuntu
Before starting the installation, you must have the following prerequisite packages installed on the system. Make sure you are the root user when running the following command. This installation process may take some time, depending on your current internet speed.
# apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
pkg-config magic file libhtp-dev
By default, it works as an IDS. If you want to add IPS support, install the required packages as follows.
# apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Download the latest Suricata tarball and build it with the following commands.
# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4
Use Suricata's Auto Setup option to create all the required directories, configuration files and rules automatically, as shown below.
# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full
Step 3: Basic Suricata Configuration
After downloading and installing Suricata, it is time to proceed with the basic configuration. Create the following directories.
# mkdir /var/log/suricata
# mkdir /etc/suricata
The next step is to copy the configuration files classification.config, reference.config and suricata.yaml from the base directory of the source build.
# cd /tmp/suricata-1.4.4
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata
Finally, start the Suricata engine for the first time, specifying the device name of your preferred interface. In place of eth0, substitute the network card of your choice.
# suricata -c /etc/suricata/suricata.yaml -i eth0
23/7/2013 -- 12:22:45 - - This is Suricata version 1.4.4 RELEASE
23/7/2013 -- 12:22:45 - - CPUs/cores online: 2
23/7/2013 -- 12:22:45 - - Found an MTU of 1500 for 'eth0'
23/7/2013 -- 12:22:45 - - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 - - preallocated 65535 defrag trackers of size 104
23/7/2013 -- 12:22:45 - - defrag memory usage: 8912792 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 - - AutoFP mode using default "Active Packets" flow load balancer
23/7/2013 -- 12:22:45 - - preallocated 1024 packets. Total memory 3170304
23/7/2013 -- 12:22:45 - - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
23/7/2013 -- 12:22:45 - - preallocated 1000 hosts of size 76
23/7/2013 -- 12:22:45 - - host memory usage: 207072 bytes, maximum: 16777216
23/7/2013 -- 12:22:45 - - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 - - preallocated 10000 flows of size 176
23/7/2013 -- 12:22:45 - - flow memory usage: 3857152 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 - - IP reputation disabled
23/7/2013 -- 12:22:45 - - using magic-file /usr/share/file/magic
After a few minutes, check that the engine is working correctly and is receiving and inspecting traffic. Note that the logs are written to /usr/local/var/log/suricata, the default-log-dir set in the suricata.yaml generated by the source build, rather than to the /var/log/suricata directory created above.
# cd /usr/local/var/log/suricata/
# ls -l
-rw-r--r-- 1 root root  25331 Jul 23 12:27 fast.log
drwxr-xr-x 2 root root   4096 Jul 23 11:34 files
-rw-r--r-- 1 root root  12345 Jul 23 11:37 http.log
-rw-r--r-- 1 root root 650978 Jul 23 12:27 stats.log
-rw-r--r-- 1 root root  22853 Jul 23 11:53 unified2.alert.1374557837
-rw-r--r-- 1 root root   2691 Jul 23 12:09 unified2.alert.1374559711
-rw-r--r-- 1 root root   2143 Jul 23 12:13 unified2.alert.1374559939
-rw-r--r-- 1 root root   6262 Jul 23 12:27 unified2.alert.1374560613
Watch the stats.log file and confirm that the information shown is being updated in real time.
# tail -f stats.log
tcp.reassembly_memuse     | Detect             | 0
tcp.reassembly_gap        | Detect             | 0
detect.alert              | Detect             | 27
flow_mgr.closed_pruned    | FlowManagerThread  | 3
flow_mgr.new_pruned       | FlowManagerThread  | 277
flow_mgr.est_pruned       | FlowManagerThread  | 0
flow.memuse               | FlowManagerThread  | 3870000
flow.spare                | FlowManagerThread  | 10000
flow.emerg_mode_entered   | FlowManagerThread  | 0
flow.emerg_mode_over      | FlowManagerThread  | 0
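As an added example (not from the original article or the Suricata project), a small Python script that parses the stats.log layout shown above and confirms the counters are still moving between two consecutive blocks, which is the "is the engine really inspecting traffic" check this step asks for. The log excerpt inside it is constructed, and the decoder.pkts counter and RxPcapeth01 thread name are assumptions about the 1.4.x format.

```python
import re
# Constructed sample: two consecutive stats.log blocks (1.4.x layout), trimmed to a few rows.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 7/23/2013 -- 12:27:10 (uptime: 0d, 00h 04m 25s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxPcapeth01               | 51200
detect.alert              | Detect                    | 27
flow_mgr.new_pruned       | FlowManagerThread         | 277
-------------------------------------------------------------------
Date: 7/23/2013 -- 12:27:18 (uptime: 0d, 00h 04m 33s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxPcapeth01               | 53910
detect.alert              | Detect                    | 31
flow_mgr.new_pruned       | FlowManagerThread         | 290
"""

# One data row "counter | thread | integer"; header and separator lines fail the numeric third field.
ROW_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats_log(text):
    """Split stats.log into snapshots: one {(counter, thread): value} dict per 'Date:' block."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            snapshots.append({})
            continue
        m = ROW_RE.match(line)
        if m and snapshots:
            counter, thread, value = m.groups()
            snapshots[-1][(counter, thread)] = int(value)
    return snapshots

def counter_deltas(text):
    """Change of each counter between the last two snapshots, summed over all threads."""
    snaps = parse_stats_log(text)
    if len(snaps) < 2:
        raise ValueError("need at least two stats.log blocks to compare")
    prev, cur = snaps[-2], snaps[-1]
    deltas = {}
    for (counter, thread), value in cur.items():
        deltas[counter] = deltas.get(counter, 0) + value - prev.get((counter, thread), 0)
    return deltas

def engine_is_live(text, watch=("decoder.pkts", "detect.alert")):
    """True when at least one watched counter grew, i.e. packets are actually being inspected."""
    return any(delta > 0 for name, delta in counter_deltas(text).items() if name in watch)
```

Run it against a real file with `counter_deltas(open("/usr/local/var/log/suricata/stats.log").read())`; a decoder.pkts delta of zero on a busy interface means the capture, not the rules, needs attention.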
Reference Links
Suricata Homepage
Suricata User Guide