Install Suricata 1.4.4 - Network Intrusion Detection, Prevention and Security Monitoring System
Suricata is a high-performance, open source Network Intrusion Detection, Prevention and Security Monitoring engine for Unix/Linux, FreeBSD and Windows based systems. It is developed and owned by the non-profit foundation OISF (Open Information Security Foundation).
Recently, the OISF project team announced the release of Suricata 1.4.4, which brings minor but important updates and fixes several critical bugs found in the previous release.
Suricata Features
Suricata is a rule-based Intrusion Detection and Prevention engine that uses externally developed rule sets to monitor network traffic. It can handle multiple gigabits of traffic and can deliver email alerts to system and network administrators.
Suricata inspects network traffic quickly and efficiently. The engine is designed to take advantage of the increased processing power offered by modern multi-core hardware.
The engine not only supports keywords for TCP, UDP, ICMP and IP, but also has built-in support for HTTP, FTP, TLS and SMB. An administrator can write custom rules to detect a match inside an HTTP stream, which makes it useful for a wide range of malware detection and control.
The engine also accepts rules based on RBN IP reputation data and the malware-infected IP lists published by Emerging Threats, and keeps them in a new fast-matching preprocessor.
Step 1: Installing Suricata on RHEL, CentOS and Fedora
You must use the Fedora EPEL repository to install some of the required packages for the i386 and x86_64 architectures.
- Enable Fedora EPEL Repository
Before compiling and building Suricata for your system, install the following dependency packages needed for the rest of the installation. The process may take a while to complete, depending on your internet speed.
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
Next, build Suricata with IPS support. For this we need the “libnfnetlink” and “libnetfilter_queue” packages, but these pre-built packages are not available in the EPEL or CentOS repositories, so we need to download and install the rpms from the Emerging Threats CentOS repository. Use the set of packages that matches your architecture.
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
Download the latest Suricata source files and build them using the following commands.
# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4
Now we use Suricata's Auto Setup feature to automatically create all required directories, configuration files and new rule directories.
# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full
Step 2: Installing Suricata on Debian and Ubuntu
Before starting the installation, you must have the following prerequisite packages installed on the system. Make sure you run the following command as the root user. This installation process may take some time, depending on your current internet speed.
# apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
pkg-config magic file libhtp-dev
By default, Suricata runs as an IDS. If you want to add IPS support, install the few additional packages it requires, as follows.
# apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Download the latest Suricata tarball and build it using the following commands.
# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4
Use Suricata's Auto Setup option to automatically create all required directories, configuration files and rule directories, as shown below.
# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full
Step 3: Basic Suricata Setup
After downloading and installing Suricata, it is time to proceed to the basic setup. First create the log and configuration directories.
# mkdir /var/log/suricata
# mkdir /etc/suricata
The next step is to copy the configuration files “classification.config“, “reference.config” and “suricata.yaml” from the Suricata source directory (/tmp/suricata-1.4.4) into /etc/suricata.
# cd /tmp/suricata-1.4.4
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata
Finally, start the Suricata engine for the first time and specify the name of the network interface it should monitor. Replace eth0 with the network card of your choice.
# suricata -c /etc/suricata/suricata.yaml -i eth0
23/7/2013 -- 12:22:45 - - This is Suricata version 1.4.4 RELEASE
23/7/2013 -- 12:22:45 - - CPUs/cores online: 2
23/7/2013 -- 12:22:45 - - Found an MTU of 1500 for 'eth0'
23/7/2013 -- 12:22:45 - - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 - - preallocated 65535 defrag trackers of size 104
23/7/2013 -- 12:22:45 - - defrag memory usage: 8912792 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 - - AutoFP mode using default "Active Packets" flow load balancer
23/7/2013 -- 12:22:45 - - preallocated 1024 packets. Total memory 3170304
23/7/2013 -- 12:22:45 - - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
23/7/2013 -- 12:22:45 - - preallocated 1000 hosts of size 76
23/7/2013 -- 12:22:45 - - host memory usage: 207072 bytes, maximum: 16777216
23/7/2013 -- 12:22:45 - - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 - - preallocated 10000 flows of size 176
23/7/2013 -- 12:22:45 - - flow memory usage: 3857152 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 - - IP reputation disabled
23/7/2013 -- 12:22:45 - - using magic-file /usr/share/file/magic
After a few minutes, check that the engine is running properly and is capturing and inspecting traffic by looking at the log directory.
# cd /usr/local/var/log/suricata/
# ls -l
-rw-r--r-- 1 root root  25331 Jul 23 12:27 fast.log
drwxr-xr-x 2 root root   4096 Jul 23 11:34 files
-rw-r--r-- 1 root root  12345 Jul 23 11:37 http.log
-rw-r--r-- 1 root root 650978 Jul 23 12:27 stats.log
-rw-r--r-- 1 root root  22853 Jul 23 11:53 unified2.alert.1374557837
-rw-r--r-- 1 root root   2691 Jul 23 12:09 unified2.alert.1374559711
-rw-r--r-- 1 root root   2143 Jul 23 12:13 unified2.alert.1374559939
-rw-r--r-- 1 root root   6262 Jul 23 12:27 unified2.alert.1374560613
Watch the “stats.log” file and verify that the counters it shows are being updated in real time.
# tail -f stats.log
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 27
flow_mgr.closed_pruned    | FlowManagerThread         | 3
flow_mgr.new_pruned       | FlowManagerThread         | 277
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 3870000
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
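The following script is an added example, not part of the original article or of Suricata itself. It turns the Step 3 checks above into two reusable shell functions: one verifies that the three configuration files were copied into /etc/suricata, the other reads the "counter | thread | value" lines that Suricata 1.4.x writes to stats.log and returns the most recent value of a named counter, which is the value you want for alerting on detect.alert or flow.memuse. The stats.log sample embedded in it is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the article): post-install checks for the Step 3 layout.

# Verify the files Step 3 copies into /etc/suricata are present.
# $1 = config dir (defaults to /etc/suricata). Returns 1 on the first missing file.
config_present() {
    dir="${1:-/etc/suricata}"
    for f in suricata.yaml classification.config reference.config; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    return 0
}

# Latest value of a counter in stats.log. The file is appended every few
# seconds with a fresh block of counters, so the LAST matching line is current.
# $1 = path to stats.log, $2 = counter name (e.g. detect.alert).
# Prints the value, or "missing" if the counter never appears.
stats_counter() {
    awk -v name="$2" -F'|' '
        { gsub(/ /, "", $1) }                  # strip padding around the name
        $1 == name { gsub(/ /, "", $3); v = $3 } # keep overwriting: last wins
        END { print (v == "" ? "missing" : v) }
    ' "$1"
}

# Constructed sample stats.log covering two reporting intervals, so the
# "last value wins" behaviour can be exercised without a running sensor.
sample_stats() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
detect.alert              | Detect                    | 12
flow.memuse               | FlowManagerThread         | 3857152
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
detect.alert              | Detect                    | 27
flow.memuse               | FlowManagerThread         | 3870000
EOF
    echo "$f"
}

# Usage on a live sensor (paths from the article; the log path must match
# the default-log-dir set in suricata.yaml):
#   config_present /etc/suricata && \
#   stats_counter /usr/local/var/log/suricata/stats.log detect.alert
```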
Reference Links
Suricata Homepage
Suricata User Guide