A mature signature language for describing known threats and malicious behaviour, compatible with the Emerging Threats Suricata ruleset (Proofpoint and Intel rules)
and the VRT ruleset (Snort rules); the Barnyard and Barnyard2 tools are supported.
A single Suricata instance can inspect gigabit network traffic; the engine is built on multithreaded code and hardware acceleration (pf_ring, af_packet).
Automatic protocol detection on any port, which helps uncover malware and its communication channels.
Suricata can log every HTTP request URL, DNS request and TLS key exchange, and supports extracting files from streams and storing them on disk.
Lua scripts can cover characteristics that the rule set cannot express.
The main log output format is EVE, covering all protocol events and alert output
(can be limited to individual hosts or subnets, configured globally or per rule) as well as flow records.
Supported platforms: Linux, FreeBSD, OpenBSD, macOS / Mac OS X, Windows
YAML is used as the configuration file format, which is easy to read.
IPv6 is supported. Tunnel decoding covers: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE,
VXLAN, Geneve. Session tracking, stream reassembly and IP defragmentation are supported.
Decoders exist for many protocols, including: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet,
PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN, Geneve, HTTP, HTTP/2,
SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP,
DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP, RFB, MQTT
A stateful HTTP parser based on libhtp parses the URL, request and response headers, cookies,
user-agent, request body and response body, request method and status code, and host.
Detection can match on many kinds of features, including: protocol keywords, regular expressions (Hyperscan),
fast pattern and prefiltering, file matching, and JA3 / JA3S / HASSH matching.
Rules can be reloaded live without restarting Suricata, and rule initialisation can be delayed.
High-performance capture modes: AF_PACKET, PF_RING, NETMAP
Standard modes: NFLOG, PCAP
IPS modes: Netfilter, NETMAP, AF_PACKET (Linux), ipfw (FreeBSD and NetBSD)
The number of threads is configurable, from one to several dozen; mutual exclusion uses atomic operations to improve performance.
Hyperscan is a high-performance multiple regex matching library. In Suricata it can be used to perform multi pattern matching (mpm).
First, install Hyperscan:
apt-get install cmake ragel
apt-get install libboost-dev
sudo apt-get install python-dev libbz2-dev
# Only needed if the distribution's Boost is too old for Hyperscan: build Boost 1.66 into a private prefix
wget https://dl.bintray.com/boostorg/release/1.66.0/source/boost_1_66_0.tar.gz
tar xvzf boost_1_66_0.tar.gz
cd boost_1_66_0
./bootstrap.sh --prefix=~/tmp/boost-1.66
./b2 install
cd ..
git clone https://github.com/intel/hyperscan
cd hyperscan
mkdir build
cd build
# With the system Boost:
cmake -DBUILD_STATIC_AND_SHARED=1 ../
# Or, with the privately built Boost 1.66:
cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=~/tmp/boost-1.66 ../
make
sudo make install
Second, by default Suricata is not built with Hyperscan enabled, so we need to pass the following options explicitly when configuring the Suricata build:
--with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
Then set the mpm-algo and spm-algo values in suricata.yaml to 'hs'.
High Performance Configuration
If you have enough RAM, consider the following options in suricata.yaml:
detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
When Suricata shuts down, it also prints the total number of packets received and dropped.
The meaning of the counters differs by capture mode:
In AF_PACKET mode:
• kernel_packets is the number of packets correctly sent to userspace
• kernel_drops is the number of packets that have been discarded instead of being sent to userspace
In PF_RING mode:
• kernel_packets is the total number of packets seen by pf_ring
• kernel_drops is the number of packets that have been discarded instead of being sent to userspace
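As an added example that is not part of the original post, the following Python helper reads Suricata EVE "stats" records and turns the two capture counters into a drop ratio, applying the per-mode meaning given above (in AF_PACKET mode kernel_packets excludes the drops, in PF_RING mode it already includes them). The EVE lines are constructed sample data, not real engine output.

```python
import json

# Constructed sample EVE records (not captured from a real Suricata). The
# "capture" object carries the kernel_packets / kernel_drops counters, which
# are cumulative since engine start.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1000000,"kernel_drops":0}}}
{"timestamp":"2024-01-01T10:00:08.000000+0000","event_type":"alert","alert":{"signature_id":1}}
this line is not JSON and must be skipped
{"timestamp":"2024-01-01T10:00:20.000000+0000","event_type":"stats","stats":{"uptime":80,"capture":{"kernel_packets":1500000,"kernel_drops":30000}}}
"""


def drop_ratio(kernel_packets, kernel_drops, mode):
    """Fraction of all packets the kernel saw that never reached Suricata.

    af_packet: kernel_packets counts only packets delivered to userspace,
               so the total seen is packets + drops.
    pf_ring:   kernel_packets is already the total seen by pf_ring.
    """
    if mode == "af_packet":
        total = kernel_packets + kernel_drops
    elif mode == "pf_ring":
        total = kernel_packets
    else:
        raise ValueError("unknown capture mode: %s" % mode)
    return kernel_drops / total if total else 0.0


def capture_drop_rates(eve_text, mode, threshold=0.01):
    """Return (timestamp, packets, drops, ratio, over_threshold) for each
    'stats' record; other event types and malformed lines are skipped."""
    rows = []
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "stats":
            continue
        cap = ev.get("stats", {}).get("capture", {})
        packets = cap.get("kernel_packets", 0)
        drops = cap.get("kernel_drops", 0)
        ratio = drop_ratio(packets, drops, mode)
        rows.append((ev["timestamp"], packets, drops, ratio, ratio > threshold))
    return rows


if __name__ == "__main__":
    for row in capture_drop_rates(SAMPLE_EVE, "af_packet"):
        print("%s packets=%d drops=%d drop_ratio=%.4f alert=%s" % row)
```

A sustained ratio above one percent usually means the detection threads cannot keep up and the worker count, the ring buffer size or the mpm algorithm (for example Hyperscan, as configured above) should be revisited.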
Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.
In case of infringement, please contact cloudcommunity@tencent.com for removal.