
[Security tools] Suricata complete feature list

Engine

  1. Network Intrusion Detection System (NIDS) engine
  2. Network Intrusion Prevention System (NIPS) engine
  3. Network Security Monitoring (NSM) engine
  4. Offline analysis of PCAP files
  5. Traffic recording using the pcap logger
  6. Unix socket mode for automated PCAP file processing
  7. Advanced integration with the Linux Netfilter firewall

Operating system support

  1. Linux
  2. FreeBSD
  3. OpenBSD
  4. macOS / Mac OS X
  5. Windows

Configuration

  1. Configuration file that is both human and machine readable
  2. Well commented and documented
  3. Supports including other files

TCP/IP engine

  1. Scalable flow engine
  2. Full IPv6 support
  3. Tunnel decoding
    • Teredo
    • IP-IP
    • IP6-IP4
    • IP4-IP6
    • GRE
  4. TCP stream engine
    • tracking sessions
    • stream reassembly
    • target based stream reassembly
  5. IP Defrag engine
    • target based reassembly

Protocol parsers

  1. Packet decoding support
    1. IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
    2. Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN
  2. App layer decoding:
    1. HTTP, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2
    2. New protocols are written in Rust for safe and fast decoding.

HTTP engine

  • Stateful HTTP parser built on libhtp
  • HTTP request logger
  • File identification, extraction and logging
  • Per server settings — limits, personality, etc
  • Keywords to match on (normalized) buffers:
    • uri and raw uri
    • headers and raw headers
    • cookie
    • user-agent
    • request body and response body
    • method, status and status code
    • host
    • request and response lines
    • decompress flash files
    • and many more

Detection engine

  • Protocol keywords
  • Multi-tenancy per vlan or capture device
  • xbits – flowbits extension
  • PCRE support
    • substring capture for logging in EVE
  • fast_pattern and prefilter support
  • Rule profiling
  • File matching
    • file magic
    • file size
    • file name and extension
    • file MD5/SHA1/SHA256 checksum — scales up to millions of checksums
  • multiple pattern matcher algorithms that can be selected
  • extensive tuning options
  • live rule reloads — use new rules w/o restarting Suricata
  • delayed rules initialization
  • Lua scripting for custom detection logic
  • Hyperscan integration

Outputs

  • Eve log, all JSON alert and event output
  • Lua output scripts for generating your own output formats
  • Redis support
  • HTTP request logging
  • TLS handshake logging
  • Unified2 output — compatible with Barnyard2
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Prelude support
  • drop log — netfilter style log of dropped packets in IPS mode
  • syslog — alert to syslog
  • stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk, with deduplication in the v2 format
  • DNS request/reply logger, including TXT data
  • Signal based Log rotation
  • Flow logging

Alert/event filtering

  • per rule alert filtering and thresholding
  • global alert filtering and thresholding
  • per host/subnet thresholding and rate limiting settings
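As an added example that is not part of the original page or of the Suricata project, the script below works with three of the features listed above: it parses EVE JSON lines (the "Outputs" section), re-creates the counting behaviour of a per-rule `threshold` (type threshold, track by_src, count N, seconds S) over those alerts (the "Alert/event filtering" section), and checks `fileinfo` events against a set of MD5 checksums (the file-matching bullets in "Detection engine"). The EVE lines, the signature id 1000001, the IP addresses and the checksum list are all constructed for the example; the threshold logic is a simplified model of the engine's behaviour, not its code.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed EVE JSON lines (not real Suricata output): four alerts for
# sid 1000001, three of them from 10.0.0.5 within six seconds, one fileinfo
# event carrying an MD5 checksum, and one truncated line as a log-rotation
# edge case.
EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"TEST login attempt","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"TEST login attempt","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"TEST login attempt","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"TEST login attempt","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:07.000000+0000","event_type":"fileinfo","src_ip":"192.0.2.10","dest_ip":"10.0.0.5","fileinfo":{"filename":"/payload.bin","md5":"d41d8cd98f00b204e9800998ecf8427e","size":0}}',
    'this line was cut off by log rotation {',
]


def parse_eve(lines):
    """Parse EVE JSON lines one event per line, skipping blank or truncated ones."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a partial line from a rotated log must not abort the run
    return events


def _ts(event):
    # EVE timestamps look like 2024-01-01T10:00:00.000000+0000
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_by_signature(events):
    """Count alert events per signature_id."""
    return Counter(e["alert"]["signature_id"]
                   for e in events if e.get("event_type") == "alert")


def apply_threshold(events, sid, count, seconds, track="src_ip"):
    """Simplified model of `threshold: type threshold, track by_src, count N, seconds S`
    for one sid: an alert passes every N-th time the tracked key is seen inside
    an S-second window, and the window and counter reset once S seconds elapse."""
    window_start = {}
    counters = defaultdict(int)
    passed = []
    alerts = [e for e in events
              if e.get("event_type") == "alert" and e["alert"]["signature_id"] == sid]
    for e in sorted(alerts, key=_ts):
        key = e[track]
        now = _ts(e)
        start = window_start.get(key)
        if start is None or (now - start).total_seconds() > seconds:
            window_start[key] = now  # open a fresh window for this key
            counters[key] = 0
        counters[key] += 1
        if counters[key] == count:
            passed.append(e)
            counters[key] = 0  # "type threshold" alerts every count-th match
    return passed


def match_file_checksums(events, checksum_set):
    """Return filenames of fileinfo events whose MD5 is in checksum_set.
    A set gives O(1) lookups, which is what makes million-entry lists practical."""
    return [e["fileinfo"]["filename"] for e in events
            if e.get("event_type") == "fileinfo"
            and e["fileinfo"].get("md5", "").lower() in checksum_set]


if __name__ == "__main__":
    evs = parse_eve(EVE_LINES)
    print("alerts per sid:", dict(alerts_by_signature(evs)))
    for hit in apply_threshold(evs, 1000001, count=3, seconds=60):
        print("threshold reached:", hit["src_ip"], hit["timestamp"])
    # The checksum set is constructed; it holds the MD5 of the empty file.
    print("checksum hits:", match_file_checksums(evs, {"d41d8cd98f00b204e9800998ecf8427e"}))
```

Run it against a real `eve.json` by replacing `EVE_LINES` with the file's lines; on the constructed input, only the third alert from 10.0.0.5 survives the threshold, and the fileinfo event matches the checksum list.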

Packet acquisition

  • High performance capture
    • AF_PACKET
      • experimental eBPF and XDP modes available
    • PF_RING
    • NETMAP
  • Standard capture
    • PCAP
    • NFLOG (netfilter integration)
  • IPS mode
    • Netfilter based on Linux (nfqueue)
      • fail open support
    • ipfw based on FreeBSD and NetBSD
    • AF_PACKET based on Linux
    • NETMAP
  • Capture cards and specialized devices
    • Endace
    • Napatech
    • Tilera

Multi threading

  • Fully configurable threading, from a single thread to dozens of threads
  • Precooked "runmodes"
  • Optional CPU affinity settings
  • Use of fine grained locking and atomic operations for optimal performance
  • Optional lock profiling

IP reputation

  • loading of large amounts host based reputation data
  • matching on reputation data in the rule language using the “iprep” keyword
  • live reload support
  • supports CIDR ranges

Tools

  • Suricata-Update for easy rule update management
  • Suricata-Verify for QA during development

Source: https://suricata-ids.org/features/all-features/
