1. Preface
Recent work requires detecting keywords in site traffic in order to find sensitive words. The process involves collecting packets, decoding them, detecting the keywords and logging the results. For now the function is implemented simply: a plain match against the keyword, with no semantic analysis of it, so that for example the word "Java" matches the sensitive keyword "av". For packet detection the open-source projects have done very well; I know of Snort, Suricata and Bro, three very good IDS (intrusion detection systems). Since we did not have a deep understanding of Bro, we compared Snort and Suricata, and given Suricata's multithreading and modularity and its full compatibility with Snort rules, we chose Suricata for keyword detection.
When I first came across Suricata I did not know how to pronounce the word and hurried to check a dictionary. Suricata is a system that supports IDS, IPS and NSM. For more information about Suricata, see the official website: https://suricata-ids.org/.
Note:
IDS: abbreviation of "Intrusion Detection System". Following a given security policy, it monitors the state of the network and its systems through software and hardware, identifies as far as possible attack attempts, attacks in progress and the results of attacks, and so protects the confidentiality, integrity and availability of network system resources.
IPS: abbreviation of "Intrusion Prevention System". As network attack techniques keep improving and more network security vulnerabilities are discovered, traditional firewall and IDS technology can no longer handle some security threats. IPS technology arose in this setting: it inspects data flows in depth, discards malicious packets to block attacks, and limits abusive packets to protect network bandwidth.
NSM: abbreviation of "Network Security Monitoring".
2. Overall architecture
A packet detection system usually has four parts: packet acquisition, packet decoding, packet detection and logging. Suricata installs a module for each of these functions; the output of one module is the input of the next, and Suricata strings the modules together in a thread.
Take IDS mode as the example to illustrate how Suricata threads are connected to modules.
First the runmodes are registered. The run mode specifies how Suricata acquires packets, for example libpcap, netmap or AF_PACKET. The code is as follows:
Then, according to the run mode Suricata is configured with, the corresponding packet-acquisition module is found. By default Suricata acquires packets via AF_PACKET mmap, and it then calls the entry function of that acquisition module.
This entry function appends the decoding module, the stream-processing module (which performs packet detection) and the log-processing module, concatenated onto the slot chain in registration order. Each thread holds a list of slots, each slot hanging a different module; when the program runs it traverses the slot list, executing the modules in the order they were appended.
The code that creates the threads and appends the modules to the slot list is as follows:
```c
    /* create the threads */
    for (thread = 0; thread < threads_count; thread++) {
        char tname[TM_THREAD_NAME_MAX];
        ThreadVars *tv = NULL;
        TmModule *tm_module = NULL;
        const char *visual_devname = LiveGetShortName(live_dev);

        if (single_mode) {
            snprintf(tname, sizeof(tname), "%s#01-%s", thread_name, visual_devname);
        } else {
            snprintf(tname, sizeof(tname), "%s#%02d-%s", thread_name,
                     thread + 1, visual_devname);
        }
        tv = TmThreadCreatePacketHandler(tname,
                "packetpool", "packetpool",
                "packetpool", "packetpool",
                "pktacqloop");
        if (tv == NULL) {
            SCLogError(SC_ERR_THREAD_CREATE, "TmThreadsCreate failed");
            exit(EXIT_FAILURE);
        }

        /* add the receive (packet acquisition) module */
        tm_module = TmModuleGetByName(recv_mod_name);
        if (tm_module == NULL) {
            SCLogError(SC_ERR_INVALID_VALUE, "TmModuleGetByName failed for %s", recv_mod_name);
            exit(EXIT_FAILURE);
        }
        TmSlotSetFuncAppend(tv, tm_module, aconf);

        /* add the decode module */
        tm_module = TmModuleGetByName(decode_mod_name);
        if (tm_module == NULL) {
            SCLogError(SC_ERR_INVALID_VALUE, "TmModuleGetByName %s failed", decode_mod_name);
            exit(EXIT_FAILURE);
        }
        TmSlotSetFuncAppend(tv, tm_module, NULL);

        /* add the flow worker (stream processing / detection) module */
        tm_module = TmModuleGetByName("FlowWorker");
        if (tm_module == NULL) {
            SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName for FlowWorker failed");
            exit(EXIT_FAILURE);
        }
        TmSlotSetFuncAppend(tv, tm_module, NULL);

        /* add the blocking (respond/reject) module */
        tm_module = TmModuleGetByName("RespondReject");
        if (tm_module == NULL) {
            SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName RespondReject failed");
            exit(EXIT_FAILURE);
        }
        TmSlotSetFuncAppend(tv, tm_module, NULL);

        /* add the log processing modules */
        SetupOutputs(tv);

        TmThreadSetCPU(tv, WORKER_CPU_SET);

        if (TmThreadSpawn(tv) != TM_ECODE_OK) {
            SCLogError(SC_ERR_THREAD_SPAWN, "TmThreadSpawn failed");
            exit(EXIT_FAILURE);
        }
    }
```
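To make the slot chain concrete, here is an added example (my own code, not Suricata's) of a worker thread whose slot list is built in registration order, decode, detect, log, and then traversed once per packet; the detect module does the plain substring match described in the preface, so the constructed payload "Java" hits the keyword "av". Packet, TmSlot, ThreadVars, SlotAppend and ScanPacket are hypothetical stand-ins for the Suricata types and functions, and the keyword list is constructed sample data.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for Suricata's Packet, TmSlot and ThreadVars (not Suricata's own code) */
typedef struct { const char *raw; char decoded[64]; const char *hit; int logged; } Packet;
typedef int (*SlotFunc)(Packet *p, void *data);
typedef struct TmSlot_ { SlotFunc func; void *data; struct TmSlot_ *next; } TmSlot;
typedef struct { TmSlot *slots; } ThreadVars;

/* Like TmSlotSetFuncAppend: hang one more module at the tail of the thread's slot chain */
static void SlotAppend(ThreadVars *tv, SlotFunc func, void *data)
{
    TmSlot **pp = &tv->slots, *s = malloc(sizeof(*s));
    if (!s) abort();
    *s = (TmSlot){ func, data, NULL };
    while (*pp) pp = &(*pp)->next;
    *pp = s;
}

/* Decode module: canonical lower-case view of the payload (decoded[] is zeroed by the caller) */
static int DecodeModule(Packet *p, void *data)
{
    (void)data;
    for (size_t i = 0; p->raw[i] && i < sizeof(p->decoded) - 1; i++)
        p->decoded[i] = (char)tolower((unsigned char)p->raw[i]);
    return 0;
}

/* Detect module: plain substring match with no semantic analysis, so "Java" hits "av" */
static int DetectModule(Packet *p, void *data)
{
    for (const char **kw = data; *kw; kw++)
        if (strstr(p->decoded, *kw)) { p->hit = *kw; return 1; }
    return 0;
}
/* Log module: stands in for the loggers that SetupOutputs() appends after detection */
static int LogModule(Packet *p, void *data) { (void)data; p->logged = (p->hit != NULL); return 0; }
static const char *keywords[] = { "av", "secret", NULL };   /* constructed sample keyword list */
/* Worker mode: one thread runs every slot, in registration order, for each packet; returns the hit */
static const char *ScanPacket(const char *raw)
{
    ThreadVars tv = { NULL };
    Packet p = { raw, { 0 }, NULL, 0 };
    SlotAppend(&tv, DecodeModule, NULL);
    SlotAppend(&tv, DetectModule, keywords);
    SlotAppend(&tv, LogModule, NULL);
    for (TmSlot *s = tv.slots, *n; s; s = n) { n = s->next; s->func(&p, s->data); free(s); }
    return p.hit;   /* NULL when no keyword matched */
}
```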
Three run modes are available for AF_PACKET.
For how they work, see: http://blog.csdn.net/firedb/article/details/7581853.
At the moment I have only worked with workers mode, in which the whole pipeline is handled by a single thread.
3. Summary
This is my current understanding of Suricata; the next step is to examine how the modules interact with each other: how Suricata collects packets, how it passes the collected packets to the decoding module, what the decoding module does, and what its output is.
Suricata learning notes: a preliminary understanding