[Security Tools] The Complete List of Suricata Features
Engine
- Network Intrusion Detection System (NIDS) engine
- Network Intrusion Prevention System (NIPS) engine
- Network Security Monitoring (NSM) engine
- Offline analysis of PCAP files
- Traffic recording using the pcap logger
- Unix socket mode for automated PCAP file processing
- Advanced integration with the Linux Netfilter firewall
Operating system support
- Linux
- FreeBSD
- OpenBSD
- macOS / Mac OS X
- Windows
Configuration
- Configuration file is human and machine readable
- Well commented and documented
- Supports including other files
TCP/IP engine
- Scalable flow engine
- Full IPv6 support
- Tunnel decoding
  - Teredo
  - IP-IP
  - IP6-IP4
  - IP4-IP6
  - GRE
- TCP stream engine
  - tracking sessions
  - stream reassembly
  - target based stream reassembly
- IP defrag engine
  - target based reassembly
Protocol parsers
- Packet decoding support:
  - IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
  - Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QinQ, MPLS, ERSPAN
- App layer decoding:
  - HTTP, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2
- New protocols are developed in Rust for safe and fast decoding.
HTTP engine
- Stateful HTTP parser built on libhtp
- HTTP request logger
- File identification, extraction and logging
- Per server settings: limits, personality, etc.
- Keywords to match on (normalized) buffers:
  - uri and raw uri
  - headers and raw headers
  - cookie
  - user-agent
  - request body and response body
  - method, status and status code
  - host
  - request and response lines
  - decompress flash files
  - and many more
Detection engine
- Protocol keywords
- Multi-tenancy per VLAN or capture device
- xbits: flowbits extension
- PCRE support
  - substring capture for logging in EVE
- fast_pattern and prefilter support
- Rule profiling
- File matching
  - file magic
  - file size
  - file name and extension
  - file MD5/SHA1/SHA256 checksum, scales up to millions of checksums
- Multiple pattern matcher algorithms that can be selected
- Extensive tuning options
- Live rule reloads: use new rules without restarting Suricata
- Delayed rules initialization
- Lua scripting for custom detection logic
- Hyperscan integration
Outputs
- Eve log, all JSON alert and event output
- Lua output scripts for generating your own output formats
- Redis support
- HTTP request logging
- TLS handshake logging
- Unified2 output — compatible with Barnyard2
- Alert fast log
- Alert debug log — for rule writers
- Traffic recording using pcap logger
- Prelude support
- drop log — netfilter style log of dropped packets in IPS mode
- syslog — alert to syslog
- stats — engine stats at fixed intervals
- File logging including MD5 checksum in JSON format
- Extracted file storing to disk, with deduplication in the v2 format
- DNS request/reply logger, including TXT data
- Signal based Log rotation
- Flow logging
Alert/event filtering
- per rule alert filtering and thresholding
- global alert filtering and thresholding
- per host/subnet thresholding and rate limiting settings
Packet acquisition
- High performance capture
  - AF_PACKET
    - experimental eBPF and XDP modes available
  - PF_RING
  - NETMAP
- Standard capture
  - PCAP
  - NFLOG (netfilter integration)
- IPS mode
  - Netfilter based on Linux (nfqueue)
    - fail open support
  - ipfw based on FreeBSD and NetBSD
  - AF_PACKET based on Linux
  - NETMAP
- Capture cards and specialized devices
  - Endace
  - Napatech
  - Tilera
Multi-threading
- Fully configurable threading, from a single thread to dozens of threads
- Pre-cooked "runmodes"
- Optional CPU affinity settings
- Uses fine grained locking and atomic operations for optimal performance
- Optional lock profiling
IP reputation
- loading of large amounts of host based reputation data
- matching on reputation data in the rule language using the “iprep” keyword
- live reload support
- supports CIDR ranges
Tools
- Suricata-Update for easy rule update management
- Suricata-Verify for QA during development
Source: https://suricata-ids.org/features/all-features/
This article: https://architect.pub/complete-list-suricata-features