{"id":1221,"date":"2015-10-10T02:46:23","date_gmt":"2015-10-09T23:46:23","guid":{"rendered":"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/"},"modified":"2015-10-10T02:46:23","modified_gmt":"2015-10-09T23:46:23","slug":"saldiri-tespit-sistemleri-snort-suricata-bro","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/","title":{"rendered":"Sald\u0131r\u0131 Tespit Sistemleri (Snort, Suricata, Bro)"},"content":{"rendered":"<div id=\"post-body-95177040689262973\" itemprop=\"description articleBody\" readability=\"400.5\">\n<div style=\"text-align: justify;\" readability=\"14\">\nHayat\u0131m\u0131za akademik ama\u00e7l\u0131 bir ara\u015ft\u0131rma a\u011f\u0131 olarak giren internet,<br \/>\ng\u00fcn\u00fcm\u00fczde \u00f6nemli toplumsal d\u00f6n\u00fc\u015f\u00fcmlere altyap\u0131 sa\u011flar duruma gelmi\u015ftir. O<br \/>\n zamanlar internetin bu kadar kapsaml\u0131 ve etkili kullan\u0131labilece\u011fi<br \/>\n\u00f6ng\u00f6r\u00fclemedi\u011finden ya da \u00f6nemsiz bir konu olarak nitelendirildi\u011finden<br \/>\nolsa gerek internet ortam\u0131ndaki g\u00fcvenlik pek \u00f6nemsenmemi\u015f ve bu konuda<br \/>\nyeteri kadar \u00e7al\u0131\u015fma yap\u0131lmam\u0131\u015f. Fakat internet kullan\u0131m oran\u0131n\u0131n<br \/>\nartmas\u0131, internete ba\u011fl\u0131 kurum say\u0131s\u0131n\u0131n artmas\u0131, internet ortam\u0131nda<br \/>\nyap\u0131labilen i\u015flerin \u00e7e\u015fitlili\u011finin artmas\u0131 neticesinde g\u00fcvenlik konusu<br \/>\nister istemez ciddi bir problem haline gelmi\u015ftir. \u00d6zellikle 1988 y\u0131l\u0131nda<br \/>\n ortaya \u00e7\u0131kan Morris solucan\u0131n\u0131n [1], ba\u015far\u0131l\u0131 bir \u015fekilde binlerce<br \/>\nbilgisayar sistemine s\u0131zmay\u0131 ba\u015farmas\u0131 ve s\u0131zd\u0131\u011f\u0131 bilgisayar<br \/>\nsistemlerini \u00e7al\u0131\u015famaz hale getirmesi b\u00fcy\u00fck bir faciaya neden olmu\u015f ve<br \/>\nbu olaydan sonra internet ortam\u0131ndaki g\u00fcvenlik konusunda fark\u0131ndal\u0131k<br \/>\nolu\u015fmaya ba\u015flam\u0131\u015ft\u0131r. Bu olaydan sonra bilgi g\u00fcvenli\u011fi konusunda<br \/>\n\u00e7al\u0131\u015fmalar h\u0131z kazanm\u0131\u015f ve 90\u2019l\u0131 y\u0131llar\u0131n ba\u015flar\u0131nda ilk g\u00fcvenlik duvar\u0131<br \/>\n uygulamalar\u0131 ile bir tak\u0131m teknik g\u00fcvenlik \u00f6nlemlerinin al\u0131nmas\u0131<br \/>\nkonusunda referans \u00e7al\u0131\u015fmalar ba\u015flam\u0131\u015ft\u0131r.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/networksecurity.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/networksecurity.jpg?resize=640%2C240&#038;ssl=1\" height=\"240\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p><a name=\"more\"\/><\/div>\n<p><span style=\"text-align: justify;\">G\u00fcvenlikle ilgili tehditlerin say\u0131s\u0131n\u0131n ve t\u00fcrlerinin h\u0131zla artmas\u0131na<br \/>\nkar\u015f\u0131l\u0131k geli\u015ftirilen g\u00fcvenlik \u00f6nlemlerinde de h\u0131zl\u0131 bir geli\u015fim<br \/>\nya\u015fanmaktad\u0131r. Bu kapsamda bilgisayarlar\u0131n g\u00fcvenli\u011fini sa\u011flamak, yetkili<br \/>\nolmayan ki\u015filerin sistemlere eri\u015ferek bilgileri ele ge\u00e7irmelerini veya<br \/>\nde\u011fi\u015ftirmelerini engellemek i\u00e7in g\u00fcvenli\u011fin ilk basama\u011f\u0131 olarak kimlik<br \/>\ndo\u011frulama ve eri\u015fim kontrol\u00fc gibi g\u00fcvenlik mekanizmalar\u0131<br \/>\ngeli\u015ftirilmi\u015ftir. Fakat internet ve ileti\u015fimin artmas\u0131yla beraber k\u00f6t\u00fc<br \/>\nniyetli kullan\u0131c\u0131lar taraf\u0131ndan sald\u0131r\u0131l\u0131p zarar verilebilecek daha \u00e7ok<br \/>\nsistem ve elde edilebilecek daha \u00e7ok bilgi ortaya \u00e7\u0131kmaya ba\u015flam\u0131\u015f ve<br \/>\nbuna ba\u011fl\u0131 olarak ger\u00e7ekle\u015ftirilen sald\u0131r\u0131 say\u0131s\u0131nda ve kullan\u0131lan<br \/>\nsald\u0131r\u0131 y\u00f6ntemlerinde de ciddi art\u0131\u015flar g\u00f6zlemlenmi\u015ftir. \u00d6rne\u011fin bir yer<br \/>\nsa\u011flay\u0131c\u0131\u00a0firmas\u0131n\u0131n payla\u015ft\u0131\u011f\u0131 rapora g\u00f6re sadece o hosting firmas\u0131na kar\u015f\u0131 yap\u0131lan sald\u0131r\u0131lardan dolay\u0131 sald\u0131r\u0131 tespit sistemleri taraf\u0131ndan bir i\u015f g\u00fcn i\u00e7erisinde 190 milyon adet IDS alarm\u0131 \u00fcretilmektedir.<\/span><\/p>\n<p>\n<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_55 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\" role=\"button\"><label for=\"item-662f3a3713b1f\" ><span class=\"\"><span style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input aria-label=\"Toggle\" aria-label=\"item-662f3a3713b1f\"  type=\"checkbox\" id=\"item-662f3a3713b1f\"><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#1_SALDIRI_TESPIT_SISTEMLERI\" title=\"\n1. SALDIRI TESP\u0130T S\u0130STEMLER\u0130 \">\n1. SALDIRI TESP\u0130T S\u0130STEMLER\u0130 <\/a><ul class='ez-toc-list-level-3'><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#11_Nedir\" title=\"\n1.1 Nedir?\">\n1.1 Nedir?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#12_Arti_ve_Eksileri\" title=\"\n1.2 Art\u0131 ve Eksileri\">\n1.2 Art\u0131 ve Eksileri<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#13_Kullanim_Tipleri\" title=\"\n1.3 Kullan\u0131m Tipleri\">\n1.3 Kullan\u0131m Tipleri<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#14_Calisma_Mantigi\" title=\"\n1.4 \u00c7al\u0131\u015fma Mant\u0131\u011f\u0131\">\n1.4 \u00c7al\u0131\u015fma Mant\u0131\u011f\u0131<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#2_SALDIRI_TESPIT_SISTEMI_YAZILIMLARI\" title=\"\n2. SALDIRI TESP\u0130T S\u0130STEM\u0130 YAZILIMLARI\u00a0\">\n2. SALDIRI TESP\u0130T S\u0130STEM\u0130 YAZILIMLARI\u00a0<\/a><ul class='ez-toc-list-level-3'><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#21_SNORT_211_Gelisimi\" title=\"\n 2.1 SNORT 2.1.1 Geli\u015fimi\">\n 2.1 SNORT 2.1.1 Geli\u015fimi<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#212_Yapisi_ve_Ozellikleri\" title=\"\n2.1.2  Yap\u0131s\u0131 ve \u00d6zellikleri\">\n2.1.2  Yap\u0131s\u0131 ve \u00d6zellikleri<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#213_Calisma_Modlari\" title=\"\n2.1.3 \u00c7al\u0131\u015fma Modlar\u0131\">\n2.1.3 \u00c7al\u0131\u015fma Modlar\u0131<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#214_Kural_Yazimi\" title=\"\n2.1.4 Kural Yaz\u0131m\u0131\">\n2.1.4 Kural Yaz\u0131m\u0131<\/a><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#alert_tcp_any_any_-%3E_156154701_80_msg_%E2%80%9DTest_Rule%E2%80%9D_sid_5000853_content_%E2%80%9DGET%E2%80%9D_content_%E2%80%9Dcgi-binphf%E2%80%9D\" title=\"\nalert tcp any any -&gt; 156.154.70.1 80 (msg:&#8221;Test Rule&#8221;; sid:5000853; content:&#8221;GET&#8221;; content:&#8221;cgi-bin\/phf&#8221;;)\">\nalert tcp any any -&gt; 156.154.70.1 80 (msg:&#8221;Test Rule&#8221;; sid:5000853; content:&#8221;GET&#8221;; content:&#8221;cgi-bin\/phf&#8221;;)<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#22_SURICATA_221_Gelisimi\" title=\"\n2.2 SURICATA 2.2.1 Geli\u015fimi\">\n2.2 SURICATA 2.2.1 Geli\u015fimi<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#222_Ozellikleri\" title=\"\n2.2.2  \u00d6zellikleri\">\n2.2.2  \u00d6zellikleri<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#223_Yapisi\" title=\"\n2.2.3 Yap\u0131s\u0131\">\n2.2.3 Yap\u0131s\u0131<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#23_BRO_231_Gelisimi\" title=\"\n2.3 BRO 2.3.1  Geli\u015fimi\">\n2.3 BRO 2.3.1  Geli\u015fimi<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#232_Ozellikleri\" title=\"\n2.3.2 \u00d6zellikleri\">\n2.3.2 \u00d6zellikleri<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#233_Yapisi\" title=\"\n2.3.3 Yap\u0131s\u0131\">\n2.3.3 Yap\u0131s\u0131<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/furkansandal.com\/saldiri-tespit-sistemleri-snort-suricata-bro\/#SONUC\" title=\"\nSONU\u00c7\">\nSONU\u00c7<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"1_SALDIRI_TESPIT_SISTEMLERI\"><\/span>\n1. SALDIRI TESP\u0130T S\u0130STEMLER\u0130 <span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"11_Nedir\"><\/span>\n1.1 Nedir?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Genel olarak yap\u0131lan sald\u0131r\u0131lar\u0131n b\u00fcy\u00fck bir \u00e7o\u011funlu\u011fu kullan\u0131lan<br \/>\nsistemlerin zaaflar\u0131 ve\/veya a\u00e7\u0131kl\u0131klar\u0131ndan faydalan\u0131larak<br \/>\nger\u00e7ekle\u015ftirilmektedir. Bu t\u00fcr sald\u0131r\u0131lar\u0131 engellemenin iki t\u00fcrl\u00fc<br \/>\ny\u00f6ntemi vard\u0131r. Birincisi tamamen g\u00fcvenli bir sistem ve ortam<br \/>\nolu\u015fturmak, ikincisi ise en k\u0131sa zamanda sald\u0131r\u0131lar\u0131n tespit edilip<br \/>\ngerekli \u00f6nlemlerin al\u0131nmas\u0131n\u0131n sa\u011flanmas\u0131d\u0131r. \u0130lk y\u00f6ntem bu g\u00fcne kadar<br \/>\npek m\u00fcmk\u00fcn olmad\u0131 ve olas\u0131 da g\u00f6r\u00fcnm\u00fcyor. Onun i\u00e7in bir sistemin<br \/>\ng\u00fcvenli\u011fi, sistem g\u00fcvenlik sorumlular\u0131 taraf\u0131ndan rutin kontrolleri<br \/>\nyap\u0131lmak kayd\u0131 ile sald\u0131r\u0131 gelene kadar bekleme pozisyonunda kalarak,<br \/>\nsald\u0131r\u0131 geldi\u011finde olabildi\u011fince h\u0131zl\u0131 bir \u015fekilde sald\u0131r\u0131y\u0131 tespit edip<br \/>\n gerekli \u00f6nlemi alabilmeyi m\u00fcmk\u00fcn k\u0131lacak \u015fekilde tasarlanmal\u0131d\u0131r. \u0130\u015fte<br \/>\nbu a\u015famada da devreye sald\u0131r\u0131 tespit sistemleri girmektedir. En genel<br \/>\nanlam\u0131yla, sald\u0131r\u0131 tespiti i\u015fini yapmak i\u00e7in geli\u015ftirilen sistemlere<br \/>\n\u201csald\u0131r\u0131 tespit sistemleri\u201d denilmektedir. 1980 y\u0131l\u0131nda James<br \/>\nAnderson\u2019\u0131n yapt\u0131\u011f\u0131 tan\u0131mdan [2] g\u00fcn\u00fcm\u00fcze kadar yap\u0131lan ara\u015ft\u0131rmalar ve<br \/>\n\u00e7al\u0131\u015fmalar neticesinde sald\u0131r\u0131 tespit sistemleri i\u00e7in farkl\u0131 tan\u0131mlar<br \/>\nyap\u0131lm\u0131\u015ft\u0131r. Bu tan\u0131mlar yanl\u0131\u015f olmamakla birlikte sadece g\u00fcn\u00fcm\u00fczdeki<br \/>\nsald\u0131r\u0131 tespit sistemleri tan\u0131m\u0131n\u0131n yan\u0131nda biraz eksik kalmaktad\u0131r.<br \/>\n\u00d6rne\u011fin yap\u0131lan tan\u0131mlardan baz\u0131lar\u0131 \u015f\u00f6yledir:<\/p>\n<ul readability=\"0\">\n<li readability=\"1\">\n<p>\nBilgisayar sistemlerine yap\u0131lan ataklar\u0131 ve k\u00f6t\u00fcye kullan\u0131mlar\u0131 belirlemek i\u00e7in tasarlanm\u0131\u015f sistemlerdir,\n <\/p>\n<\/li>\n<li style=\"text-align: justify;\">\n<p> Tercihen ger\u00e7ek zamanl\u0131 olarak, bilgisayar sistemlerinin yetkisiz ve<br \/>\nk\u00f6t\u00fcye kullan\u0131m\u0131 ve suiistimalini tespit etmek i\u00e7in kullan\u0131l\u0131rlar,<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Kullan\u0131m alan\u0131 ve t\u00fcr\u00fcne ba\u011fl\u0131 olarak sald\u0131r\u0131y\u0131 engelleyebilen veya<br \/>\nsald\u0131r\u0131y\u0131 durdurma giri\u015fiminde bulunmayan, olas\u0131 g\u00fcvenlik ihlali<br \/>\ndurumlar\u0131nda sistem g\u00fcvenlik \u00e7al\u0131\u015fanlar\u0131na uyar\u0131 mesaj\u0131 veren<br \/>\nsistemlerdir,<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Bilgisayar sistemlerinin kaynaklar\u0131na veya verilerine yetkisiz eri\u015fimleri tespit edebilen sistemlerdir,<br \/>\n <\/li>\n<li readability=\"-1\">\n<p>\nBilgisayar ortam\u0131ndaki \u201ch\u0131rs\u0131z alarm\u201dlar\u0131d\u0131r.\n <\/p>\n<\/li>\n<\/ul>\n<p>\nG\u00fcn\u00fcm\u00fczde kullan\u0131lan tan\u0131m\u0131 ise t\u00fcm bu yap\u0131lan tan\u0131mlar\u0131 kapsamaktad\u0131r.<br \/>\nSald\u0131r\u0131 tespit sistemleri, bilginin elektronik ortamlarda ta\u015f\u0131n\u0131rken,<br \/>\ni\u015flenirken veya depolan\u0131rken ba\u015f\u0131na gelebilecek tehlike ve tehditlerin<br \/>\nortadan kald\u0131r\u0131lmas\u0131 veya bunlara kar\u015f\u0131 tedbir al\u0131nmas\u0131 amac\u0131yla,<br \/>\nbilgiye yetkisiz eri\u015fim ve bilginin k\u00f6t\u00fcye kullan\u0131lmas\u0131 gibi internet<br \/>\nveya yerel a\u011fdan gelebilecek \u00e7e\u015fitli paket ve verilerden olu\u015fan<br \/>\ngiri\u015fimleri tespit edebilme, bu tespitleri sms, e-posta veya SNMP<br \/>\nmesajlar\u0131 ile sistem g\u00fcvenli\u011finden sorumlu ki\u015filere iletebilme ve<br \/>\ngerekti\u011finde paketi\/eri\u015fimi d\u00fc\u015f\u00fcrebilme \u00f6zelli\u011fine sahip yaz\u0131l\u0131msal<br \/>\nve\/veya donan\u0131msal g\u00fcvenlik ara\u00e7lar\u0131 olarak tan\u0131mlanabilir.\u00a0<\/p>\n<p>\nSald\u0131r\u0131 Tespit Sistemleri, internet d\u00fcnyas\u0131n\u0131n geli\u015fim s\u00fcrecinde<br \/>\n\u00f6zellikle t\u00fcm d\u00fcnyada kullan\u0131lan web trafi\u011finin artmas\u0131 ve de web<br \/>\nsayfalar\u0131n\u0131n pop\u00fcler hale gelmesi ile birlikte ki\u015fisel ya da t\u00fczel<br \/>\nsayfalara yap\u0131lan sald\u0131r\u0131lar sonucu ihtiya\u00e7 duyulan en \u00f6nemli konulardan<br \/>\n biri haline gelmi\u015ftir. Bununla birlikte kurum ya da kurulu\u015flar\u0131n sahip<br \/>\nolduklar\u0131 ve t\u00fcm d\u00fcnyaya a\u00e7\u0131k tuttuklar\u0131 Mail, DNS ve Web gibi<br \/>\nsunucular\u0131n\u0131n benzeri sald\u0131r\u0131lara maruz kalabilecekleri ihtimali yine<br \/>\nsald\u0131r\u0131 tespit sistemlerini internet g\u00fcvenli\u011fi alan\u0131n\u0131n vazge\u00e7ilmez bir<br \/>\npar\u00e7as\u0131 haline getirmi\u015ftir. Yine kurumlar\u0131n sahip olduklar\u0131 \u00e7al\u0131\u015fanlar\u0131n<br \/>\n kendi kurumlar\u0131ndaki kritik de\u011fer ta\u015f\u0131yan yap\u0131lara\/verilere<br \/>\nsald\u0131rabilme\/zarar verme ihtimalleri d\u00fc\u015f\u00fcn\u00fcl\u00fcnce i\u00e7 a\u011f\u0131n ya da tek tek<br \/>\nkritik sunucular\u0131n kontrol alt\u0131nda tutulma gereklili\u011fi de sald\u0131r\u0131 tespit<br \/>\n sistemlerinin kullan\u0131m\u0131n\u0131 ka\u00e7\u0131n\u0131lmaz k\u0131lm\u0131\u015ft\u0131r.\u00a0<\/p>\n<p>\nBilgi g\u00fcvenli\u011fi alan\u0131nda 4 kitap ve 140&#8217;tan fazla da makale yazm\u0131\u015f olan<br \/>\nba\u015far\u0131l\u0131 ara\u015ft\u0131rmac\u0131 Denning, sald\u0131r\u0131 tespit sistemlerinin gereklili\u011fi<br \/>\nkonusunda yapt\u0131\u011f\u0131 \u00e7al\u0131\u015fmalar neticesinde 1986 y\u0131l\u0131nda yay\u0131nlam\u0131\u015f oldu\u011fu<br \/>\nmakalesinde bu durumlar\u0131 \u00f6zetler nitelikte \u015funlar\u0131 s\u00f6ylemektedir: [3]\n<\/p>\n<ul readability=\"1.5\">\n<li style=\"text-align: justify;\" readability=\"3\">\n<p>\nMevcut sistemlerin \u00e7o\u011funda sald\u0131r\u0131ya, s\u0131zmaya ve muhtelif di\u011fer<br \/>\nbi\u00e7imlerde zarar verilmesine imk\u00e2n verecek zaaflar bulunmaktad\u0131r; t\u00fcm bu<br \/>\n zaaflar\u0131n bulunmas\u0131 ve d\u00fczeltilmesi teknik ve\/veya ekonomik nedenlerden<br \/>\n \u00f6t\u00fcr\u00fc m\u00fcmk\u00fcn olamamaktad\u0131r,\n <\/p>\n<\/li>\n<li style=\"text-align: justify;\">\n<p> Bilindik zaaflar\u0131 olan mevcut sistemler, daha y\u00fcksek g\u00fcvenlik sa\u011flayan<br \/>\nalternatifleri ile de\u011fi\u015ftirilememektedir. Bunun ana nedeni ya mevcut<br \/>\nsistemlerde var olan baz\u0131 \u00f6zelliklerin daha y\u00fcksek g\u00fcvenlik sa\u011flayan<br \/>\nalternatiflerinde var olmamas\u0131 ya da ekonomik nedenlerle<br \/>\nde\u011fi\u015ftirilememesidir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Mutlak g\u00fcvenli\u011fe sahip sistemlerin geli\u015ftirilmesi imk\u00e2ns\u0131z de\u011filse bile son derece g\u00fc\u00e7t\u00fcr,<br \/>\n <\/li>\n<li readability=\"0\">\n<p>\nEn y\u00fcksek g\u00fcvenlik d\u00fczeyine sahip sistemler bile yetkilerini k\u00f6t\u00fcye<br \/>\nkullanan kullan\u0131c\u0131lar\u0131n zarar verebilmesine imk\u00e2n tan\u0131r durumdad\u0131r.\n <\/p>\n<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"12_Arti_ve_Eksileri\"><\/span>\n1.2 Art\u0131 ve Eksileri<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div style=\"text-align: justify;\" readability=\"9\">\nSald\u0131r\u0131 tespit sistemlerinin <i><b>avantajlar\u0131 <\/b><\/i>olarak \u015funlar s\u00f6ylenebilir:<\/div>\n<p>\n<u><i><b>Erken Tespit:<\/b><\/i><\/u> Sald\u0131r\u0131 tespit sistemleri, ger\u00e7ekle\u015fen bir<br \/>\nsald\u0131r\u0131y\u0131 sistem g\u00fcvenlik sorumlular\u0131ndan \u00e7ok daha \u00f6nce tespit ederek<br \/>\nsald\u0131r\u0131 ile ilintili olarak sms veya e-posta gibi farkl\u0131 yollarla<br \/>\nsorumlu ki\u015fileri an\u0131nda uyarabilir ve olu\u015fabilecek zarar\u0131n etkisinin<br \/>\nminimize edilmesine katk\u0131da bulunurlar.\u00a0<\/p>\n<p>\n<b><i><u>Detayl\u0131 Bilgi Toplanmas\u0131:<\/u><\/i> <\/b>Sald\u0131r\u0131 tespit sistemleri<br \/>\nsayesinde devam etmekte olan veya ge\u00e7mi\u015fte ger\u00e7ekle\u015ftirilmi\u015f olan<br \/>\nsald\u0131r\u0131larla ilgili, sald\u0131r\u0131n\u0131n kayna\u011f\u0131, b\u00fcy\u00fckl\u00fc\u011f\u00fc ve hedeflerinin<br \/>\nsaptanmas\u0131 noktas\u0131nda son derece de\u011ferli bilgiler elde edilebilir.\u00a0<\/p>\n<p><b><br \/><\/b><\/p>\n<p>\n<u><i><b>Kan\u0131t Niteli\u011fi:<\/b><\/i><\/u> Sald\u0131r\u0131 tespit sistemleri taraf\u0131ndan toplanan bilgiler hukuki yollara ba\u015fvuruldu\u011funda kan\u0131t olarak kullan\u0131labilir.\u00a0<\/p>\n<div style=\"text-align: justify;\" readability=\"9\">\nSald\u0131r\u0131 tespit sistemlerinin <i><b>zay\u0131fl\u0131klar\u0131 <\/b><\/i>olarak ise \u015funlar s\u00f6ylenebilir:\n<\/div>\n<p>\n<i><u><b>Paket Par\u00e7alama ve Zamanlama Sald\u0131r\u0131lar\u0131:<\/b><\/u><\/i> Sald\u0131r\u0131 tespit<br \/>\nsistemleri, paketleri analiz etmek i\u00e7in par\u00e7alanm\u0131\u015f paketleri tekrar<br \/>\nbirle\u015ftirmek zorundad\u0131r. Uzun zaman aral\u0131klar\u0131 ile k\u00fc\u00e7\u00fck par\u00e7alar<br \/>\nhalinde g\u00f6nderilen paketler trafi\u011fin aksamamas\u0131 i\u00e7in bu sistemler<br \/>\ntaraf\u0131ndan tam olarak analiz edilememektedir.\u00a0<\/p>\n<p>\n<b><i><u>Tarama S\u0131ras\u0131n\u0131n Kar\u0131\u015ft\u0131r\u0131lmas\u0131:<\/u><\/i> <\/b>S\u0131ra ile IP adreslerine<br \/>\nveya portlara ger\u00e7ekle\u015ftirilecek bir tarama, sald\u0131r\u0131 tespit sistemleri<br \/>\ntaraf\u0131ndan hemen tespit edilir. Fakat bu taramalar rastgele s\u0131rada<br \/>\nyap\u0131l\u0131rsa analizi zorla\u015fabilir ve hatta bu y\u00f6ntemle sald\u0131r\u0131 tespit<br \/>\nsistemleri atlat\u0131labilir.\u00a0<\/p>\n<p>\n<b><i><u>Paket Ka\u00e7\u0131rma (False Positive, False Negative):<\/u><\/i> <\/b>Genel<br \/>\nolarak sald\u0131r\u0131 tespit sistemlerinin hatalar\u0131 uyar\u0131lar vermesi sonucu<br \/>\npaket ka\u00e7\u0131rmas\u0131 olarak g\u00f6r\u00fclebilir. Zararl\u0131 olmayan normal bir davran\u0131\u015f<br \/>\ni\u00e7in uyar\u0131 vermesi false pozitif; \u015f\u00fcpheli olan bir davran\u0131\u015f i\u00e7in uyar\u0131<br \/>\nvermeyerek paketin sorunsuz ge\u00e7i\u015fine izin vermesi false negative\u2019dir.\n<\/p>\n<h3><span class=\"ez-toc-section\" id=\"13_Kullanim_Tipleri\"><\/span>\n1.3 Kullan\u0131m Tipleri<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSald\u0131r\u0131 tespit sistemleri genel olarak Sunucu Tabanl\u0131 ve A\u011f Tabanl\u0131<br \/>\nolmak \u00fczere iki farkl\u0131 tipte olmaktad\u0131rlar. Sunucu tabanl\u0131 sald\u0131r\u0131<br \/>\ntespit sistemlerinin g\u00f6revi; kurulu bulundu\u011fu sunucunun trafi\u011fini, kay\u0131t<br \/>\n dosyalar\u0131n\u0131 ve i\u015flemlerini sunucu \u00fczerinde bulunan ve o sunucuya g\u00f6re<br \/>\n\u00f6zelle\u015ftirilmi\u015f olan atak\/imza veritaban\u0131 temel al\u0131narak dinlemek ve<br \/>\nataklar\u0131 sezerek cevap vermektir. A\u011f tabanl\u0131 sald\u0131r\u0131 tespit sistemlerin<br \/>\ng\u00f6revi ise a\u011f kart\u0131n\u0131n ge\u00e7irgen (promiscuous) moda getirilmesi ile a\u011f ya<br \/>\n da a\u011flara y\u00f6nlenmi\u015f olan t\u00fcm trafi\u011fin dinlenmesi, bu a\u011fdan ge\u00e7en her<br \/>\nbir veri paketi i\u00e7eri\u011finin sorgulanarak mevcut imzalarla kar\u015f\u0131la\u015ft\u0131r\u0131l\u0131p<br \/>\n bir atak olup olmad\u0131\u011f\u0131na karar vererek kayd\u0131n\u0131 alabilmek, gerekti\u011finde<br \/>\nataklar\u0131 kesmek, sistem y\u00f6neticisini bilgilendirmek ve ilgili raporlar\u0131<br \/>\nolu\u015fturabilmektir.\n<\/p>\n<h3><span class=\"ez-toc-section\" id=\"14_Calisma_Mantigi\"><\/span>\n1.4 \u00c7al\u0131\u015fma Mant\u0131\u011f\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSald\u0131r\u0131 tespit sistemleri i\u00e7erik olarak bilgi\/\u00f6\u011frenme tabanl\u0131<br \/>\n(anormallik tespiti) ve imza(k\u00f6t\u00fcye kullan\u0131m tespiti) tabanl\u0131 olmak<br \/>\n\u00fczere iki farkl\u0131 mant\u0131\u011fa g\u00f6re \u00e7al\u0131\u015fmaktad\u0131rlar. \u0130lk yap\u0131da sistemlerin<br \/>\nve a\u011f\u0131n i\u015fleyi\u015fi belirli bir d\u00fczenle \u00f6zde\u015fle\u015ftirilerek tan\u0131ml\u0131 a\u011f veya<br \/>\nkullan\u0131c\u0131 i\u00e7in e\u015fik de\u011ferleri tan\u0131mlan\u0131r. Daha sonra takip edilen trafik<br \/>\n bu e\u015fik de\u011ferlerine g\u00f6re de\u011ferlendirilerek, olu\u015facak herhangi bir<br \/>\nnormal d\u0131\u015f\u0131 hareket ile sald\u0131r\u0131n\u0131n tan\u0131mlanmas\u0131 hedeflenir. Yani<br \/>\nbilgi\/\u00f6\u011frenme tabanl\u0131 sald\u0131r\u0131 tespitinde ise, sistem kullan\u0131c\u0131lar\u0131n\u0131n,<br \/>\nnormal davran\u0131\u015flar\u0131ndan farkl\u0131 olarak g\u00f6sterdikleri davran\u0131\u015f \u015fekillerine<br \/>\n g\u00f6re \u00e7al\u0131\u015fma yap\u0131l\u0131r. Bu y\u00f6ntem, tahmine dayal\u0131 bir sistemdir ve<br \/>\ngenellikle \u201cuzman sistemler\u201d ve \u201cbulan\u0131k mant\u0131k\u201d teknolojilerinden<br \/>\nfaydalan\u0131l\u0131r. Bir sald\u0131r\u0131 tespit sisteminin, a\u011f \u00fczerindeki faaliyetleri<br \/>\nizlemek i\u00e7in a\u011f \u00fczerindeki farkl\u0131 noktalarda al\u0131c\u0131 cihazlar\u0131n\u0131 ve<br \/>\nyaz\u0131l\u0131mlar\u0131n\u0131 kurmak gerekebilir. Bu cihaz ve yaz\u0131l\u0131mlar\u0131n g\u00f6revi,<br \/>\nsorumlu olduklar\u0131 a\u011f b\u00f6l\u00fcm\u00fc \u00fczerinde ger\u00e7ekle\u015fen faaliyet bilgilerini,<br \/>\nsald\u0131r\u0131 tespit sistemi merkezine aktarmakt\u0131r. \u00d6rne\u011fin, web sunucusuna<br \/>\ngelen isteklerin %99\u2019u \u201cindex.html\u201d dosyas\u0131n\u0131 \u00e7a\u011f\u0131r\u0131yor ise cmd.exe<br \/>\ndosyas\u0131n\u0131 \u00e7a\u011f\u0131ran bir istek geldi\u011finde bu hemen fark edilecek ve bunun<br \/>\ni\u00e7in uyar\u0131 mesaj\u0131 \u00fcretilecektir. \u00c7ok daha mant\u0131kl\u0131 bir \u00e7al\u0131\u015fma prensibi<br \/>\nolmas\u0131na kar\u015f\u0131n bu t\u00fcr sistemlerin normal olarak nitelendirilebilecek<br \/>\nhareketleri \u00f6\u011frenmeleri olduk\u00e7a fazla zaman almaktad\u0131r. Bundan dolay\u0131 bu<br \/>\n hareketlerin zaman i\u00e7erisinde de\u011fi\u015febilirli\u011fi, kuruldu\u011fu sistemlerin<br \/>\nyeniden yap\u0131land\u0131r\u0131lmas\u0131 veya a\u011fa yeni sistemlerin eklenmesi i\u015fleri daha<br \/>\n da zorla\u015ft\u0131rmakta ve sald\u0131r\u0131 tespit sistemlerinin paket ka\u00e7\u0131rma<br \/>\nolas\u0131l\u0131\u011f\u0131n\u0131 daha da artt\u0131rmaktad\u0131r.<br \/>\n\u0130kinci yani imza tabanl\u0131 yap\u0131da ise anti vir\u00fcs sistemlerinde oldu\u011fu gibi<br \/>\n olu\u015fturulmu\u015f \u00e7e\u015fitli imzalar ile<br \/>\npaketler incelenir ve sald\u0131r\u0131lar\u0131n bu \u015fekilde saptanmas\u0131 hedeflenir.<br \/>\nDaha \u00f6nce kar\u015f\u0131la\u015f\u0131lan sald\u0131r\u0131 \u015fekilleri ayr\u0131nt\u0131l\u0131 olarak analiz<br \/>\nedilerek elde edilen bilgiler, yani sald\u0131r\u0131n\u0131n imzas\u0131, sald\u0131r\u0131 tespit<br \/>\nsisteminin bilgi taban\u0131na kaydedilir. Her tan\u0131mlanm\u0131\u015f sald\u0131r\u0131n\u0131n bir<br \/>\nimzas\u0131 vard\u0131r. Sald\u0131r\u0131 imzalar\u0131 d\u0131\u015f\u0131nda kalan her faaliyet, normal<br \/>\nolarak alg\u0131lan\u0131r. Bu \u015fekilde \u00e7al\u0131\u015fan bir sald\u0131r\u0131 tespit sisteminin<br \/>\nverimli \u00e7al\u0131\u015fmas\u0131 i\u00e7in, s\u00fcrekli sald\u0131r\u0131 imzalar\u0131n\u0131 g\u00fcncelleyerek<br \/>\nsistemi, yeni sald\u0131r\u0131 tiplerini de tan\u0131y\u0131p tespit edebilecek \u015fekilde<br \/>\ng\u00fcncel tutmak gerekir.\n<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_SALDIRI_TESPIT_SISTEMI_YAZILIMLARI\"><\/span>\n2. SALDIRI TESP\u0130T S\u0130STEM\u0130 YAZILIMLARI\u00a0<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"21_SNORT_211_Gelisimi\"><\/span>\n 2.1 SNORT<br \/>2.1.1 Geli\u015fimi<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nGNU lisans\u0131 ile da\u011f\u0131t\u0131lan, a\u00e7\u0131k kaynak kodlu ve \u00fccretsiz bir yaz\u0131l\u0131m<br \/>\nolan Snort, 1988 y\u0131l\u0131nda Martin Roesch taraf\u0131ndan geli\u015ftirilmi\u015ftir. \u015eu<br \/>\nanda da Martin Roesch&#8217;un kurmu\u015f oldu\u011fu Sourcefire firmas\u0131 taraf\u0131ndan<br \/>\ngeli\u015ftirilmesine devam edilen, d\u00fcnya genelinde en \u00e7ok kullan\u0131lan, Linux,<br \/>\n Windows, MAC ve FreeBSD gibi bir\u00e7ok farkl\u0131 platformda sorunsuz olarak<br \/>\n\u00e7al\u0131\u015fabilen, IP a\u011flar\u0131 \u00fczerinde ger\u00e7ek zamanl\u0131 trafik analizi ve paket<br \/>\nloglamas\u0131 yapabilen bir sald\u0131r\u0131 tespit ve \u00f6nleme sistemi yaz\u0131l\u0131m\u0131d\u0131r.<br \/>\nGenel olarak imza tabanl\u0131 olarak \u00e7al\u0131\u015fan Snort, protokol ve anomali<br \/>\nanalizi yapabilme yetene\u011fine de sahiptir. Kullan\u0131c\u0131lar\u0131n kendi<br \/>\nkurallar\u0131n\u0131 yazabilmesine imk\u00e2n sa\u011flayan esnek bir kural diline sahip<br \/>\nolmas\u0131n\u0131n yan\u0131nda snort.org ve emergingtreats.com adreslerinden<br \/>\nindirilebilen \u00fccretli veya \u00fccretsiz kural setleri kullan\u0131larak; yaz\u0131l\u0131m<br \/>\nprotokol analizi, i\u00e7erik tarama\/e\u015fleme, arabellek ta\u015fmas\u0131, port<br \/>\ntaramas\u0131, CGI sald\u0131r\u0131s\u0131, i\u015fletim sistemi parmak izi denemesi gibi pek<br \/>\n\u00e7ok sald\u0131r\u0131 ve zararl\u0131\/\u015f\u00fcpheli yaz\u0131l\u0131m \u00e7e\u015fitlerini tespit<br \/>\nedebilmektedir.<\/p>\n<p>\nSnort\u2019un Sald\u0131r\u0131 Tespit Sistemi (STS) olarak kullan\u0131ld\u0131\u011f\u0131 durumlarda<br \/>\ngenellikle iki a\u011f aray\u00fcz kart\u0131 kullan\u0131l\u0131r. Bu aray\u00fczlerinden birisi a\u011f\u0131<br \/>\ndinlemek i\u00e7in, di\u011feri ise Snort\u2019a uzaktan eri\u015fip Snort\u2019un<br \/>\nyap\u0131land\u0131r\u0131lmas\u0131nda kullan\u0131l\u0131r. A\u011f\u0131 dinleyen aray\u00fcze genellikle IP<br \/>\nadresi atanmaz ve ba\u011fl\u0131 oldu\u011fu anahtar\u0131n(switch) t\u00fcm portlar\u0131 bu aray\u00fcze<br \/>\n aynalan\u0131r (mirroring). Bu y\u00f6ntemle, anahtar \u00fczerinden ge\u00e7en t\u00fcm<br \/>\npaketlerin Snort taraf\u0131ndan dinlenilmesi sa\u011flanm\u0131\u015f olur.\n<\/p>\n<h3><span class=\"ez-toc-section\" id=\"212_Yapisi_ve_Ozellikleri\"><\/span>\n2.1.2  Yap\u0131s\u0131 ve \u00d6zellikleri<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSnort&#8217;un mimarisi performans, basitlik ve esnekli\u011fe dayal\u0131d\u0131r. Paket<br \/>\n\u00e7\u00f6z\u00fcc\u00fc, \u00f6n i\u015fleyici, tespit motoru ve g\u00fcnl\u00fckleme\/alarm olmak \u00fczere 4<br \/>\ntemel bile\u015fen \u00fczerine in\u015fa edilmi\u015ftir.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"snort_mimari.gif\" height=\"428\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/snort_mimari.gif?resize=500%2C428&#038;ssl=1\" style=\"border: 0px solid rgb(0, 0, 0); height: 428px; margin: 5px; width: 500px;\" title=\"snort_mimari.gif\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u00a0\u015eekil 1 &#8211; Snort Mimarisi\n<\/p>\n<p>\n\u00a0\n<\/p>\n<p>\n<i><u><b>Libpcap (Packet Capture Library):<\/b><\/u><\/i> Snort\u2019un a\u011f kart\u0131ndan<br \/>\npaketleri \u00e7ekmek i\u00e7in Linux\/Unix sistemlerde libpcap, Windows<br \/>\nsistemlerde ise WinPcap olarak kulland\u0131\u011f\u0131 paket yakalama k\u00fct\u00fcphanesidir.\u00a0<\/p>\n<p>\n<i><u><b>Paket \u00c7\u00f6z\u00fcmleyici (Decoder):<\/b><\/u> <\/i>Paket yakalama k\u00fct\u00fcphanesinin<br \/>\n yakalay\u0131p g\u00f6nderdi\u011fi veri ba\u011f\u0131 yani 2. katman verisini al\u0131r ve<br \/>\nayr\u0131\u015ft\u0131rarak (2.katman i\u00e7in Ethernet\/802.11, 3. katman i\u00e7in IP\/ICMP , 4.<br \/>\n katman i\u00e7in tcp\/udp gibi) sonraki a\u015famalarda i\u015flenmek \u00fczere ya da direk<br \/>\n tespit motoruna g\u00f6nderilmek \u00fczere haz\u0131r hale getirir.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0<br \/>\n \u00a0\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"snort_decoder.png\" height=\"259\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/snort_decoder.png?resize=354%2C259&#038;ssl=1\" style=\"border: 0px solid #000000; height: 259px; margin: 5px; width: 354px;\" title=\"snort_decoder.png\" width=\"354\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u00a0\u015eekil 2 &#8211; Snort Paket \u00c7\u00f6z\u00fcmleyici Veri Ak\u0131\u015f\u0131\n<\/p>\n<p>\n\u00a0\n<\/p>\n<p>\n<i><u><b>\u00d6n i\u015fleyici (preprocessor):<\/b><\/u><\/i> Yakalanan bir paketin tespit<br \/>\nmotorunda ger\u00e7ekle\u015ftirilecek olan kural uygulamalar\u0131 \u00f6ncesinde i\u015flenmeye<br \/>\n haz\u0131r hale getirilmesi gereklidir. \u00d6rne\u011fin, paket par\u00e7alanm\u0131\u015f bir<br \/>\nyap\u0131da ise paketin boyutunun tespitinden \u00f6nce t\u00fcm par\u00e7alar\u0131n yeniden bir<br \/>\n araya getirilmesi gereklidir. \u0130\u015fte \u00f6n i\u015fleyiciler, paket \u00e7\u00f6z\u00fcmleyicisi<br \/>\ntaraf\u0131ndan \u00e7\u00f6z\u00fcmlenmi\u015f olan paketlerin Snort taraf\u0131ndan daha kolay<br \/>\nkavranabilmesi ve anla\u015f\u0131labilmesi ad\u0131na daha anlaml\u0131 par\u00e7alar haline<br \/>\ngetirir. Snort yap\u0131land\u0131rma dosyas\u0131ndan aktif edilebilir ya da devre<br \/>\nd\u0131\u015f\u0131 b\u0131rak\u0131labilir bir yap\u0131dad\u0131r. \u00d6rne\u011fin, port tarama \u00f6n i\u015fleyicisi<br \/>\naktif hale getirilirse, sistem \u00fczerinde yap\u0131lacak olan herhangi bir port<br \/>\n tarama i\u015flemi Snort taraf\u0131ndan ba\u015far\u0131 ile yakalayacakt\u0131r.\u00a0<\/p>\n<p>\n<i><u><b>Tespit Motoru (Detection Engine):<\/b><\/u><\/i> Tespit motoru bile\u015feni<br \/>\nSnort\u2019un en \u00f6nemli k\u0131sm\u0131, kalbi olarakta nitelendirilmektedir. Tespit<br \/>\nmotorunun g\u00f6revi, paket \u00e7\u00f6z\u00fcmleyicisi ve \u00f6n i\u015fleyici bile\u015fenlerinden<br \/>\ngelen paketlerde sald\u0131r\u0131 faaliyeti mevcut ise tespit etmektir. Bu ama\u00e7la<br \/>\n tespit motoru Snort kurallar\u0131n\u0131 kullanmaktad\u0131r. Snort, t\u00fcm kurallar\u0131<br \/>\nba\u015flang\u0131\u00e7ta okur ve a\u011fa\u00e7 d\u00fc\u011f\u00fcm yap\u0131s\u0131n\u0131 a\u011fdan toplanan paketlere<br \/>\nuygulamak \u00fczere olu\u015fturur. E\u011fer bir paket herhangi bir kural ile<br \/>\ne\u015fle\u015firse, uygun eylem ger\u00e7ekle\u015ftirilir aksi takdirde paket d\u00fc\u015f\u00fcr\u00fcl\u00fcr.<br \/>\nUygun eylem, paketin kaydedilmesi ya da alarm verme olabilmektedir.\u00a0<\/p>\n<p>\n<i><u><b>Kay\u0131t ve Alarm Verme Sistemi, \u00c7\u0131kt\u0131 Mod\u00fclleri:<\/b><\/u><\/i> Tespit<br \/>\nmotoru, a\u011f i\u00e7inde akan paketler i\u00e7erisinde yapm\u0131\u015f oldu\u011fu tespitlere<br \/>\nba\u011fl\u0131 olarak sald\u0131r\u0131 olarak \u00f6ng\u00f6rd\u00fc\u011f\u00fc paketler i\u00e7in uyar\u0131 mesajlar\u0131<br \/>\n\u00fcretir ve bunlarla ilgili olarak da basit bir metin dosyas\u0131nda, tcpdump<br \/>\nformat\u0131nda veya di\u011fer kaydetme formatlar\u0131nda log tutabilir. \u0130\u015fte \u00e7\u0131kt\u0131<br \/>\nmod\u00fclleri de bu uyar\u0131lar\u0131n nas\u0131l olaca\u011f\u0131 ve nereye ne bi\u00e7imde<br \/>\nkaydedilece\u011fi konusunu y\u00f6netirler.\n<\/p>\n<h3><span class=\"ez-toc-section\" id=\"213_Calisma_Modlari\"><\/span>\n2.1.3 \u00c7al\u0131\u015fma Modlar\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSnort temel olarak paket izleme (packet sniffer), paket g\u00fcnl\u00fckleme (packet<br \/>\n logger) ve s\u0131zma tespit\/engellenme (IDS\/IPS) olmak \u00fczere \u00fc\u00e7 farkl\u0131 modda<br \/>\n \u00e7al\u0131\u015fabilecek \u015fekilde yap\u0131land\u0131r\u0131labilmektedir.\u00a0<\/p>\n<p>\n<i><u><b>Paket \u0130zleyici Modu (packet sniffer):<\/b><\/u><\/i> Snort\u2019un sadece<br \/>\nge\u00e7en paketleri izlemesi isteniyorsa bu modda \u00e7al\u0131\u015ft\u0131r\u0131l\u0131r. Bu mod<br \/>\ntcpdump paket izleyici program\u0131 gibi basit bir \u015fekilde a\u011fdan paketleri<br \/>\nokuyup s\u00fcrekli bir \u015fekilde konsolda g\u00f6stermektedir.\u00a0<\/p>\n<p>\n<i><u><b>Paket G\u00fcnl\u00fckleme Modu (packet logger):<\/b><\/u><\/i> Snort, belirtilen parametrelere g\u00f6re paketlerin istenilen formatta diske yaz\u0131lmas\u0131 istendi\u011finde bu modda \u00e7al\u0131\u015ft\u0131r\u0131l\u0131r.\u00a0<\/p>\n<p>\n<i><u><b>A\u011f S\u0131zma Tespit\/Engelleme Sistemi (NIDS\/NIPS) Modu:<\/b><\/u><\/i><br \/>\nSnort&#8217;un genel olarak kullan\u0131ld\u0131\u011f\u0131 s\u0131zma giri\u015fimlerini tespit etme<br \/>\nmodudur. Snort bu modda temel olarak trafi\u011fi analiz ederek kullan\u0131c\u0131<br \/>\ntaraf\u0131ndan daha \u00f6nceden tan\u0131mlanm\u0131\u015f olan kurallarla kar\u015f\u0131la\u015ft\u0131rma<br \/>\nyaparak ilgili kurallarda belirtilmi\u015f olan eylemlerin uygulanmas\u0131n\u0131<br \/>\nsa\u011flar.\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"snort_topology.png\" height=\"408\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/snort_topology.png?resize=500%2C408&#038;ssl=1\" style=\"border: 0px solid #000000; height: 408px; margin: 5px; width: 500px;\" title=\"snort_topology.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 3 &#8211;\u00a0 Snort&#8217;un A\u011f Topolojisinde Konumland\u0131r\u0131lmas\u0131\u00a0<\/p>\n<h3><span class=\"ez-toc-section\" id=\"214_Kural_Yazimi\"><\/span>\n2.1.4 Kural Yaz\u0131m\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSnort kurallar\u0131, kural ba\u015fl\u0131\u011f\u0131 ve kural se\u00e7enekleri olmak \u00fczere mant\u0131ksal olarak iki k\u0131sma ayr\u0131lmaktad\u0131r:\u00a0<\/p>\n<p>\n<u>Kural ba\u015fl\u0131\u011f\u0131<\/u><br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022\u00a0\u00a0\u00a0 Kural eylemi, <br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022\u00a0\u00a0\u00a0 Protokol, <br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022\u00a0\u00a0\u00a0 Kaynak IP adresi, <br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022\u00a0\u00a0\u00a0 Hedef IP adresi, <br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022 \u00a0\u00a0 Alt a\u011f maskesi,<br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022\u00a0\u00a0\u00a0 Kaynak ve Hedef port bilgilerini i\u00e7erir.\u00a0<\/p>\n<p>\n<u>Kural se\u00e7enekleri <\/u><br \/>\u00a0\u00a0\u00a0\u00a0<br \/>\n\u2022\u00a0\u00a0\u00a0 Uyar\u0131 mesajlar\u0131 ve paketin hangi b\u00f6l\u00fcm\u00fcn\u00fcn incelenece\u011fini bilgisini i\u00e7erir.\n<\/p>\n<p>\nA\u015fa\u011f\u0131da \u00f6rnek olarak Snort i\u00e7in yaz\u0131lm\u0131\u015f bir alarm kural\u0131 g\u00f6sterilmi\u015ftir:\n<\/p>\n<h4><span class=\"ez-toc-section\" id=\"alert_tcp_any_any_-%3E_156154701_80_msg_%E2%80%9DTest_Rule%E2%80%9D_sid_5000853_content_%E2%80%9DGET%E2%80%9D_content_%E2%80%9Dcgi-binphf%E2%80%9D\"><\/span>\nalert tcp any any -&gt; 156.154.70.1 80 (msg:&#8221;Test Rule&#8221;; sid:5000853; content:&#8221;GET&#8221;; content:&#8221;cgi-bin\/phf&#8221;;)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\n<i>alert <\/i>-&gt; kural eylemini belirtir; alarm ver<br \/><i>tcp <\/i>-&gt; hangi protokol kullan\u0131larak ger\u00e7ekle\u015fen giri\u015fimlerde ge\u00e7erli olaca\u011f\u0131 belirtilir<br \/><i>any <\/i>-&gt; kaynak IP adresini tan\u0131mlar, any herhangi bir IP adresi olabilece\u011fi belirtilir<br \/><i>any <\/i>-&gt; kaynak port, any ile herhangi bir port olabilece\u011fi belirtilmi\u015f<br \/><i>156.154.70.1 <\/i>-&gt; sald\u0131r\u0131n\u0131n ger\u00e7ekle\u015fti\u011fi hedef IP adresi<br \/><i>80<\/i> -&gt; hedef port <br \/><i>msg:\u201cTest Rule\u201d<\/i> -&gt; Bu alarm \u00fcretildi\u011finde g\u00f6sterilecek bilgi mesaj\u0131<br \/><i>sid:5000853<\/i> -&gt; Bu kural i\u00e7in atanm\u0131\u015f tan\u0131mlay\u0131c\u0131 numara<br \/><i>content:&#8221;cgi-bin\/phf&#8221;<\/i> -&gt; paket\/mesaj i\u00e7eri\u011finde &#8220;cgi-bin\/phf&#8221; var ise bu alarm \u00e7al\u0131\u015ft\u0131r\u0131l\u0131r.\n<\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"22_SURICATA_221_Gelisimi\"><\/span>\n2.2 SURICATA<br \/>2.2.1 Geli\u015fimi<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSuricata a\u00e7\u0131k kaynak kodlu, GPLv2 lisans\u0131 ile da\u011f\u0131t\u0131lan sald\u0131r\u0131 tespit<br \/>\nve \u00f6nleme sistemidir. Kar amac\u0131 g\u00fctmeyen bir topluluk olan OISF (Open<br \/>\nInformation Security Foundation) taraf\u0131ndan geli\u015ftirilmekte ve<br \/>\ndesteklenmektedir. \u0130lk olarak Aral\u0131k 2009 y\u0131l\u0131nda beta s\u00fcr\u00fcm, Haziran<br \/>\n2010\u2019da ise ilk kararl\u0131 s\u00fcr\u00fcm\u00fc yay\u0131nlanm\u0131\u015ft\u0131r [4]. Yakla\u015f\u0131k 10 y\u0131l \u00f6nce<br \/>\nduyurulan ve yayg\u0131n olarak kullan\u0131lan Snort sald\u0131r\u0131 tespit sistemi gibi<br \/>\nimza\/kural tabanl\u0131 \u00e7al\u0131\u015fmaktad\u0131r. Snort\u2019un kulland\u0131\u011f\u0131 kural setini<br \/>\ndesteklemesi k\u0131sa s\u00fcrede kabul g\u00f6rmesinde etkili olmu\u015ftur.\u00a0<\/p>\n<p>\nAd\u0131n\u0131 Afrika&#8217;ya \u00f6zg\u00fc etobur memeli bir hayvandan (mirket) alan Suricata<br \/>\nsald\u0131r\u0131 tespit alan\u0131nda \u00f6nemli yeniliklerle gelmi\u015ftir. Bunlardan ilki<br \/>\nHTP k\u00fct\u00fcphanesi olarak adland\u0131r\u0131lan ve Suricata proje tak\u0131m\u0131ndan Ivan<br \/>\nRistic taraf\u0131ndan geli\u015ftirilen yeni HTTP normalizasyon arac\u0131d\u0131r. HTTP<br \/>\ntrafi\u011finin ayr\u0131\u015ft\u0131r\u0131lmas\u0131n\u0131 sa\u011flayan bu yeni arac\u0131n en \u00f6nemli \u00f6zelli\u011fi<br \/>\n\u201csecurity-aware\u201d olarak tasarlanmas\u0131d\u0131r [5]. Yani sald\u0131rganlar\u0131n sald\u0131r\u0131<br \/>\n tespit sistemlerini atlatmak i\u00e7in kullanabilece\u011fi \u00e7e\u015fitli teknikleri<br \/>\nyakalama kapasitesine sahiptir. Bununla birlikte k\u00fct\u00fcphane HTTP<br \/>\nprotokol\u00fcyle ilgili istek sat\u0131r\u0131, istek ba\u015fl\u0131\u011f\u0131, URI, kullan\u0131c\u0131 etmeni,<br \/>\ncevap sat\u0131r\u0131, sunucu cevap sat\u0131r\u0131, \u00e7erez, \u201cbasic\u201d ve \u201cdigest\u201d kimlik<br \/>\ndo\u011frulama i\u015flemleri i\u00e7in farkl\u0131 ayr\u0131\u015ft\u0131r\u0131c\u0131lara sahiptir. Suricata\u2019n\u0131n<br \/>\ndi\u011fer \u00f6nemli \u00f6zelli\u011fi \u00e7oklu i\u015f par\u00e7ac\u0131klar\u0131 (multi-threaded) halinde<br \/>\n\u00e7al\u0131\u015fmay\u0131 desteklemesidir. Yani birden \u00e7ok i\u015flemci \u00fcnitesine sahip<br \/>\nmimarilerde paket i\u015fleme i\u015flemi farkl\u0131 i\u015f par\u00e7ac\u0131klar\u0131yla farkl\u0131<br \/>\n\u00fcnitelerde da\u011f\u0131t\u0131k olarak yap\u0131lmaktad\u0131r. Her CPU \u00fcnitesi tek i\u015f<br \/>\npar\u00e7ac\u0131\u011f\u0131yla \u00e7al\u0131\u015fan ayr\u0131 bir makine gibi davran\u0131r. B\u00f6ylece y\u00fck dengesi<br \/>\nsa\u011flan\u0131p, performans artt\u0131r\u0131lm\u0131\u015f olur [6].\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"suricata-workers-af-packet-en.png\" height=\"353\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/suricata-workers-af-packet-en.png?resize=500%2C353&#038;ssl=1\" style=\"border: 0px solid #000000; height: 353px; margin: 5px; width: 500px;\" title=\"suricata-workers-af-packet-en.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 4 &#8211;\u00a0 Suricata&#8217;n\u0131n Multi-thread \u00c7al\u0131\u015fmas\u0131\n<\/p>\n<p>\n\u00a0\n<\/p>\n<p>\nTek i\u015f par\u00e7ac\u0131\u011f\u0131 (single-thread) ile \u00e7al\u0131\u015fan Snort maksimum 100-200<br \/>\nmegabit aras\u0131 trafi\u011fi i\u015flerken, Suricata 10 gigabit ger\u00e7ek trafi\u011fi<br \/>\ni\u015fleyebilmektedir.\n<\/p>\n<h3><span class=\"ez-toc-section\" id=\"222_Ozellikleri\"><\/span>\n2.2.2  \u00d6zellikleri<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nSuricata\u2019n\u0131n \u00f6zellikleri \u015f\u00f6yle s\u0131ralanabilir [7]:\n<\/p>\n<ul readability=\"1\">\n<li style=\"text-align: justify;\">\n<p> Sald\u0131r\u0131 tespit sistemi (IDS) , sald\u0131r\u0131 engelleme sistemi (IPS) gibi \u00e7al\u0131\u015fma modlar\u0131nda kullan\u0131labilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> A\u011f trafi\u011fini izleyerek trafi\u011fin pcap format\u0131nda kaydedilmesini daha<br \/>\nsonra kaydedilen bu dosyalar\u0131n\u0131n offline olarak analiz edilmesini<br \/>\nsa\u011flamaktad\u0131r. Ayr\u0131ca pcap dosyalar\u0131n\u0131n analizi i\u00e7in Unix soket modunda<br \/>\nda \u00e7al\u0131\u015fmaktad\u0131r.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Linux, FreeBSD, OpenBSD, Mac OS X, Windows gibi hemen hemen t\u00fcm i\u015fletim sistemlerinde \u00e7al\u0131\u015fabilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Konfig\u00fcrasyon dosyas\u0131 kolay bir \u015fekilde anla\u015f\u0131lmay\u0131 sa\u011flayan YAML<br \/>\nformat\u0131ndad\u0131r. Bir\u00e7ok programlama dili taraf\u0131ndan desteklenmektedir.<br \/>\nSuricata 2.0 kararl\u0131 s\u00fcr\u00fcm\u00fcyle birlikte YAML dosyas\u0131 istenilen par\u00e7alara<br \/>\n ayr\u0131larak ana dosya i\u00e7erisinden \u00e7a\u011fr\u0131lmas\u0131 sa\u011flanm\u0131\u015ft\u0131r.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> IPv6 protokol\u00fc tamamen desteklenmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Teredo, GRE, IP4-IP6 t\u00fcnel protokolleri \u00e7\u00f6z\u00fcmlenebilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> TCP oturumlar\u0131 i\u00e7in oturum ba\u015ftan sona takip edilmesi, ak\u0131\u015f\u0131n s\u0131raya<br \/>\nkonulmas\u0131, gibi i\u015flemleri yapar. Par\u00e7alanmaya u\u011frayan paketlerin yeniden<br \/>\n bir araya getirilmesi i\u00e7in de ayr\u0131 bir mod\u00fcle sahiptir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Ethernet, PPP; VLAN, QINQ vb. gibi bir\u00e7ok ikinci katman protokol\u00fcn\u00fc<br \/>\ndesteklemektedir. Ayr\u0131ca uygulama katman\u0131 protokollerinden HTTP, SSL,<br \/>\nTLS, SMB, SMB2, DCERPC, SMTP, FTP, SSH, DNS \u00e7\u00f6z\u00fcmlenebilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Yaz\u0131lan kurallarda PCRE (Perl Compatible Regular Expressions)<br \/>\nkullan\u0131labilmekte, dosya t\u00fcr\u00fc, boyutu, MD5 \u00f6zet de\u011feri e\u015fle\u015ftirilmesi<br \/>\nyap\u0131labilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> \u00c7al\u0131\u015fma s\u0131ras\u0131nda yeni kural eklenmesi, silinmesi gibi kural g\u00fcncelleme<br \/>\n i\u015flemleri yap\u0131labilmektedir. Uygulaman\u0131n yeniden ba\u015flamas\u0131<br \/>\ngerekmemektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> NVIDIA taraf\u0131ndan geli\u015ftirilen ve GPU\u2019lar taraf\u0131ndan kullan\u0131lan CUDA<br \/>\n(Compute Unified Device Architecture) teknolojisini desteklemektedir.<br \/>\nDolay\u0131s\u0131yla b\u00f6yle bir donan\u0131m ve \u00e7oklu i\u015f par\u00e7ac\u0131klar\u0131yla \u00e7al\u0131\u015fmada<br \/>\ny\u00fcksek performans elde edilecektir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> HTTP istekleri, TLS el s\u0131k\u0131\u015fmalar\u0131, SSH ba\u011flant\u0131lar\u0131 kaydedebilir.<br \/>\nSuricata 2.0 ile birlikte DNS istek\/cevaplar\u0131 da kaydedilmeye ba\u015flanm\u0131\u015f<br \/>\nve t\u00fcm kay\u0131tlar\u0131n bir\u00e7ok programlama dili taraf\u0131ndan kolayca<br \/>\nanla\u015f\u0131labilen JSON format\u0131nda kaydedilmesi sa\u011flanm\u0131\u015ft\u0131r.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Kurallara g\u00f6re \u00fcretilen alarmlar metin format\u0131nda kaydedilebilmekte ya<br \/>\nda syslog\u2019a g\u00f6nderilebilmektedir. Alarmlar\u0131n daha h\u0131zl\u0131 kaydedilmesini<br \/>\nsa\u011flayan Unified2 binary format\u0131n\u0131 kullanmaktad\u0131r. Bu formattaki<br \/>\ndosyalar Barnyard2 a\u00e7\u0131k kaynak kodlu arac\u0131 kullan\u0131larak metin haline<br \/>\nd\u00f6n\u00fc\u015ft\u00fcr\u00fclebilmekte veya istenilen bir veritaban\u0131na<br \/>\nkaydedilebilmektedir. Suricata 2.0\u2019dan sonra HTTP isteklerinin yan\u0131 s\u0131ra<br \/>\n Unified2 kay\u0131tlar\u0131 i\u00e7in de XFF (X-Forwarded-For) deste\u011fi gelmi\u015ftir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> HTTP trafi\u011finden ge\u00e7en t\u00fcm dosyalarla ilgili bilgileri MD5 \u00f6zet<br \/>\nde\u011ferleriyle birlikte JSON format\u0131nda kaydedilebilmekte, istenildi\u011fi<br \/>\ndurumda bu dosyalar trafikten \u00e7\u0131kar\u0131l\u0131p belirtilen bir dizinde<br \/>\nsaklanabilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> IPS modunda kullan\u0131lmas\u0131 durumunda d\u00fc\u015f\u00fcr\u00fclen paketlere ili\u015fkin<br \/>\nbilgiler, uygulaman\u0131n \u00e7al\u0131\u015fmas\u0131 ile ilgili istatistikler de<br \/>\nkaydedilebilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> IP itibar deste\u011fi vard\u0131r. Kural yaz\u0131m\u0131nda \u201ciprep\u201d anahtar s\u00f6zc\u00fc\u011f\u00fc<br \/>\nkullan\u0131larak istenilen verilerle e\u015fle\u015ftirme yap\u0131labilir. IP itibar<br \/>\ndeste\u011fi \u00e7al\u0131\u015fma an\u0131nda g\u00fcncellenebilir, yeniden ba\u015flatma gerektirmez.<br \/>\n <\/li>\n<li readability=\"5\">\n<p>\nPaket i\u015fleme performans\u0131n\u0131n artt\u0131r\u0131lmas\u0131 i\u00e7in AF_PACKET, PF_RING gibi<br \/>\nuygulamalar kullan\u0131labilmektedir. Ayr\u0131ca Endace, Napatech, Tilera gibi<br \/>\n\u00f6zelle\u015fmi\u015f donan\u0131mlarda da y\u00fcksek performansl\u0131 \u00e7al\u0131\u015fabilmektedir. 8<br \/>\nd\u00fc\u011f\u00fcmden olu\u015fan Tilera platformunda 80 gbps trafik Suricata ile<br \/>\ni\u015flenebilmektedir [8].<\/p>\n<\/li>\n<\/ul>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"suricata_tilera.png\" height=\"227\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/suricata_tilera.png?resize=500%2C227&#038;ssl=1\" style=\"border: 0px solid rgb(0, 0, 0); height: 227px; margin: 5px; width: 500px;\" title=\"suricata_tilera.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 5 &#8211;\u00a0 Suricata i\u00e7in \u00d6zelle\u015ftirilmi\u015f TILE-GxDonan\u0131m\u0131\n<\/p>\n<ul readability=\"-0.5\">\n<li readability=\"2\">\n<p>\nSuricata \u201cSourcefire Vulnerability Research Team\u2122 (VRT) Rules\u201d ve<br \/>\n\u201cEmerging Threats Rules\u201d kural setleri ile uyumlu olarak \u00e7al\u0131\u015fmaktad\u0131r.<br \/>\nBunun yan\u0131nda Lua betik dili ile yaz\u0131lacak kurallarla imzalar\u0131n<br \/>\nyetenekleri geli\u015ftirilebilir. Lua betik dili desteklenen \u00f6rnek imza<br \/>\n\u015f\u00f6yledir [9]:\n <\/p>\n<\/li>\n<\/ul>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"rule.png\" height=\"25\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/rule.png?resize=500%2C25&#038;ssl=1\" style=\"border: 0px solid #000000; height: 25px; margin: 5px; width: 500px;\" title=\"rule.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"lua_script.png\" height=\"213\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/lua_script.png?resize=500%2C213&#038;ssl=1\" style=\"border: 0px solid #000000; height: 213px; margin: 5px; width: 500px;\" title=\"lua_script.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n<span class=\"caption\">\u015eekil 6 &#8211;\u00a0 Lua betik dili\u011fle \u00e7al\u0131\u015fan Suricata Kural\u0131<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"223_Yapisi\"><\/span>\n2.2.3 Yap\u0131s\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nBir\u00e7ok \u00e7al\u0131\u015fma moduna sahip olan Suricata\u2019n\u0131n hangi modda \u00e7al\u0131\u015faca\u011f\u0131<br \/>\nba\u015flang\u0131\u00e7ta verilen parametrelerle belirlenmektedir. Paketlerin<br \/>\ni\u015flenmesi i\u00e7in olu\u015fturulan kuyruk yap\u0131lar\u0131, paket i\u015fleyici i\u015f<br \/>\npar\u00e7ac\u0131klar\u0131 \u00e7al\u0131\u015fma modu belli olduktan sonra moda g\u00f6re d\u00fczenlenerek<br \/>\n\u00e7al\u0131\u015fmaya uygun hale getirilir. En \u00e7ok tercih edilen \u201cpcap device\u201d yani<br \/>\nsald\u0131r\u0131 tespit sistemi modunda bir paket s\u0131ras\u0131yla paket yakalama, paket<br \/>\n \u00e7\u00f6z\u00fcmleme, ak\u0131\u015f i\u015flemi ve tespit mod\u00fcllerinden ge\u00e7er. Bu i\u015flemlerin<br \/>\nsonucuna g\u00f6re paket ge\u00e7irilir ya da alarm \u00fcretilir. IPS modu i\u00e7in<br \/>\npaketlerin d\u00fc\u015f\u00fcr\u00fclmesi ve reddedilmesi i\u015flemleri de mevcuttur.\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"packet_pipeline.png\" height=\"168\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/packet_pipeline.png?resize=500%2C168&#038;ssl=1\" style=\"border: 0px solid #000000; height: 168px; margin: 5px; width: 500px;\" title=\"packet_pipeline.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 7 &#8211;\u00a0 Suricata \u00c7al\u0131\u015fma Yap\u0131s\u0131\n<\/p>\n<p>\n\u00a0\n<\/p>\n<ul style=\"text-align: justify;\">\n<li>\n<p> <b><u>Paket \u00c7\u00f6z\u00fcmleme Mod\u00fcl\u00fc (Decoding Module):<\/u> <\/b>Paket \u00e7\u00f6z\u00fcmleme<br \/>\ni\u015flemi, paketlerin ara belle\u011fe al\u0131nmas\u0131 ve i\u00e7eri\u011finin Suricata\u2019n\u0131n<br \/>\ndestekledi\u011fi veri yap\u0131s\u0131na d\u00f6n\u00fc\u015ft\u00fcr\u00fclmesinden sorumludur. Paketler<br \/>\nburada veri linklerine (ethernet, ppp vb.) g\u00f6re s\u0131n\u0131fland\u0131r\u0131l\u0131p ona<br \/>\nuygun \u00e7\u00f6z\u00fcmleyicilerde i\u015flenir [10].<\/li>\n<li>\n<p> <u><b>Ak\u0131\u015f \u0130\u015flemleri Mod\u00fcl\u00fc (Stream Module):<\/b><\/u> Temel olarak 3 g\u00f6revi vard\u0131r:<br \/>\n <\/li>\n<\/ul>\n<p>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <b>1.<\/b> Do\u011fru, anla\u015f\u0131labilir bir a\u011f ba\u011flant\u0131s\u0131n\u0131n olmas\u0131 i\u00e7in ak\u0131\u015flar\u0131 takip eder.\n<\/p>\n<p>\n\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <b>2. <\/b>TCP ba\u011flant\u0131lar\u0131 i\u00e7in ana ak\u015f\u0131n tekrar olu\u015fturulabilmesi i\u00e7in paketlerin s\u0131raya konulmas\u0131 i\u015flemini yapar.\n<\/p>\n<p>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0 <b>3.<\/b> Uygulama katman\u0131 denetimi yapar. HTTP ve DCERPC analiz edilir.\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"decomp-en.png\" height=\"354\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/decomp-en.png?resize=500%2C354&#038;ssl=1\" style=\"border: 0px solid rgb(0, 0, 0); height: 354px; margin: 5px; width: 500px;\" title=\"decomp-en.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n<span class=\"caption\">\u015eekil 8 &#8211;\u00a0 Stream Mod\u00fcl\u00fc \u00c7al\u0131\u015fma Mekanizmas\u0131<\/span>\u00a0<\/p>\n<ul readability=\"0\">\n<li readability=\"3\">\n<p>\n<b><u>Tespit Mod\u00fcl\u00fc (Detect Module):<\/u> <\/b>Konfig\u00fcrasyonda belirtilen t\u00fcm<br \/>\nkurallar\u0131n y\u00fcklenmesi, tespit eklentilerinin ba\u015flat\u0131lmas\u0131 ve paketlerin<br \/>\ngruplanarak kurallarla e\u015fle\u015ftirilmesi gibi \u00f6nemli i\u015flerden sorumludur.<br \/>\nKurallar\u0131 kendi i\u00e7erisinde grupland\u0131r\u0131r. \u00d6rne\u011fin TCP paketinin UDP<br \/>\nprotokol\u00fc i\u00e7in yaz\u0131lm\u0131\u015f kurallarla kar\u015f\u0131la\u015ft\u0131r\u0131lmas\u0131na gerek yoktur. BU<br \/>\ny\u00fczden TCP i\u00e7in yaz\u0131lm\u0131\u015f kurallar bir grup olarak d\u00fc\u015f\u00fcn\u00fclebilir [11]\n <\/p>\n<\/li>\n<\/ul>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"grouping_tree.png\" height=\"386\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/grouping_tree.png?resize=500%2C386&#038;ssl=1\" style=\"border: 0px solid #000000; height: 386px; margin: 5px; width: 500px;\" title=\"grouping_tree.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 9 &#8211;\u00a0 Tespit Mod\u00fcl\u00fc ile Paketlerin Grupland\u0131r\u0131lmas\u0131\n<\/p>\n<p>\n\u00a0\n<\/p>\n<p>\nOlu\u015fturulacak gruplar\u0131n say\u0131s\u0131 kullan\u0131c\u0131 taraf\u0131ndan belirlenebilir.<br \/>\nGruplar\u0131n say\u0131s\u0131n\u0131 belirlemek bir haf\u0131za\/performans problemidir. Az<br \/>\nsay\u0131daki gruplar d\u00fc\u015f\u00fck performans az bellek kullan\u0131m\u0131na neden olurken<br \/>\ngrup say\u0131s\u0131n\u0131n artmas\u0131 performans ve bellek kullan\u0131m\u0131n\u0131n artmas\u0131na neden<br \/>\n olur. Suricata\u2019da tan\u0131ml\u0131 olarak \u201cy\u00fcksek, orta ve d\u00fc\u015f\u00fck\u201d olmak \u00fczere 3<br \/>\nprofil gelir, varsay\u0131lan profil bellek kullan\u0131m\u0131 ve performans aras\u0131nda<br \/>\nbir denge olu\u015fturan \u201corta\u201d d\u0131r.\n<\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"23_BRO_231_Gelisimi\"><\/span>\n2.3 BRO<br \/>2.3.1  Geli\u015fimi<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nBro a\u00e7\u0131k kaynak kodlu, UNIX tabanl\u0131, BSD lisans\u0131 ile da\u011f\u0131t\u0131lan sald\u0131r\u0131<br \/>\ntespit sistemi, a\u011f analiz ve izleme arac\u0131d\u0131r. \u0130lk olarak Lawrence<br \/>\nBerkeley National Laboratory (LBNL)\u2019de ara\u015ft\u0131rmac\u0131 olan Vern Paxson<br \/>\ntaraf\u0131ndan 1995 y\u0131l\u0131nda kodlanmaya ba\u015flanm\u0131\u015ft\u0131r. 1996 y\u0131l\u0131nda i\u015flevsel<br \/>\nolarak geli\u015ftirilmeye ba\u015flanm\u0131\u015f ve 1998 y\u0131l\u0131nda yay\u0131nlanan bir makale<br \/>\nile duyurulmu\u015ftur. 2003 y\u0131l\u0131na gelindi\u011finde National Science Foundation<br \/>\n(NSF) taraf\u0131ndan proje desteklenmeye ba\u015flanm\u0131\u015f ve g\u00fcn\u00fcm\u00fczde de<br \/>\nBerkeley\u2019deki International Computer Science Institute (ICSI)\u2019de<br \/>\ngeli\u015ftirilmeye devam edilmektedir [12].\u00a0<\/p>\n<p>\nBro klasik kural tabanl\u0131 IDS\u2019lerden farkl\u0131 olarak komple bir a\u011f trafi\u011fi<br \/>\nanaliz arac\u0131d\u0131r. Trafik analizi sadece g\u00fcvenlik alan\u0131nda de\u011fil,<br \/>\nperformans analizleri ve a\u011f sorunlar\u0131n\u0131n \u00e7\u00f6z\u00fcmlerini de i\u00e7ermektedir.\n<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"bro.png\" height=\"320\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/bro.png?resize=491%2C320&#038;ssl=1\" style=\"border: 0px solid #000000; height: 320px; margin: 5px; width: 491px;\" title=\"bro.png\" width=\"491\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 10 &#8211;\u00a0 Bro&#8217;nunKapsam\u0131\n<\/p>\n<p>\u00a0<\/p>\n<p>\nBro \u00e7al\u0131\u015fmas\u0131yla birlikte a\u011fdaki bir\u00e7ok aktiviteyle ilgili kay\u0131t<br \/>\nolu\u015fturur. Sadece a\u011fdaki t\u00fcm trafi\u011fin kaydedilmesi de\u011fil \u00f6zellikle<br \/>\nuygulama katman\u0131ndaki protokollerin \u00e7\u00f6z\u00fcmlenmesini sa\u011flar. Bro\u2019yu di\u011fer<br \/>\nsald\u0131r\u0131 tespit sistemlerinden ay\u0131ran en \u00f6nemli \u00f6zellik kendine ait bir<br \/>\nbetik dilinin olmas\u0131d\u0131r. Bu dil sayesinde \u00e7ok esnek ve geli\u015ftirilebilir<br \/>\nbir yap\u0131dad\u0131r. Her kullan\u0131c\u0131 yazaca\u011f\u0131 \u00f6zel betiklerle sistemin<br \/>\nfonksiyonelli\u011fini artt\u0131rabilir ve \u00f6zelle\u015ftirebilir [13]. Uygulamayla<br \/>\nbirlikte gelen bir\u00e7ok haz\u0131r k\u00fct\u00fcphane ve framework ile betik yaz\u0131m\u0131<br \/>\nkolayla\u015ft\u0131r\u0131lm\u0131\u015ft\u0131r. Farkl\u0131 yerlerde sisteme \u00f6zg\u00fc Python<br \/>\n(domain-specific Python) olarak adland\u0131r\u0131lmaktad\u0131r. Genel olarak bu<br \/>\nbetiklerle a\u011fdaki zararl\u0131 aktivitelerin tespiti, anomalilerin tespiti ve<br \/>\n davran\u0131\u015fsal analiz gibi i\u015flemler yap\u0131labilir. Bununla birlikte<br \/>\nvarsay\u0131lan ayarlarla da \u00e7ok geni\u015f yelpazede \u00f6zellikler sunmaktad\u0131r.\n<\/p>\n<h3><span class=\"ez-toc-section\" id=\"232_Ozellikleri\"><\/span>\n2.3.2 \u00d6zellikleri<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nBro\u2019nun \u00f6zellikleri \u015f\u00f6yle s\u0131ralanabilir:\n<\/p>\n<ul readability=\"0\">\n<li style=\"text-align: justify;\">\n<p> Linux, FreeBSD, MacOS gibi UNIX tabanl\u0131 i\u015fletim sistemlerinde \u00e7al\u0131\u015fabilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Ger\u00e7ek zamanl\u0131 ya da offline analiz yapabilmektedir.<br \/>\n <\/li>\n<li style=\"text-align: justify;\">\n<p> Paketlerin yakalanmas\u0131 i\u00e7in \u201clibpcap\u201d k\u00fct\u00fcphanesini kullanmaktad\u0131r.<br \/>\n <\/li>\n<li readability=\"3\">\n<p>\n\u00dcniversiteler, ara\u015ft\u0131rma laboratuvarlar\u0131, b\u00fcy\u00fck \u00f6l\u00e7ekli i\u015fletmeler gibi<br \/>\n trafi\u011fin yo\u011fun ve da\u011f\u0131t\u0131k oldu\u011fu yerlerde Bro kullan\u0131c\u0131lara k\u00fcme<br \/>\nyap\u0131s\u0131n\u0131 (\u201cBro Clusters\u201d) sunmaktad\u0131r [14]. Farkl\u0131 sunucularda Bro<br \/>\n\u00e7al\u0131\u015f\u0131r ve bunlar kendi aras\u0131nda ileti\u015fim kurabilirler.\n <\/p>\n<\/li>\n<\/ul>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"bro_cluster.png\" height=\"361\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/bro_cluster.png?resize=500%2C361&#038;ssl=1\" style=\"border: 0px solid #000000; height: 361px; margin: 5px; width: 500px;\" title=\"bro_cluster.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 11 &#8211;\u00a0 Bro Cluster Yap\u0131s\u0131\u00a0<\/p>\n<ul>\n<li>T\u00fcm HTTP trafi\u011fini (sunucu\/istemci istek ve cevaplar\u0131, mime t\u00fcrleri, uri vb.), DNS istek ve cevaplar\u0131n\u0131, SSL sertifikalar\u0131n\u0131, SMTP oturumlar\u0131n\u0131, FTP trafi\u011fini \u00e7\u00f6z\u00fcmleyerek kaydedebilmektedir. Ayr\u0131ca a\u011f ak\u0131\u015f\u0131n\u0131 da kay\u0131t alt\u0131na almakatad\u0131r.\u00a0<\/li>\n<li>Kay\u0131tlar rahat\u00e7a okunabilir \u015fekilde (tab karakteriyle ayr\u0131lm\u0131\u015f), ASCII format\u0131nda metin dosyalar\u0131na kaydedilir.\u00a0<\/li>\n<li>Port ba\u011f\u0131ms\u0131z olarak uygulama katman\u0131 protokollerinden DNS, FTP, HTTP, IRC, SMTP, SSH, SSL \u00e7\u00f6z\u00fcmlenebilmektedir.\u00a0<\/li>\n<li>HTTP, FTP, SMTP, IRC trafi\u011finden ge\u00e7en t\u00fcm dosyalarla ilgili bilgileri MD5\/SHA1 \u00f6zet de\u011ferleriyle birlikte metin format\u0131nda kaydedilebilmekte, istenildi\u011fi durumda bu dosyalar trafikten \u00e7\u0131kar\u0131l\u0131p belirtilen bir dizinde saklanabilmektedir [15].\u00a0<\/li>\n<li>D\u0131\u015f kaynaklar kullanarak (\u00f6zet de\u011feri e\u015fle\u015ftirmeleri, IP itibar tablolar\u0131) \u00e7e\u015fitli zararl\u0131 yaz\u0131l\u0131mlar\u0131 tespit edebilmektedir [16].<\/li>\n<\/ul>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"bro_extermalsources.png\" height=\"214\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/bro_extermalsources.png?resize=500%2C214&#038;ssl=1\" style=\"border: 0px solid #000000; height: 214px; margin: 5px; width: 500px;\" title=\"bro_extermalsources.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n\u015eekil 12 &#8211;\u00a0 Bro&#8217;nun D\u0131\u015f Kaynaklarla Beslenmesi\u00a0<\/p>\n<ul>\n<li style=\"text-align: justify;\">A\u011f trafi\u011finde tespit edilen uygulamalar\u0131n (Java, Flash vb.) a\u00e7\u0131k bar\u0131nd\u0131ran versiyonlar\u0131, pop\u00fcler web uygulamalar\u0131 (Skype, Facebook vb.), SSH kaba kuvvet ataklar\u0131n\u0131 tespit edilebilmektedir.\u00a0<\/li>\n<li style=\"text-align: justify;\">Trafikteki SSL sertifikalar\u0131na ait t\u00fcm zincirin do\u011frulanmas\u0131 sa\u011flanmaktad\u0131r.\u00a0<\/li>\n<li style=\"text-align: justify;\">IPv6 protokol\u00fc kapsaml\u0131 bir \u015fekilde desteklenmektedir.\u00a0<\/li>\n<li style=\"text-align: justify;\">Ayiya, Teredo, GTPv1 gibi t\u00fcnel protokolleri tespit edilip analiz edilebilmektedir. Bro t\u00fcneli tespit ettikten sonra \u00e7\u00f6z\u00fcmleyerek sanki hi\u00e7 t\u00fcnel yokmu\u015f gibi analiz i\u015flemini ger\u00e7ekle\u015ftirmektedir.\u00a0<\/li>\n<li style=\"text-align: justify;\">Klasik IDS\u2019lerin kulland\u0131\u011f\u0131 desen e\u015fle\u015ftirmesi y\u00f6ntemini desteklemektedir.\u00a0<\/li>\n<li style=\"text-align: justify;\">Analiz i\u00e7in kullan\u0131lacak d\u0131\u015f kaynaklar ger\u00e7ek zamanl\u0131 olarak sisteme entegre edilebilmektedir.\u00a0<\/li>\n<li style=\"text-align: justify;\">Betik dili sayesinde tasarlanan senaryonun olu\u015fmas\u0131 durumunda e-mail g\u00f6nderme, anl\u0131k ba\u011flant\u0131n\u0131n sonland\u0131r\u0131lmas\u0131, y\u00f6nlendirici eri\u015fim kontrol listesine blok kay\u0131tlar\u0131n\u0131n girilmesi gibi farkl\u0131 bir d\u0131\u015f i\u015flemi tetikleyebilmektedir.\u00a0<\/li>\n<li style=\"text-align: justify;\">Uygulamalar\u0131n Bro ile konu\u015fmas\u0131n\u0131 sa\u011flayan Broccoli (The Bro Client Communications Library) [17], Bro kurulumu ve kullan\u0131m\u0131 i\u00e7in interaktif bir kabuk sunan BroControl [18], kay\u0131tlar\u0131n ayr\u0131\u015ft\u0131r\u0131lmas\u0131n\u0131 sa\u011flayan bro-cut vb [19], snort imzalar\u0131n\u0131n Bro imzalar\u0131na d\u00f6n\u00fc\u015ft\u00fcr\u00fclmesini sa\u011flayan \u201csnort2bro\u201d beti\u011fi vb. ara\u00e7lara da sahiptir.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"233_Yapisi\"><\/span>\n2.3.3 Yap\u0131s\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\nBro katmanl\u0131 bir yap\u0131dad\u0131r ve iki temel bile\u015fenden olu\u015fmaktad\u0131r. Bunlar \u201cevent engine\u201d ve \u201cpolicy script interpreter\u201d\u2019dir.\u00a0<\/p>\n<p>\n<u><i><b>Event Engine:<\/b><\/i><\/u> C++ programlama dilinde yaz\u0131lm\u0131\u015ft\u0131r. A\u011f<br \/>\nak\u0131\u015f\u0131ndaki paket serilerini anlam ifade eden \u00fcst seviye olaylara<br \/>\nd\u00f6n\u00fc\u015ft\u00fcr\u00fcr. \u00d6rne\u011fin a\u011fdaki herhangi bir HTTP iste\u011fi IP adresleri,<br \/>\nportlar\u0131, talep edilen URI, kullan\u0131lan HTTP versiyonu ile birlikte tek<br \/>\nbir \u201chttp_request\u201d olay\u0131na d\u00f6n\u00fc\u015ft\u00fcr\u00fcl\u00fcr. Daha basit bir ifadeyle a\u011fdaki<br \/>\nherhangi bir protokole ait aktivite Bro dili taraf\u0131ndan anla\u015f\u0131labilir<br \/>\nformata \u00e7evrilir. Ancak buradaki \u00f6rnekte HTTP iste\u011findeki IP ya da<br \/>\nURI\u2019\u0131n zararl\u0131 olup olmad\u0131\u011f\u0131 event engine\u2019in g\u00f6revi de\u011fildir. Bro\u2019nun<br \/>\nkulland\u0131\u011f\u0131 yakla\u015f\u0131k 320 tane olay t\u00fcr\u00fc vard\u0131r [20]. Bunlardan baz\u0131lar\u0131<br \/>\n\u015f\u00f6yledir; new_connection, new_packet, http_header, ssl_certificate_seen,<br \/>\n authentication_rejected, dns_PTR_reply, arp_reques.\u00a0<\/p>\n<div style=\"text-align: center;\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"bro_architecture_ex.png\" height=\"318\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/bro_architecture_ex.png?resize=500%2C318&#038;ssl=1\" style=\"border: 0px solid #000000; height: 318px; margin: 5px; width: 500px;\" title=\"bro_architecture_ex.png\" width=\"500\" data-recalc-dims=\"1\" \/><\/div>\n<p>\n<span class=\"caption\">\u015eekil 13 &#8211;\u00a0 Bro \u00c7al\u0131\u015fma Yap\u0131s\u0131<\/span>\n<\/p>\n<p>\n\u00a0\n<\/p>\n<p>\n<u><i><b>Policy Script Interpreter:<\/b><\/i><\/u> Bro\u2019nun betik dilinde yaz\u0131lm\u0131\u015f<br \/>\nolay i\u015fleyicilerinin \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131ndan sorumlu yap\u0131d\u0131r. Betikler<br \/>\nkullan\u0131larak a\u011f trafi\u011fi i\u00e7in olu\u015fturulmu\u015f olay t\u00fcrleri analiz edilip<br \/>\nherhangi bir anomali olup olmad\u0131\u011f\u0131, olmas\u0131 durumunda hangi i\u015flemlerin<br \/>\nger\u00e7ekle\u015ftirilece\u011fi ve bunlar\u0131n nas\u0131l kay\u0131t alt\u0131na al\u0131naca\u011f\u0131 belirtilir.<br \/>\n Daha genel bir ifadeyle trafik ile ilgili istenilen \u00f6zellikler ve<br \/>\nistatistikler elde edilebilir.\n<\/p>\n<h2><span class=\"ez-toc-section\" id=\"SONUC\"><\/span>\nSONU\u00c7<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\nSistemleri s\u00fcrekli olarak izleyebilmeyi ve sald\u0131r\u0131lar\u0131 k\u0131sa s\u00fcre<br \/>\ni\u00e7erisinde fark etmeyi sa\u011flayan sald\u0131r\u0131 tespit sistemleri g\u00fcvenlik<br \/>\nsistemlerinin vazge\u00e7ilmez \u00fcr\u00fcnleri aras\u0131ndad\u0131r. G\u00fcn\u00fcm\u00fcz bilgi \u00e7a\u011f\u0131nda,<br \/>\nher kurumun internete ba\u011fl\u0131 oldu\u011fu d\u00fc\u015f\u00fcn\u00fcl\u00fcrse herkes bir Sald\u0131r\u0131 Tespit<br \/>\n Sistemi kurmal\u0131 ve gerekli imza g\u00fcncelle\u015ftirmelerini yaparak bu<br \/>\nsistemin \u00e7\u0131kt\u0131lar\u0131n\u0131 d\u00fczenli olarak takip etmelidir diyebiliriz. Bunun<br \/>\nfirewall kadar \u00f6nemli bir uygulama oldu\u011funun, bir ihtiya\u00e7 oldu\u011funun<br \/>\nbilinmesi gerekmektedir.\u00a0 Onun i\u00e7in a\u011fa gelmesi muhtemel davetsiz<br \/>\nmisafirleri fark edebilmek i\u00e7in maddi imk\u00e2nlar \u00f6l\u00e7e\u011finde sald\u0131r\u0131 tespit<br \/>\nsistemleri olu\u015fturulmal\u0131d\u0131r. Ticari \u00fcr\u00fcnler i\u00e7in yeterli b\u00fct\u00e7e<br \/>\nolu\u015fturulamam\u0131\u015f ise \u00fccretsiz \u00fcr\u00fcnler kullan\u0131larak da yeterli g\u00fcvenli\u011fi<br \/>\nsa\u011flamak \u00e7o\u011fu zaman m\u00fcmk\u00fcn olabilmektedir. Sunucu tabanl\u0131 sistemlerde<br \/>\nkurulacak port tarama saptay\u0131c\u0131lar\u0131, dosya b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc kontrol eden<br \/>\nyaz\u0131l\u0131mlar ya da snort, firestorm, pakemon gibi a\u011f tabanl\u0131 sald\u0131r\u0131<br \/>\ntespit sistemleri d\u00fc\u015f\u00fck maliyet ile belirli bir g\u00fcvenlik seviyesi<br \/>\nsa\u011flam\u0131\u015f olacakt\u0131r.\n<\/p>\n<\/div>\n<p><a href=\"https:\/\/furkansandal.com\">Ana Sayfa <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hayat\u0131m\u0131za akademik ama\u00e7l\u0131 bir ara\u015ft\u0131rma a\u011f\u0131 olarak giren internet, g\u00fcn\u00fcm\u00fczde \u00f6nemli toplumsal d\u00f6n\u00fc\u015f\u00fcmlere altyap\u0131 sa\u011flar duruma gelmi\u015ftir. O zamanlar internetin&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1222,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,4],"tags":[103,109,76,104,105,59,22,108,102,107,101,84,86,106],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/10\/networksecurity.jpg?fit=960%2C360&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-jH","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/1221"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=1221"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/1221\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/1222"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=1221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=1221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=1221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}