Software Positioning and Basic Concepts

Doghead is an open-source tool focused on network packet analysis and security auditing; its core value lies in providing enterprise-grade traffic monitoring and threat detection. The software is developed on the Linux kernel, supports cross-platform deployment, and has three core functional modules: deep protocol parsing, real-time traffic visualization, and intrusion detection system (IDS) integration. Users should understand its typical application scenarios, which include building a network security defense architecture, application-layer protocol debugging, and locating network performance bottlenecks.
Environment Preparation and Prerequisites
1. Hardware requirements
Recommended: an Intel i5 or better processor (with AVX instruction set support), at least 16GB of RAM, and no less than 100GB of SSD storage. To monitor a gigabit network environment, fit a dedicated NIC that supports promiscuous mode.
2. System dependencies
3. Permission configuration
Run `sudo sysctl -w net.core.rmem_max=16777216` to enlarge the kernel's socket receive buffer and avoid packet loss. To make this persistent, add `net.core.rmem_max=16777216` to `/etc/sysctl.conf`.
Installation and Deployment Procedure
1. Building and installing from source (recommended for production)
```bash
git clone
cd doghead-core
mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Release -DENABLE_IPSEC_DECODE=ON ..
make -j$(nproc)
sudo make install
```
Key build parameters:
2. Quick deployment from the binary package
```bash
wget
sudo apt install ./doghead-linux-amd64-3.2.1.deb
sudo systemctl enable dogheadd
```
Core Configuration Explained
1. Main configuration file
Edit `/etc/doghead/doghead.yaml`:
```yaml
capture:
  interface: eth0
  buffer_size: 256MB
  filter: "not port 22"  # exclude SSH traffic from capture
analysis:
  threat_detection:
    enabled: true
    ruleset: /etc/doghead/rules/emerging-threats.rules
logging:
  level: info
  rotation: 500MB
```
2. Rule set management
Sync rules from the official threat intelligence feeds:
```bash
doghead-ctl update-rules --feed et_pro --feed alienvault
```
Custom rule example (save as `custom.rules`):
```
alert tcp any any -> 192.168.1.0/24 80 \
(msg:"SQLi Detection"; content:"select%20"; nocase; threshold:3/60s;)
```
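As an added example (not part of this page or the Doghead project), a small Python linter for the rule format shown above: it joins backslash-continued lines, parses the header and the `(...)` option block, and checks that `msg` is present and that `threshold` uses the `<count>/<seconds>s` form. The header grammar and the checks are assumptions about the format, not documented Doghead behaviour.

```python
import re
# Constructed sample: the page's custom.rules example, so the '\' continuation is exercised.
SAMPLE_RULES = r'''
# custom.rules (constructed copy of the page's example)
alert tcp any any -> 192.168.1.0/24 80 \
    (msg:"SQLi Detection"; content:"select%20"; nocase; threshold:3/60s;)
'''
HEADER_RE = re.compile(  # assumed header grammar: action proto src sport dir dst dport (opts)
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")
THRESHOLD_RE = re.compile(r"^\d+/\d+s$")  # <count>/<seconds>s, e.g. 3/60s

def logical_rules(text):
    """Yield one string per rule: skip comments/blanks, join backslash-continued lines."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""
    if buf:  # file ended inside a continuation; yield it so the linter flags it
        yield buf

def parse_options(opts):
    """Split the option block on ';' outside double quotes into (key, value|None) pairs."""
    pairs = []
    for item in re.findall(r'(?:[^;"]|"[^"]*")+', opts):
        key, _, val = item.strip().partition(":")
        if key:
            pairs.append((key, val.strip().strip('"') if val else None))
    return pairs

def lint_rules(text):
    """Return [(rule_number, problem), ...]; an empty list means the file passed."""
    problems = []
    for n, rule in enumerate(logical_rules(text), 1):
        m = HEADER_RE.match(rule)
        if not m:
            problems.append((n, "malformed header or missing '(...)' option block"))
            continue
        opts = dict(parse_options(m["opts"]))
        if "msg" not in opts:
            problems.append((n, "missing msg"))
        if "threshold" in opts and not THRESHOLD_RE.match(opts["threshold"] or ""):
            problems.append((n, "threshold must be <count>/<seconds>s"))
    return problems
```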
Advanced Features
1. Distributed deployment architecture
Build a three-node cluster:
```bash
# control node
doghead-ctl cluster init --control-node 192.168.1.10
# data (capture) node
doghead-node --join 192.168.1.10 --role capture --tags "dc=shanghai"
# analysis node
doghead-node --join 192.168.1.10 --role analysis --gpu-enabled
```
2. Performance tuning
```bash
# configure 8 combined RX/TX queues on the capture NIC
ethtool -L eth0 combined 8
# reserve 1024 huge pages of 2MB (2GB) for the capture buffers
echo 1024 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
# pin the capture node to CPUs 2-6
taskset -c 2-6 doghead-node --role capture
```
Operations Monitoring
1. Prometheus metrics collection
Expose the monitoring endpoint:
```yaml
monitoring:
  prometheus:
    enable: true
    port: 9091
    metrics: [packets, drops, alerts]
```
Import the official template `doghead-15932` into Grafana to monitor the following key metrics in real time:
2. Log aggregation and analysis
Configure the Logstash pipeline:
```ruby
input {
  syslog { port => 514 }
}
filter {
  grok { match => { "message" => "%{DOGHEAD_LOG}" } }
}
output {
  elasticsearch { hosts => ["es01:9200"] }
}
```
Troubleshooting Manual
1. Diagnosing common problems
`doghead-stat --live --show-drop-causes` shows the specific causes of packet drops
Use `perf record -g -p
Run `doghead-ctl test-rule custom.rules` to validate rule syntax
2. Emergency recovery procedure
1. Run `doghead-ctl emergency-stop` to stop data capture immediately
2. Check `/var/log/doghead/crash.log` for the stack trace
3. Roll back the configuration: `doghead-ctl config rollback v1.2`
4. Submit a bug report: `doghead-bugreport --include-core`
Security Hardening
1. Communication encryption: enable TLS 1.3
Generate a certificate: `openssl req -x509 -newkey rsa:4096 -nodes -out doghead.pem -keyout doghead.key -days 365`
2. Privilege isolation:
Create a dedicated user: `useradd -r -s /bin/false doghead`
3. Vulnerability protection:
Configure the SELinux policy:
`setsebool -P doghead_can_network 1`
Continuous Integration Practice
Automate deployment with Ansible:
```yaml
- hosts: doghead_nodes
  roles:
  vars:
    node_role: "{{ capture_node | default('analysis') }}"
```
Technical Roadmap
1. Machine learning integration: deploy TensorFlow models to identify anomalous traffic
2. eBPF integration: use the XDP framework for kernel-level packet processing
3. Cloud-native support: develop a Kubernetes Operator for elastic scaling
By working through this guide systematically, users can manage the full lifecycle from basic deployment to production-grade operations. Follow the official security advisories regularly to get the latest updates, and take part in the technical discussions on the community forum to keep up with new developments.