├── README.md
├── attack3.py
├── demo.rules
├── local.rules
├── scanport.rules
├── start.bat
├── udp.rules
└── 在Windows环境下搭建Snort+BASE入侵检测系统 - 简书.pdf

/README.md:
--------------------------------------------------------------------------------
# IDS-basedSnort

An intrusion detection system built on Snort, BASE and MySQL.

## Outline

1. Install the web server: Apache.
2. Install the database: MySQL.
3. Download PHP.
4. For steps 1-3 the AppServ bundle is recommended: it ships all three already integrated, so nothing has to be worked out by hand.
5. [Related resources](https://cloud.189.cn/web/share?code=VVNvemyiaaEf) (access code: zqr7)
6. Put Snort under `c:\snort` !!! Otherwise every path has to be reconfigured, which is tedious.
7. Start AppServ, open localhost and edit the web pages as described in the PDF. Do not touch `snort/etc/snort.conf`; the copy in the resources is already configured for this setup.
8. Run `c:\snort\bin\snort -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -T` to test the configuration. `-T` parses snort.conf and the rule files, reports any errors and exits without sniffing.
9. The number after `-i` is the index of the capture interface. Run `snort -W` in the bin directory to list the interfaces on your machine. Normally pick the index whose description names the NIC vendor; this machine showed no descriptions at all, so the indexes had to be tried one by one.
10. `c:\snort\bin\snort -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -A fast` writes one-line alerts to `log\alert.ids`, which you can inspect directly.
11. `c:\snort\bin\snort -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -dev` additionally prints every packet to the console (`-d` application layer, `-e` link-layer headers, `-v` verbose); refresh BASE to see the intrusions.

## Common errors

1. Check the interface choice: if `alert.ids` stays empty after Snort has been started, the wrong interface index is the usual cause.
2. When debugging, keep only one rule, for example in local.rules:
   `alert icmp any any -> $HOME_NET any (msg:"SNORT:any host ping this host";sid:201900003; rev:1;)`
   then ping the sensor and check whether BASE shows an ICMP alert.

## Notice

The start script goes under bin; set `-i` to your own interface index.
attack3 targets the local machine's IP by default. In a VM lab, assign the target's IP to `ip` as a constant instead: packets a Windows host sends to its own address travel over the internal loopback path, which the WinPcap capture driver does not see, so Snort running on the same host would not alert on them.
--------------------------------------------------------------------------------
/attack3.py:
--------------------------------------------------------------------------------
# attack3.py: generate the traffic the rule files in this repo should alert on
import os
import socket
import threading

# Target: the local machine's IP by default. In a VM, replace this with a constant,
# e.g. ip = "192.168.1.10" (the sensor's address).
hn = socket.gethostname()
ip = socket.gethostbyname(hn)

TIMEOUT = 1.0  # seconds; without it connect()/recv() can block forever


def testip(ip):
    # ICMP echo request: should trigger the icmp rule in local.rules
    c = f"ping {ip}"
    ret = os.system(c)
    print(ret)


# testip(ip)


def tcpattack(ip):
    # Full TCP connection: should trigger demo.rules (any tcp to $HOME_NET)
    sc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sc.settimeout(TIMEOUT)
    try:
        sc.connect((ip, 8080))
        sc.send(b'hello World!')
        data = sc.recv(1024)
        print(data.decode('utf-8', errors='replace'))
    except OSError as e:
        print('tcp:', e)
        return 0
    finally:
        sc.close()


def udpattack(ip):
    # One UDP datagram: should trigger udp.rules. Nothing listens on the port, so
    # recv() normally fails with a timeout or, on Windows, ConnectionResetError from
    # the ICMP port-unreachable reply. That is expected; the packet was still sent.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(TIMEOUT)
    try:
        s.sendto('hello!'.encode(), (ip, 80))
        s.recv(1024)
    except OSError as e:
        print('udp:', e)
        return 0
    finally:
        s.close()


def scan_port(port, ip):
    # connect() scan of a single port. Each attempt starts with a SYN, which is what
    # scanport.rules matches on (subject to that rule's TTL condition).
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(TIMEOUT)
    try:
        status = s.connect_ex((ip, port))
        if status == 0:
            print(port, 'is open')
    except OSError:
        return 0
    finally:
        s.close()


# testip(ip)
# udpattack(ip)
# tcpattack(ip)
for i in range(80, 800):
    threading.Thread(target=scan_port, args=(i, ip)).start()
--------------------------------------------------------------------------------
/demo.rules:
--------------------------------------------------------------------------------
# Fires on every TCP packet to $HOME_NET, so it is noisy; useful only to prove the sensor sees traffic.
alert tcp any any -> $HOME_NET any (msg:"tcp attack any"; sid:201900001; rev:1;)
--------------------------------------------------------------------------------
/local.rules:
--------------------------------------------------------------------------------
# $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
alert icmp any any -> $HOME_NET any (msg:"External host ping inner host!";sid:201900003; rev:1;)
--------------------------------------------------------------------------------
/scanport.rules:
--------------------------------------------------------------------------------
# ttl:=32 restricts this rule to SYNs whose IP TTL is exactly 32. attack3.py's connect()
# scan from a Windows host (default TTL 128) will therefore not match it; demo.rules will.
alert tcp any any -> $HOME_NET any (msg:"MSF SYN scanning detected"; flags:S; ttl:=32; ack:0; sid:2000002; rev:1;)
--------------------------------------------------------------------------------
/start.bat:
--------------------------------------------------------------------------------
REM Place under c:\snort\bin and set -i to your interface index (see snort -W)
snort -i4 -dev -c c:\snort\etc\snort.conf -l c:\snort\log
--------------------------------------------------------------------------------
/udp.rules:
--------------------------------------------------------------------------------
alert udp any any -> $HOME_NET any (msg:"udp alert"; sid:20220630; rev:1;)
--------------------------------------------------------------------------------
/在Windows环境下搭建Snort+BASE入侵检测系统 - 简书.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/feesec/IDS-basedSnort/a385411936f1eb343ae19bf6d17b37e231fbabe0/在Windows环境下搭建Snort+BASE入侵检测系统 - 简书.pdf
--------------------------------------------------------------------------------
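To see what each of the four rule files above actually matches on, and why a rule header such as `¥HOME_NET` (the typo in scanport.rules) fails to load rather than silently never matching, here is a small rule evaluator in Python. It is an added example, not part of this repository and not Snort's own parser: it supports only the header form and the option keywords the rules above use (`msg`, `sid`, `rev`, `flags`, `ttl`, `ack`), assumes `HOME_NET` is the sensor at 192.168.1.10, and runs against constructed packets modelled on what attack3.py sends from a Windows host at 192.168.1.20 (default TTL 128), plus one crafted SYN with TTL 32.

```python
import ipaddress
import re

class RuleError(ValueError): pass

# Rule header: action proto src sport -> dst dport (options). Only what the rules above use.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
TTL_RE = re.compile(r'^(<=|>=|<|>|=)?(\d+)$')          # ttl:32  ttl:=32  ttl:<32 ...

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise RuleError(f'bad rule header: {line!r}')
    rule = m.groupdict()
    opts = {}
    for item in rule['opts'].split(';'):             # simplification: no ';' inside msg strings
        key, _, val = item.strip().partition(':')
        if key:
            opts[key] = val.strip().strip('"')
    if 'sid' not in opts:
        raise RuleError(f'rule without sid: {line!r}')
    rule['opts'] = opts
    for tok in (rule['src'], rule['dst']):           # a "¥HOME_NET" typo is rejected here
        if tok != 'any' and not tok.startswith('$'):
            try:
                ipaddress.ip_network(tok, strict=False)
            except ValueError:
                raise RuleError(f'{tok!r} is not an address, "any" or a $variable') from None
    return rule

def load_rules(text):
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith('#')]

def addr_matches(tok, ip, variables):
    if tok == 'any':
        return True
    if tok.startswith('$'):
        tok = variables[tok[1:]]                     # KeyError here = undefined variable
    return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)

def port_matches(tok, port):
    return tok == 'any' or int(tok) == port          # single ports only; no ranges or lists

def ttl_matches(spec, ttl):
    m = TTL_RE.match(spec)
    if not m:
        raise RuleError(f'bad ttl option {spec!r}')
    op, n = m.group(1) or '=', int(m.group(2))
    return {'=': ttl == n, '<': ttl < n, '>': ttl > n, '<=': ttl <= n, '>=': ttl >= n}[op]

def flags_match(spec, flags):
    wanted = set(spec.rstrip('+'))                   # "S": exactly SYN; "S+": SYN plus anything
    return wanted <= flags if spec.endswith('+') else wanted == flags

def rule_matches(rule, pkt, variables):
    o = rule['opts']
    return (rule['proto'] == pkt['proto']
            and addr_matches(rule['src'], pkt['src'], variables)
            and addr_matches(rule['dst'], pkt['dst'], variables)
            and (pkt['proto'] == 'icmp'
                 or (port_matches(rule['sport'], pkt['sport']) and port_matches(rule['dport'], pkt['dport'])))
            and ('flags' not in o or flags_match(o['flags'], pkt['flags']))
            and ('ttl' not in o or ttl_matches(o['ttl'], pkt['ttl']))
            and ('ack' not in o or int(o['ack']) == pkt['ack']))

def evaluate(rules, packets, variables):
    """[(packet index, sid, msg)] for every rule that fires, in rule order per packet."""
    return [(i, int(r['opts']['sid']), r['opts']['msg'])
            for i, p in enumerate(packets) for r in rules if rule_matches(r, p, variables)]

def pkt(proto, src, dst, sport=None, dport=None, ttl=128, flags='', ack=0):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, ttl=ttl, flags=set(flags), ack=ack)

VARIABLES = {'HOME_NET': '192.168.1.10/32'}          # assumed: the sensor is 192.168.1.10
RULES_TEXT = """
alert icmp any any -> $HOME_NET any (msg:"External host ping inner host!";sid:201900003; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"tcp attack any"; sid:201900001; rev:1;)
alert udp any any -> $HOME_NET any (msg:"udp alert"; sid:20220630; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"MSF SYN scanning detected"; flags:S; ttl:=32; ack:0; sid:2000002; rev:1;)
"""
# Constructed packets: attack3.py on a Windows host 192.168.1.20 (default TTL 128), the sensor's
# RST/ACK reply, and one crafted SYN with TTL 32 from elsewhere.
PACKETS = [
    pkt('icmp', '192.168.1.20', '192.168.1.10'),
    pkt('tcp', '192.168.1.20', '192.168.1.10', 50001, 8080, flags='S'),
    pkt('udp', '192.168.1.20', '192.168.1.10', 50002, 80),
    pkt('tcp', '192.168.1.10', '192.168.1.20', 8080, 50001, flags='RA', ack=1),
    pkt('tcp', '10.0.0.7', '192.168.1.10', 40000, 22, ttl=32, flags='S'),
]

def demo():
    return evaluate(load_rules(RULES_TEXT), PACKETS, VARIABLES)

def broken_rule_error():
    """What the yen-sign typo from scanport.rules produces: a load error, not a silent non-match."""
    try:
        parse_rule('alert tcp any any -> ¥HOME_NET any (msg:"x"; sid:1; rev:1;)')
    except RuleError as e:
        return str(e)
```

Calling `demo()` shows the point of the TTL caveat: the ping fires 201900003, the SYN to 8080 fires only demo.rules 201900001 (TTL 128 is not 32), the UDP datagram fires 20220630, the sensor's reply fires nothing because its destination is outside `$HOME_NET`, and only the crafted TTL-32 SYN fires 2000002 alongside demo.rules. `broken_rule_error()` returns the load error for the `¥HOME_NET` header.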
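Step 10 of the README says `-A fast` writes one-line alerts to `log\alert.ids`, and "Common errors" 1 says an empty file usually means the wrong `-i` index. The following parser for Snort's fast alert format is added example code, not part of this repository: it reads the file, counts alerts per sid, and flags a source that has hit many distinct destination ports, which is how attack3.py's connect() scan of ports 80-799 shows up through the noisy demo.rules. The sample lines are constructed to look like what the rule files above would produce (attacker 192.168.1.20, sensor 192.168.1.10); the 20-port scan threshold is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# One "-A fast" line: timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src -> dst
# (a [Classification: ...] field appears before Priority only for rules with a classtype).
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]'
    r'\s+(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$')

def split_endpoint(ep):
    """'192.168.1.20:50001' -> ('192.168.1.20', 50001); ICMP lines carry no port. IPv4 only."""
    host, sep, port = ep.rpartition(':')
    return (host, int(port)) if sep and port.isdigit() else (ep, None)

def parse_fast_alerts(text):
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if not m:
            raise ValueError(f'alert.ids line {n} is not in fast format: {line!r}')
        a = m.groupdict()
        for k in ('gid', 'sid', 'rev', 'pri'):
            a[k] = int(a[k])
        a['src'], a['sport'] = split_endpoint(a['src'])
        a['dst'], a['dport'] = split_endpoint(a['dst'])
        alerts.append(a)
    return alerts

def summarize(alerts, scan_threshold=20):
    """Alerts per sid, plus sources that touched at least scan_threshold distinct destination ports."""
    by_sid = Counter(a['sid'] for a in alerts)
    ports = defaultdict(set)
    for a in alerts:
        if a['dport'] is not None:
            ports[a['src']].add(a['dport'])
    scanners = {src: len(p) for src, p in ports.items() if len(p) >= scan_threshold}
    return {'total': len(alerts), 'by_sid': by_sid, 'scanners': scanners}

def check_lab(text):
    """The check behind 'Common errors' 1: an empty alert.ids usually means the wrong -i index."""
    alerts = parse_fast_alerts(text)
    if not alerts:
        return 'no alerts: Snort is probably listening on the wrong interface (compare snort -W with -i)'
    s = summarize(alerts)
    lines = [f"{s['total']} alerts"] + [f'  sid {sid}: {n}' for sid, n in sorted(s['by_sid'].items())]
    for src, n in s['scanners'].items():
        lines.append(f'  {src} hit {n} distinct ports: port scan')
    return '\n'.join(lines)

def _scan_lines():
    # Constructed: 30 of the demo.rules alerts attack3.py's scan of ports 80.. would produce.
    return '\n'.join(
        f'06/30-14:02:{13 + i // 10:02d}.{i:06d}  [**] [1:201900001:1] tcp attack any [**] '
        f'[Priority: 0] {{TCP}} 192.168.1.20:{50100 + i} -> 192.168.1.10:{80 + i}'
        for i in range(30))

# Constructed sample alert.ids: a ping, a UDP datagram, one TTL-32 SYN from elsewhere, then the scan.
SAMPLE_ALERTS = """\
06/30-14:02:11.123456  [**] [1:201900003:1] External host ping inner host! [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10
06/30-14:02:12.000010  [**] [1:20220630:1] udp alert [**] [Priority: 0] {UDP} 192.168.1.20:50002 -> 192.168.1.10:80
06/30-14:02:12.654321  [**] [1:2000002:1] MSF SYN scanning detected [**] [Priority: 0] {TCP} 10.0.0.7:40000 -> 192.168.1.10:22
""" + _scan_lines() + '\n'
```

To run it against a real lab, pass the contents of `c:\snort\log\alert.ids` to `check_lab()`; a `ValueError` on the first line means the file was written in another alert mode (the default is the multi-line `full` format), not that the format above is wrong.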