├── README.md
├── attack3.py
├── demo.rules
├── local.rules
├── scanport.rules
├── start.bat
├── udp.rules
└── 在Windows环境下搭建Snort+BASE入侵检测系统 - 简书.pdf


/README.md:
--------------------------------------------------------------------------------
 1 | # IDS-basedSnort
 2 | 
 3 | 基于snort base mysql 的入侵检测系统
 4 | 
 5 | ## 大致思路
 6 | 
 7 | 1. 安装服务启动器 apache
 8 | 2. 安装数据库 mysql
 9 | 3. 下载php
10 | 4. 以上三步推荐使用Appserv集成度好，不需要动脑子
11 | 5. [相关资源](https://cloud.189.cn/web/share?code=VVNvemyiaaEf)（访问码：zqr7）
12 | 6. 将snort路径位于c:\snort中 ！！！,不然自己要配置路径，很麻烦
13 | 7. 启动appserv 登录localhost 按照pdf修改网页内容，`snort/etc/snort.conf`不要动，修改好的。
14 | 8. 可以到使用`c:\snort\bin\snort -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -T`看一下是否有错
15 | 9. 主要-i 后面是网卡的索引号，使用到bin目录下的snort -W看下自己的index 一般来讲 看见网卡描述是厂商的名字的就选对应的index,但是此电脑中没有描述，一个个试过来。
16 | 10. `c:\snort\bin\snort -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -A fast `可以将记录写入log\alert.ids里面可以看一下
17 | 11. `c:\snort\bin\snort -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -dev` 刷新base看入侵尽量
18 | 
19 | ## 常见错误
20 | 1. 注意网卡的选择，要输入命令运行snort后，alert.ids没东西，大多数就是网卡有错。
21 | 2. debug的时候可以只保留一个规则，如local.rules 
22 | `alert icmp any any -> $HOME_NET any (msg:"SNORT：any host ping this host";sid:201900003; rev:1;)`看base是不是有icmp的alert
23 | ## Notice
24 | 启动脚本位于bin下，-i后设为自己的网卡索引
25 | attack3 默认获取的是本机ip，虚拟可以将ip赋值常量。
26 | 


--------------------------------------------------------------------------------
/attack3.py:
--------------------------------------------------------------------------------
 1 | # 获取获取本机ip
 2 | import socket
 3 | import threading
 4 | import os
 5 | hn=socket.gethostname()
 6 | ip=socket.gethostbyname(hn)
 7 | def testip(ip):
 8 |     c=f"ping {ip}"
 9 |     ret=os.system(c)
10 |     print(ret)
11 | # testip(ip)
12 | # 发起tcp连接
13 | def tcpattack(ip):
14 |     #第一步：创建一个socket
15 |     sc=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
16 |     #第二步：建立连接
17 |     try:
18 |         sc.connect((ip,8080))
19 |         #第三步：发送数据
20 |         sc.send(b'hello World!')
21 |         #第三步：接收数据
22 |         date=sc.recv(1024)
23 |         print(date.decode('utf-8'))
24 |     except:
25 |         return 0
26 | # 发起UDP连接
27 | def udpattack(ip):
28 |     s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)        # 创建一个基于UDP的socket对象
29 |     s.sendto('hello!'.encode(), (ip,80))            # 向指定服务器与端口号发送内容
30 |     try: 
31 |         s.recv(1024)                     
32 |         s.close()
33 |     except:
34 |         return 0
35 | def scan_poort(port,ip):
36 |     s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
37 |     try:
38 |         statu=s.connect_ex((ip,port))
39 |         if statu==0:
40 |             print(port,'is open')
41 |     except:
42 |         return 0
43 | # testip(ip)
44 | # # udpattack(ip)
45 | # tcpattack(ip)
46 | for i in range(80,800):
47 |     threading.Thread(target=scan_poort,args=(i,ip,)).start()
48 | 
49 | 
50 | 


--------------------------------------------------------------------------------
/demo.rules:
--------------------------------------------------------------------------------
1 | alert tcp any any -> $HOME_NET any (msg:"tcp attack any";  sid:201900001; rev:1;)


--------------------------------------------------------------------------------
/local.rules:
--------------------------------------------------------------------------------
1 | # $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
2 | # ----------------
3 | # LOCAL RULES
4 | # ----------------
5 | # This file intentionally does not come with signatures.  Put your local
6 | # additions here.
7 | alert icmp any any -> $HOME_NET any (msg:"External host ping inner host!";sid:201900003; rev:1;)
8 | 


--------------------------------------------------------------------------------
/scanport.rules:
--------------------------------------------------------------------------------
1 | alert tcp any any -> ￥HOME_NET any (msg:"MSF SYN scanning detected"; flags:S; ttl:=32; ack:0; sid:2000002)


--------------------------------------------------------------------------------
/start.bat:
--------------------------------------------------------------------------------
1 | snort -i4 -dev -c c:\snort\etc\snort.conf -l c:\snort\log


--------------------------------------------------------------------------------
/udp.rules:
--------------------------------------------------------------------------------
1 | alert udp any any -> $HOME_NET any (msg:"udp alert";  sid:20220630; rev:1;)


--------------------------------------------------------------------------------
/在Windows环境下搭建Snort+BASE入侵检测系统 - 简书.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/feesec/IDS-basedSnort/a385411936f1eb343ae19bf6d17b37e231fbabe0/在Windows环境下搭建Snort+BASE入侵检测系统 - 简书.pdf


--------------------------------------------------------------------------------