vvent0/Offline-Pcap-Analyser
GitHub: vvent0/Offline-Pcap-Analyser
Stars: 0 | Forks: 0
# PCAP IDS Analyzer
A lightweight, offline intrusion detection system (IDS) analyzer that uses Python and Scapy to detect TCP-based attacks in PCAP/PCAPNG files.
## Features
- **TCP SYN scan detection**: identifies potential port-scanning behaviour
- **High-rate connection detection**: flags an excessive number of connection attempts from a single source
- **Dual output formats**:
  - Snort-style console alerts
  - JSON output for further processing
- **Custom rule system**: extend detection with configurable rules
- **Cross-platform**: runs on Windows and Linux without modification
- **Memory efficient**: streams large PCAP files instead of loading them into memory in full
## Quick Start
### Installation
#### Windows (PowerShell)
```
# Create and activate virtual environment
python -m venv .venv
.venv\Scripts\Activate.ps1
# Install dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
```
#### Linux (Bash)
```
# Create and activate virtual environment
python3 -m venv .venv
source .venv/bin/activate
# Install dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
```
#### Basic Usage
```
# Analyze a PCAP file and save alerts to JSON
python pcap_ids.py capture.pcapng --json-out alerts.json
# Adjust detection thresholds
python pcap_ids.py capture.pcapng --syn-scan-threshold 30 --rate-threshold 80 --rate-window 2.0
# Use custom rules
python pcap_ids.py capture.pcapng --rules-config my_rules.json --json-out alerts.json
```
## Documentation
### Project Structure
```
├── pcap_ids.py # Main analyzer implementation
├── alerts.json # Logs alerts after each scan
├── rules_config.example.json # Example of custom rules
```
#### Built-in Detection Rules
You can extend detection by creating a custom rules file. Two layouts are accepted:
**Option A**: an object containing a `rules` array
```
{
  "rules": [
    {
      "type": "tcp_syn_scan",
      "sid": 1100001,
      "rev": 1,
      "msg": "Custom SYN scan rule",
      "priority": 1,
      "proto": "TCP",
      "unique_syn_targets_threshold": 50
    }
  ]
}
```
**Option B**: a top-level array
```
[
  {
    "type": "tcp_syn_scan",
    "sid": 1100001,
    "rev": 1,
    "msg": "Custom SYN scan rule",
    "priority": 1,
    "proto": "TCP",
    "unique_syn_targets_threshold": 50
  }
]
```
### Rule Fields
**Common fields (all rule types)**

| Field | Required | Type | Description |
| ------------- | ------------- | ------------- | ------------- |
| type | Yes | String | Rule type (`tcp_syn_scan` or `high_rate_connection_attempts`) |
| sid | No | Integer | Signature ID (auto-assigned if omitted) |
| rev | No | Integer | Revision number |
| msg | No | String | Alert message |
| priority | No | Integer | Alert priority (1 = highest) |
| proto | No | String | Protocol (e.g. "TCP") |
| enabled | No | Boolean | Enable/disable the rule (default: true) |

**TCP SYN scan specific fields**

| Field | Required | Type | Description |
| ------------- | ------------- | ------------- | ------------- |
| unique_syn_targets_threshold | Yes | Integer | Number of unique targets that triggers an alert |

**High-rate connection specific fields**

| Field | Required | Type | Description |
| ------------- | ------------- | ------------- | ------------- |
| attempts_threshold | Yes | Integer | Number of attempts that triggers an alert |
| window_seconds | Yes | Float | Time window over which attempts are counted |

### Output Formats
**Console output (Snort style)**
```
02/18-14:32:10.123456 [**] [1:1000001:1] Potential TCP SYN scan [**] [Priority: 2] {TCP} 10.0.0.5:45678 -> 192.168.1.10:80
```
**JSON output**
```
{
  "type": "tcp_syn_scan",
  "timestamp": "2024-02-18T14:32:10.123456Z",
  "src_ip": "10.0.0.5",
  "rule": {
    "gid": 1,
    "sid": 1000001,
    "rev": 1,
    "msg": "Potential TCP SYN scan",
    "priority": 2,
    "proto": "TCP"
  },
  "details": {
    "unique_targets": 25,
    "threshold": 20
  }
}
```
### Advanced Usage
**Full command example**
```
# Basic analysis with custom rules and thresholds
python pcap_ids.py suspicious_traffic.pcapng \
  --syn-scan-threshold 25 \
  --rate-threshold 60 \
  --rate-window 1.5 \
  --rules-config my_rules.json \
  --json-out detailed_alerts.json
# Analysis with default settings only
python pcap_ids.py capture.pcap --json-out alerts.json
```
**Creating custom rules - step by step**
1. Copy the example file
```
cp rules_config.example.json my_rules.json
```
2. Edit the rules
```
{
  "rules": [
    {
      "type": "tcp_syn_scan",
      "sid": 1100001,
      "rev": 1,
      "msg": "Aggressive SYN scan detection",
      "priority": 1,
      "proto": "TCP",
      "unique_syn_targets_threshold": 100
    },
    {
      "type": "high_rate_connection_attempts",
      "sid": 1100002,
      "rev": 1,
      "msg": "Burst connection detection",
      "priority": 1,
      "proto": "TCP",
      "attempts_threshold": 200,
      "window_seconds": 1.0
    }
  ]
}
```
3. Run with the custom rules
```
python pcap_ids.py capture.pcapng --rules-config my_rules.json --json-out alerts.json
```
**Performance notes**
- Streaming architecture: processes packets one at a time, ideal for large captures
- Memory cleanup: periodic cleanup of stale connection-tracking data
- Bounded storage: per-source tracking structures have size limits
- Efficient JSON writing: streams alerts directly to the file, no in-memory accumulation

**Limitations**
- Offline analysis only (no live capture support)
- TCP-based detection only (no UDP/ICMP analysis)
- No deep packet inspection
- Rule-based detection (no machine learning)

**Requirements**
- Python 3.10+
- scapy>=2.5.0
- pip

### Troubleshooting
- Problem: "Rules configuration error". Solution: check your JSON syntax and the required fields of your custom rules.
- Problem: no alerts generated. Solution: lower the thresholds, or verify that the PCAP contains TCP SYN traffic.
- Problem: memory usage grows. Solution: check that the cleanup interval is working; reduce the rate window size.
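The two rule types and both configuration layouts described above, as an added example that is not part of the project: a pure-Python re-implementation of the streaming detection loop run over constructed packet records, so it runs without Scapy or a capture file. The `(ts, src_ip, dst_ip, dst_port, flags)` record shape, the `load_rules`/`detect` names and the auto-assigned sid numbering are assumptions, and timestamps are left as raw capture times rather than the ISO strings the project emits.

```python
import json
from collections import defaultdict, deque

def load_rules(text):
    """Accept option A ({"rules": [...]}) or option B (a top-level array); drop disabled rules."""
    data = json.loads(text)
    rules = data["rules"] if isinstance(data, dict) else data
    for i, r in enumerate(rules):
        if r.get("type") not in ("tcp_syn_scan", "high_rate_connection_attempts"):
            raise ValueError(f"Rules configuration error: unknown type {r.get('type')!r}")
        r.setdefault("sid", 1000001 + i)  # auto-assigned sid; this numbering scheme is an assumption
    return [r for r in rules if r.get("enabled", True)]

def detect(packets, rules):
    """Single streaming pass over (ts, src_ip, dst_ip, dst_port, flags) records in capture order;
    returns alert dicts shaped like the README's JSON output (timestamp kept as the raw float)."""
    targets = defaultdict(set)   # src_ip -> distinct (dst_ip, dst_port) that received a bare SYN
    recent = defaultdict(deque)  # src_ip -> SYN timestamps inside the widest rate window (bounded)
    widest = max((r["window_seconds"] for r in rules if "window_seconds" in r), default=0.0)
    fired, alerts = set(), []
    for ts, src, dst, dport, flags in packets:
        if flags != "S":         # SYN-ACK, ACK, RST and so on are not connection attempts
            continue
        targets[src].add((dst, dport))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > widest:
            q.popleft()
        for r in rules:
            if (r["sid"], src) in fired:  # at most one alert per rule per source
                continue
            if r["type"] == "tcp_syn_scan":
                n, limit = len(targets[src]), r["unique_syn_targets_threshold"]
                details = {"unique_targets": n, "threshold": limit}
            else:
                n, limit = sum(1 for t in q if ts - t <= r["window_seconds"]), r["attempts_threshold"]
                details = {"attempts": n, "threshold": limit, "window_seconds": r["window_seconds"]}
            if n >= limit:
                fired.add((r["sid"], src))
                alerts.append({"type": r["type"], "timestamp": ts, "src_ip": src, "details": details,
                               "rule": {"gid": 1, "sid": r["sid"], "rev": r.get("rev", 1), "msg": r.get("msg", ""),
                                        "priority": r.get("priority", 2), "proto": r.get("proto", "TCP")}})
    return alerts

# Constructed sample: 10.0.0.5 bare-SYNs 25 ports of one host in half a second (a scan); 10.0.0.9 opens one normal connection.
SAMPLE_RULES = json.dumps({"rules": [
    {"type": "tcp_syn_scan", "sid": 1100001, "msg": "Custom SYN scan rule", "unique_syn_targets_threshold": 20},
    {"type": "high_rate_connection_attempts", "sid": 1100002, "attempts_threshold": 10, "window_seconds": 1.0}]})
SAMPLE_PACKETS = [(1.0 + i * 0.02, "10.0.0.5", "192.168.1.10", 1 + i, "S") for i in range(25)]
SAMPLE_PACKETS += [(3.0, "10.0.0.9", "192.168.1.10", 443, "S"), (3.1, "10.0.0.9", "192.168.1.10", 443, "A")]
```

Running `detect(SAMPLE_PACKETS, load_rules(SAMPLE_RULES))` yields exactly two alerts for 10.0.0.5 (the rate rule fires on its 10th SYN, the scan rule on its 20th distinct target) and none for 10.0.0.9.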