joshuaguda281-stack/simple-ids
GitHub: joshuaguda281-stack/simple-ids
A lightweight signature-based intrusion detection system that identifies common web attacks and generates structured reports.
Stars: 0 | Forks: 0
# Simple IDS - Intrusion Detection System
[License: MIT](https://opensource.org/licenses/MIT) | [Python](https://www.python.org/downloads/)
A lightweight, signature-based intrusion detection system (IDS) for detecting common web attacks, including SQL injection, XSS, command injection, path traversal and more.
## 🚀 Features

### Detection Capabilities
| Attack Type | Detection Rules | Severity |
|-------------|-----------------|----------|
| **SQL Injection** | UNION, OR/AND, comments, time-based, stacked queries | HIGH/CRITICAL |
| **XSS** | Script tags, event handlers, JavaScript URIs, SVG/image | MEDIUM/HIGH |
| **Command Injection** | Semicolon, pipe, subshell, reverse-shell patterns | CRITICAL |
| **Path Traversal** | Unix, Windows, URL-encoded | HIGH |
| **Reconnaissance** | Security scanner User-Agents, directory brute force | LOW/MEDIUM |
| **File Upload** | Malicious extensions, double extensions | HIGH |
| **Log4Shell** | JNDI injection patterns | CRITICAL |
| **XXE** | External entity declarations | HIGH |
### Analysis Modes

- **Log file analysis** - scan Apache, Nginx or custom logs
- **PCAP analysis** - analyze network captures using tshark
- **Attack simulation** - test detection capabilities
- **Report generation** - JSON output with statistics
## 🔧 Installation
```
# Clone the repository
git clone https://github.com/joshuaguda281-stack/simple-ids.git
cd simple-ids

# No Python dependencies are required
# For PCAP analysis, install tshark:
sudo apt install tshark  # Linux
```

### 1. Attack Simulation (Test Detection)

```
python3 simple_ids.py simulate
```

### 2. Analyze Log File

```
# Apache access log
python3 simple_ids.py log /var/log/apache2/access.log

# Nginx access log
python3 simple_ids.py log /var/log/nginx/access.log

# Custom log file
python3 simple_ids.py log /path/to/custom.log
```

### 3. Analyze PCAP File

```
python3 simple_ids.py pcap capture.pcap
```

### 4. Generate Report

```
python3 simple_ids.py report
```

## 📊 Sample Output

### Attack Simulation

```
======================================================================
🔬 IDS ATTACK SIMULATION
======================================================================
✅ DETECTED: SQLi - UNION
   Rule: SQL Injection - UNION SELECT
   Matched: union select
✅ DETECTED: XSS - Script
   Rule: XSS - Script Tag
   Matched:
======================================================================
📊 SIMULATION RESULTS
Detected: 28/30 (93.3%)
======================================================================
```

### Alert Format

```
╔══════════════════════════════════════════════════════════════════╗
║ 🚨 SQL Injection - UNION SELECT                                  ║
╠══════════════════════════════════════════════════════════════════╣
║ Source: access.log:1523                                          ║
║ Severity: HIGH                                                   ║
║ Category: SQL Injection                                          ║
║ Description: Detects UNION SELECT SQL injection attempts         ║
║ Matched: union select                                            ║
║ → Mitigation: Use parameterized queries and input validation     ║
║ Data: GET /page.php?id=1 UNION SELECT username,password FROM users
╚══════════════════════════════════════════════════════════════════╝
```

### JSON Report

```
{
  "timestamp": "2024-01-15T14:30:00",
  "total_alerts": 47,
  "alerts_by_category": {
    "SQL Injection": 23,
    "XSS": 12,
    "Command Injection": 5,
    "Path Traversal": 4,
    "Reconnaissance": 3
  },
  "alerts_by_severity": {
    "CRITICAL": 8,
    "HIGH": 25,
    "MEDIUM": 10,
    "LOW": 4
  }
}
```

## 📁 Rule Categories

| Category | # Rules | Description |
|----------|---------|-------------|
| SQL Injection | 5 | UNION, OR/AND, Comments, Time-based, Stacked |
| XSS | 5 | Script, Events, JavaScript URI, SVG, Data URI |
| Command Injection | 4 | Semicolon, Pipe, Subshell, Redirect |
| Path Traversal | 3 | Unix, Windows, Encoded |
| Reconnaissance | 2 | Scanners, Directory bruteforce |
| File Upload | 2 | Malicious extensions, Double extensions |
| Log4Shell | 1 | JNDI injection |
| XXE | 1 | External entities |

## 🎯 Use Cases

- **Web Application Firewall (WAF)** - complement existing security controls
- **Log Analysis** - review historical attacks
- **Incident Response** - investigate security events
- **Security Testing** - validate detection rules
- **Network Forensics** - analyze PCAP files

## ⚙️ Customization

### Add Custom Rules

Edit the `load_rules()` method and append a rule dictionary:

```
self.rules.append({
    'name': 'Custom Rule Name',
    'pattern': r'your_regex_pattern',
    'severity': 'HIGH',  # LOW, MEDIUM, HIGH, CRITICAL
    'category': 'Custom Category',
    'description': 'What this rule detects',
    'mitigation': 'How to fix/prevent'
})
```
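As an added illustration of how a rule list in the dictionary format above can be applied to log lines (example code written for this page, not the project's own `simple_ids.py`; the two rules, the `normalize`/`scan_lines`/`build_report` names and the sample log lines are all constructed), the following decodes each Apache-style line before matching, so URL-encoded traversal sequences are caught, and summarises the alerts in the shape of the JSON report shown earlier:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Hypothetical rules in the same dict format as load_rules() (constructed for this example).
RULES = [
    {'name': 'SQL Injection - UNION SELECT', 'pattern': r'union\s+(?:all\s+)?select',
     'severity': 'HIGH', 'category': 'SQL Injection',
     'description': 'Detects UNION SELECT SQL injection attempts',
     'mitigation': 'Use parameterized queries and input validation'},
    {'name': 'Path Traversal - Unix', 'pattern': r'(?:\.\./){2,}',
     'severity': 'HIGH', 'category': 'Path Traversal',
     'description': 'Detects repeated ../ sequences, including URL-encoded forms',
     'mitigation': 'Canonicalize paths and enforce an allow-listed root directory'},
]

# Compile every pattern once; signatures are matched case-insensitively.
COMPILED = [(rule, re.compile(rule['pattern'], re.IGNORECASE)) for rule in RULES]

def normalize(line):
    """Decode URL encoding twice so %2e%2e%2f and %252e%252e%252f both become ../."""
    return unquote(unquote(line))

def scan_lines(lines, source='access.log'):
    """Return one alert per (line, rule) match, with a source:lineno like the Alert Format."""
    alerts = []
    for lineno, raw in enumerate(lines, start=1):
        decoded = normalize(raw)
        for rule, regex in COMPILED:
            match = regex.search(decoded)
            if match:
                alerts.append({'rule': rule['name'], 'category': rule['category'],
                               'severity': rule['severity'], 'matched': match.group(0),
                               'source': f'{source}:{lineno}', 'mitigation': rule['mitigation']})
    return alerts

def build_report(alerts):
    """Summarise alerts by category and severity, as in the JSON report."""
    return {'total_alerts': len(alerts),
            'alerts_by_category': dict(Counter(a['category'] for a in alerts)),
            'alerts_by_severity': dict(Counter(a['severity'] for a in alerts))}

# Constructed sample Apache-style access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2024:14:30:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Jan/2024:14:30:01 +0000] "GET /page.php?id=1 UNION SELECT username,password FROM users HTTP/1.1" 200 88',
    '10.0.0.9 - - [15/Jan/2024:14:30:02 +0000] "GET /download?f=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0',
]
```

Running `build_report(scan_lines(SAMPLE_LOG))` yields two HIGH alerts, one per category; the first sample line produces none, and the encoded traversal in the third line is only detected because of the decoding step.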
### Modify Existing Rules

Adjust patterns, severity, or mitigation messages as needed.

## 📋 Requirements

- Python 3.6+ (no external dependencies)
- tshark (optional, for PCAP analysis):

```
sudo apt install wireshark
```

## 🐛 Troubleshooting

| Issue | Solution |
|-------|----------|
| `tshark: command not found` | Install wireshark: `sudo apt install wireshark` |
| Permission denied reading log | Use `sudo` or adjust file permissions |
| No alerts on known attacks | Verify the log format matches the expected patterns |

## 📝 License

MIT License - see the LICENSE file for details.

## 👤 Author

Joshua Guda

- GitHub: @joshuaguda281-stack
- LinkedIn: Joshua Guda

## ⭐ Support

If this tool helps you detect attacks, please star the repository!