解压:
unzip -o run_poc.zip
执行:
1. suricata直接触发告警:
# 默认执行
python run_poc.py
# 大部分用例fail时, 如下执行看结果(rules文件是测试环境验证的入侵检测规则库)
python run_poc.py -r suricata.rules
使用说明usage
warning: unexcept args: ['-h']
usage: python run_poc.py
python run_poc.py -r suricata.rules -t default
python run_poc.py -t ioc,http
python run_poc.py -r suricata.rules
-r, --rules : suricata's rules file
-t, --tags : **internal tag**: "default", "all"; multiple tags are separated with ","
**隐藏说明**
单独执行具体pcap: python run_poc_ex.py -r suricata.rules -t ids --pcap alert_trojan_udp.pcap
执行效果
批量默认
[root@isa4 v2]# python run_poc_ex.py -r suricata.rules -t ids
rules: 'suricata.rules', tags: ids
[+]pcap:alert_VulAttack_LateralPenetration_Attempt_openssl_heartbleed.pcap, result:pass
[+]pcap:alert_VulAttack_LateralPenetration_Success_openssl_heartbleed.pcap, result:pass
[+]pcap:alert_VulAttack_LateralPenetration_Attempt_php_longflow.pcap, result:pass
[+]pcap:alert_VulAttack_LateralPenetration_Fail_phpunit.pcap, result:pass
[+]pcap:alert_WebAttack_LateralPenetration_Attempt_http-post-webshell-php-404.pcap, result:pass
[+]pcap:alert_WebAttack_NetworkIntrusion_Attempt_cve-2012-1823_phpcgi.pcap, result:pass
[+]pcap:alert_mysql_load_file.pcap, result:pass
[+]pcap:alert_ransonware_udp.pcap, result:pass
[+]pcap:alert_trojan_udp.pcap, result:pass
[+]pcap:alert_backdoor_134echo.pcap, result:pass
END: the detail log see:/home/test/poc/v2/tmp.log
单个执行
[root@isa4 v2]# python run_poc_ex.py -r suricata.rules -t ids --pcap alert_trojan_udp.pcap
notice: only run pcap: alert_trojan_udp.pcap
rules: 'suricata.rules', tags: ids
[+] pcap:alert_trojan_udp.pcap, result:pass
2. tcpreplay 触发告警:
- pcap 目录:
pcaps/tcpreplay
预置条件:
1.额外一台服务器(简称 G 或 PC)，安装 CentOS 7.x 系统和 tcpreplay 工具。
2.Web端,系统设置-数据接入-流量探针配置,内网网段:192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
3.探针监控网口直连服务器G的流量回放网口，代号em100(下文命令示例中写作 em1，请替换为实际网卡名称，可通过 ifconfig、ip address 等命令查看)
- 执行操作(注意: --loop=0 表示无限循环回放，除第1条带 --duration=30 外，其余命令验证完成后需手动 Ctrl-C 终止；回放网口应仅直连探针，避免将攻击流量送入生产网络):
1. tcpreplay -i em1 -K -M 10 --duration=30 --loop=0 --unique-ip alert_Scanports_InternalDetection_Attempt_nmap_sS.pcap
2. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_ssh_fail.pcap
3. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_ftp_fail.pcap
4. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_mysql_fail.pcap
5. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_telnet_fail.pcap
6. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_pop3_fail.pcap