解压：

unzip -o run_poc.zip

执行:

1. suricata直接触发告警：

# 默认执行
python run_poc.py

# 大部分用例fail时, 如下执行看结果（rules文件是测试环境验证的入侵检测规则库）
python run_poc.py -r suricata.rules 

使用说明usage

warning: unexcept args: ['-h']
        usage: python run_poc.py
               python run_poc.py -r suricata.rules -t default
               python run_poc.py -t ioc,http
               python run_poc.py -r suricata.rules
        -r, --rules : suricata's rules file
        -t, --tags  : **internal tag**: "default", "all",  multi-tags split with ","

**隐藏说明**
单独执行具体pcap: python run_poc_ex.py  -r suricata.rules -t ids --pcap alert_trojan_udp.pcap

执行效果

• 批量默认

  [root@isa4 v2]# python run_poc_ex.py -r suricata.rules -t ids
  rules: 'suricata.rules', tags: ids
  [+]pcap:alert_VulAttack_LateralPenetration_Attempt_openssl_heartbleed.pcap,      result:pass
  [+]pcap:alert_VulAttack_LateralPenetration_Success_openssl_heartbleed.pcap,      result:pass
  [+]pcap:alert_VulAttack_LateralPenetration_Attempt_php_longflow.pcap,    result:pass
  [+]pcap:alert_VulAttack_LateralPenetration_Fail_phpunit.pcap,    result:pass
  [+]pcap:alert_WebAttack_LateralPenetration_Attempt_http-post-webshell-php-404.pcap,      result:pass
  [+]pcap:alert_WebAttack_NetworkIntrusion_Attempt_cve-2012-1823_phpcgi.pcap,      result:pass
  [+]pcap:alert_mysql_load_file.pcap,      result:pass
  [+]pcap:alert_ransonware_udp.pcap,       result:pass
  [+]pcap:alert_trojan_udp.pcap,   result:pass
  [+]pcap:alert_backdoor_134echo.pcap,     result:pass
  END: the detail log see:/home/test/poc/v2/tmp.log

• 单个执行

  [root@isa4 v2]# python run_poc_ex.py  -r suricata.rules -t ids --pcap alert_trojan_udp.pcap
  notice: only run pcap: alert_trojan_udp.pcap
  rules: 'suricata.rules', tags: ids
  [+] pcap:alert_trojan_udp.pcap,  result:pass

2. tcpreplay 触发告警：

• pcap 目录：
  pcaps/tcpreplay

• 预置条件：

  1.额外一台服务器，简称G 或者 PC，安装CentosOS 7.x系统 和tcpreplay工具。

  2.Web端，系统设置-数据接入-流量探针配置，内网网段：192.168.0.0/16,10.0.0.0/8,172.16.0.0/12

  3.探针监控网口 直连 服务器G的流量回放网口，代号em100（具体看实际网卡名称 ifconfig, ip address等）

• 执行操作：

1. tcpreplay -i em1 -K -M 10 --duration=30 --loop=0 --unique-ip alert_Scanports_InternalDetection_Attempt_nmap_sS.pcap
2. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_ssh_fail.pcap
3. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_ftp_fail.pcap
4. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_mysql_fail.pcap
5. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_telnet_fail.pcap
6. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_pop3_fail.pcap