Unpack:

unzip -o run_poc.zip

Run:

1. Triggering alerts with Suricata directly:

# default run
python run_poc.py

# if most cases fail, rerun against the rules file and compare (suricata.rules is the intrusion-detection rule set validated in the test environment)
python run_poc.py -r suricata.rules

Usage (the script has no -h option; passing it makes the script print a warning and then its usage text):

warning: unexcept args: ['-h']
        usage: python run_poc.py
               python run_poc.py -r suricata.rules -t default
               python run_poc.py -t ioc,http
               python run_poc.py -r suricata.rules
        -r, --rules : suricata's rules file
        -t, --tags  : **internal tag**: "default", "all",  multi-tags split with ","

**Hidden option**
Run one specific pcap only: python run_poc_ex.py -r suricata.rules -t ids --pcap alert_trojan_udp.pcap

Sample output

  • Batch (default)

    [root@isa4 v2]# python run_poc_ex.py -r suricata.rules -t ids
    rules: 'suricata.rules', tags: ids
    [+]pcap:alert_VulAttack_LateralPenetration_Attempt_openssl_heartbleed.pcap,      result:pass
    [+]pcap:alert_VulAttack_LateralPenetration_Success_openssl_heartbleed.pcap,      result:pass
    [+]pcap:alert_VulAttack_LateralPenetration_Attempt_php_longflow.pcap,    result:pass
    [+]pcap:alert_VulAttack_LateralPenetration_Fail_phpunit.pcap,    result:pass
    [+]pcap:alert_WebAttack_LateralPenetration_Attempt_http-post-webshell-php-404.pcap,      result:pass
    [+]pcap:alert_WebAttack_NetworkIntrusion_Attempt_cve-2012-1823_phpcgi.pcap,      result:pass
    [+]pcap:alert_mysql_load_file.pcap,      result:pass
    [+]pcap:alert_ransonware_udp.pcap,       result:pass
    [+]pcap:alert_trojan_udp.pcap,   result:pass
    [+]pcap:alert_backdoor_134echo.pcap,     result:pass
    END: the detail log see:/home/test/poc/v2/tmp.log
  • Single pcap

    [root@isa4 v2]# python run_poc_ex.py  -r suricata.rules -t ids --pcap alert_trojan_udp.pcap
    notice: only run pcap: alert_trojan_udp.pcap
    rules: 'suricata.rules', tags: ids
    [+] pcap:alert_trojan_udp.pcap,  result:pass
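The page does not show how run_poc.py decides pass or fail. As an added illustration (not the project's run_poc.py), the script below does the same job with Suricata's own command line: it runs Suricata offline over one pcap with only the given rules file loaded (suricata -r pcap -S rules -l logdir), reads the alerts out of eve.json, and prints a verdict line in the same shape as the runner's output. It assumes a suricata binary on PATH and eve.json output enabled (the shipped suricata.yaml default); the EVE lines and the 9000001/9000002 signature IDs are constructed sample data, not rules from suricata.rules.

```python
import json
import pathlib
import subprocess
import tempfile


def parse_eve_alerts(eve_lines):
    """Extract (signature_id, signature) pairs from Suricata EVE JSON lines.

    Non-alert events (flow, dns, stats, ...) and unparsable lines are skipped,
    because eve.json interleaves every event type in one file.
    """
    alerts = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        alerts.append((alert.get("signature_id"), alert.get("signature")))
    return alerts


def judge(pcap_name, alerts, expected_sid=None):
    """Turn the alert list into a pass/fail verdict line.

    Without expected_sid any alert counts as a pass; with it, the named
    signature must have fired, so an unrelated rule cannot mask a regression.
    """
    if expected_sid is None:
        hit = bool(alerts)
    else:
        hit = any(sid == expected_sid for sid, _ in alerts)
    return f"[+]pcap:{pcap_name}, result:{'pass' if hit else 'fail'}"


def run_suricata_on_pcap(pcap, rules, suricata_bin="suricata"):
    """Run Suricata offline (-r) with only the given rule file (-S) and
    return the alerts it logged. Assumes eve.json output is enabled in the
    Suricata configuration, which is the default in the shipped suricata.yaml."""
    with tempfile.TemporaryDirectory() as logdir:
        subprocess.run(
            [suricata_bin, "-r", str(pcap), "-S", str(rules), "-l", logdir],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        eve = pathlib.Path(logdir) / "eve.json"
        lines = eve.read_text().splitlines() if eve.exists() else []
    return parse_eve_alerts(lines)


def check_pcaps(pcap_paths, rules, expected_sids=None):
    """Batch driver: one verdict line per pcap, like the runner's output.
    expected_sids maps a pcap file name to the SID that must fire (optional)."""
    expected_sids = expected_sids or {}
    verdicts = []
    for pcap in pcap_paths:
        name = pathlib.Path(pcap).name
        alerts = run_suricata_on_pcap(pcap, rules)
        verdicts.append(judge(name, alerts, expected_sids.get(name)))
    return verdicts


# Constructed sample of eve.json content (not captured from the test bench):
# two alerts with local-range SIDs, one flow record, one corrupt line.
SAMPLE_EVE = [
    '{"timestamp":"2025-07-01T10:00:00.000000+0800","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.168.1.10","proto":"UDP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"LOCAL Trojan UDP beacon (constructed)","severity":1}}',
    '{"timestamp":"2025-07-01T10:00:01.000000+0800","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"192.168.1.10","proto":"UDP"}',
    '{"timestamp":"2025-07-01T10:00:02.000000+0800","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.168.1.10","proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,'
    '"signature":"LOCAL backdoor echo reply (constructed)","severity":2}}',
    '{"event_type":"alert", truncated',
]

if __name__ == "__main__":
    alerts = parse_eve_alerts(SAMPLE_EVE)
    print(judge("alert_trojan_udp.pcap", alerts))           # pass: something fired
    print(judge("alert_trojan_udp.pcap", alerts, 9000001))  # pass: the expected SID fired
    print(judge("alert_trojan_udp.pcap", alerts, 9000099))  # fail: expected SID absent
```

The expected_sid check is the part worth keeping when a case from the batch above starts failing: "any alert fired" passes as long as some rule matches, so a broken rule can hide behind a noisy neighbour, whereas pinning the SID per pcap tells you which rule actually regressed.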

2. Triggering alerts with tcpreplay:

  • pcap directory:
    pcaps/tcpreplay
  • Prerequisites:

    1. One additional server, referred to as G (or PC), running CentOS 7.x with the tcpreplay tool installed.

    2. In the web UI, under System Settings - Data Ingestion - Traffic Probe configuration, set the internal network ranges to 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 (the three RFC 1918 private ranges).

    3. The probe's monitoring port is cabled directly to server G's replay port, em1 in the commands below (use the interface name actually shown by ifconfig or ip address).

  • Steps:
1. tcpreplay -i em1 -K -M 10 --duration=30 --loop=0 --unique-ip alert_Scanports_InternalDetection_Attempt_nmap_sS.pcap
2. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_ssh_fail.pcap
3. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_ftp_fail.pcap
4. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_mysql_fail.pcap
5. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_telnet_fail.pcap
6. tcpreplay -i em1 -K --loop=0 --unique-ip alert_baopo_pop3_fail.pcap

Flags: -K preloads the pcap into RAM before sending, -M 10 caps the replay rate at 10 Mbps, --loop=0 replays the file until stopped, --unique-ip rewrites the IP addresses on each pass so every loop looks like a new source, and --duration=30 stops after 30 seconds. Steps 2 to 6 carry no --duration, so each runs until Ctrl-C; stop one once its alert has fired before starting the next.
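The six commands above are easy to mistype and, because of --loop=0, cannot simply be chained in a script. As an added example (not tooling from the page), the driver below builds the same tcpreplay command lines, checks on the replay server that it runs as root, that tcpreplay is installed and that the replay NIC has link (via Linux sysfs, an assumption of this example), and adds a --duration to every pcap that does not already have one so an unattended batch terminates. The 60-second default, the dry_run mode and the PCAP_DIR/REPLAY_PLAN names are choices made here, not settings from the page.

```python
import os
import shutil
import subprocess
from pathlib import Path

# Directory named on the page; the interface name is whatever `ip address`
# shows on the replay server (em1 in the page's command list).
PCAP_DIR = Path("pcaps/tcpreplay")

# (pcap name, extra tcpreplay arguments). The SYN-scan capture is rate-limited
# to 10 Mbps and capped at 30 s exactly as in step 1; the brute-force captures
# take no extra arguments.
REPLAY_PLAN = [
    ("alert_Scanports_InternalDetection_Attempt_nmap_sS.pcap", ["-M", "10", "--duration=30"]),
    ("alert_baopo_ssh_fail.pcap", []),
    ("alert_baopo_ftp_fail.pcap", []),
    ("alert_baopo_mysql_fail.pcap", []),
    ("alert_baopo_telnet_fail.pcap", []),
    ("alert_baopo_pop3_fail.pcap", []),
]


def build_replay_cmd(iface, pcap, extra=(), duration=None):
    """Assemble the tcpreplay argv used on the page: -K preloads the pcap into
    RAM, --loop=0 replays forever, --unique-ip rewrites the IP addresses on
    every pass so each loop is a new source for the brute-force counters.

    --loop=0 never returns, so for unattended batch runs a --duration is added
    unless the per-pcap extras already carry one."""
    cmd = ["tcpreplay", "-i", iface, "-K", "--loop=0", "--unique-ip", *extra]
    if duration is not None and not any(a.startswith("--duration") for a in extra):
        cmd.append(f"--duration={duration}")
    cmd.append(str(pcap))
    return cmd


def iface_is_up(iface):
    """Linux-only check via sysfs that the replay NIC exists and has link."""
    state = Path("/sys/class/net") / iface / "operstate"
    return state.exists() and state.read_text().strip() == "up"


def replay_all(iface, plan=REPLAY_PLAN, pcap_dir=PCAP_DIR, duration=60, dry_run=False):
    """Replay every pcap in the plan in turn and return the commands used.
    With dry_run=True nothing is sent and no privilege or NIC checks run,
    which is how to review the plan on a non-root workstation."""
    cmds = []
    if not dry_run:
        if os.geteuid() != 0:
            raise SystemExit("tcpreplay needs root to inject on the interface")
        if shutil.which("tcpreplay") is None:
            raise SystemExit("tcpreplay is not installed on this replay server")
        if not iface_is_up(iface):
            raise SystemExit(f"{iface} is missing or has no link to the probe")
    for name, extra in plan:
        pcap = pcap_dir / name
        cmd = build_replay_cmd(iface, pcap, extra, duration)
        cmds.append(cmd)
        if dry_run:
            continue
        if not pcap.is_file():
            print(f"[-] skip {name}: file not found")
            continue
        subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in replay_all("em1", dry_run=True):
        print(" ".join(cmd))
```

Run it once with dry_run=True on any machine to eyeball the command lines, then as root on server G with dry_run=False. Because brute-force rules count attempts within a time window, the --duration chosen per pcap must be long enough for the rule's threshold to be reached at the replay rate; if an alert does not fire, lengthen the duration before suspecting the rule.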
Last modified: 2025-07-01