
idsEventGenerator, a.k.a GENESIDS

Reads rules written in a Snort-like syntax (as of Snort 2.9.11) from a rule file, puts the parsed rule content in a struct and (optionally) prints the rule. It then (optionally) constructs HTTP requests that are sent to the configured host (typically a web server) and that trigger events for the parsed rules on a listening IDS. "Snort-like" means it accepts Snort rules but does not require all fields of a Snort rule.

For the moment it only converts hex characters in content patterns that fall within the first 128 (7-bit ASCII) characters. It only parses rules that use one of the following content modifiers: http_[method,uri,raw_uri,stat_msg,stat_code,header,raw_header,client_body,cookie,raw_cookie], the equivalent modifiers for PCRE content, or the uricontent keyword. It ignores rules that do not trigger an alert, that contain none of the 'content', 'pcre' or 'uricontent' keywords, or that contain any other unsupported content-related keyword.
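The following Python sketch is an added illustration of the pipeline just described and is not the project's code: it parses a Snort-like rule, converts hex content only for ASCII bytes, attaches the http_* modifiers to their content, and assembles (without sending) the request that places each pattern in the part of the HTTP request its modifier names. The sample rule, the host and the X-Pattern carrier header are constructed assumptions; PCRE/exrex handling is left out.

```python
import re
# Constructed sample rule in Snort-like syntax (not taken from the project's test data).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST admin login probe"; '
               'flow:to_server,established; content:"POST"; http_method; nocase; '
               'content:"/admin/|6C 6F|gin"; http_uri; content:"User-Agent|3A| test-scanner"; http_header; '
               'content:"user=guest"; http_client_body; sid:1000001; rev:1;)')
HTTP_MODIFIERS = {"http_" + p for p in "method uri raw_uri header raw_header client_body cookie raw_cookie".split()}
# One rule option: keyword, optional ':value' (a quoted value may contain ';'), terminating ';'.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

def decode_hex(pattern):
    """Decode |XX XX| sections for ASCII bytes (< 0x80), the only range the tool converts; others stay hex."""
    def repl(m):
        return "".join(chr(int(h, 16)) if int(h, 16) < 0x80 else f"|{h}|" for h in m.group(1).split())
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", repl, pattern)

def parse_rule(rule):
    """Return (msg, [(pattern, modifier), ...]) or None if the tool would ignore the rule."""
    if not rule.startswith("alert"):          # only alert rules are processed
        return None
    msg, contents = "", []
    for key, val in OPTION_RE.findall(rule.partition("(")[2]):
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key in ("content", "uricontent"):  # uricontent is the legacy form of content + http_uri
            contents.append([decode_hex(val), "http_uri" if key == "uricontent" else None])
        elif contents and contents[-1][1] is None and key in HTTP_MODIFIERS:
            contents[-1][1] = key              # attach the modifier to the preceding content
    if not contents or any(mod is None for _, mod in contents):
        return None                             # no content, or a content without a supported modifier
    return msg, [tuple(c) for c in contents]

def build_request(parsed, host):
    """Assemble (not send) the HTTP/1.1 request text that puts each pattern where its modifier points."""
    by_mod = {}
    for pattern, mod in parsed[1]:
        by_mod.setdefault(mod.replace("raw_", ""), []).append(pattern)   # raw_* -> same request part
    method = "".join(by_mod.get("http_method", ["GET"]))
    uri = "".join(by_mod.get("http_uri", [])) or "/"
    if not uri.startswith("/"):
        uri = "/" + uri
    body = "".join(by_mod.get("http_client_body", []))
    lines = [f"{method} {uri} HTTP/1.1", f"Host: {host}"]
    for hdr in by_mod.get("http_header", []) + ["Cookie: " + c for c in by_mod.get("http_cookie", [])]:
        # "Name: value" patterns become their own header line; others ride in X-Pattern (a carrier header assumed here)
        lines.append(hdr if ": " in hdr else f"X-Pattern: {hdr}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body
```

Running `build_request(parse_rule(SAMPLE_RULE), "192.0.2.10")` yields a POST to /admin/login carrying the User-Agent header and body patterns, which is the request an IDS loaded with that rule should alert on.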

libcurl is needed for compilation (e.g. sudo apt-get install libcurl4-openssl-dev). Build it by executing "g++ -std=c++11 idsEventGenerator.cpp -lcurl".

For generating strings out of PCREs it uses the Python command exrex. Install it with "pip install exrex"; this requires a working Python and pip environment (e.g. sudo apt-get install python-pip).

Run it by executing "./a.out -f <snortRuleFile> -s <webserver>". For more options run "./a.out -h".

ISSUES:
- libcurl reports a timeout error if an HTTP HEAD request is sent, although the request is sent and a response is received. BEWARE: the more likely cause of this error is that the web server at the given IP address is not responding or down, or that the IP address is wrong.
- If you see a Python "Traceback" error in your stderr, it means that the exrex command had problems parsing/generating the regex from the given rule.

For more in-depth information refer to the paper: "How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffic", Proceedings of ACM SIGCOMM 2018, Workshop on Traffic Measurements for Cybersecurity (WTMC 2018), http://www.ccs-labs.org/bib/erlacher2018genesids/
