ids复习
idshwk1
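# Homework 1: alert on a TCP segment to port 8080 whose payload carries the literal
# "I am IDS Homework I" (spaces written as |20|) beginning inside the payload window
# that starts at byte 99 and is 101 bytes long (offset:99; depth:101).
# flags:A+ rather than flags:A: a bare "A" matches only when ACK is the sole flag set,
# and data-carrying segments commonly have PSH set as well, so they would be skipped.
alert tcp any any -> any 8080 (flags:A+; content:"I|20|am|20|IDS|20|Homework|20|I"; offset:99; depth:101; msg:"TEST ALERT"; sid:20210319;)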
hwk2
# Stage 1: a segment to port 3399 whose payload matches "login" or "Initial" marks the
# session with flowbit "cy"; flowbits:noalert keeps this rule itself silent.
# NOTE(review): the pcre is unanchored and case-sensitive, so "login" anywhere in the
# payload (e.g. inside a longer word) is enough to set the bit.
alert tcp any any -> any 3399 ( pcre:"/(login|Initial)/"; flowbits:set,cy; flowbits:noalert; sid:100002;)
# Stage 2: once "cy" is set on the session, alert when a payload contains a dotted-quad
# IPv4 address followed by ":port"; the alternations bound each octet to 0-255 and the
# port to 0-65535.
# NOTE(review): the pattern is unanchored, so a valid address:port embedded in a longer
# digit run still matches; neither rule carries a flow: option, so direction and
# session state are not constrained. sids run counter to evaluation order (100002 sets,
# 100001 checks) — presumably fine for the exercise.
alert tcp any any -> any 3399 ( pcre:"/((25[0-5]|2[0-4]\d|((1\d{2})|([1-9]?\d)))\.){3}(25[0-5]|2[0-4]\d|((1\d{2})|([1-9]?\d)):([0-9]|[1-9]\d|[1-9]\d{2}|[1-9]\d{3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))/"; msg: "bot founded"; flowbits:isset,cy; sid:100001; )
hwk3
# Maps each client (originator) address to the distinct, lower-cased User-Agent
# values it has presented; filled by http_header, reported by zeek_done.
global agentTable :table[addr] of set[string] = table();
# Remember every distinct (lower-cased) User-Agent a client address has sent.
# Runs on each HTTP header event, but only consults the already-parsed
# c$http$user_agent field; the header's own name/value are not inspected.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Nothing to record until a User-Agent has been parsed for this connection.
    if ( ! c$http?$user_agent )
        return;

    local client: addr = c$id$orig_h;
    local ua: string = to_lower(c$http$user_agent);

    # First sight of this client: start its (empty) set, then add the agent.
    if ( client !in agentTable )
        agentTable[client] = set();

    add agentTable[client][ua];
    }
# At shutdown, print every client that presented three or more distinct
# User-Agent strings as a suspected proxy (several clients behind one address).
event zeek_done()
    {
    for ( client in agentTable )
        {
        local agents = agentTable[client];
        if ( |agents| > 2 )
            print addr_to_uri(client) + " is a proxy";
        }
    }
hwk4
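# Feed every HTTP response into SumStats keyed by the client address:
# "http_response" receives all responses, "http_response_404" only 404s, and
# both carry the requested URI so a UNIQUE reducer can count distinct URIs.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    # uri is an &optional field of HTTP::Info (a reply can be seen without a
    # parsed request); reading a missing field aborts the handler, so skip it.
    if ( ! c$http?$uri )
        return;

    local client = SumStats::Key($host = c$id$orig_h);
    local uri = SumStats::Observation($str = c$http$uri);

    if ( code == 404 )
        SumStats::observe("http_response_404", client, uri);

    SumStats::observe("http_response", client, uri);
    }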
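# Register the per-client scanner detector. Every 10 minutes a client is printed
# as a scanner when its 404 responses are numerous (> 2), mostly to distinct
# URIs (> 50% unique), and a noticeable share of all its responses (> 20%).
event zeek_init()
    {
    local reducer1 = SumStats::Reducer($stream="http_response_404",
                                       $apply=set(SumStats::SUM, SumStats::UNIQUE));
    local reducer2 = SumStats::Reducer($stream="http_response",
                                       $apply=set(SumStats::SUM));
    SumStats::create([$name = "find_scaner",
                      $epoch = 10min,
                      $reducers = set(reducer1, reducer2),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          # A key only carries the streams it was observed on: a client
                          # with no 404s has no "http_response_404" entry, and indexing a
                          # missing stream is a runtime error, so bail out first.
                          if ( "http_response_404" !in result || "http_response" !in result )
                              return;

                          local r1 = result["http_response_404"];
                          local r2 = result["http_response"];
                          # SumStats sums are doubles, so the ratios are true divisions;
                          # r1$sum > 2 keeps the first divisor non-zero, and r2$sum >= r1$sum
                          # because every 404 is also observed on "http_response".
                          if ( r1$sum > 2 && (r1$unique / r1$sum) > 0.5 && (r1$sum / r2$sum) > 0.2 )
                              print fmt("%s is a scanner with %d scan attempts on %d urls",
                                        key$host, r1$sum, r1$unique);
                          }]);
    }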
hwk5
from sklearn.ensemble import RandomForestClassifier
import numpy as np
import math
# Module-level accumulators filled by initData / initData2 and read by main():
# labelled training domains (Domain objects) and bare test domain names.
domainlist = []
domainlist2= []
class Domain:
    """A labelled domain name from the training file.

    `name` is the domain string; `label` is the raw class string as read from
    the file, where "notdga" is the benign class and anything else counts as DGA.
    """

    def __init__(self, _name, _label):
        self.name = _name
        self.label = _label

    def returnData(self):
        """Feature vector for the classifier: [length, digit count, letter entropy]."""
        name = self.name
        return [len(name), countnumber(name), cal_entropy(name)]

    def returnLabel(self):
        """Numeric class: 0 for the "notdga" label, 1 for every other label."""
        return 0 if self.label == "notdga" else 1
def countnumber(string):
    """Return how many characters of `string` satisfy str.isdigit()."""
    return sum(1 for ch in string if ch.isdigit())
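def cal_entropy(text):
    """Shannon entropy, in bits, of the a-z letter distribution of `text`.

    Case is ignored; digits, punctuation and non-ASCII characters are skipped.
    Returns 0.0 when the text contains no ASCII letters (the previous version
    divided by zero for an all-digit name and raised IndexError on non-ASCII
    letters, which isalpha() accepts but which fall outside the 26 buckets).
    """
    counts = [0] * 26
    total = 0
    for ch in text.lower():
        # Only a-z may index the 26 buckets.
        if 'a' <= ch <= 'z':
            counts[ord(ch) - ord('a')] += 1
            total += 1
    if total == 0:
        return 0.0
    h = 0.0
    for n in counts:
        if n:
            p = n / total
            h -= p * math.log(p, 2)
    return h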
def initData(filename):
    """Load "name,label" lines from `filename` into the global domainlist.

    Blank lines and lines beginning with "#" are skipped; each remaining line
    is split on "," and its first two fields become a Domain(name, label).
    """
    with open(filename) as fh:
        for raw in fh:
            entry = raw.strip()
            if not entry or entry.startswith("#"):
                continue
            fields = entry.split(",")
            domainlist.append(Domain(fields[0], fields[1]))
def initData2(filename):
    """Load the first comma-separated field of each line of `filename` into
    the global domainlist2 (the unlabelled test domains).

    Blank lines and lines beginning with "#" are skipped.
    """
    with open(filename) as fh:
        for raw in fh:
            entry = raw.strip()
            if not entry or entry.startswith("#"):
                continue
            domainlist2.append(entry.split(",")[0])
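def main():
    """Train a random forest on train.txt and label every domain in test.txt.

    Features per domain are the same three as Domain.returnData(): length,
    digit count and letter entropy. Predictions are written to result.txt as
    "name,label" lines, where label is "notdga" for class 0 and "dga" for 1.
    """
    initData("train.txt")
    initData2("test.txt")

    featureMatrix = [item.returnData() for item in domainlist]
    labelList = [item.returnLabel() for item in domainlist]

    clf = RandomForestClassifier(random_state=0)
    clf.fit(featureMatrix, labelList)

    # Index matches returnLabel(): 0 -> "notdga", 1 -> "dga".
    arr = ["notdga", "dga"]
    # `with` closes result.txt even if predict() raises; the previous version
    # left the handle open.
    with open("result.txt", 'w') as f:
        for item in domainlist2:
            # Same feature order as Domain.returnData().
            t = clf.predict([[len(item), countnumber(item), cal_entropy(item)]])
            f.write(item + ',' + arr[int(t[0])] + '\n')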
# Script entry point: run the pipeline only when executed directly, not on import.
if __name__ == '__main__':
    main()