Share
## https://sploitus.com/exploit?id=430332C2-EC66-5F4C-9F93-C2EE81998644
# Simple IDS - Intrusion Detection System
[](https://opensource.org/licenses/MIT)
[](https://www.python.org/downloads/)
A lightweight, signature-based Intrusion Detection System (IDS) that detects common web attacks including SQL injection, XSS, command injection, path traversal, and more.
## ๐ Features
### Detection Capabilities
| Attack Type | Detection Rules | Severity |
|-------------|-----------------|----------|
| **SQL Injection** | UNION, OR/AND, Comments, Time-based, Stacked queries | HIGH/CRITICAL |
| **XSS** | Script tags, Event handlers, JavaScript URIs, SVG/Image | MEDIUM/HIGH |
| **Command Injection** | Semicolon, Pipe, Subshell, Reverse shell patterns | CRITICAL |
| **Path Traversal** | Unix, Windows, URL-encoded | HIGH |
| **Reconnaissance** | Security scanner UA, Directory bruteforce | LOW/MEDIUM |
| **File Upload** | Malicious extensions, Double extensions | HIGH |
| **Log4Shell** | JNDI injection patterns | CRITICAL |
| **XXE** | External entity declarations | HIGH |
### Analysis Modes
- **Log File Analysis** - Scan Apache, Nginx, or custom logs
- **PCAP Analysis** - Analyze network captures with tshark
- **Attack Simulation** - Test detection capabilities
- **Report Generation** - JSON output with statistics
## ๐ง Installation
```bash
# Clone the repository
git clone https://github.com/joshuaguda281-stack/simple-ids.git
cd simple-ids
# No Python dependencies required!
# For PCAP analysis, install tshark:
sudo apt install tshark # Linux
1. Attack Simulation (Test Detection)
python3 simple_ids.py simulate
2. Analyze Log File
# Apache access log
python3 simple_ids.py log /var/log/apache2/access.log
# Nginx access log
python3 simple_ids.py log /var/log/nginx/access.log
# Custom log file
python3 simple_ids.py log /path/to/custom.log
3. Analyze PCAP File
python3 simple_ids.py pcap capture.pcap
4. Generate Report
python3 simple_ids.py report
๐ Sample Output
Attack Simulation
======================================================================
๐ฌ IDS ATTACK SIMULATION
======================================================================
โ
DETECTED: SQLi - UNION
Rule: SQL Injection - UNION SELECT
Matched: union select
โ
DETECTED: XSS - Script
Rule: XSS - Script Tag
Matched: alert('XSS')
======================================================================
๐ SIMULATION RESULTS
Detected: 28/30 (93.3%)
======================================================================
Alert Format
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐จ SQL Injection - UNION SELECT โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ Source: access.log:1523 โ
โ Severity: HIGH โ
โ Category: SQL Injection โ
โ Description: Detects UNION SELECT SQL injection attempts โ
โ Matched: union select โ
โ โ Mitigation: Use parameterized queries and input validation โ
โ Data: GET /page.php?id=1 UNION SELECT username,password FROM users
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
JSON Report
{
"timestamp": "2024-01-15T14:30:00",
"total_alerts": 47,
"alerts_by_category": {
"SQL Injection": 23,
"XSS": 12,
"Command Injection": 5,
"Path Traversal": 4,
"Reconnaissance": 3
},
"alerts_by_severity": {
"CRITICAL": 8,
"HIGH": 25,
"MEDIUM": 10,
"LOW": 4
}
}
๐ Rule Categories
Category # Rules Description
SQL Injection 5 UNION, OR/AND, Comments, Time-based, Stacked
XSS 5 Script, Events, JavaScript URI, SVG, Data URI
Command Injection 4 Semicolon, Pipe, Subshell, Redirect
Path Traversal 3 Unix, Windows, Encoded
Reconnaissance 2 Scanners, Directory bruteforce
File Upload 2 Malicious extensions, Double extensions
Log4Shell 1 JNDI injection
XXE 1 External entities
๐ฏ Use Cases
Web Application Firewall (WAF) - Complement existing security
Log Analysis - Review historical attacks
Incident Response - Investigate security events
Security Testing - Validate detection rules
Network Forensics - Analyze PCAP files
โ๏ธ Customization
Add Custom Rules
Edit the load_rules() method:
self.rules.append({
'name': 'Custom Rule Name',
'pattern': r'your_regex_pattern',
'severity': 'HIGH', # LOW, MEDIUM, HIGH, CRITICAL
'category': 'Custom Category',
'description': 'What this rule detects',
'mitigation': 'How to fix/prevent'
})
Modify Existing Rules
Adjust patterns, severity, or mitigation messages as needed.
๐ Requirements
Python 3.6+ (no external dependencies)
tshark (optional, for PCAP analysis)
sudo apt install wireshark
๐ Troubleshooting
Issue Solution
tshark: command not found Install wireshark: sudo apt install wireshark
Permission denied reading log Use sudo or adjust file permissions
No alerts on known attacks Verify log format matches expected patterns
๐ License
MIT License - See LICENSE file for details.
๐ค Author
Joshua Guda
GitHub: @joshuaguda281-stack
LinkedIn: Joshua Guda
โญ Support
If this tool helps you detect attacks, please star the repository!
python3 simple_ids.py report