Share
## https://sploitus.com/exploit?id=430332C2-EC66-5F4C-9F93-C2EE81998644
# Simple IDS - Intrusion Detection System

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Python 3.6+](https://img.shields.io/badge/python-3.6+-blue.svg)](https://www.python.org/downloads/)

A lightweight, signature-based Intrusion Detection System (IDS) that detects common web attacks including SQL injection, XSS, command injection, path traversal, and more.

## ๐Ÿš€ Features

### Detection Capabilities

| Attack Type | Detection Rules | Severity |
|-------------|-----------------|----------|
| **SQL Injection** | UNION, OR/AND, Comments, Time-based, Stacked queries | HIGH/CRITICAL |
| **XSS** | Script tags, Event handlers, JavaScript URIs, SVG/Image | MEDIUM/HIGH |
| **Command Injection** | Semicolon, Pipe, Subshell, Reverse shell patterns | CRITICAL |
| **Path Traversal** | Unix, Windows, URL-encoded | HIGH |
| **Reconnaissance** | Security scanner UA, Directory bruteforce | LOW/MEDIUM |
| **File Upload** | Malicious extensions, Double extensions | HIGH |
| **Log4Shell** | JNDI injection patterns | CRITICAL |
| **XXE** | External entity declarations | HIGH |

### Analysis Modes

- **Log File Analysis** - Scan Apache, Nginx, or custom logs
- **PCAP Analysis** - Analyze network captures with tshark
- **Attack Simulation** - Test detection capabilities
- **Report Generation** - JSON output with statistics

## ๐Ÿ”ง Installation

```bash
# Clone the repository
git clone https://github.com/joshuaguda281-stack/simple-ids.git
cd simple-ids

# No Python dependencies required!
# For PCAP analysis, install tshark:
sudo apt install tshark  # Linux

1. Attack Simulation (Test Detection)

python3 simple_ids.py simulate


2. Analyze Log File

# Apache access log
python3 simple_ids.py log /var/log/apache2/access.log

# Nginx access log
python3 simple_ids.py log /var/log/nginx/access.log

# Custom log file
python3 simple_ids.py log /path/to/custom.log


3. Analyze PCAP File

python3 simple_ids.py pcap capture.pcap


4. Generate Report

python3 simple_ids.py report


๐Ÿ“Š Sample Output
Attack Simulation

======================================================================
๐Ÿ”ฌ IDS ATTACK SIMULATION
======================================================================

โœ… DETECTED: SQLi - UNION
   Rule: SQL Injection - UNION SELECT
   Matched: union select
โœ… DETECTED: XSS - Script
   Rule: XSS - Script Tag
   Matched: alert('XSS')

======================================================================
๐Ÿ“Š SIMULATION RESULTS
Detected: 28/30 (93.3%)
======================================================================


Alert Format

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ ๐Ÿšจ SQL Injection - UNION SELECT                                   โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ Source: access.log:1523                                          โ•‘
โ•‘ Severity: HIGH                                                   โ•‘
โ•‘ Category: SQL Injection                                          โ•‘
โ•‘ Description: Detects UNION SELECT SQL injection attempts         โ•‘
โ•‘ Matched: union select                                            โ•‘
โ•‘ โ†’ Mitigation: Use parameterized queries and input validation     โ•‘
โ•‘ Data: GET /page.php?id=1 UNION SELECT username,password FROM users
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

JSON Report

{
    "timestamp": "2024-01-15T14:30:00",
    "total_alerts": 47,
    "alerts_by_category": {
        "SQL Injection": 23,
        "XSS": 12,
        "Command Injection": 5,
        "Path Traversal": 4,
        "Reconnaissance": 3
    },
    "alerts_by_severity": {
        "CRITICAL": 8,
        "HIGH": 25,
        "MEDIUM": 10,
        "LOW": 4
    }
}


๐Ÿ“ Rule Categories
Category	# Rules	Description
SQL Injection	5	UNION, OR/AND, Comments, Time-based, Stacked
XSS	5	Script, Events, JavaScript URI, SVG, Data URI
Command Injection	4	Semicolon, Pipe, Subshell, Redirect
Path Traversal	3	Unix, Windows, Encoded
Reconnaissance	2	Scanners, Directory bruteforce
File Upload	2	Malicious extensions, Double extensions
Log4Shell	1	JNDI injection
XXE	1	External entities


๐ŸŽฏ Use Cases
Web Application Firewall (WAF) - Complement existing security

Log Analysis - Review historical attacks

Incident Response - Investigate security events

Security Testing - Validate detection rules

Network Forensics - Analyze PCAP files


โš™๏ธ Customization
Add Custom Rules
Edit the load_rules() method:

self.rules.append({
    'name': 'Custom Rule Name',
    'pattern': r'your_regex_pattern',
    'severity': 'HIGH',  # LOW, MEDIUM, HIGH, CRITICAL
    'category': 'Custom Category',
    'description': 'What this rule detects',
    'mitigation': 'How to fix/prevent'
})


Modify Existing Rules
Adjust patterns, severity, or mitigation messages as needed.

๐Ÿ“‹ Requirements
Python 3.6+ (no external dependencies)

tshark (optional, for PCAP analysis)

sudo apt install wireshark

๐Ÿ› Troubleshooting
Issue	Solution
tshark: command not found	Install wireshark: sudo apt install wireshark
Permission denied reading log	Use sudo or adjust file permissions
No alerts on known attacks	Verify log format matches expected patterns


๐Ÿ“ License
MIT License - See LICENSE file for details.

๐Ÿ‘ค Author
Joshua Guda
GitHub: @joshuaguda281-stack

LinkedIn: Joshua Guda

โญ Support
If this tool helps you detect attacks, please star the repository!
python3 simple_ids.py report