入侵检测与数字取证-期末复习

IDS 复习（入侵检测部分：Snort 规则、Zeek 脚本、DGA 域名分类）



IDS 作业 1：Snort 规则（在发往 8080 端口的 TCP 载荷固定偏移处匹配指定字符串）

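# Homework 1: alert on TCP segments to port 8080 whose payload carries the
# marker string within bytes 99..199 (offset 99, depth 101 counted from the
# offset; the 19-byte pattern must therefore start no later than byte 181).
# |20| is a hex-escaped space inside the content match.
# flags:A+ instead of flags:A — a bare "A" matches only segments whose SOLE
# flag is ACK, so a typical data segment carrying PSH+ACK would never fire;
# "A+" means ACK plus any other flags.  rev added so edits to the rule can
# be tracked.
alert tcp any any -> any 8080 (flags:A+; content:"I|20|am|20|IDS|20|Homework|20|I"; offset:99; depth:101; msg:"TEST ALERT"; sid:20210319; rev:1;)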

作业 2：Snort flowbits 两阶段规则（先标记出现 login/Initial 的 3399 端口流，再在同一流中匹配 "IPv4:端口" 形式的字符串）

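# Homework 2: two-stage detection on port 3399 tied together with a flowbit.
# Stage 1 marks the flow once "login" or "Initial" (case-sensitive) appears
# in a payload and never alerts on its own.
alert tcp any any -> any 3399 ( pcre:"/(login|Initial)/"; flowbits:set,cy; flowbits:noalert; sid:100002; rev:1;)
# Stage 2 alerts when a later packet of the same flow contains a dotted-quad
# IPv4 address followed by ":port" (port 0-65535).  The (?<!\d) / (?!\d)
# guards stop the match from starting or ending inside a longer digit run:
# the original alternatives were unanchored, so "999.1.2.3:4" matched via the
# substring "99.1.2.3:4" and a port like "99999" matched on its first digit.
# msg typo fixed ("founded" -> "found"); rev added for tracking.
alert tcp any any -> any 3399 ( pcre:"/(?<!\d)((25[0-5]|2[0-4]\d|((1\d{2})|([1-9]?\d)))\.){3}(25[0-5]|2[0-4]\d|((1\d{2})|([1-9]?\d)):([0-9]|[1-9]\d|[1-9]\d{2}|[1-9]\d{3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])(?!\d)/"; msg:"bot found"; flowbits:isset,cy; sid:100001; rev:1;)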

作业 3：Zeek 脚本（按源地址收集不同的 User-Agent，数量 ≥ 3 时报告为疑似代理）

# Per-client set of the User-Agent strings it has sent (lower-cased).
# The table only grows for the life of the process: fine for a pcap run,
# but a long-lived sensor would want an expiry (e.g. &create_expire) on it.
global agentTable :table[addr] of set[string] = table();

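# Record every distinct User-Agent each client address presents.  A host
# that shows many different agents is a lead that it is a forward proxy
# (several real clients behind one address); a single machine running a
# few browsers plus updaters looks the same, so treat it as a hint only.
# Reads the header straight from this event instead of c$http$user_agent:
# that field is filled in by the base HTTP script's own http_header handler,
# and nothing here guarantees that handler ran before this one.
event http_header(c: connection, is_orig: bool, name: string, value: string) {
	# Only request headers carry a User-Agent; Zeek delivers header names
	# upper-cased.
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	local orig_addr: addr = c$id$orig_h;
	# Case-fold so "Mozilla" and "mozilla" count as one agent.
	local agent: string = to_lower(value);

	if ( orig_addr in agentTable )
		add agentTable[orig_addr][agent];
	else
		agentTable[orig_addr] = set(agent);
}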

# At shutdown, name every client that used three or more distinct
# User-Agent strings.  The threshold is hard-coded; a host with a couple of
# browsers and an auto-updater can cross it, so expect some false positives.
event zeek_done() {
	for ( client in agentTable )
		{
		local n_agents: count = |agentTable[client]|;
		if ( n_agents < 3 )
			next;
		# addr_to_uri brackets IPv6 addresses, so the output is unambiguous.
		print fmt("%s is a proxy", addr_to_uri(client));
		}
}

作业 4：Zeek SumStats（按客户端统计 404 响应数、404 URI 去重数与总响应数，识别路径扫描器）

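# Feed two SumStats streams keyed by client address: every HTTP reply, and
# the subset answered with 404.  The 404 stream is reduced with UNIQUE over
# the request URI, so a client probing many different non-existent paths
# stands out from one that keeps hitting a single dead link.
event http_reply(c: connection, version: string, code: count, reason: string)
{
	# $uri is an optional field of the http record; a reply whose request
	# was not seen has none, and reading an unset field aborts the handler
	# with a runtime error.  Skip such replies instead.
	if ( ! c$http?$uri )
		return;

	local k: SumStats::Key = SumStats::Key($host = c$id$orig_h);

	if ( code == 404 )
		SumStats::observe("http_response_404", k,
		                  SumStats::Observation($str = c$http$uri));

	SumStats::observe("http_response", k,
	                  SumStats::Observation($str = c$http$uri));
}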

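# Every 10 minutes, report clients whose 404 replies look like scanning:
# more than two of them, mostly for distinct URIs, and a sizeable share of
# all replies the client received in the epoch.
event zeek_init()
{
	local reducer1 = SumStats::Reducer($stream="http_response_404",
	                                   $apply=set(SumStats::SUM, SumStats::UNIQUE));
	local reducer2 = SumStats::Reducer($stream="http_response",
	                                   $apply=set(SumStats::SUM));

	SumStats::create([$name = "find_scaner",
	                  $epoch = 10min,
	                  $reducers = set(reducer1, reducer2),
	                  $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
	                  {
	                  # result only holds the streams that saw this key: a
	                  # client with no 404s has no "http_response_404" entry,
	                  # and indexing it would abort the callback at runtime.
	                  if ( "http_response_404" !in result || "http_response" !in result )
	                      return;

	                  local r1 = result["http_response_404"];
	                  local r2 = result["http_response"];

	                  # $num is the observation count of a stream and is always
	                  # maintained, whatever the reducers; it does not depend on
	                  # how SUM treats observations that carry only $str.
	                  # Multiply by 1.0 first: count / count is integer division.
	                  local n404: count = r1$num;
	                  local nall: count = r2$num;
	                  local uniq_share: double = (1.0 * r1$unique) / n404;
	                  local notfound_share: double = (1.0 * n404) / nall;

	                  if ( n404 > 2 && uniq_share > 0.5 && notfound_share > 0.2 )
	                      print fmt("%s is a scanner with %d scan attempts on %d urls",
	                                key$host, n404, r1$unique);
	                  }]);
}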

作业 5：Python 随机森林 DGA 域名分类（特征：域名长度、数字个数、字母熵；输出 result.txt）

from sklearn.ensemble import RandomForestClassifier
import numpy as np
import math


domainlist = []   # training samples (Domain objects), filled by initData()
domainlist2= []   # test domain names (plain strings), filled by initData2()

class Domain:
    """One labelled training sample: a domain name plus its text label."""

    def __init__(self, _name, _label):
        self.name = _name      # raw domain string from the training file
        self.label = _label    # "notdga" for benign; anything else is DGA

    def returnData(self):
        """Feature vector: [length, digit count, letter entropy]."""
        features = [len(self.name), countnumber(self.name), cal_entropy(self.name)]
        return features

    def returnLabel(self):
        """0 for the benign label "notdga", 1 for every other label."""
        return 0 if self.label == "notdga" else 1
		
def countnumber(string):
    """Return how many characters of ``string`` are decimal digits."""
    return sum(1 for ch in string if ch.isdigit())

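def cal_entropy(text):
    """Shannon entropy (bits) of the distribution of letters a-z in ``text``.

    Case-folded ASCII letters are counted; digits, hyphens, dots and any
    non-ASCII character are ignored, so the value measures how evenly the
    letters are spread, not the whole string.

    Returns 0.0 when ``text`` has no ASCII letters.  The original divided
    by the letter count unconditionally (ZeroDivisionError on "" or a
    purely numeric label) and indexed a 26-slot table with any character
    for which str.isalpha() is true, so a non-ASCII letter raised IndexError.
    """
    counts = [0] * 26
    total = 0
    for ch in text.lower():
        # Explicit range check rather than isalpha(): only a-z map into counts.
        if "a" <= ch <= "z":
            counts[ord(ch) - ord("a")] += 1
            total += 1
    if total == 0:
        return 0.0
    h = 0.0
    for c in counts:
        if c:
            p = c / total
            h -= p * math.log(p, 2)
    return h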

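def initData(filename):
    """Load labelled samples from ``filename`` into the global ``domainlist``.

    Expected format: one ``domain,label`` pair per line.  Blank lines and
    lines starting with '#' are skipped, and so are lines without a comma
    (the original raised IndexError on them).  Both fields are stripped so a
    trailing space does not turn "notdga " into a DGA label.

    The file is treated as trusted local input; no further validation of the
    domain text is done here.
    """
    with open(filename) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            tokens = line.split(",")
            if len(tokens) < 2:
                continue
            domainlist.append(Domain(tokens[0].strip(), tokens[1].strip()))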
			
def initData2(filename):
    """Load the domains to classify from ``filename`` into ``domainlist2``.

    Only the text before the first comma on each line is kept; blank lines
    and '#' comment lines are skipped.  Whitespace around the line is
    stripped, but not around the first field itself.
    """
    with open(filename) as f:
        for raw in f:
            stripped = raw.strip()
            if not stripped or stripped.startswith("#"):
                continue
            # Same as split(",")[0]: everything up to the first comma, or the
            # whole line when there is none.
            domainlist2.append(stripped.partition(",")[0])

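def main():
    """Train a random forest on train.txt and label every domain in test.txt.

    Writes one ``name,label`` line per test domain to result.txt.  Inference
    uses the same three features ``Domain.returnData`` produces, so training
    and prediction agree.  Both input files are trusted local data.
    """
    initData("train.txt")
    initData2("test.txt")

    featureMatrix = [item.returnData() for item in domainlist]
    labelList = [item.returnLabel() for item in domainlist]

    # random_state pinned so the homework result is reproducible run to run.
    clf = RandomForestClassifier(random_state=0)
    clf.fit(featureMatrix, labelList)

    labels = ["notdga", "dga"]
    # `with` closes the output deterministically; the original never closed
    # the file and relied on interpreter shutdown to flush it.
    with open("result.txt", "w") as f:
        if not domainlist2:
            return
        # One batched predict instead of a call per domain: identical answers,
        # far fewer model traversals for a large test file.
        testMatrix = [[len(n), countnumber(n), cal_entropy(n)] for n in domainlist2]
        for name, pred in zip(domainlist2, clf.predict(testMatrix)):
            f.write(name + "," + labels[int(pred)] + "\n")


if __name__ == "__main__":
    main()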

