A lightweight, signature-based Intrusion Detection System (IDS) that detects common web attacks including SQL injection, XSS, command injection, path traversal, and more.
| Attack Type | Detection Rules | Severity |
|---|---|---|
| SQL Injection | UNION, OR/AND, Comments, Time-based, Stacked queries | HIGH/CRITICAL |
| XSS | Script tags, Event handlers, JavaScript URIs, SVG/Image | MEDIUM/HIGH |
| Command Injection | Semicolon, Pipe, Subshell, Reverse shell patterns | CRITICAL |
| Path Traversal | Unix, Windows, URL-encoded | HIGH |
| Reconnaissance | Security scanner UA, Directory bruteforce | LOW/MEDIUM |
| File Upload | Malicious extensions, Double extensions | HIGH |
| Log4Shell | JNDI injection patterns | CRITICAL |
| XXE | External entity declarations | HIGH |
- Log File Analysis - Scan Apache, Nginx, or custom logs
- PCAP Analysis - Analyze network captures with tshark
- Attack Simulation - Test detection capabilities
- Report Generation - JSON output with statistics
```bash
# Clone the repository
git clone https://github.com/joshuaguda281-stack/simple-ids.git
cd simple-ids

# No Python dependencies required!
# For PCAP analysis, install tshark:
sudo apt install tshark   # Linux
```
### 1. Attack Simulation (Test Detection)

```bash
python3 simple_ids.py simulate
```

### 2. Analyze Log File

```bash
# Apache access log
python3 simple_ids.py log /var/log/apache2/access.log

# Nginx access log
python3 simple_ids.py log /var/log/nginx/access.log

# Custom log file
python3 simple_ids.py log /path/to/custom.log
```

### 3. Analyze PCAP File

```bash
python3 simple_ids.py pcap capture.pcap
```

### 4. Generate Report

```bash
python3 simple_ids.py report
```
## 📊 Sample Output

### Attack Simulation

```
======================================================================
🔬 IDS ATTACK SIMULATION
======================================================================
✅ DETECTED: SQLi - UNION
   Rule: SQL Injection - UNION SELECT
   Matched: union select
✅ DETECTED: XSS - Script
   Rule: XSS - Script Tag
   Matched: <script>alert('XSS')</script>
======================================================================
📊 SIMULATION RESULTS
   Detected: 28/30 (93.3%)
======================================================================
```

### Alert Format

```
╔══════════════════════════════════════════════════════════════════╗
║ 🚨 SQL Injection - UNION SELECT                                   ║
╠══════════════════════════════════════════════════════════════════╣
║ Source: access.log:1523                                           ║
║ Severity: HIGH                                                    ║
║ Category: SQL Injection                                           ║
║ Description: Detects UNION SELECT SQL injection attempts          ║
║ Matched: union select                                             ║
║ → Mitigation: Use parameterized queries and input validation      ║
║ Data: GET /page.php?id=1 UNION SELECT username,password FROM users
╚══════════════════════════════════════════════════════════════════╝
```

### JSON Report

```json
{
  "timestamp": "2024-01-15T14:30:00",
  "total_alerts": 47,
  "alerts_by_category": {
    "SQL Injection": 23,
    "XSS": 12,
    "Command Injection": 5,
    "Path Traversal": 4,
    "Reconnaissance": 3
  },
  "alerts_by_severity": {
    "CRITICAL": 8,
    "HIGH": 25,
    "MEDIUM": 10,
    "LOW": 4
  }
}
```
## 📁 Rule Categories

| Category | # Rules | Description |
|---|---|---|
| SQL Injection | 5 | UNION, OR/AND, Comments, Time-based, Stacked |
| XSS | 5 | Script, Events, JavaScript URI, SVG, Data URI |
| Command Injection | 4 | Semicolon, Pipe, Subshell, Redirect |
| Path Traversal | 3 | Unix, Windows, Encoded |
| Reconnaissance | 2 | Scanners, Directory bruteforce |
| File Upload | 2 | Malicious extensions, Double extensions |
| Log4Shell | 1 | JNDI injection |
| XXE | 1 | External entities |
## 🎯 Use Cases

- **Web Application Firewall (WAF)** - Complement existing security
- **Log Analysis** - Review historical attacks
- **Incident Response** - Investigate security events
- **Security Testing** - Validate detection rules
- **Network Forensics** - Analyze PCAP files
## ⚙️ Customization

### Add Custom Rules

Edit the `load_rules()` method:

```python
self.rules.append({
    'name': 'Custom Rule Name',
    'pattern': r'your_regex_pattern',
    'severity': 'HIGH',  # LOW, MEDIUM, HIGH, CRITICAL
    'category': 'Custom Category',
    'description': 'What this rule detects',
    'mitigation': 'How to fix/prevent'
})
```

### Modify Existing Rules

Adjust patterns, severity, or mitigation messages as needed.
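To show how rules in this dict format are applied to a log, here is a small added example (not the project's own code; it assumes the log is in Apache/Nginx combined format and that rules are matched case-insensitively against the request target). It URL-decodes the target twice before matching, so the "Encoded" path traversal variant is caught even when double-encoded, and runs over constructed sample lines.

```python
import re
from urllib.parse import unquote

# Rules in the same dict shape as the README's load_rules() entries (constructed for this example).
RULES = [
    {'name': 'SQL Injection - UNION SELECT', 'pattern': r'union\s+(all\s+)?select',
     'severity': 'HIGH', 'category': 'SQL Injection',
     'description': 'Detects UNION SELECT SQL injection attempts',
     'mitigation': 'Use parameterized queries and input validation'},
    {'name': 'Path Traversal - Unix', 'pattern': r'(\.\./){2,}',
     'severity': 'HIGH', 'category': 'Path Traversal',
     'description': 'Detects ../ sequences, including URL-encoded forms',
     'mitigation': 'Canonicalize paths and restrict access to a base directory'},
]

# Compile once; SQL keywords and HTML tags are case-insensitive, so match that way.
COMPILED = [(r, re.compile(r['pattern'], re.IGNORECASE)) for r in RULES]

# Combined log format: the request line sits between the first pair of double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize(target: str) -> str:
    """Decode twice so %252e%252e%252f (double-encoded ../) is seen as the same thing as ../."""
    return unquote(unquote(target))

def scan_line(line: str, lineno: int, source: str = 'access.log'):
    """Return one alert dict per rule that matches the decoded request target of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []            # not a request line we understand; skip rather than guess
    target = normalize(m.group('target'))
    alerts = []
    for rule, rx in COMPILED:
        hit = rx.search(target)
        if hit:
            alerts.append({'rule': rule['name'], 'severity': rule['severity'],
                           'category': rule['category'], 'matched': hit.group(0),
                           'source': f'{source}:{lineno}', 'data': target})
    return alerts

def scan_lines(lines):
    """Scan an iterable of log lines, numbering them from 1 as the alert Source field does."""
    return [a for i, line in enumerate(lines, 1) for a in scan_line(line, i)]

# Constructed sample log lines (not real traffic): one benign, one SQLi, one double-encoded traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2024:14:30:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Jan/2024:14:30:01 +0000] "GET /page.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.9 - - [15/Jan/2024:14:30:02 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == '__main__':
    for alert in scan_lines(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rule']} at {alert['source']}: {alert['matched']}")
```

Without the decoding step the third line would produce no alert, which is the usual cause of the "No alerts on known attacks" situation in the troubleshooting table.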
## 📋 Requirements

- Python 3.6+ (no external dependencies)
- tshark (optional, for PCAP analysis)

```bash
sudo apt install wireshark
```
## 🐛 Troubleshooting

| Issue | Solution |
|---|---|
| `tshark: command not found` | Install wireshark: `sudo apt install wireshark` |
| Permission denied reading log | Use `sudo` or adjust file permissions |
| No alerts on known attacks | Verify log format matches expected patterns |
## 📝 License

MIT License - See LICENSE file for details.

## 👤 Author

Joshua Guda

- GitHub: @joshuaguda281-stack
- LinkedIn: Joshua Guda

## ⭐ Support

If this tool helps you detect attacks, please star the repository!