picatz/simple_ids.rb

## simple_ids.rb
require 'packetfu'

iface = PacketFu::Utils.default_int

cap = PacketFu::Capture.new(:iface => iface, :start => true, :filter => "ip")

attack_patterns = ["^gotcha", "owned!*$", "^\x04[^\x00]{50}"]

loop do
  cap.stream.each do |pkt|
    packet = PacketFu::Packet.parse(pkt)
    attack_patterns.each do |sig|
      hit = packet.payload.scan(/#{sig}/i) || nil
      puts "#{Time.now}: %s attacked %s [%s]" % [packet.ip_saddr, packet.ip_daddr, sig.inspect] unless hit.size.zero?
    end
  end
end
	require 'packetfu'

	iface = PacketFu::Utils.default_int

	cap = PacketFu::Capture.new(:iface => iface, :start => true, :filter => "ip")

	attack_patterns = ["^gotcha", "owned!*$", "^\x04[^\x00]{50}"]

	loop do
	cap.stream.each do \|pkt\|
	packet = PacketFu::Packet.parse(pkt)
	attack_patterns.each do \|sig\|
	hit = packet.payload.scan(/#{sig}/i) \|\| nil
	puts "#{Time.now}: %s attacked %s [%s]" % [packet.ip_saddr, packet.ip_daddr, sig.inspect] unless hit.size.zero?
	end
	end
	end