环境介绍
物理机:win10+wireshark
靶机:win7+phpstudy+DVWA
攻击手段
参见DVWA闯关File Inclusion
在攻击之前,做wireshark抓包并过滤数据
编写规则
alert tcp any any -> any any (msg:"DVWA-fi漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/fi"; fast_pattern:only; uricontent:"page="; nocase; pcre:"/page[\s=]+?.+?\.(php|html|txt|jsp|aspx|conf|htaccess|md|ini|ico)/iU"; metadata:service http; sid:6; rev:1;)
分析
在终端(powershell)中输入
snort -de -c C:\Snort\etc\snort.conf -l C:\Snort\log -r C:\dvwa抓包\file-inclusion.pcapng