add machine-learning

Author: qq4108863

README.TXT

@@ -1,19 +1,19 @@
-一、HiHTTPS是一款完整源码的高性能SSL WEB应用防火墙（ SSL WAF），采用epoll模式支持高并发，并且兼容ModSecurity正则规则。
-    [开源版提供完整的防护功能]
+一、HiHTTPS是首款基于机器学习、自主对抗未知攻击的高性能SSL WEB应用防火墙（ SSL WAF），源码完整并且兼容ModSecurity正则规则。
+    [开源版提供完整的源码和防护]
 	    1. 恶意Web漏洞扫描
 	    2. 数据库SQL注入
 	    3. 跨站脚本攻击（XSS)
 	    4、CC  & DDOS防护
 	    5、密码暴力破解
-	    6. URL黑白名单
-	    7. 危险文件上传检测
-	    8. 非法URL/文件访问
-	    9. 兼容OWASP的ModSecurity正则规则
-	    10.epoll模型单核3万+的HTTPS并发连接
+	    6. 危险文件上传检测
+	    7. 非法URL/文件访问
+	    8. 兼容OWASP的ModSecurity正则规则
+	    9. epoll模型单核数万并发连接
+	    10.无监督机器学习、自主生成对抗规则
 	    .....
 
 
-二、安装步骤  
+二、编译运行
   1. 安装OpenSSL和libpcre
   CentOS : 
   	yum install openssl openssl-devel
@@ -24,30 +24,41 @@
   	apt-get install libpcre3 libpcre3-dev  
 
   2.编译
-  解压到任意目录，make后生成可执行文件hihttps.
+  解压到任意目录，make后生成可执行文件hihttps
+  [rules]是规则目录，[train]是样本采集目录，[vector]是自然语言word2doc向量生成目录，[src]是源码目录。
+ 
 
   3.规则
-  规则放在和hihttps同一级的rules目录即可，注意后缀是.conf或者.rule,更多规则请在
-  https://github.com/SpiderLabs/owasp-modsecurity-crs/下载，根据需求配置。
-  具体请看rules/main.conf详细说明。
-  默认已经开启了DDOS & CC防御，要测试并发请求，可以临时停用DDOS规则。
+  规则放在和hihttps同一级的rules目录，更多规则在https://github.com/SpiderLabs/owasp-modsecurity-crs/ 下载。
+
 
   4.运行
-  通常是hihttps前端运行443（https）端口，后端反向代理80端口。
-  首先保证Web服务器80端口运行正常，443端口没占用（或者端口在config.cfg里改变配置)
-  ./hihttps默认读取当前目录下的confg.cfg文件， 或者./hihttps --config /dir/config.cfg
-  具体请看config.cfg详细说明， 如果成功打印加载了rules目录下的规则，代表运行成功。
-  
-  5.测试
-  rules/main.rule默认加载了一条SQL语句检测规则，可以访问https://ip/select.html?testsql=delete * from test
-  或者用WEB漏洞扫描器nikto运行：./nikto  -host ip -ssl -port 443 -C all
-  如果产生了报警记录，则代表正常！相关图片在doc目录。
-
-三、WEB管理演示地址
-  静态演示，无实际数据，http://120.79.51.135:8080/  
+  通常是hihttps前端运行443（https）端口，后端反向代理80端口; 首先保证Web服务器80端口运行正常，443端口没占用。  
+  ./hihttps默认读取当前目录下的confg.cfg文件，  或者./hihttps --config /dir/config.cfg， 打印出规则就成功。
+  
+三、测试  
+  1.ModSecuriyt规则测试
+  rules/main.rule默认加载了一条SQL语句检测规则，可以访问https://serverip/select.html?testsql=delete * from test
+  或者用Kali系统的漏洞扫描器nikto运行：./nikto  -host serverip -ssl -port 443 -C all
+  如果产生了报警记录，则代表正常！
+  
 
-四、机器学习  
-  机器学习在经过大量项目实战检验后，预计2020年6月1日在http://www.hihttps.com/ 开源，   QQ/微信:4108863 邮件:[email protected]
+  2.机器学习/自主对抗规则测试方法：
+  
+  机器学习是核心，但采集样本需要一定时间，为了方便测试，默认了一条hihttps.html对抗规则：
+  如果访问https://serverip/hihttps.html?id=123采集到的样本大于99%都是这种形态，那么下面的网址都将产生攻击报警：
+  
+  https://serverip/hihttps.html?id=123' or 1='1
+  https://serverip/hihttps.html?id=<script>alert(1);</script>
+  https://serverip/hihttps.html?id=1234567890&t=123
+  https://serverip/hihttps.html?id=abc
+  
+  3、要测试并发连接，可以用wrk等工具在相同环境对比和nginx反向代理的性能。
+  wrk -c 25 -t 25 -d 10 https://127.0.0.1/
+
+四、商用版也开源  
+   更多WEB管理和商用版请访问http://www.hihttps.com/  或者   QQ/微信:4108863 邮件:[email protected]      
+   机器学习对抗未知攻击任重而道远，攻防同源，hihttps 将不懈努力...
 
 
 

config.cfg

@@ -10,7 +10,7 @@ backend = "[127.0.0.1]:80"    # 后端默认反向连接80端口
 workers = 1                   #  CPU 数量
 daemon = off                  #  关闭后台模式，方便调试
 
-#证书文件,建议设置绝对路径
+#证书文件,建议设置绝对路径，大部分不能运行的都是这几项设置错误。
 pem-file = "server.pem"
 
 

doc/4.attack.png renamed to doc/3.attack.png

@@ -12,9 +12,6 @@ MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop"
 ######################检测到攻击后，重定向到某个网页，仅ruleAction drop有效################
 #DeniedUrl "http://www.hihttps.com/404.html"
 
-###如果文件名没做特殊处理，强烈建议开启www目录文件检查模式，阻止大多数攻击#################
-#www_dir /usr/share/nginx/html/
-
 
 ######默认rules目录已经加载了DDOS & CC防御，要测试并发请求，可以临时停用DDOS规则。##########
 ######1.REQUEST-20-APPLICATION-CC-DDOS.conf        DDOS & CC防御############################
@@ -23,5 +20,5 @@ MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop"
 ######4.REQUEST-941-APPLICATION-ATTACK-XSS.conf    XSS攻击##################################
 ######5.REQUEST-933-APPLICATION-ATTACK-PHP.conf    PHP相关规则##############################
 
-######################更多高级技术服务可以联系QQ:4108863 微信:wmkwang ######################
+######################更多高级技术服务可以联系QQ/微信:4108863  #############################
 

doc/3.scan.png

@@ -0,0 +1,13 @@
+##################攻击样本github去找吧,simhash支持数百万的样本数据##########################################
+/top.php?stuff='uname >q36497765 #
+/h21y8w52.nsf?<script>cross_site_scripting.nasl</script>
+/ca000001.pl?action=showcart&hop=\"><script>alert('vulnerable')</script>&path=acatalog/
+/scripts/edit_image.php?dn=1&userfile=/etc/passwd&userfile_name= ;id; 
+/javascript/mta.exe
+/examples/jsp/colors/kernel/loadkernel.php?installpath=/etc/passwd\x00
+/examples/jsp/cal/feedsplitter.php?format=../../../../../../../../../../etc/passwd\x00&debug=1
+/bb-hist.sh?histfile=../../../../../etc/passwd
+/cgi-bin/view_user.php?list=1&letter=&sort_by=aaaaaa
+/<script>document.cookie="testggad=2000;"</script>
+/ybz5rz7a.pl?<script>document.cookie="testsbvw=6289;"</script>
+/javascript/backup.exe

doc/7.qps test.png renamed to doc/4.qps test.png

@@ -1,31 +1,53 @@
 -----BEGIN CERTIFICATE-----
-MIICeTCCAeICCQC4688rSAUl9TANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMC
-Y24xEDAOBgNVBAgMB2JlaWppbmcxEDAOBgNVBAcMB2JlaWppbmcxEDAOBgNVBAoM
-B2h1YW5xaXUxDTALBgNVBAsMBHRlY2gxEDAOBgNVBAMMB2h1YW5nCAgxGjAYBgkq
-hkiG9w0BCQEWCzM0MjRAcXEuY29tMB4XDTE5MDIyNjA4MjIxM1oXDTIwMDIyNjA4
-MjIxM1owgYAxCzAJBgNVBAYTAmNuMRAwDgYDVQQIDAdiZWlqaW5nMRAwDgYDVQQH
-DAdiZWlqaW5nMRAwDgYDVQQKDAdodWFucWl1MQ0wCwYDVQQLDAR0ZWNoMRAwDgYD
-VQQDDAdodWFuZwgIMRowGAYJKoZIhvcNAQkBFgszNDI0QHFxLmNvbTCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEAotLnUh/qh2rWG4Z5OGfiZZpBC+9hq89cFhdX
-7wHff9p5sHvsaluXx1Naxk4tkCXSgqWqtELeNfDpZ0NDEjT/yHyC0LbKsTbKCktD
-tkOO9gmg2N/R7NkuFjT/GUS6aljZtIfFqv2CiBAuYbpyByat4qbmh6HXuToXi8y0
-cqXVtU8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAjSxJY85/SbW2GJo5WuvGsCrol
-4h17+mMICQBUwwhumzxVbakvOW1AX86CjjUgAIBMUvx+g6+0uQXlnZd9E76XM06f
-ng/vsobM5EUGFZkGq4T7uSe5GLVYJB0pyPJPL3QGFEWMKB1eUsYVLMjKulbObESj
-R8UcLlq1wU0lbN0aXA==
+MIIEYDCCA0igAwIBAgIJALUqHsFBHJi/MA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD
+VQQGEwJDTjERMA8GA1UECAwIc2hlbnpoZW4xEjAQBgNVBAcMCWd1YW5nZG9uZzEp
+MCcGA1UECgwgU2hlbnpoZW4gaGlodHRwcyBDb21wYW55IExpbWl0ZWQxKTAnBgNV
+BAsMIFNoZW56aGVuIGhpaHR0cHMgQ29tcGFueSBMaW1pdGVkMRYwFAYDVQQDDA0q
+LmhpaHR0cHMuY29tMB4XDTIwMDUyOTA1MzE1MFoXDTQwMDUyNDA1MzE1MFowgaQx
+CzAJBgNVBAYTAkNOMREwDwYDVQQIDAhzaGVuemhlbjESMBAGA1UEBwwJZ3Vhbmdk
+b25nMSowKAYDVQQKDCFTaGVuemhlbiBoaWh0dHBzICBDb21wYW55IExpbWl0ZWQx
+KjAoBgNVBAsMIVNoZW56aGVuIGhpaHR0cHMgIENvbXBhbnkgTGltaXRlZDEWMBQG
+A1UEAwwNKi5oaWh0dHBzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALCUOh0VaHzxlbIhGC7FuIwSW6aYNXrWNP9tynCP8WRpdxLEcauQxQprApoW
+ChNC6T+pyvwFpazLj1AlWqKE7X4TIigFDodfbMrY7Cpyw/Wgn7UA3kYjtoIkEKCu
+26tWGiHW1bba3JQEXWpXSaovrfNWY55TY2X1I1twwTco7HxqmeiUegREZiappdda
+QiJPXT/K4LfMerUCqzRo9URCq+B9Sd4N9RwiVE//DYPTAsY+SKTXqFKXos24ceJ1
+O+epRd2RufKHePmjdMsXS7ZXiKAvbW7hX0xwBvuYEe5BuVmpZvSzX8kldkPYMp6Z
+ThQX545tqCH73sUGANd7vK/0pIsCAwEAAaOBlDCBkTAPBgNVHRMBAf8EBTADAQH/
+MB0GA1UdDgQWBBT+4eKKFbOQvDaxWahSBkUdYuDKyDAOBgNVHQ8BAf8EBAMCAYIw
+FgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwNwYDVR0RBDAwLoINKi5oaWh0dHBzLmNv
+bYIMKi5oaWh0dHBzLmNugg93d3cuaGlodHRwcy5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBAGsjbtfuC92J+nawhybtMNfVQxLvYX8HwBxe4E6P73eGFQqeLDbZu7mSP4dH
+sgNyoNy42dDrcEqohpDiKeeNMrNpJW4gEGM2L/fWo5qkmrUhqe9T6tYNcKbNSoUU
+y6gtaX+H2/K7sxiMuwSMvTqONvkMUG68fHcQya6WEmpmiAPYcNbLiA+pChYrFTrl
+z/TkloJ5c8lx5psyp5sb2VZkTE0UszZlZILuYMfPYWAFOls7XMaVraNVX2Dfr0QB
+xux6OPaE+u06J5vB7VFfXJnMsfdi4mBj3ZeWffgLAWnEdWFNMwUCvMMmHqd2Ekyh
+Ozw1/6lHSSmYbJdi0SsxFTHZVpw=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCi0udSH+qHatYbhnk4Z+JlmkEL72Grz1wWF1fvAd9/2nmwe+xq
-W5fHU1rGTi2QJdKCpaq0Qt418OlnQ0MSNP/IfILQtsqxNsoKS0O2Q472CaDY39Hs
-2S4WNP8ZRLpqWNm0h8Wq/YKIEC5hunIHJq3ipuaHode5OheLzLRypdW1TwIDAQAB
-AoGABbB86L+4wDaZeKjAP5pRrN8w+qvIq+o4+4ShS/ayypLlwaby4dyFdy+QcnF0
-4h6QNoR3bIkRnqzmWvdctpwne9mpKE2mpe1SN10wdWREA+0hEdeAyy8cbDwYr9px
-szoK8/ray5JArkCI3C60xttqmIUmzOHGoZb6RNN6dy0NuyECQQDOGK4T6KMYhZQ9
-W386f8b9KFYd9CP3NT6strDEMC5RfigS1P+LDk/pWeG2GQ0ELTNBtetzvWadPJYN
-0nRJhvDZAkEAyj/h7ljS32zaSPPGt4TEDJU+gElAD9mdHqZRWMri2UelvjAeeVtY
-b16Xw9lcfR0y45bIYnmjl7qQC202FgB+ZwJAU1HY9oWDgkNmpdOawQytZuVqw1tT
-OvrUpsCJABe2cg29p7dixFX56o4C2TqRb5HSegtQ8A6vMHww8c+WYa9jKQJAO+Jw
-dk9smOU1OPadd0djeUpTiE6oHklUAXhDi+P/CVDynX7H9yz54XgDveTFQvJ7V/IU
-gTv9GXcPIaMDqb4ZrwJAF0vFUHQ87FR7yFCeWxaTa74lWEoCIpfH92ccg8rMf7aX
-Vogc5qK5Vn0b4tqMgX2cXh+q8X48tqy6eypC6n4Axg==
+MIIEowIBAAKCAQEAsJQ6HRVofPGVsiEYLsW4jBJbppg1etY0/23KcI/xZGl3EsRx
+q5DFCmsCmhYKE0LpP6nK/AWlrMuPUCVaooTtfhMiKAUOh19sytjsKnLD9aCftQDe
+RiO2giQQoK7bq1YaIdbVttrclARdaldJqi+t81ZjnlNjZfUjW3DBNyjsfGqZ6JR6
+BERmJqml11pCIk9dP8rgt8x6tQKrNGj1REKr4H1J3g31HCJUT/8Ng9MCxj5IpNeo
+Upeizbhx4nU756lF3ZG58od4+aN0yxdLtleIoC9tbuFfTHAG+5gR7kG5Walm9LNf
+ySV2Q9gynplOFBfnjm2oIfvexQYA13u8r/SkiwIDAQABAoIBAGEWfwVyuerI4if4
+7lT5Pck2ZtIoqm8JzEYNVduiKXWuT1wwStesV8qsn9ec+pkwlxL8BrGfYUKrAfdt
+MnJdaD+DwaoDbcOdAjJeJywHwhsR3/4jphMmm7jen43Z1spUIzYr64IIwHNaGwrX
+R5edc6VyAIATFXn/2Rrz2ii8BZs6D+vRffApcsS5ib9HKoSTsNbdUSi3wEHQd3ql
+M6bmE4eZOHb5sr+9dNMsiJzJxXyzn+rpdgzjdHFfLKgMGPPQwAAhLeuJpWRYXNen
+o+/ReoGZozJYhoqizRYFZUyBXi8txhNGOow/1YtXJpB4tEpk6s0lFs/x/uGp1kju
+kUdtnKECgYEA1QKAtI3UwTGNJeBZk8S9jW8MLS9vBjyHRSAKBIbzKRAA9zWS7mai
+6QJfT80WPZbwG1198iJnFVOkhBG9FmUVilx01OHNpReZ7Kf9ES+RSCi6xCCblO4o
+Rb51rPiawxo94t12KEotPvQMHfYZOeWRp+o95eQdAD2cakJ5Ma2Oq+kCgYEA1Dd4
+LCbxNTQ5gslfKCpJ3NABRPWjdG5cNyd6E7wtAkxPXaPgMeEaY/swZwQ6vljUbnNf
+rCsmKBO0xbzg4+ic088yMYSPI0gkuBAziZLps1KrCGQkVjBZECmxe1p1e2FdeAF/
+XCpeH4DtIYxbnRcHV16e/E5DBW9hWPP5u2eSqFMCgYEAj9NXyhH2NNhbYNbCRSdT
+gdsYUq4zffeCsqb2fKYOK4y1yjWvVy+QElratkxZFw8CYsfW0ZZvGhRXAiHkFen9
+CGZzMIaizzVHZmbrVh5TL3Do4qLNylqgcK8wT7Gw9cmTPcqhDIVBVb99KwHPeKtM
+lR9x2fcTqeTv50OpB2UT73kCgYBy7+QHTcQgQ7vOSRBfqZ+9l27IkZ3IxqjtOlVU
+8PsTno7xsXsQqNFpSzeo49KJG4VamOQ9VFVjKWEkI6tN5MNjuHl/9kKsIju48RVo
+sogelmyJq+s+PwtNxLcajyDIBTDheTYojc3SlDpajDFmQH26ZUYIcr6759o6mlEs
+nekBfwKBgBAkSrhcl8YrMtL7smCe1ebLgQM2+C+926QepXesnXchxa/M6gPBFlhw
+n7pC32kLPISezoOgr4+OeCf9EHuyNrmtw5gV6wZMJvULZBH1Pj/Qa25N0SZSXlh/
+yRBAqtPjYzkWHtbUPkFF840UvHfkIrx/4As0eXlHwzGHPPLogRYJ
 -----END RSA PRIVATE KEY-----

doc/5.web_index.png renamed to doc/5.web.png

@@ -1,4 +1,4 @@
-SRC=$(wildcard *.c  libinjection/*.c waf/*.c foreign/*.c libev/ev.c libev/event.c )
+SRC=$(wildcard *.c  machine-learning/*.c libinjection/*.c waf/*.c foreign/*.c libev/ev.c libev/event.c )
 LIB=-lssl -lcrypto -lm -lrt -lpcre
 OBJ=$(addprefix ./, $(addsuffix .o, $(basename $(SRC))))
 TARGET=hihttps