-
Notifications
You must be signed in to change notification settings - Fork 208
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #925 from djv554/main
Added an IDS/IPS tool
- Loading branch information
Showing
3 changed files
with
118 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| ## **Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) tool** | ||
|
|
||
| ### 🎯 **Goal** | ||
|
|
||
| The goal of the IDS/IPS network packet sniffer code is to provide a simple but effective tool for monitoring network traffic in real-time, detecting potentially malicious or suspicious activity, and automatically responding by blocking the offending IP addresses. | ||
|
|
||
| ### 🧾 **Description** | ||
|
|
||
| This project is a simple Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) implemented in Python using the Scapy library. The tool monitors network traffic in real-time and checks for suspicious activity based on predefined keywords within packet payloads. If a certain number of suspicious packets are detected from the same IP address, the tool can automatically block the offending IP address using system-level firewall rules. | ||
|
|
||
| Key Features: | ||
|
|
||
| **Real-Time Packet Monitoring:** Continuously monitors incoming network traffic for both IPv4 and IPv6 packets. | ||
| - **Keyword Detection:** Scans TCP/UDP packet payloads for predefined suspicious keywords like "attack", "exploit", etc. | ||
| - **IP Blocking Mechanism:** Automatically blocks an IP address after it sends a threshold number of suspicious packets. | ||
| - **Cross-Platform Support:** Uses platform-specific firewall tools: | ||
| - **Linux:** Blocks IPs using `iptables`. | ||
| - **macOS:** Blocks IPs using `pfctl`. | ||
| - **Windows:** Blocks IPs using the built-in firewall via `netsh`. | ||
| - **Whitelisting Support:** Allows trusted IP addresses to be whitelisted and protected from blocking. | ||
| - **Logging:** Records all detected alerts and blocked IPs to a log file (`ids_ips_alerts.log`) for auditing purposes. | ||
|
|
||
| ### 📚 **Libraries Needed** | ||
|
|
||
| To run this project, you'll need the following libraries installed: | ||
|
|
||
| - **Scapy:** For packet sniffing and network protocol manipulation. | ||
| - **subprocess (built-in):** For running system commands to block IPs. | ||
| - **collections (built-in):** For managing a counter of suspicious activities by IP. | ||
|
|
||
| ### 📢 **Conclusion** | ||
|
|
||
| This project serves as a basic demonstration of a real-time IDS/IPS tool that can detect suspicious network activities based on packet content and apply system-level firewall rules to block malicious traffic. While it's a simplified example, it can be extended with more advanced packet inspection techniques and integrated into larger network security systems. | ||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| import os | ||
| import platform | ||
| import logging | ||
| from scapy.all import sniff, IP, TCP, UDP, IPv6 | ||
| from collections import defaultdict | ||
| import subprocess | ||
|
|
||
| # Set up logging to record alerts to a file | ||
| logging.basicConfig(filename='ids_ips_alerts.log', level=logging.INFO, format='%(asctime)s - %(message)s') | ||
|
|
||
| # Suspicious keywords in packet payloads | ||
| SUSPICIOUS_KEYWORDS = ["attack", "malicious", "exploit", "payload"] | ||
|
|
||
| # List of blocked IPs and a whitelist of safe IPs | ||
| BLOCKED_IPS = set() | ||
| WHITELIST_IPS = {"192.168.1.1", "8.8.8.8"} # Trusted IP addresses | ||
|
|
||
| # Threshold for blocking: block IP after 'n' suspicious packets | ||
| THRESHOLD = 3 | ||
| ip_suspicion_count = defaultdict(int) # Store how many suspicious packets are seen from each IP | ||
|
|
||
| # Function to block IP addresses (supports Linux, macOS, Windows) | ||
| def block_ip(ip_address): | ||
| if ip_address in WHITELIST_IPS: | ||
| logging.info(f"Skipping whitelist IP: {ip_address}") | ||
| return | ||
|
|
||
| if ip_address not in BLOCKED_IPS: | ||
| print(f"[IPS] Blocking IP address: {ip_address}") | ||
| system_name = platform.system() | ||
| try: | ||
| if system_name == "Linux": | ||
| # Block with iptables (Linux) | ||
| subprocess.run(["sudo", "iptables", "-A", "INPUT", "-s", ip_address, "-j", "DROP"], check=True) | ||
| elif system_name == "Darwin": | ||
| # Block with pf (macOS) | ||
| subprocess.run(["sudo", "pfctl", "-t", "blocklist", "-T", "add", ip_address], check=True) | ||
| elif system_name == "Windows": | ||
| # Block with Windows Firewall | ||
| subprocess.run(["netsh", "advfirewall", "firewall", "add", "rule", | ||
| f"name=Block IP {ip_address}", "dir=in", "action=block", | ||
| f"remoteip={ip_address}"], check=True) | ||
| else: | ||
| print(f"Unsupported OS: {system_name}. Cannot block IP.") | ||
| return | ||
| except subprocess.CalledProcessError as e: | ||
| print(f"Error while blocking IP {ip_address}: {e}") | ||
| else: | ||
| BLOCKED_IPS.add(ip_address) | ||
| logging.info(f"Blocked IP: {ip_address}") | ||
|
|
||
| # Function to process each packet for IDS/IPS | ||
| def packet_callback(packet): | ||
| # Detect IP or IPv6 packets | ||
| if IP in packet or IPv6 in packet: | ||
| ip_src = packet[IP].src if IP in packet else packet[IPv6].src | ||
| ip_dst = packet[IP].dst if IP in packet else packet[IPv6].dst | ||
|
|
||
| # Check for TCP or UDP layer to get payload | ||
| if TCP in packet or UDP in packet: | ||
| payload = str(packet[TCP].payload) if TCP in packet else str(packet[UDP].payload) | ||
|
|
||
| # Check for suspicious keywords in the payload | ||
| for keyword in SUSPICIOUS_KEYWORDS: | ||
| if keyword in payload: | ||
| alert_message = f"[ALERT] Suspicious packet detected from {ip_src} to {ip_dst}: {payload}" | ||
| print(alert_message) | ||
| logging.info(alert_message) | ||
|
|
||
| # Increment the count for the suspicious activity from the source IP | ||
| ip_suspicion_count[ip_src] += 1 | ||
|
|
||
| # Block IP if suspicion count exceeds the threshold | ||
| if ip_suspicion_count[ip_src] >= THRESHOLD: | ||
| block_ip(ip_src) | ||
| break | ||
|
|
||
| # Start sniffing network packets | ||
| print("Starting IDS/IPS... Press Ctrl+C to stop.") | ||
| sniff(prn=packet_callback, store=0) # `store=0` means do not keep packets in memory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters