Go back
Cybersecurity Project

Live Network Intrusion Detection System (NIDS)

Real-time packet sniffing with signature + anomaly detection

A Python NIDS that captures live traffic from the active network interface, identifies suspicious behaviour (risky services, port scans, uncommon protocols, high packet rates), and emits actionable alerts in real time. The output mirrors SOC workflows with concise [ALERT]/[INFO] lines that analysts can paste directly into tickets.

Capabilities
  • Auto-detects capture interface, starts a live sniffer (AsyncSniffer).
  • Extracts core metadata (IPs, ports, protocol, TCP flags) per packet.
  • Rules: risky services, possible port scans, uncommon IP protocols, high packet rate.
  • Streams readable alerts; keeps per-rule thresholds simple and explainable.
Flow: Interface → Sniffer → Rules → Alerts
Flow (top→bottom): choose interface → capture packets → apply rules → stream alerts.
Overview

Purpose

Pivot from offline analysis to real-time detection

The goal was to capture packets live from a chosen interface, apply both signature-based and anomaly-based checks, and continuously surface alerts for quick triage. The design favours low complexity and high explainability so detections are easy to validate.

Tools & Technologies

  • Python 3, Scapy AsyncSniffer for live capture
  • Deque/counters for lightweight per-window state
  • Console alerts (JSON/CSV logging planned)
Process

How it works

Capture → Detect → Alert
  1. Interface selection. Pick active interface (with simple fallbacks inside VMs).
  2. Live capture. Start AsyncSniffer with a per-packet callback to parse headers.
  3. Rules.
    • Risky services: alert on RDP/3389, SMB/445, Telnet/23, NTP/123, etc.
    • Port scan: ≥10 unique ports to the same target within ~5s (TCP or UDP).
    • Uncommon protocol: flag GRE/47 (and other rare IP protocols).
    • High packet rate: ≥100 packets from a source within 10s.
  4. Alerting. Print concise reasoned messages with IPs/ports/protocol; use ellipses for long port lists.
Rules & thresholds
  • Scan window tuned small to catch fast probes without flooding.
  • Packet-rate window at 10s to distinguish spikes from background noise.
  • Risky-port list curated from commonly abused or sensitive services.
Edge cases & performance
  • Handles mixed TCP/UDP captures; skips packets with missing layers safely.
  • Maintains minimal state; avoids heavy per-packet processing.
  • BPF filter support and JSON/CSV logging planned for scaling.

Run & Usage

One command to start sniffing
# Linux / macOS (root needed to sniff)
sudo python3 main.py

# Output example:
# [*] Sniffer started on eth1 - press Ctrl+C to stop.
# [ALERT] Suspicious TCP port detected: 3389 (RDP) from 192.168.56.102 to 192.168.56.101
# ...

Use a second VM/host to generate traffic (nc, nmap, ping) and watch the alerts stream in.

Example Output

Real attacks simulated, real-time alerts

Rule 1 — Risky Services

Detect access to sensitive/abused services (RDP/3389, NTP/123, etc.).

Attacker command (TCP)

Attacker: TCP probe to 3389
File: exampleattack1-tcp.png

NIDS output (TCP)

NIDS alert for TCP 3389 (RDP)
File: exampleoutput1-tcp.png

Attacker command (UDP)

Attacker: UDP probe to 123
File: exampleattack1-udp.png

NIDS output (UDP)

NIDS alert for UDP 123 (NTP)
File: exampleoutput1-udp.png

Rule 2 — Possible Port Scan

Detect ≥10 unique destination ports to the same host within ~5s.

Attacker command

Attacker: nmap SYN scan
File: exampleattack2.png

NIDS output

NIDS: possible TCP port scan alerts
File: exampleoutput2.png

Rule 3 — High Packet Rate

Flag when a source sends ≥100 packets in a 10s window.

Attacker command

Attacker: ping flood
File: exampleattack3.png

Reference output (ping)

Attacker: ping stats output
File: exampleattack3.1.png

NIDS output

NIDS: high packet rate alerts
File: exampleoutput3.png

Rule 4 — Uncommon IP Protocol

Flag traffic using uncommon IP protocols (e.g., GRE/47).

Attacker command

Attacker: GRE packet generator
File: exampleattack4.png

NIDS output

NIDS: unusual protocol GRE alert
File: exampleoutput4.png

Reflection

What I learned & next steps
  • Takeaway: Simple, explainable signatures combined with lightweight anomaly windows deliver fast wins for Tier-1 SOC triage.
  • Challenges: Selecting the correct VM interface, balancing thresholds to avoid alert spam, keeping per-packet work minimal.
  • Future improvements: Persistent JSON/CSV logging, per-host summaries every N seconds, BPF filters for scale, optional Flask dashboard.
Go back

Copyright ©2025. All rights reserved