A compact, self-contained lab that demonstrates real-time intrusion detection and automated response using an IDS script (Scapy), Cisco router ACLs (Netmiko), and victim host hardening (Paramiko + iptables).

This project implements a mini Intrusion Detection & Response System (IDRS) designed for teaching and demonstration purposes.

It:

- Captures live network traffic using Scapy.
- Detects common attack types:
  - XMAS / Nmap scans
  - TCP SYN floods
  - SSH brute-force attempts
- Responds automatically by:
  - Adding `deny ip host <attacker> any` to a Cisco router ACL (via Netmiko).
  - Inserting an `iptables` DROP rule on the victim host (via Paramiko SSH).
- Logs detections and actions to `/var/log/ids.log`.
- Supports a whitelist file and a Streamlit dashboard for monitoring and manual control.
Lab flow: Attacker → Router → Victim, with the Monitor node inspecting traffic and orchestrating the automated response.

Features:

- Real-time Detection using Scapy packet analysis
- Automatic Response: blocks attacker IPs on:
  - Cisco Router (via ACLs)
  - Victim host (via iptables)
- Dashboard Interface built with Streamlit for:
  - Live attack logs
  - Manual block/unblock actions
  - Whitelist management
- Modular Design: easy to extend and integrate
- Learning-focused: ideal for cybersecurity students and labs
Virtual Machines (VMs):

| Role | OS | Description |
|---|---|---|
| Attacker | Kali Linux | Uses tools like nmap, hping3, hydra |
| Victim | Ubuntu | Runs ssh, managed via iptables |
| Monitor | Ubuntu | Runs IDS scripts (idrs_monitor.py, dashboard) |

Emulation:

- Cisco Router (c7200) via GNS3, bridging VMware networks (internal & NAT).

Key Scripts:

- `idrs_monitor.py`: main IDS + auto-response engine
- `idrs_dashboard.py`: optional Streamlit dashboard

Libraries Used:

scapy, netmiko, paramiko, streamlit, pandas, plotly

Prerequisites:

- VMware Workstation Pro / Player + GNS3 integration
- 3 VMs configured: Attacker, Victim, Monitor
- Cisco Router image (e.g., c7200) in GNS3 (download link available below in the References & Resources section)
- Python 3.13 on the Monitor VM
VMware Network Setup:

- Run VMware Workstation Pro as Administrator.
- Open Virtual Network Editor and configure:
  - VMnet2 → Host-Only (no DHCP, allow promiscuous mode, subnet 192.168.10.0/24)
  - VMnet8 → NAT (leave default)
- Set VM network adapters to Host-Only → VMnet2.
- Enable promiscuous mode for the Monitor VM.

GNS3 Setup:

- Open GNS3 as Administrator.
- Add Cloud and bind to VMnet2 and VMnet8.
- Add a Hub and connect Cloud-VMnet2 → Hub.
- Connect Router Fa0/0 → Hub and Fa0/1 → Cloud-VMnet8.
- VMnet2 connects Attacker, Victim, Monitor, and Router Fa0/0.
- VMnet8 connects Router Fa0/1 to the internet through NAT.
Verify connectivity (on each VM):

```bash
sudo dhclient -v eth0
ip address
ping 192.168.10.1
```

- Renew DHCP.
- Ping router.
- From Monitor:

```bash
sudo tcpdump -i eth0 -nn -c 50
```

Checklist:

- Cloud nodes mapped to VMnet2/VMnet8.
- Hub forwarding traffic.
- Monitor sees traffic.

Common problems:

- Cloud adapter missing → run GNS3 as Admin.
- DHCP not working → disable VMware DHCP on VMnet2.
- Promiscuous mode issues → ensure hub is used.

Topology summary:

- Cloud-VMnet2 → Hub → Attacker / Victim / Monitor / Router Fa0/0
- Cloud-VMnet8 → Router Fa0/1
Installation (on the Monitor VM):

- Clone the repo:

  ```bash
  git clone http://github.com/VishvaNarkar/Mini-IDRS.git
  cd Mini-IDRS
  ```

- Ensure the log file exists and is writable by the process:

  ```bash
  sudo touch /var/log/ids.log
  sudo chown $(whoami) /var/log/ids.log
  ```

- Create a whitelist file:

  ```bash
  nano whitelist.txt
  ```

  Example contents:

  ```text
  192.168.10.1   # Router
  192.168.10.10  # Monitor
  127.0.0.1
  ```

- Create a virtual environment:

  ```bash
  python3 -m venv venv
  source venv/bin/activate
  ```

- Install the required dependencies:

  ```bash
  pip3 install -r requirements.txt
  ```

- Edit the configuration variables near the top of `idrs_monitor.py` and `idrs_dashboard.py` if your IPs or credentials differ.

- (Recommended) Configure the victim user to allow passwordless sudo for iptables:

  ```bash
  sudo visudo
  # add: monitoruser ALL=(ALL) NOPASSWD: /sbin/iptables, /usr/sbin/iptables
  ```
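The sudoers rule above is what lets the monitor run `iptables` on the victim. As an added example (not the project's own responder code), the following builds the router ACL lines and victim iptables commands for blocking and unblocking an attacker, validates the address before it is interpolated into a Cisco CLI line or a root shell command, and pushes them with Netmiko and Paramiko; `IDS_BLOCK_LIST` is the ACL name used in the testing section, and the host, user and password arguments are placeholders.

```python
# Added example (not the project's code); hosts and credentials are placeholders.
import ipaddress

ACL_NAME = "IDS_BLOCK_LIST"
CHAINS = ("INPUT", "FORWARD")

def check_ip(addr, whitelist=()):
    """Return the normalised IPv4 string; raise ValueError if invalid or whitelisted."""
    ip = str(ipaddress.IPv4Address(addr))  # rejects hostnames, CIDR ranges and shell metacharacters
    if ip in whitelist:
        raise ValueError(f"{ip} is whitelisted")
    return ip

def acl_commands(addr, block=True, whitelist=()):
    """Cisco IOS config lines that add (block=True) or remove the deny entry for addr."""
    ip = check_ip(addr, whitelist)
    entry = f"deny ip host {ip} any log"       # full ACE, so 'no' removes exactly this entry
    return [f"ip access-list extended {ACL_NAME}", entry if block else f"no {entry}"]

def iptables_commands(addr, block=True, whitelist=()):
    """One 'sudo iptables' command per chain: -I inserts at the top, -D deletes."""
    ip = check_ip(addr, whitelist)
    op = "-I" if block else "-D"
    return [f"sudo iptables {op} {chain} -s {ip} -j DROP" for chain in CHAINS]

def block_on_router(addr, host, user, password, block=True):
    """Push the ACL change with Netmiko (imported lazily so the builders run offline)."""
    from netmiko import ConnectHandler
    conn = ConnectHandler(device_type="cisco_ios", host=host, username=user, password=password)
    try:
        out = conn.send_config_set(acl_commands(addr, block))
        conn.save_config()                    # same effect as 'write memory'
    finally:
        conn.disconnect()
    return out

def block_on_victim(addr, host, user, password, block=True):
    """Run the iptables commands over SSH with Paramiko; returns (all_ok, [(rc, stderr), ...])."""
    import paramiko
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # lab shortcut; pin host keys otherwise
    ssh.connect(host, username=user, password=password, timeout=10)
    results = []
    try:
        for cmd in iptables_commands(addr, block):
            _, stdout, stderr = ssh.exec_command(cmd)
            results.append((stdout.channel.recv_exit_status(), stderr.read().decode()))
    finally:
        ssh.close()
    return all(rc == 0 for rc, _ in results), results
```

The two `block_on_*` functions need a reachable router and victim; the command builders run anywhere.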
Project layout:

```text
/home/monitor/Mini-IDRS/
├── idrs_monitor.py
├── idrs_dashboard.py
├── requirements.txt
├── whitelist.txt
├── README.md
├── CONTRIBUTING.md
├── LICENSE
├── .gitignore
└── /var/log/ids.log
```
Configuration:

Open `idrs_monitor.py` and update the following variables to match your lab:

- `ROUTER_IP`, `ROUTER_SSH_USER`, `ROUTER_SSH_PASS`
- `VICTIM_IP`, `VICTIM_SSH_USER`, `VICTIM_SSH_PASS`
- `WHITELIST_FILE` path (defaults to `/home/monitor/Mini-IDRS/whitelist.txt`)
- Detection thresholds:
  - `SYN_THRESHOLD`, `SYN_WINDOW_SECONDS`
  - `SSH_THRESHOLD`, `SSH_WINDOW_SECONDS`

Tuning thresholds is essential for lab reproducibility: e.g., `hping3 -i u1000` sends ≈1000 packets/sec, so set `SYN_THRESHOLD` accordingly.
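The thresholds above decide when a source is reported. As an added example (not the project's `idrs_monitor.py`), here is a sliding-window detector for the three lab attack types with the whitelist semantics of `whitelist.txt`; packets are plain `(ts, src, dst, flags, dport)` tuples so it runs offline, and the threshold values are assumed lab defaults.

```python
# Added example, not the project's idrs_monitor.py. Thresholds are assumed lab
# defaults; in the live monitor the tuple fields come from Scapy's sniff() callback.
from collections import defaultdict, deque

SYN_THRESHOLD, SYN_WINDOW_SECONDS = 100, 10
SSH_THRESHOLD, SSH_WINDOW_SECONDS = 5, 60

def load_whitelist(text):
    """Parse whitelist.txt content: one IP per line, '#' starts a comment."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {e for e in entries if e}

def _over_threshold(window, ts, threshold, seconds):
    """Record an event at ts, expire old samples, and report whether the window is full."""
    window.append(ts)
    while window and ts - window[0] > seconds:
        window.popleft()
    return len(window) >= threshold

class Detector:
    def __init__(self, whitelist):
        self.whitelist = whitelist
        self.syn = defaultdict(deque)   # src -> timestamps of bare SYNs (any port)
        self.ssh = defaultdict(deque)   # src -> timestamps of SYNs to tcp/22
        self.blocked = set()            # sources already handed to the responder

    def inspect(self, ts, src, dst, flags, dport):
        """Return (attack_type, src) when a detection fires, otherwise None."""
        if src in self.whitelist or src in self.blocked:
            return None
        alert = None
        if flags == "FPU":                       # FIN+PSH+URG: the nmap -sX XMAS probe
            alert = "XMAS_SCAN"
        elif "S" in flags and "A" not in flags:  # bare SYN: a new connection attempt
            if _over_threshold(self.syn[src], ts, SYN_THRESHOLD, SYN_WINDOW_SECONDS):
                alert = "SYN_FLOOD"
            # a flood aimed at port 22 trips the lower SSH threshold first: tune both
            if dport == 22 and _over_threshold(self.ssh[src], ts, SSH_THRESHOLD, SSH_WINDOW_SECONDS):
                alert = alert or "SSH_BRUTE"
        if alert:
            self.blocked.add(src)   # the real monitor calls its router/victim responders here
            return (alert, src)
        return None

def run(detector, packets):
    """Feed (ts, src, dst, flags, dport) tuples and collect the alerts raised."""
    return [a for a in (detector.inspect(*p) for p in packets) if a]
```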
Running:

Start the IDS monitor on the Monitor VM:

```bash
sudo python3 idrs_monitor.py -i ens33
```

Launch the dashboard:

```bash
streamlit run idrs_dashboard.py
```

Testing:

1. Nmap XMAS Scan Detection

From Attacker:

```bash
nmap -sX <victim's IP>
```

Verify Router ACL:

```
show access-lists IDS_BLOCK_LIST
```

Expected Output:

```
Extended IP access list IDS_BLOCK_LIST
    deny ip host <attacker's IP> any log
```

2. SYN Flood Detection

From Attacker:

```bash
hping3 -S <victim's IP> -p 22 --flood
# or rate-limited flood:
sudo hping3 -S -p 22 -i u1000 <victim's IP>
```

Verify Router ACL:

```
show ip access-lists IDS_BLOCK_LIST
```

Expect `deny ip host <attacker's IP> any`.

3. SSH Brute-Force Detection

From Attacker:

```bash
hydra -l root -P wordlist.txt ssh://<victim's IP>
```

Check Router ACL:

```
show access-lists IDS_BLOCK_LIST
```

Router Verification & Removal of ACL Entry:

Show ACL:

```
show access-lists IDS_BLOCK_LIST
```

Remove entry:

```
conf t
ip access-list extended IDS_BLOCK_LIST
no deny ip host <attacker's IP> any
exit
write memory
```

Check / Remove iptables Rules (Victim):

View current rules:

```bash
sudo iptables -L -n -v
```

Remove by IP:

```bash
sudo iptables -D INPUT -s <attacker's IP> -j DROP
sudo iptables -D FORWARD -s <attacker's IP> -j DROP
```

Or use a safe loop:

```bash
sudo iptables -S INPUT | grep "<attacker's IP>" | while read -r rule; do sudo iptables ${rule/-A/-D}; done
```

Verification walkthrough:

1. Start the monitor and tail the logs:

   ```bash
   sudo tail -f /var/log/ids.log
   ```

2. Run an attack example from the Attacker.
3. Look for detection entries:

   ```
   2025-10-14 10:53:42 INFO SYN_FLOOD | attacker=192.168.10.12 | victim=192.168.10.11 | 100 SYNs in 10s
   2025-10-14 10:53:43 INFO [BLOCK_RESULT] attacker=192.168.10.12 router=(True,'...') victim=(True,'...')
   ```

4. Check the router ACL and victim iptables for the block.
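As an added example (not part of the project), the following parses log lines in the format shown above and lists attackers that were detected but not confirmed blocked on both router and victim. The sample lines are constructed; the `XMAS_SCAN` entry's type name and detail text are assumed, since only the `SYN_FLOOD` format appears above.

```python
# Added example, not project code. SAMPLE_LOG is constructed in the format shown
# in the README; the XMAS_SCAN line's wording is an assumption.
import re
from datetime import datetime

SAMPLE_LOG = """\
2025-10-14 10:53:42 INFO SYN_FLOOD | attacker=192.168.10.12 | victim=192.168.10.11 | 100 SYNs in 10s
2025-10-14 10:53:43 INFO [BLOCK_RESULT] attacker=192.168.10.12 router=(True,'...') victim=(True,'...')
2025-10-14 10:55:01 INFO XMAS_SCAN | attacker=192.168.10.13 | victim=192.168.10.11 | FIN+PSH+URG set
2025-10-14 10:55:02 INFO [BLOCK_RESULT] attacker=192.168.10.13 router=(False,'timed out') victim=(True,'...')
"""

DETECT_RE = re.compile(r"^(\S+ \S+) INFO (\w+) \| attacker=(\S+) \| victim=(\S+) \| (.*)$")
BLOCK_RE = re.compile(r"^(\S+ \S+) INFO \[BLOCK_RESULT\] attacker=(\S+) "
                      r"router=\((\w+),'(.*?)'\) victim=\((\w+),'(.*?)'\)$")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            ts, kind, attacker, victim, detail = m.groups()
            events.append({"ts": _ts(ts), "type": kind, "attacker": attacker,
                           "victim": victim, "detail": detail})
            continue
        m = BLOCK_RE.match(line)
        if m:
            ts, attacker, r_ok, r_msg, v_ok, v_msg = m.groups()
            events.append({"ts": _ts(ts), "type": "BLOCK_RESULT", "attacker": attacker,
                           "router_ok": r_ok == "True", "router_msg": r_msg,
                           "victim_ok": v_ok == "True", "victim_msg": v_msg})
    return events

def unblocked_attackers(events):
    """Attackers with a detection but no BLOCK_RESULT where router and victim both succeeded."""
    detected = {e["attacker"] for e in events if e["type"] != "BLOCK_RESULT"}
    confirmed = {e["attacker"] for e in events
                 if e["type"] == "BLOCK_RESULT" and e["router_ok"] and e["victim_ok"]}
    return sorted(detected - confirmed)
```

Reading the real file is `unblocked_attackers(parse_log(open("/var/log/ids.log").read()))`; a non-empty result means a response step failed and the ACL or iptables rule should be checked by hand.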
Troubleshooting:

| Issue | Solution |
|---|---|
| Scapy permission denied | Run with `sudo` |
| Interface not found | `ip link show` or `python3 -c "from scapy.all import get_if_list; print(get_if_list())"` |
| Netmiko/Paramiko auth errors | Verify SSH credentials |
| False positives | Adjust `SYN_THRESHOLD` / `SSH_THRESHOLD` |
| Streamlit error (experimental_rerun) | Replace `st.experimental_rerun()` with `st.rerun()` |
Security Notes:

- Do not use on production networks.
- Protect router/victim credentials (use SSH keys).
- Limit dashboard access (`localhost` binding).
- Store sensitive config in `.env` or environment variables.
- Persist firewall rules using `iptables-save`.
Future Work:

- REST API (FastAPI) for control
- Replace `iptables` with `nftables`
- "Dry-run" alert-only mode
- Integrate threat intelligence (AbuseIPDB)
- Add ML-based anomaly detection
References & Resources:

- Cisco IOS ACL Documentation
License:

This project is released under the MIT License; see LICENSE for the full text.

Authors:

- Vishva Narkar (Student)
- Himesh Nayak (Student)

Acknowledgements:

Thanks to open-source projects Scapy, Netmiko, Paramiko, and Streamlit, and the Cisco documentation community.

Before publishing:

- Replace all placeholder IPs and credentials with your lab's values before publishing.
- Use .gitignore to exclude sensitive data and configuration files.
