sridharchary42/cybersecurity-network-monitoring
# Cybersecurity Network Monitoring (Capstone)
## Overview
A network security monitoring system combining **Snort IDS/IPS rule engineering** and **Python-based packet analysis** to detect, correlate, and report suspicious traffic patterns in a simulated data center environment.
### What It Detects
| Threat Category | Techniques Covered |
|---|---|
| Reconnaissance | SYN scan, NULL scan, XMAS scan, UDP scan, SNMP probing |
| Brute Force | SSH, RDP, Telnet credential attacks |
| Malware / C2 | DNS tunneling, IRC C2, HTTP beaconing |
| Data Exfiltration | Large outbound transfers, anomalous DNS payload sizes |
| DoS / DDoS | ICMP flood detection |
| Policy Violations | Telnet access, unauthorized NETCONF, unencrypted management traffic |
## Project Structure
```
cybersecurity-network-monitoring/
├── snort_rules/
│   └── local.rules            # Custom Snort IDS/IPS detection rules
├── wireshark_analysis.py      # PCAP parser & suspicious traffic correlator (Scapy)
├── alert_monitor.py           # Real-time Snort alert log monitor (terminal dashboard)
├── requirements.txt
└── README.md
```
## Quick Start
### 1. Run the Wireshark PCAP Analyzer
```bash
pip install scapy

# Demo mode (no real PCAP needed — great for showcasing)
python wireshark_analysis.py --demo --summary

# Analyze a real capture file
python wireshark_analysis.py --pcap capture.pcap --summary --output report.json
```
**Sample output:**
```
══════════════════════════════════════════════════
 TRAFFIC ANALYSIS SUMMARY
══════════════════════════════════════════════════
 Total Findings : 5
   CRITICAL     : 1
   HIGH         : 3
   MEDIUM       : 1
 DNS Queries    : 248

[CRITICAL] BRUTE_FORCE   | 203.0.113.45 → 10.0.1.10
           SSH brute force: 87 SYN packets to port 22
[HIGH    ] PORT_SCAN     | 192.168.1.200 → 10.0.1.0/24
           Source probed 47 unique ports in 3 seconds
[HIGH    ] DNS_TUNNELING | 10.0.1.55 → 8.8.8.8
           Oversized DNS query: 312 bytes — possible exfiltration
```
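As an added illustration (not code from this repository), the three heuristics behind the sample findings above, run over constructed packet records instead of a Scapy-parsed PCAP so it works offline; the record layout, thresholds and window size are assumptions chosen to mirror the output format:

```python
from collections import defaultdict

# Constructed sample traffic, not a real capture. Record layout per packet:
# (timestamp_s, src, dst, proto, dport, tcp_syn, dns_query_len)
SAMPLE = (
    [(float(i), "203.0.113.45", "10.0.1.10", "tcp", 22, True, 0) for i in range(30)]
    + [(100 + i * 0.05, "192.168.1.200", "10.0.1.7", "tcp", 1000 + i, True, 0) for i in range(25)]
    + [(200.0, "10.0.1.55", "8.8.8.8", "udp", 53, False, 312),
       (201.0, "10.0.1.55", "8.8.8.8", "udp", 53, False, 40)]
)

def detect_brute_force(packets, port=22, threshold=20):
    """CRITICAL when one source sends >= threshold SYNs to a login port (assumed threshold)."""
    syns = defaultdict(int)
    for _, src, dst, proto, dport, syn, _ in packets:
        if proto == "tcp" and syn and dport == port:
            syns[(src, dst)] += 1
    return [{"type": "BRUTE_FORCE", "severity": "CRITICAL", "src": s, "dst": d,
             "detail": f"SSH brute force: {n} SYN packets to port {port}"}
            for (s, d), n in syns.items() if n >= threshold]

def detect_port_scan(packets, window=3.0, min_ports=20):
    """HIGH when one source hits >= min_ports distinct ports inside a sliding time window."""
    probes = defaultdict(list)
    for ts, src, _, proto, dport, syn, _ in packets:
        if proto == "tcp" and syn:
            probes[src].append((ts, dport))
    findings = []
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # start the window at each SYN in turn
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings.append({"type": "PORT_SCAN", "severity": "HIGH", "src": src, "dst": "*",
                                 "detail": f"Source probed {len(ports)} unique ports in {window:g} seconds"})
                break  # one finding per scanning source is enough
    return findings

def detect_dns_tunneling(packets, max_len=255):
    """HIGH when a DNS query is larger than a normal name lookup (encoded data is a common cause)."""
    return [{"type": "DNS_TUNNELING", "severity": "HIGH", "src": src, "dst": dst,
             "detail": f"Oversized DNS query: {n} bytes, possible exfiltration"}
            for _, src, dst, proto, dport, _, n in packets
            if proto == "udp" and dport == 53 and n > max_len]

def analyze(packets):
    """Run every detector and return the findings ordered by severity, as the summary does."""
    findings = detect_brute_force(packets) + detect_port_scan(packets) + detect_dns_tunneling(packets)
    return sorted(findings, key=lambda f: ("CRITICAL", "HIGH", "MEDIUM", "LOW").index(f["severity"]))
```

A Scapy-based version would build the same records from `pkt[IP].src`, `pkt[TCP].flags` and `len(pkt[DNS])` before handing them to `analyze`.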
### 2. Run the Real-time Snort Monitor
```bash
# Demo mode
python alert_monitor.py --demo

# Watch live Snort output (requires Snort running)
python alert_monitor.py --log /var/log/snort/alert
```
### 3. Deploy Snort with Custom Rules
```bash
# Install Snort on Ubuntu
sudo apt-get install snort

# Copy custom rules
sudo cp snort_rules/local.rules /etc/snort/rules/

# Add to /etc/snort/snort.conf:
#   include $RULE_PATH/local.rules

# Run Snort in IDS mode
sudo snort -A console -c /etc/snort/snort.conf -i eth0
```
## Lab Environment
Tested in a VirtualBox virtual network with:
- **Kali Linux** — attack workstation (running Nmap, Metasploit)
- **Ubuntu Server** — target (SSH, Apache, SNMP enabled)
- **Snort VM** — monitoring host (promiscuous mode NIC)
- **Wireshark** — packet capture on the monitoring interface
## Security Best Practices Implemented
1. **Defense-in-depth** — Snort IDS positioned behind the firewall to catch lateral movement
2. **Threshold-based rules** — Reduces false positives while catching sustained attacks
3. **Severity classification** — Rules classified by impact (CRITICAL/HIGH/MEDIUM/LOW)
4. **Provisioning protection** — Custom rules protecting NETCONF/SNMP management plane
5. **Audit logging** — All alerts timestamped and persisted for RCA / forensic review
## Skills Demonstrated
- Snort IDS/IPS rule writing and tuning
- Packet capture analysis with Scapy (Python)
- Network threat detection and classification
- Real-time log monitoring and alerting
- Cybersecurity lab environment setup (VirtualBox, Kali, Snort)
- Data center infrastructure security best practices