joaquin-developer-gif/cyber-defense-xdr-platform

GitHub: joaquin-developer-gif/cyber-defense-xdr-platform

A SOC/XDR platform built on FastAPI and React, for cybersecurity research and red/blue team exercises.

Stars: 1 | Forks: 0

[README.md](https://github.com/user-attachments/files/28430475/README.md)

# Cyber Defense XDR Platform v1.0

Developer: Joaquin Rodriguez
GitHub: https://github.com/joaquin-developer-gif/

# 🇬🇧 English

## Overview

**Cyber Defense XDR Platform** is a real-time cybersecurity monitoring and response platform built as a practical **SOC/XDR lab project**.

The platform combines network traffic monitoring, suspicious event detection, real-time WebSocket telemetry, threat intelligence, alert visualization, manual IP blocking, IP unblocking, and response history tracking.

It was developed as a cybersecurity and software development portfolio project.

## Main Objective

The objective of this project is to demonstrate how a defensive cybersecurity platform works from detection to response.

The system follows this flow:

```
Network Traffic
↓
Packet Sniffer
↓
Detection Engine
↓
XDR Event Bus
↓
WebSocket Realtime Stream
↓
React SOC Dashboard
↓
Manual / Auto Response Engine
↓
Firewall Blocking / Unblocking
```

## Tech Stack

### Backend

- Python
- FastAPI
- Uvicorn
- Scapy
- WebSockets
- iptables
- Threat Intelligence modules
- In-memory blocked IP registry
- In-memory response event history

### Frontend

- React
- Vite
- Tailwind CSS
- Framer Motion
- Lucide React
- Recharts

### Environment

- Linux / WSL
- Git
- GitHub
- Local cybersecurity lab network

## Main Features

### Real-Time Dashboard

The main dashboard provides a live overview of the XDR platform.

It includes:

- WebSocket connection status
- Backend status
- Local time
- Threat counters
- Severity counters
- SOC-style interface

### Live Threat Feed

The **Live Threat Feed** displays real-time XDR telemetry events.

It shows:

- Event type
- Severity
- Source IP
- Destination IP
- Threat score
- Timestamp
- Live status

Detected events may include:

- Brute force behavior
- Port scan activity
- ICMP activity
- ICMP flood
- Suspicious TCP activity
- Threat intelligence matches

### XDR Alert Center

The **XDR Alert Center** provides a SOC-style alert management interface.
It allows the analyst to review suspicious events and trigger response actions such as manual IP blocking.

### Threat Intelligence

The platform includes a Threat Intelligence module for analyzing suspicious IP addresses.

It can be extended with providers such as:

- AbuseIPDB
- VirusTotal
- GeoIP
- TOR exit node detection
- Custom blacklists

API keys must be stored locally in `.env` and must never be pushed to GitHub.

### Blocked IPs Module

The **Blocked IPs** module displays IP addresses currently blocked by the XDR response engine.

It includes:

- Total blocked IPs
- Blocked IP table
- Blocking reason
- Firewall protection status
- Block timestamp
- Copy IP button
- Unblock IP button

Backend endpoint:

```
GET /response/blocked-ips
```

### Manual IP Blocking

The platform can block an IP address through the backend API.

Endpoint:

```
POST /response/block-ip
```

Example:

```
curl -X POST http://127.0.0.1:8000/response/block-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual block from XDR Alert Center"}'
```

When successful, the backend:

- Validates the IP address
- Applies a firewall rule using `iptables`
- Adds the IP to the blocked IP registry
- Publishes an XDR response event
- Stores the event in response history

### Manual IP Unblocking

The platform can remove a blocked IP from the firewall and internal registry.

Endpoint:

```
POST /response/unblock-ip
```

Example:

```
curl -X POST http://127.0.0.1:8000/response/unblock-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual unblock from XDR Blocked IPs"}'
```

When successful, the backend:

- Removes the `iptables` firewall rule
- Removes the IP from the blocked registry
- Publishes an `IP_UNBLOCKED` event
- Stores the action in the Auto Response history

### Auto Response Engine

The **Auto Response Engine** displays a real history of actions taken by the platform.
It tracks response events such as:

```
IP_BLOCKED
IP_UNBLOCKED
BLOCK_FAILED
BLOCK_REJECTED
BLOCK_REJECTED_PROTECTED_IP
UNBLOCK_FAILED
UNBLOCK_ERROR
NO_ACTION_MONITORING
```

Backend endpoint:

```
GET /response/events
```

This allows the frontend to display response history even if the WebSocket event was missed.

## API Endpoints

### General

```
GET /
GET /stats
GET /scan
GET /ports
GET /threat/ip
```

### Response Engine

```
POST /response/block-ip
POST /response/unblock-ip
GET /response/blocked-ips
GET /response/events
```

### WebSocket

```
WS /ws
```

## Project Structure

```
cyber-defense-intelligence-system/
│
├── backend/
│   ├── app/
│   │   ├── core/
│   │   │   └── event_bus.py
│   │   │
│   │   ├── packet_analyzer/
│   │   │   ├── analyzer.py
│   │   │   └── detector.py
│   │   │
│   │   ├── response_engine/
│   │   │   ├── firewall.py
│   │   │   ├── quarantine.py
│   │   │   ├── responder.py
│   │   │   └── rules.py
│   │   │
│   │   ├── scanner/
│   │   │   └── scanner.py
│   │   │
│   │   ├── sniffer/
│   │   │   ├── detection_engine.py
│   │   │   └── packet_sniffer.py
│   │   │
│   │   ├── threat_intel/
│   │   │   └── intel.py
│   │   │
│   │   ├── websocket_manager.py
│   │   └── main.py
│   │
│   └── .env
│
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   │   ├── dashboard/
│   │   │   │   ├── XDRAlertCenter.jsx
│   │   │   │   ├── XDRBlockedIPs.jsx
│   │   │   │   ├── XDRAutoResponse.jsx
│   │   │   │   ├── XDRLiveFeed.jsx
│   │   │   │   ├── XDRCharts.jsx
│   │   │   │   ├── XDRTimeline.jsx
│   │   │   │   └── ThreatIntelPanel.jsx
│   │   │   │
│   │   │   └── layout/
│   │   │       ├── Header.jsx
│   │   │       ├── Navbar.jsx
│   │   │       └── Sidebar.jsx
│   │   │
│   │   ├── hooks/
│   │   │   └── useWebSocket.js
│   │   │
│   │   ├── pages/
│   │   │   └── Dashboard.jsx
│   │   │
│   │   ├── services/
│   │   │   ├── api.js
│   │   │   └── websocket.js
│   │   │
│   │   ├── main.jsx
│   │   └── index.css
│   │
│   └── package.json
│
├── .gitignore
└── README.md
```

## Environment Variables

Create a `.env` file inside the `backend/` folder.
Example:

```
ABUSEIPDB_API_KEY=your_abuseipdb_api_key_here
VIRUSTOTAL_API_KEY=your_virustotal_api_key_here
```

A `.env.example` file is recommended for public repositories:

```
ABUSEIPDB_API_KEY=your_abuseipdb_api_key_here
VIRUSTOTAL_API_KEY=your_virustotal_api_key_here
```

Important:

```
Never commit real API keys to GitHub.
```

## Running the Project

### Backend

From the backend folder:

```
cd backend
sudo ./venv/bin/uvicorn app.main:app --reload
```

The backend runs at:

```
http://127.0.0.1:8000
```

`sudo` is required because the response engine uses `iptables`.

### Frontend

From the frontend folder:

```
cd frontend
npm install
npm run dev
```

The frontend runs at:

```
http://localhost:5173
```

## Example Workflow

### 1. Start the backend

```
cd backend
sudo ./venv/bin/uvicorn app.main:app --reload
```

### 2. Start the frontend

```
cd frontend
npm run dev
```

### 3. Open the dashboard

```
http://localhost:5173
```

### 4. Block an IP

```
curl -X POST http://127.0.0.1:8000/response/block-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual test block"}'
```

### 5. Check blocked IPs

```
curl http://127.0.0.1:8000/response/blocked-ips
```

### 6. Unblock the IP

```
curl -X POST http://127.0.0.1:8000/response/unblock-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual test unblock"}'
```

### 7. Check response history

```
curl http://127.0.0.1:8000/response/events
```

## Lab Testing

### Public IP Test

The platform was tested with the public IP:

```
45.155.205.233
```

Confirmed results:

- IP blocked successfully
- IP appeared in the Blocked IPs module
- Firewall rule was created
- IP was unblocked successfully
- Firewall rule was removed
- Auto Response history registered the action

### Private Lab IP Test

A controlled lab test was performed against a Windows machine in the same WiFi network.
Lab IP:

```
192.168.1.18
```

To avoid accidentally blocking private infrastructure such as the router or WSL gateway, the platform uses a private lab allowlist:

```
LAB_ALLOWED_PRIVATE_IPS = {
    "192.168.1.18",
}
```

Confirmed results:

- Private lab IP was blocked successfully
- Private lab IP was unblocked successfully
- Firewall rule was removed
- Registry was updated correctly

Protected addresses include:

```
localhost
router / gateway
WSL gateway
multicast
link-local addresses
private IPs not explicitly allowlisted
```

## Local Network Investigation Example

During testing, a device was discovered on the local network:

```
192.168.1.7
```

Nmap discovered the following open ports:

```
8008/tcp
8009/tcp
8443/tcp
9000/tcp
9080/tcp
```

A request to:

```
http://192.168.1.7:8008/setup/eureka_info
```

identified the device as:

```
Crown Mustang UK Android TV
```

This demonstrated safe device identification in a controlled local lab environment.

## Screenshots

This section shows the main visual modules of the Cyber Defense XDR Platform, captured from a controlled local lab environment.

The screenshots demonstrate real-time telemetry, threat detection, alert management, firewall-based IP blocking and automated response history.

```txt
# 1. Main SOC/XDR Dashboard
Main monitoring dashboard showing the global status of the platform, WebSocket connectivity, backend health, active threat state and SOC/XDR security metrics.

# 2. Live Threat Feed
Real-time threat telemetry stream displaying detected security events, severity levels, source IPs, destination data and threat scores.

# 3. XDR Alert Center
Alert management center used to review suspicious activity such as brute force attempts, threat intelligence detections and high-severity events. The interface includes investigation, manual blocking and resolution actions.

# 4. Blocked IP Management
Blocked IP management panel connected to the backend response engine and Linux iptables. It displays currently blocked addresses, blocking reasons, timestamps, firewall status and manual unblock actions.

# 5. Auto Response Engine
Automated response history showing actions performed by the XDR response engine, including blocked IPs, unblocked IPs, rejected actions and monitoring events.

# Note:
All screenshots were generated in a controlled local environment for educational, testing and portfolio purposes.
```

## Security Notice

This project is intended for:

```
Educational use
Personal lab use
Cybersecurity portfolio demonstration
Defensive security research
```

This project should only be used on:

```
Networks you own
Devices you own
Authorized lab environments
```

The project includes safeguards to avoid blocking critical internal IP addresses.

Private IP blocking is only allowed for explicitly configured lab devices.

## Current Version

```
Version: 1.0
Status: Stable lab release
```

Completed modules:

- Real-time dashboard
- Live Threat Feed
- Alert Center
- Threat Intelligence panel
- Blocked IPs module
- Manual Block IP
- Manual Unblock IP
- Auto Response history
- WebSocket live telemetry
- iptables response engine
- Safe private IP lab validation

## Roadmap

Future improvements:

- SQLite or Firebase persistence
- Docker deployment
- Router-based Network Quarantine
- Endpoint agent for Windows/Linux
- PDF incident reports
- AI-based threat scoring
- Advanced MITRE ATT&CK mapping
- SIEM-style event search
- Multi-agent XDR architecture
- Kubernetes deployment

## Author

Developed by **Joaquin Rodriguez**.

GitHub:

```
https://github.com/joaquin-developer-gif
```

## Disclaimer

This project was built for defensive cybersecurity learning and portfolio purposes.

Do not use this tool against third-party networks, public systems, or devices without explicit authorization.

# 🇪🇸 Spanish

## Overview

**Cyber Defense XDR Platform** is a real-time cybersecurity monitoring and response platform, developed as a practical **SOC/XDR** lab project.
The platform combines network traffic monitoring, suspicious event detection, real-time telemetry over WebSocket, threat intelligence, alert visualization, manual IP blocking, IP unblocking, and a history of response actions.

It was developed as a portfolio project in cybersecurity and software development.

## Main Objective

The objective of the project is to demonstrate how a defensive cybersecurity platform works from detection to response.

The system follows this flow:

```
Network traffic
↓
Packet Sniffer
↓
Detection engine
↓
XDR Event Bus
↓
Real-time WebSocket
↓
React SOC dashboard
↓
Manual / automatic response engine
↓
Firewall blocking / unblocking
```

## Technologies Used

### Backend

- Python
- FastAPI
- Uvicorn
- Scapy
- WebSockets
- iptables
- Threat Intelligence modules
- In-memory registry of blocked IPs
- In-memory history of response events

### Frontend

- React
- Vite
- Tailwind CSS
- Framer Motion
- Lucide React
- Recharts

### Environment

- Linux / WSL
- Git
- GitHub
- Local lab network

## Main Features

### Real-Time Dashboard

The main dashboard shows an overview of the state of the XDR system.

It includes:

- WebSocket status
- Backend status
- Local time
- Threat counters
- Counters by severity
- SOC-style visual interface

### Live Threat Feed

The **Live Threat Feed** shows XDR telemetry events in real time.

It shows:

- Event type
- Severity
- Source IP
- Destination IP
- Threat score
- Date/time
- Live status

Possible detected events:

- Brute force behavior
- Port scanning
- ICMP activity
- ICMP flood
- Suspicious TCP activity
- Threat Intelligence matches

### XDR Alert Center

The **XDR Alert Center** provides a SOC-style interface for reviewing suspicious alerts.
It allows the analyst to review events and run response actions, such as manually blocking an IP.

### Threat Intelligence

The platform includes a threat intelligence module for analyzing suspicious IPs.

It can be extended with providers such as:

- AbuseIPDB
- VirusTotal
- GeoIP
- TOR node detection
- Custom blacklists

API keys must be stored locally in `.env` and must never be pushed to GitHub.

### Blocked IPs Module

The **Blocked IPs** module shows the IPs currently blocked by the XDR response engine.

It includes:

- Total blocked IPs
- Table of blocked IPs
- Reason for the block
- Firewall protection status
- Date/time of the block
- Button to copy the IP
- Button to unblock the IP

Backend endpoint:

```
GET /response/blocked-ips
```

### Manual IP Blocking

The platform can block an IP through the backend API.

Endpoint:

```
POST /response/block-ip
```

Example:

```
curl -X POST http://127.0.0.1:8000/response/block-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual block from XDR Alert Center"}'
```

When the block succeeds, the backend:

- Validates the IP
- Applies a firewall rule using `iptables`
- Adds the IP to the blocked IP registry
- Publishes an XDR response event
- Saves the event in the response history

### Manual IP Unblocking

The platform can remove a blocked IP from the firewall and from the internal registry.
Endpoint:

```
POST /response/unblock-ip
```

Example:

```
curl -X POST http://127.0.0.1:8000/response/unblock-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual unblock from XDR Blocked IPs"}'
```

When the unblock succeeds, the backend:

- Removes the `iptables` rule
- Removes the IP from the blocked registry
- Publishes an `IP_UNBLOCKED` event
- Saves the action in the Auto Response history

### Auto Response Engine

The **Auto Response Engine** shows a real history of actions taken by the platform.

It records events such as:

```
IP_BLOCKED
IP_UNBLOCKED
BLOCK_FAILED
BLOCK_REJECTED
BLOCK_REJECTED_PROTECTED_IP
UNBLOCK_FAILED
UNBLOCK_ERROR
NO_ACTION_MONITORING
```

Backend endpoint:

```
GET /response/events
```

This allows the frontend to show the response history even if a WebSocket event was not captured.

## API Endpoints

### General

```
GET /
GET /stats
GET /scan
GET /ports
GET /threat/ip
```

### Response Engine

```
POST /response/block-ip
POST /response/unblock-ip
GET /response/blocked-ips
GET /response/events
```

### WebSocket

```
WS /ws
```

## Project Structure

```
cyber-defense-intelligence-system/
│
├── backend/
│   ├── app/
│   │   ├── core/
│   │   │   └── event_bus.py
│   │   │
│   │   ├── packet_analyzer/
│   │   │   ├── analyzer.py
│   │   │   └── detector.py
│   │   │
│   │   ├── response_engine/
│   │   │   ├── firewall.py
│   │   │   ├── quarantine.py
│   │   │   ├── responder.py
│   │   │   └── rules.py
│   │   │
│   │   ├── scanner/
│   │   │   └── scanner.py
│   │   │
│   │   ├── sniffer/
│   │   │   ├── detection_engine.py
│   │   │   └── packet_sniffer.py
│   │   │
│   │   ├── threat_intel/
│   │   │   └── intel.py
│   │   │
│   │   ├── websocket_manager.py
│   │   └── main.py
│   │
│   └── .env
│
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   │   ├── dashboard/
│   │   │   │   ├── XDRAlertCenter.jsx
│   │   │   │   ├── XDRBlockedIPs.jsx
│   │   │   │   ├── XDRAutoResponse.jsx
│   │   │   │   ├── XDRLiveFeed.jsx
│   │   │   │   ├── XDRCharts.jsx
│   │   │   │   ├── XDRTimeline.jsx
│   │   │   │   └── ThreatIntelPanel.jsx
│   │   │   │
│   │   │   └── layout/
│   │   │       ├── Header.jsx
│   │   │       ├── Navbar.jsx
│   │   │       └── Sidebar.jsx
│   │   │
│   │   ├── hooks/
│   │   │   └── useWebSocket.js
│   │   │
│   │   ├── pages/
│   │   │   └── Dashboard.jsx
│   │   │
│   │   ├── services/
│   │   │   ├── api.js
│   │   │   └── websocket.js
│   │   │
│   │   ├── main.jsx
│   │   └── index.css
│   │
│   └── package.json
│
├── .gitignore
└── README.md
```

## Environment Variables

Create a `.env` file inside the `backend/` folder.

Example:

```
ABUSEIPDB_API_KEY=your_abuseipdb_api_key_here
VIRUSTOTAL_API_KEY=your_virustotal_api_key_here
```

Creating a `.env.example` file is recommended for public repositories:

```
ABUSEIPDB_API_KEY=your_abuseipdb_api_key_here
VIRUSTOTAL_API_KEY=your_virustotal_api_key_here
```

Important:

```
Never push real keys to GitHub.
```

## How to Run the Project

### Backend

From the backend folder:

```
cd backend
sudo ./venv/bin/uvicorn app.main:app --reload
```

The backend runs at:

```
http://127.0.0.1:8000
```

`sudo` is used because the response engine uses `iptables`.

### Frontend

From the frontend folder:

```
cd frontend
npm install
npm run dev
```

The frontend runs at:

```
http://localhost:5173
```

## Test Flow

### 1. Start the backend

```
cd backend
sudo ./venv/bin/uvicorn app.main:app --reload
```

### 2. Start the frontend

```
cd frontend
npm run dev
```

### 3. Open the dashboard

```
http://localhost:5173
```

### 4. Block an IP

```
curl -X POST http://127.0.0.1:8000/response/block-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual test block"}'
```

### 5. Query blocked IPs

```
curl http://127.0.0.1:8000/response/blocked-ips
```

### 6. Unblock the IP

```
curl -X POST http://127.0.0.1:8000/response/unblock-ip \
  -H "Content-Type: application/json" \
  -d '{"ip":"45.155.205.233","reason":"Manual test unblock"}'
```

### 7. Query response history

```
curl http://127.0.0.1:8000/response/events
```

## Lab Tests

### Public IP Test

The platform was tested with the public IP:

```
45.155.205.233
```

Confirmed results:

- IP blocked correctly
- IP visible in the Blocked IPs module
- Firewall rule created
- IP unblocked correctly
- Firewall rule removed
- Action recorded in Auto Response

### Private Lab IP Test

A controlled test was performed against a Windows machine on the same WiFi network.

Lab IP:

```
192.168.1.18
```

To avoid accidentally blocking private infrastructure, such as the router or the WSL gateway, the platform uses an allowlist of private lab IPs:

```
LAB_ALLOWED_PRIVATE_IPS = {
    "192.168.1.18",
}
```

Confirmed results:

- Private lab IP blocked correctly
- Private lab IP unblocked correctly
- Firewall rule removed
- Internal registry updated correctly

Protected addresses:
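
The protected-address rule the README describes for `POST /response/block-ip` (localhost, router/gateway, WSL gateway, multicast, link-local, private IPs not allowlisted), written out as an added Python example; it is not the project's own code. The gateway set, the mapping of each condition to `BLOCK_REJECTED` or `BLOCK_REJECTED_PROTECTED_IP`, and the shape of the `iptables` rule are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# From the README: the only private address the lab is allowed to block.
LAB_ALLOWED_PRIVATE_IPS = {"192.168.1.18"}
# Constructed sample values (assumption); a real deployment would read the
# default route and the WSL gateway from the host instead of hard-coding them.
PROTECTED_GATEWAYS = {"192.168.1.1", "172.20.0.1"}


class Decision(NamedTuple):
    allowed: bool
    event: Optional[str]  # response event to record when the request is refused
    reason: str
    ip: Optional[str]     # canonical address, the only form passed to the firewall


def check_block_target(raw, allowed_private=LAB_ALLOWED_PRIVATE_IPS,
                       gateways=PROTECTED_GATEWAYS):
    """Decide whether a block-ip request may reach the firewall."""
    try:
        ip = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return Decision(False, "BLOCK_REJECTED", "not a valid IP address", None)
    # Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is judged as 127.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    text = str(ip)

    def refuse(reason):
        return Decision(False, "BLOCK_REJECTED_PROTECTED_IP", reason, text)

    # Order matters: gateways are refused even if someone allowlists them,
    # and link-local is tested before the broader is_private check.
    if ip.is_loopback or ip.is_unspecified:
        return refuse("localhost")
    if text in gateways:
        return refuse("router / gateway")
    if ip.is_multicast:
        return refuse("multicast")
    if ip.is_link_local:
        return refuse("link-local")
    if ip.is_private and text not in allowed_private:
        return refuse("private IP not explicitly allowlisted")
    return Decision(True, None, "ok", text)


def iptables_drop_argv(decision):
    """argv for subprocess.run (no shell); the exact rule is an assumption."""
    if not decision.allowed:
        raise ValueError("refused target: " + decision.reason)
    tool = "ip6tables" if ":" in decision.ip else "iptables"
    return [tool, "-I", "INPUT", "-s", decision.ip, "-j", "DROP"]


if __name__ == "__main__":
    # Constructed requests: the README's addresses plus edge cases.
    for raw in ["45.155.205.233", "192.168.1.18", "192.168.1.7", "127.0.0.1",
                "::ffff:192.168.1.1", "224.0.0.251", "169.254.10.10",
                "45.155.205.233/24"]:
        print(f"{raw!r:24} -> {check_block_target(raw)}")
```

Passing only the canonical string from `Decision.ip` to the firewall, as a list argument rather than through a shell, keeps the request body from ever being interpreted as command text.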
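Tags: AMSI bypass, AV bypass, FastAPI, ICMP attacks, iptables, IP blocking, PoC, Python, React, Scapy, SOC platform, Syscalls, WebSocket, WebSockets, WSL, XDR platform, dependency analysis, response history, threat intelligence, threat detection, security response, real-time data streaming, developer tools, data statistics, no backdoor, brute force, port scanning, cybersecurity, cybersecurity lab, custom scripts, reverse engineering tools, privacy protection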