Network Intrusion Detection System

Status: Live_Environment

Build: 2025.05.23

Coverage: 100+ Tests

Project Essence

I built this project to understand how security professionals monitor network and application layers in real time. It combines a Network Intrusion Detection System (NIDS) and a Web Application Firewall (WAF) into a single terminal-style dashboard.

NIDS Functionality

The NIDS engine sniffs traffic across all interfaces using Scapy. It looks for patterns that suggest reconnaissance or denial-of-service attempts.

Attack Type	Severity	Identification
ICMP Echo	Low	Detects type 8 request packets
NULL Scan	Medium	TCP flags set to 0x00
XMAS Scan	Medium	TCP FIN+PSH+URG combination
Port Scan	Medium	8 unique SYN ports in 30s window
SYN Flood	Critical	15 rapid SYNs to non-service ports

WAF Functionality

The WAF acts as an application-level inspector, intercepting HTTP data to block common injection vectors before they reach the backend logic.

Guides

Attack Simulator

To test the NIDS without external tools, I included an internal simulator. You can trigger these via the dashboard UI or the CLI script:

cd backend
sudo python attacker.py

The simulator sends raw packets to loopback, exercising the NIDS detection logic for everything from stealthy scans to aggressive floods.

Request Inspector

The WAF tab features a Request Inspector where you can craft custom HTTP payloads. For example, sending a UNION SELECT string will trigger a SQL Injection alert immediately in the feed.

Implementation Story

March 10, 2025: The Beginning

I have started sketching out the architecture for what I hope will be a security-first dashboard. I want to see exactly what is happening on my network, not just high-level summaries. I have decided to go with Python for the backend: it is readable, and the Scapy library seems incredibly flexible for working with raw packets. I am a bit nervous about the performance overhead of Python for a sniffer, but for a learning project, the ability to rapidly prototype new detection rules is more important to me right now.

March 28, 2025: The Loopback Wall

I hit a massive wall today. I spent hours trying to figure out why my sniffer could not see any of the attack packets I was sending from my own machine. I was using a standard socket listener, but it turns out that on Linux, local traffic on the loopback interface often bypasses the parts of the networking stack where standard sockets live. It was incredibly frustrating. Then I had an aha! moment after digging through some old forums: I need to use Scapy Layer 2 sockets and the sendp() function to talk directly to the interface. Once I made the switch, the terminal finally started lighting up with the ICMP packets I was injecting. It felt like I finally found the key to the front door.

April 15, 2025: WAF & False Positives

Moving up the stack to the Web Application Firewall today. I am using Flask to intercept and inspect incoming HTTP requests. I ran into a classic beginner mistake: false positives. I noticed that my WAF was blocking perfectly legitimate requests just because they contained the word DELETE in the headers. It was a nightmare. I realized I was looking at the wrong headers and being way too aggressive with my pattern matching. This taught me a valuable lesson about fail-open versus fail-closed security. I have decided to move to a whitelist-only approach for user inputs, specifically targeting the request body and URL parameters. It is much cleaner and way less prone to breaking the app for actual users.

May 10, 2025: Testing & Polish

It is finally coming together. I just hit a milestone of 100+ passing tests in the test_waf.py suite. It took a long time to write all those edge cases for SQL injection and XSS, but seeing that wall of green text in the terminal is so satisfying. The highlight of the day was seeing the first real-time SQLi alert pop up in the React frontend. I am using Socket.IO to stream alerts from the Python engine, and seeing that terminal-style notification slide in when I sent a malicious UNION SELECT payload made all the late nights worth it.

Reflections

Building this project from scratch has changed how I think about security. It is not just about setting up a firewall and walking away: it is about visibility and constant, rigorous testing. If you cannot see the traffic, you cannot defend against it. I am coming out of this with a much deeper respect for the tools I use every day.

Setup

Local Environment

# Install dependencies
pip install flask flask-socketio flask-cors scapy pytest

# Start NIDS (Root required for raw sockets)
sudo python backend/app.py

# Start WAF
python backend/waf_app.py

Docker Deployment

I containerized the stack to make it portable. The NIDS container uses network_mode: host so it can actually reach the host's networking interfaces.

docker-compose up --build

Technical Deep Dive

Detection Rules

My detection logic uses a sliding window approach for rate-based attacks. For SYN floods, the engine tracks source IPs and clears counters every 15 seconds to avoid memory bloat.

The Pytest Suite

I maintained a mandatory test-driven approach. The test_waf.py suite contains over 100 test cases that validate:

SQL injection patterns (including encoded variants)
XSS payloads in various headers
Path traversal attempts (Unix and Windows styles)
Malicious User-Agent strings

Every time I added a new WAF rule, I had to ensure it didn't break existing functionality or introduce new false positives.