https://github.com/amssidds/IoT_IDS
A Python-based Network Intrusion Detection System (NIDS) designed to detect and block brute force attacks on a Raspberry Pi. This lightweight and efficient tool monitors live network traffic, detects malicious activity, and logs incidents for analysis.
- Host: GitHub
- URL: https://github.com/amssidds/IoT_IDS
- Owner: amssidds
- License: mit
- Created: 2024-11-15T08:57:54.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-01T07:58:57.000Z (over 1 year ago)
- Last Synced: 2025-05-31T04:52:49.771Z (about 1 year ago)
- Topics: internet-of-things, intrusion-detection-system, iot, nids
- Language: Python
- Homepage:
- Size: 276 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# **Raspberry Pi Network Intrusion Detection System (NIDS)**
A Python-based Network Intrusion Detection System (NIDS) designed to detect and block malicious activities on a Raspberry Pi. This lightweight and efficient tool monitors live network traffic, detects malicious activity, and logs incidents for analysis.
## **Collaborators**
1. Ameen Siddiqui
2. [Mohammed Idris](https://github.com/mczdj)
## **Features**
- **Brute Force Attack Detection**: Monitors SSH traffic for repeated failed login attempts and blocks offending IPs.
- **Live Traffic Monitoring**: Displays live network traffic with timestamps and identifies attack types.
- **Automatic IP Blocking**: Automatically blocks IPs that exceed a predefined failed login threshold.
- **Manual Block/Unblock**: Allows users to manually block or unblock IPs through a user-friendly menu.
- **Logs Management**: Logs all detected attacks with timestamps for future reference.
- **Menu-Driven Interface**: Simple and interactive CLI for ease of use.
- **Nmap Scan Detection**: Detects SYN, Null, and XMAS scans performed using tools like Nmap and logs them.
- **ARP Poisoning Detection**: Identifies ARP spoofing attempts to alert and log malicious behavior.
## **Installation**
### **Prerequisites**
- Raspberry Pi running a Linux-based OS.
- Python 3.x installed.
- Required Python modules: `scapy`.
### **Setup Instructions**
1. Clone this repository:
```bash
git clone https://github.com/AmeenMS03/IoT_IDS.git
cd IoT_IDS
```
2. Install the required Python library:
```bash
sudo apt-get update
sudo apt-get install python3-pip
pip3 install scapy
```
3. Install `iptables` for IP blocking:
```bash
sudo apt-get install iptables
```
## **Usage**
1. Run the program:
```bash
sudo python3 code.py
```
2. Select an option from the menu:
- **Start Packet Sniffing**: Monitors live traffic for potential brute force attacks, Nmap scans, and ARP poisoning attempts.
- **Block an IP Manually**: Add an IP to the blocklist.
- **Remove IP from Blocklist**: Unblock a previously blocked IP.
- **Show Blocked IPs**: Display all currently blocked IPs.
- **View Logs**: View recorded logs of detected attacks.
- **Exit**: Quit the program.
## **Configuration**
- **Failed Login Threshold**:
  - Set the number of failed SSH login attempts before an IP is blocked.
- **Log File**:
  - All logs are saved in `logs.txt` in the same directory as the script.
## **Example Output**
### **Live Traffic**
```
[2024-11-15 12:00:00] 192.168.1.101 -> 192.168.1.24, Port: 22 | Attack Type: No
[2024-11-15 12:00:05] 192.168.1.101 -> 192.168.1.24, Port: 22 | Attack Type: Brute Force - SSH - 22
[2024-11-15 12:01:00] SYN scan detected from 192.168.1.102 to port 22 | Attack Type: Nmap SYN Scan
[2024-11-15 12:02:00] ARP Poisoning detected: 192.168.1.103 is claiming to be MAC 00:11:22:33:44:55
```
### **Blocked IPs**
```
Blocked IPs:
192.168.1.101
192.168.1.102
```
### **Logs**
```
[2024-11-15 12:00:05] 192.168.1.101 -> 192.168.1.24, Port: 22 | Attack Type: Brute Force - SSH - 22
[2024-11-15 12:01:00] SYN scan detected from 192.168.1.102 to port 22 | Attack Type: Nmap SYN Scan
[2024-11-15 12:02:00] ARP Poisoning detected: 192.168.1.103 is claiming to be MAC 00:11:22:33:44:55
```
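The detection logic behind the features listed above and the log lines shown here, as an added example written for this page (it is not the project's `code.py`): flag-based Null/XMAS classification, a SYN port-sweep heuristic, a per-source attempt counter for port 22, and an ARP IP-to-MAC consistency check. The threshold (3), window (60 s) and scan-port count (5) are assumed values, and counting new SYN connections to port 22 as "failed login attempts" is an assumption made here because the repository's own heuristic is not shown on this page; in the real tool scapy's `sniff()` would feed packets in and `iptables` would enforce the block.

```python
from collections import defaultdict

class Detector:
    def __init__(self, threshold=3, window=60, scan_ports=5):
        self.threshold = threshold      # SYNs to port 22 from one source before it is blocked (assumed)
        self.window = window            # seconds over which attempts and probes are counted (assumed)
        self.scan_ports = scan_ports    # distinct ports SYN-probed within the window that count as a scan
        self.ssh_syns = defaultdict(list)   # src -> epoch times of SYNs to port 22
        self.syn_ports = defaultdict(dict)  # src -> {dport: epoch of last SYN}
        self.arp_table = {}                 # ip -> MAC first announced for it
        self.blocked = set()                # real tool: add an iptables DROP rule here
        self.log = []                       # real tool: append these lines to logs.txt

    def _hit(self, ts, msg):
        line = f"[{ts}] {msg}"
        self.log.append(line)
        return line

    def tcp(self, ts, epoch, src, dst, dport, flags):
        # flags: set of TCP flag letters in scapy's notation (S, A, F, P, U, R)
        if not flags:   # Null scan: no flags set at all
            return self._hit(ts, f"Null scan detected from {src} to port {dport} | Attack Type: Nmap Null Scan")
        if flags == {"F", "P", "U"}:   # XMAS scan: FIN+PSH+URG together
            return self._hit(ts, f"XMAS scan detected from {src} to port {dport} | Attack Type: Nmap XMAS Scan")
        if flags == {"S"}:   # bare SYN: a new connection or a half-open probe
            self.syn_ports[src][dport] = epoch
            recent = [p for p, t in self.syn_ports[src].items() if epoch - t <= self.window]
            if len(recent) >= self.scan_ports:
                return self._hit(ts, f"SYN scan detected from {src} to port {dport} | Attack Type: Nmap SYN Scan")
            if dport == 22:
                hist = self.ssh_syns[src] = [t for t in self.ssh_syns[src] if epoch - t <= self.window] + [epoch]
                if len(hist) >= self.threshold:
                    self.blocked.add(src)
                    return self._hit(ts, f"{src} -> {dst}, Port: {dport} | Attack Type: Brute Force - SSH - 22")
        return f"[{ts}] {src} -> {dst}, Port: {dport} | Attack Type: No"

    def arp(self, ts, ip, mac):
        known = self.arp_table.setdefault(ip, mac)
        if known != mac:   # the same IP is now being announced with a different MAC
            return self._hit(ts, f"ARP Poisoning detected: {ip} is claiming to be MAC {mac}")
        return None

def demo():
    d = Detector()   # constructed traffic below, not a real capture
    for i in range(3):
        d.tcp(f"2024-11-15 12:00:0{i}", 1000 + i, "192.168.1.101", "192.168.1.24", 22, {"S"})
    d.tcp("2024-11-15 12:01:00", 1060, "192.168.1.102", "192.168.1.24", 22, set())
    d.arp("2024-11-15 12:02:00", "192.168.1.1", "aa:bb:cc:dd:ee:01")
    d.arp("2024-11-15 12:02:01", "192.168.1.1", "00:11:22:33:44:55")
    return d
```

Running `demo()` yields three log lines in the README's format (the third SSH SYN trips the block, the flagless probe is a Null scan, and the changed MAC for 192.168.1.1 is reported); an established SSH session stays quiet because only bare SYNs are counted.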
## **License**
This project is licensed under the MIT License. See the `LICENSE` file for details.