Authors: Georgy Zaets, Raj Kunamaneni, Guneet Mummaneni, Jared Pugh
In the age of pervasive computer security threats, safeguarding networks against eavesdropping and snooping (man-in-the-middle) attacks is more crucial than ever. This repository aims to address the challenges faced by non-tech-savvy individuals who struggle to comprehend and employ traditional open-source network security tools. Our goal is to create an extensible network toolkit directory that is accessible to all users, providing a lightweight yet effective solution for detecting and mitigating eavesdropping attacks. The toolkit was developed to run on Raspberry Pi Version 3B+ and later models, as well as any Debian-based machine with equivalent or better hardware.
Eavesdropping attacks can vary in form, including snooping and man-in-the-middle attacks. These attacks are becoming more sophisticated over time, often outpacing the defensive capabilities of traditional network security tools. We propose a lightweight solution that can effectively mitigate such attacks with easy-to-understand notifications for users.
Anti-virus software, though effective against viruses, can significantly slow down system performance when running network scans. Our solution involves shifting this workload to a dedicated network machine, like a Raspberry Pi, acting as a DNS server to monitor network traffic and alert users of any unauthorized data transfers.
The design of this network toolkit is founded on simplicity and user accessibility. We understand that not everyone has the technical expertise to use complex security tools. We are developing a simple interface that allows users to easily set up and monitor their network. This approach makes sure that all users can actively participate in safeguarding their digital environment.
We understand the importance of teaching users about network security. Our repository has detailed documentation and tutorials to help users understand the basics of network security and how to effectively use this toolkit. We will also provide support for users who have questions or need help with the toolkit.
git clone https://github.com/rajkunamaneni/TrafficDetector.git2) Open the Terminal and run the start.sh bash script. This bash script has been provided to enable the installation of various programs and tools used to log information that is processed by the open-source security toolkit. Sudo permissions are required to run the script. The script will prompt the user to enter their password to proceed with the installation.
chmod +x start.sh
./start.shSnort is an open-source network intrusion prevention system and intrusion detection system. It's capable of performing real-time traffic analysis and packet logging on IP networks. Snort is used to detect and prevent attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. Snort can be used to monitor network traffic and detect suspicious activity.
Snort should already be installed if you have run the start.sh script. If not, you can install it manually using the following command:
sudo apt-get install snortConfigure Snort for your network. Edit the Snort configuration file:
sudo nano /etc/snort/snort.confSet the HOME_NET variable to your local network. For example, if your local network is 192.168.1.0/24, you would change the line to:
ipvar HOME_NET 192.168.1.0/24Save and close the file.
For your SNORT to detect attacks, it is really necessary to replace the local.rules files in /etc/snort/rules to the one provided by us. It had rule to detect ping, DDOS Attack, and Port Scan attack.
To run Snort in console mode and see the network traffic:
sudo snort -q -l /var/log/snort -i wlan0 -A console -c /etc/snort/snort.conf &wlan0 in this case is the network interface. Replace wlan0 with your network interface name. To find your network interface name, run the following command:
ifconfigifconfig will display your network interfaces. The network interface name will be displayed next to the word "inet". For example, if your network interface is eth0, you could run:
sudo snort -q -l /var/log/snort -i eth0 -A console -c /etc/snort/snort.conf &This will run Snort in console mode and display the network traffic. The traffic data contains the source and destination IP addresses, the protocol, and the port number.
To run Snort in packet logging mode and save the packets to a file:
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0 -l ~/snortlogThe flags -A console -q -c /etc/snort/snort.conf -i eth0 are required to run Snort in packet logging mode. The -l flag specifies the directory to save the packets to. The directory must exist before running Snort. The directory will be created if it does not exist. -A flag specifies the output mode. -q flag specifies quiet mode. -c flag specifies the configuration file. /etc/snort/snort.conf is the default configuration file. -i flag specifies the network interface. eth0 is the default network interface.
This will save the packets to the snortlog directory in your home directory. Make sure to use the correct file path for your system.
But for the purpose of this project you can just use run the file run_snort_silent.sh, and this will start the SNORT as a background process.
After this you can run the attack simulation files and SNORT will show a log that attack has been indetified.
Wireshark is a network protocol analyzer that can capture and display the data traveling back and forth on a network. It is used to troubleshoot network problems, analyze network traffic, and detect network intrusions. In regards to the toolkit's functionality, Wireshark can be used to capture packets and analyze them for suspicious activity. The command line version of Wireshark, Tshark, can be used to capture packets and save them to a file
Wireshark is included in the start.sh script. To install it manually:
sudo apt-get install wiresharkTshark is a command-line version of Wireshark. It can be used to capture packets and save them to a file. It can also be used to read packets from a file and display them on the screen. Tshark is included in the start.sh script. To install it manually:
sudo apt-get install tsharkTo capture packets using Wireshark:
sudo tshark -i eth0 -w ~/capture.pcapReplace eth0 with your network interface and specify your desired output file.
Nmap is a free and open-source utility for network discovery and security auditing. It can be used to scan networks for open ports, detect operating systems, and find vulnerabilities.
Nmap should be installed with the start.sh script. To install it manually:
sudo apt-get install nmapScanning a network using NMap allows you to find open ports and detect operating systems. This is useful for finding vulnerabilities in your network. It can also be used to find the IP address of a host on your network. For security of your network, you can use NMap to scan for open ports and close them if necessary.
To scan a network or a host:
nmap [target]Replace [target] with the IP address or hostname of your target. For example:
nmap 192.168.1.1This procedure will scan the network and display the open ports and operating system of the target. The [target] can also be a hostname, such as google.com. Scanning a network or host can take a long time, so it is recommended to use the -T4 flag to speed up the scan. The flag -T4 will set the timing template to aggressive, in other words it will speed up the scan. For example using -T4 on google.com:
nmap -T4 google.comThis will speed up the scan and display the results faster. The -T4 flag can be used with any scan.
Using -vv with sudo permissions in Nmap will display more information about the scan. For example:
nmap -vv google.comThis will display more information about the scan, such as the number of packets sent and received. The -vv flag can be used with any scan.
FPing is a free and open-source utility for network discovery and security auditing. It is faster than ping because it sends multiple ICMP packets at once. It can be used to scan networks for open ports, detect operating systems, and find vulnerabilities.
FPing should be installed with the start.sh script. To install it manually:
sudo apt-get install fpingTo run FPing:
fping [target]Replace [target] with the IP address or hostname of your target. For example:
fping google.comThis procedure will ping the target and display the results. The [target] can also be an IP address. The output of FPing is much simpler than ping because it whether or not the target is reachable. It does not display the round trip time or the number of packets sent and received.
Here is how the outputs of ping and FPing compare:
Fping provides less information thatn ping, but it is faster because it sends multiple ICMP packets at once.
Ensure you have the necessary permissions when using these tools.
Regularly update the tools to get the latest security features and bug fixes.
Report any bugs or issues to the respective tool developers.
Do not use these tools for malicious purposes.
Expanding the toolkit to include other tools is encouraged.
WARNING! When expanding the toolkit, ensure that the tools are compatible with the Raspberry Pi 3B+ or newer. Some tools may not be compatible with the Raspberry Pi's ARM architecture.
For detailed usage and advanced configurations, consult the respective man pages or online documentation:
Raspberry Pi Requirements: A Raspberry Pi (version 3B+ or later) is recommended. We recommend installing Ubuntu Server LTS, which can be downloaded from the Raspberry Pi Imager Software. This version is more resource-efficient compared to Ubuntu Desktop because it does not bloat the storage with GUI files.
However, Raspberry Pi is NOT required! Any PC that can run the latest Ubuntu Server LTS is valid. We recommend the following minimum requirements for the machine:
CPU: Intel Pentium or AMD Athlon dual-core processor (e.g., Intel Pentium Gold G6400 or AMD Athlon 3000G)
Motherboard: Any motherboard with onboard Wi-Fi/Ethernet or a dedicated External Wi-Fi Card
Memory (RAM): 4GB DDR4 RAM recommended (DDR3 also valid)
Storage: An 8 GB SD card should suffice, the bigger the better as the tool grows over time.
Access to AWS hosting is also needed. In the future, there is potential to expand to other well-known hosting platforms (i.e. DigitalOcean, Cloudflare, etc.).
For AWS system to work, first we have to download AWS CLI (you can skip these steps if you ran start.sh).
Also before this you have to setup AWS SES in AWS Management console.
You can find more information about this at
AWS should already be installed if you have run the start.sh script. If not, you can install it manually using the following command:
First check if you have pip is installed.
sudo apt install python3-pip Download boto3 which is a AWS SDK used to send mails.
sudo pip install boto3 Download AWS CLI Interface
sudo pip3 install awsclisudo aws configureThis asks for the few information about your AWS Account.
After successful setup of AWS, you can run the cli_read_test.py in another terminal.
- 1.) Attack is performed using attack simulation files
- 2.) Detection Programs on Raspberry Pi constantly look for any network attacks
- 3.) When the program detects an attack, it uses AWS SES to send an email notification to the user
- 4.) User receives a notification that an attack on their network has been detected.
- The user will get an email about the kind of attack that has been detected.
- Description of the attack and possible steps to avoid this in the future is also involved.
Development of Bash Scripts: Created scripts for automating the installation of tools like SNORT and Wireshark.
SNORT Installation and Configuration: Successfully installed and tested SNORT for monitoring network traffic as well as set up AWS notifaction messaging.
Network Attack Simulations: Conducted simulations like DDOS and Port Scanning to test SNORT's detection capabilities.
Additional Tools: Looking into integrating other security tools to complement the current library.
Optimization for Raspberry Pi: Focusing on performance and resource efficiency for specifically Raspberry Pi devices.
User Experience Enhancement: Developing a simple, intuitive interface with clear notifications for security incidents as well as improving the UI for AWS notifications.
Data Presentation: Improvements to the AWS messaging format with a more user-friendly design, while still providing easy to integral information about the security of the network.
Better Hardware Support: Expanding to support other hardware platforms like RISC-V.
Reducing User Effort: Automating the installation process to reduce the amount of manual work required.
As an open source toolkit, the start.sh shell script was designed to be easily configurable. To implement new programs and utilities into the toolkit to optimize security coverage, one needs to only insert lines indicating tools to be installed. This enables simplicity with little overhead in terms of mental effort.
Users can customize the shell script to provide more information regarding the status of the installation process. Flags to suppress information and prompts can be disabled if the user desires.
For more information, users can check man pages for Unix-based systems to learn the fine details of all commands.