
0xHossam/InviGuard


InviGuard

InviGuard is a network attack monitor that checks your device's network traffic and alerts you to any suspicious or malicious activity. It also helps secure your device against C2 network communications.

Project Phases

  • Phase 1: Gathering IP IOCs from various feed platforms
  • Phase 2: Monitoring for network attacks & C&C communications with over 50 detection modules

InviGuard is user-friendly and integrates easily with your security solutions through a simple API. It features a dashboard for viewing alerts, locations, severity and IP details, and for modifying config settings. The dashboard also includes charts and statistics. Alerts can be exported directly in PDF, JSON, CSV and HTML formats.


API Integration

Integrate InviGuard with your product by using the InviGuard API to retrieve all alerts and connect them to your applications.

Example

import json
import requests

# Base URL of the InviGuard server; replace IP and PORT with your own values
base_url = 'http://IP:PORT'

def get_alerts():
    """Fetch every alert from the /get_alerts endpoint and return it as a list."""
    url = f'{base_url}/get_alerts'
    # A timeout keeps the caller from hanging if the server is unreachable
    response = requests.get(url, timeout=10)

    if response.status_code == 200:
        alerts = response.json()
        print('Alerts:', json.dumps(alerts, indent=4))
        return alerts

    print(f'Failed to get alerts: {response.status_code}')
    print(response.text)
    return None

# Get all alerts
get_alerts()

Example of the output format:

Alerts: [
    {
        "alert_type": "Unusual ARP Response Frequency",
        "count": 6,
        "description": "An unusually high frequency of ARP responses may indicate an ongoing ARP spoofing attack, where an attacker attempts to intercept, modify, or stop data in transit.",
        "details": "Possible ARP spoofing due to frequent ARP responses.",
        "src_ip": "192.168.201.50"
    },
    {
        "alert_type": "MITM Detected",
        "count": 14,
        "description": "Man-In-The-Middle (MITM) attacks involve an attacker secretly relaying and possibly altering the communication between two parties who believe they are directly communicating with each other.",
        "details": "ARP spoofing detected for IP 192.168.201.50: New MAC b4:b5:b6:98:bc:bf, Previous MACs {'b4:b5:b6:98:bc:bf'}",
        "src_ip": "192.168.201.21"
    }
]
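As an added example that is not part of the InviGuard repository, the client below fetches alerts from the /get_alerts endpoint and normalises them into flat per-alert records: a severity bucket derived from the count, and, for ARP-spoofing alerts, the new and previous MAC addresses pulled out of the details string. The severity thresholds and the sample alerts are constructed assumptions, not InviGuard's own.

```python
import re

# Constructed sample shaped like the README's /get_alerts output ("description" omitted).
SAMPLE_ALERTS = [
    {"alert_type": "Unusual ARP Response Frequency", "count": 6,
     "details": "Possible ARP spoofing due to frequent ARP responses.",
     "src_ip": "192.168.201.50"},
    {"alert_type": "MITM Detected", "count": 14,
     "details": "ARP spoofing detected for IP 192.168.201.50: New MAC "
                "b4:b5:b6:98:bc:bf, Previous MACs {'b4:b5:b6:98:bc:bf'}",
     "src_ip": "192.168.201.21"},
]

# Matches the MAC bookkeeping inside an ARP-spoofing "details" string.
MAC_RE = re.compile(r"New MAC ([0-9a-f:]{17}), Previous MACs \{([^}]*)\}")

def fetch_alerts(base_url, timeout=10):
    """GET {base_url}/get_alerts and raise on a non-2xx reply."""
    import requests  # imported here so the parsing helpers also work offline
    resp = requests.get(f"{base_url}/get_alerts", timeout=timeout)
    resp.raise_for_status()
    return resp.json()

def parse_arp_macs(details):
    """Extract new/previous MACs from an ARP-spoofing details string, else None."""
    m = MAC_RE.search(details)
    if not m:
        return None
    previous = {p.strip(" '") for p in m.group(2).split(",") if p.strip()}
    return {"new_mac": m.group(1), "previous_macs": sorted(previous)}

def severity(count, high=10, medium=5):
    """Bucket by hit count; the thresholds are hypothetical, not InviGuard's scale."""
    return "high" if count >= high else "medium" if count >= medium else "low"

def to_events(alerts):
    """Flatten alerts into one dict each, with derived severity and parsed MACs."""
    events = []
    for a in alerts:
        ev = {"alert_type": a["alert_type"], "src_ip": a["src_ip"],
              "count": a["count"], "severity": severity(a["count"])}
        macs = parse_arp_macs(a.get("details", ""))
        if macs:
            ev.update(macs)
        events.append(ev)
    return events
```

Each record from to_events() is a flat dict that can be emitted as one JSON line for a SIEM or log pipeline; swap SAMPLE_ALERTS for fetch_alerts(base_url) against a live server.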

Completed Features

Running

Network Monitoring and Alerting

  • In-General

    • The user can select the network interface to monitor and alert on
    • Capture network packets using Scapy
      • Employ Scapy for capturing
        • TCP
        • UDP
        • ICMP
        • ARP
        • DNS
        • DNSQR
    • Monitoring and printing network packets
    • Utilizing logging mechanisms for network packet analysis
    • Integration of detection modules for packet processing
    • Identification of malicious source/destination IP addresses within network packets
    • Periodically updating the IP IOCs and reloading the IP list when a modification happens
    • Parallel execution of detection modules alongside network packet processing
    • Enhancement of the alerting system to trigger Windows notifications upon detecting network attacks
    • Support for exporting alerts in files
    • A configs.yml file that exposes user-configurable API keys and other settings, such as custom detection thresholds
  • Network Detection

    • ARP Spoofing Detection Module
    • DHCP Spoofing Detection Module
    • DNS Spoofing Detection Module
    • SMB Relay Attack Detection Module
    • ICMP Tunneling Attack Detection Module
    • DNS Tunneling Attack Detection Module
    • DDoS/DoS Attack Detection Module
    • Port Scanning Detection Module
      • SYN scans
      • FIN scans
      • NULL scans
      • XMAS scans
      • UDP scans
    • Man-In-The-Middle (MITM) Attack Detection Module
    • TLS/SSL Monitoring for additional MITM attack detection
    • Detecting HTTP Flooding Attacks
    • Ports Monitoring Module
    • IP Spoofing Detection Module
    • MAC Spoofing Detection Module
    • MAC Flooding Detection Module
    • IP NULL Detection Module
    • RST/FIN Flooding Detection Module
    • DNS Hijacking Detection Module
    • LLDP Spoofing Detection Module
    • TCP Connection Hijacking Detection Module
    • SMTP Relay Detection Module
  • C2 Detection

    • Detecting known malicious IP addresses from many IOC feed platforms
    • C2 Communication Detection via analysis of TLS values
    • Detecting C2 Communications via DGA (Domain Generation Algorithm)
    • Analyzing Network Flow
    • Geo-Location Analysis & Detection Module
    • P2P C2 Communication Detection Module
    • LLMNR/NBT-NS Poisoning Detection Module
    • HTTP/S Beaconing Detection Module
    • Newly Registered Domain Detection Module
    • HTTP Headers Analysis Module
    • DNS-over-HTTPS (DoH) Detection Module
    • Detecting Tor exit nodes and their traffic
    • HTTP POST Exfiltration Detection Module
  • IOC (Indicators of Compromise) Harvester

    • Integration with the following platforms to collect all possible IP addresses (from IPs, URLs, domains and hostnames):

      • AbuseIPDB
      • AlienVault OTX (Open Threat Exchange)
      • ThreatFox
      • TweetFeed for real-time threat intelligence
      • URLHaus
      • VXVault
    • Writing all the IOCs in data/ip.txt file
  • Alerting

    • Supported Formats:
      • PDF
      • JSON
      • CSV
      • HTML
    • Alerting Functionality:
      • Easy direct calling
      • Creates system warning messages if there are attacks
      • Using Flask endpoint to save alerts there for APIs & UI
      • Offering detailed descriptions for every attack that occurs
  • UI Dashboard

    • General Features
      • View all alerts
      • Modify and add configurations
      • Display statistics and charts for alerts, including their frequency and numbers
      • Show charts for the severity of triggered attacks
      • Provide an attack map to trace the geo-locations of attacks
    • Plugins
      • Display total unique IPs
      • Show total number of alerts
      • List total alert types

The End

This project is made with love by Hossam Ehab. It is licensed under the MIT license, all rights reserved.
