Connection Guard is a powerful Python-based Network Intrusion Detection and Prevention System (IDS/IPS) that monitors incoming network connections, detects suspicious activity based on configurable rules and signatures, and automatically blocks malicious traffic.
✨ Real-time Network Monitoring
- Captures and analyzes TCP, UDP, and ICMP traffic
- Tracks connection states and statistics
- Supports promiscuous mode for complete network visibility
🛡️ Advanced Threat Detection
- Port Scan Detection: Identifies reconnaissance attempts
- SYN Flood Detection: Detects DoS attacks
- Signature-based Detection: Pre-defined patterns for:
  - SQL Injection
  - Cross-Site Scripting (XSS)
  - Command Injection
  - Path Traversal
  - And more...
🚫 Automated Blocking
- Integrates with Windows Firewall and Linux iptables
- Temporary or permanent IP blocking
- Auto-expiry for temporary blocks
- Whitelist support to protect trusted IPs
📊 Comprehensive Logging & Alerts
- Rotating log files with configurable size limits
- Colorized console output
- File-based alerts
- Detailed threat and connection logging
⚙️ Highly Configurable
- YAML-based configuration files
- Custom rule creation
- Adjustable detection thresholds
- Flexible blocking policies
- Python 3.8 or higher
- Administrator/root privileges (required for packet capture and firewall modification)
- Windows or Linux operating system
- Clone or download this repository
- Install dependencies:
  ```bash
  pip install -r requirements.txt
  ```
- Configure the tool (optional): edit the configuration files in the `config/` directory:
  - `config.yaml` - Main settings
  - `rules.yaml` - Security rules
  - `whitelist.yaml` - Trusted IPs/networks
Run Connection Guard with default settings:

Windows (Administrator):
```bash
python connection_guard.py
```

Linux (Root):
```bash
sudo python3 connection_guard.py
```

Command-line options:
```
usage: connection_guard.py [-h] [-c CONFIG] [--clear-blocks] [--list-rules]

Connection Guard - Network Security Tool

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Configuration directory (default: config)
  --clear-blocks        Clear all firewall rules created by Connection Guard
  --list-rules          List all loaded rules and exit
```

List all loaded rules:
```bash
python connection_guard.py --list-rules
```

Clear all blocked IPs:
```bash
python connection_guard.py --clear-blocks
```

Use custom configuration directory:
```bash
python connection_guard.py -c /path/to/custom/config
```

Example `config.yaml`:
```yaml
# Monitoring settings
monitoring:
  interface: null          # null = monitor all interfaces
  promiscuous_mode: true

# Detection thresholds
thresholds:
  port_scan:
    ports_accessed: 10
    timeframe: 60
  syn_flood:
    syn_packets: 100
    timeframe: 10

# Blocking settings
blocking:
  enabled: true
  default_action: log
  block_duration: 3600     # seconds
  auto_unblock: true
```

Rules support the following criteria:

- `name`: Unique rule identifier
- `action`: `block`, `alert`, or `log`
- `protocol`: `TCP`, `UDP`, `ICMP`, or null for any
- `src_ip`: Source IP or CIDR notation
- `dst_ip`: Destination IP or CIDR notation
- `src_port`: Source port number
- `dst_port`: Destination port number
- `payload_pattern`: Regex pattern to match in payload
- `priority`: Higher values are checked first
- `enabled`: `true` or `false`
Example rule:

```yaml
rules:
  - name: block_ssh_from_suspicious_network
    action: block
    protocol: TCP
    src_ip: 192.0.2.0/24
    dst_port: 22
    description: Block SSH from suspicious network
    priority: 90
    enabled: true
```

Protect trusted IPs from being blocked:

```yaml
whitelist:
  - 127.0.0.1
  - 192.168.0.0/16
  - 10.0.0.0/8
```

- Packet Capture: Uses Scapy to capture network packets in real-time
- Analysis: Each packet is analyzed for suspicious patterns
- Rule Evaluation: Connections are matched against loaded rules
- Threat Detection: Built-in algorithms detect port scans, SYN floods, and attack signatures
- Action: Based on matched rules, the system can:
  - Log: Record the event
  - Alert: Generate a notification
  - Block: Add the source IP to the firewall blocklist
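The rule evaluation step above, worked through as an added example that is not Connection Guard's own code: rules are ordered by `priority`, matched on protocol, CIDR, port and `payload_pattern`, and a `block` action against a whitelisted source is downgraded to `log` so trusted hosts are never firewalled. The rules and whitelist are Python dicts/lists in the shape `yaml.safe_load()` would return for `rules.yaml` and `whitelist.yaml`; the two extra rules and all connection values are constructed for the example.

```python
import ipaddress
import re

# Constructed rules: the README's example rule plus two hypothetical ones.
RULES = [
    {"name": "block_ssh_from_suspicious_network", "action": "block",
     "protocol": "TCP", "src_ip": "192.0.2.0/24", "dst_port": 22,
     "priority": 90, "enabled": True},
    {"name": "block_sqli_probe", "action": "block", "protocol": "TCP",
     "dst_port": 80, "payload_pattern": r"(?i)union\s+select",
     "priority": 50, "enabled": True},
    {"name": "log_all_icmp", "action": "log", "protocol": "ICMP",
     "priority": 10, "enabled": True},
]
WHITELIST = ["127.0.0.1", "192.168.0.0/16", "10.0.0.0/8"]  # as in whitelist.yaml

def ip_in(ip, spec):
    """True if ip lies in spec (single address or CIDR); None means any."""
    if spec is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def is_whitelisted(ip):
    return any(ip_in(ip, entry) for entry in WHITELIST)

def rule_matches(rule, conn):
    """conn: dict with protocol, src_ip, dst_ip and optional ports/payload."""
    if not rule.get("enabled", True):
        return False
    if rule.get("protocol") and rule["protocol"] != conn["protocol"]:
        return False
    if not (ip_in(conn["src_ip"], rule.get("src_ip"))
            and ip_in(conn["dst_ip"], rule.get("dst_ip"))):
        return False
    for key in ("src_port", "dst_port"):  # None in the rule means any port
        if rule.get(key) is not None and rule[key] != conn.get(key):
            return False
    pattern = rule.get("payload_pattern")
    return not pattern or re.search(pattern, conn.get("payload", "")) is not None

def evaluate(conn, rules=RULES):
    """Return (action, rule_name) from the highest-priority matching rule.
    A whitelisted source is never blocked: block is downgraded to log."""
    for rule in sorted(rules, key=lambda r: r.get("priority", 0), reverse=True):
        if rule_matches(rule, conn):
            action = rule["action"]
            if action == "block" and is_whitelisted(conn["src_ip"]):
                action = "log"
            return action, rule["name"]
    return "log", None  # default_action: log (config.yaml)
```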
Port Scan Detection: Triggers when a single IP attempts to connect to multiple ports within a short timeframe (`ports_accessed` within `timeframe` seconds in `config.yaml`).
SYN Flood Detection: Identifies excessive SYN packets from a single source, indicating a potential DoS attack (`syn_packets` within `timeframe` seconds).
Matches payload content against known attack patterns:
- SQL Injection attempts
- XSS payloads
- Command injection
- Path traversal
- Malicious user agents
Connection Guard needs administrator/root privileges because it must:
- Capture network packets
- Modify firewall rules
```
connection_guard/
├── connection_guard.py      # Main application
├── monitor/                 # Network monitoring
│   ├── connection.py        # Connection data models
│   └── monitor.py           # Packet capture & analysis
├── rules/                   # Rule engine
│   ├── rule_engine.py       # Rule matching logic
│   └── signatures.py        # Attack signatures
├── blocker/                 # Blocking system
│   └── blocker.py           # Firewall integration
├── utils/                   # Utilities
│   ├── logger.py            # Logging system
│   ├── alerts.py            # Alert notifications
│   └── config.py            # Configuration loader
└── config/                  # Configuration files
    ├── config.yaml
    ├── rules.yaml
    └── whitelist.yaml
```
"This tool requires administrator/root privileges"
- Run with elevated privileges (`sudo` on Linux, Run as Administrator on Windows)

"No module named 'scapy'"
- Install dependencies:
  ```bash
  pip install -r requirements.txt
  ```

Cannot capture packets on Windows
- Install Npcap: https://npcap.com/

Blocked legitimate traffic
- Add the IP/network to `config/whitelist.yaml`
- Clear blocks:
  ```bash
  python connection_guard.py --clear-blocks
  ```
MIT License - See LICENSE file for details
This tool is for educational and authorized security testing purposes only. Always ensure you have permission to monitor and block network traffic on the systems and networks you are working with.
Created by TheExploitLab
Stay Protected! 🛡️