Building a Modular IDS/IPS Tool with Python: A Practical Guide to Network Security

Published: December 19, 2025 at 05:33 PM EST
2 min read
Source: Dev.to

What is IDS‑IPS‑Tool?

IDS‑IPS‑Tool is a Python‑based security framework that combines three critical functionalities into one modular package:

  • IDS (Intrusion Detection System): Analyzes log files (e.g., /var/log/auth.log) using regex patterns to identify malicious activity.
  • IPS (Intrusion Prevention System): Takes action by automatically blocking offending IPs using system firewalls (iptables).
  • Network IDS: A sniffer that monitors live network traffic for suspicious packet patterns (e.g., TCP SYN scans).

Architecture & Tech Stack

The tool is modular and configuration‑driven—new rules are added by updating a config.json file rather than hard‑coding them.

  • Python 3.x – Core logic.
  • Scapy – Deep packet inspection and network sniffing.
  • Watchdog – Real‑time log monitoring via file‑system events.
  • Subprocess – Interfaces with Linux iptables for automated blocking.

Project Structure

IDS-IPS-Tool/
├── src/           # Core modules (Detection, Prevention, Logging)
├── config.json    # Attack signatures (Regex & Patterns)
├── ids_main.py    # Log Analysis Entrypoint
├── netids_main.py # Network Sniffer Entrypoint
└── ips_main.py    # Auto‑blocking Entrypoint

Key Feature: Regex‑Based Detection

The heart of the system lies in its ability to parse complex logs. Below is an example detection pattern from the configuration:

{
  "patterns": [
    {
      "name": "Failed SSH Login",
      "regex": "Failed password.*from ([\\d.]+)",
      "severity": "high"
    }
  ]
}

The first capture group extracts the attacker's IP address from each matching line and hands it to the IPS module for immediate mitigation. Note that the character class [\d.]+ matches only dotted IPv4 addresses, so a failed login from an IPv6 source would not be captured by this pattern.
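To show the detection step end to end, here is an added example (not the project's own code) that loads a config in the shape shown above, compiles each regex once, scans constructed auth.log lines and tallies hits per source address. The second pattern, the sample log lines and the per-IP threshold are assumptions made for illustration; the page itself shows a single pattern and no threshold.

```python
import json
import re
from collections import Counter

# Constructed config fragment in the shape of the page's config.json; the second
# pattern is an assumption added for illustration.
CONFIG_JSON = r'''
{
  "patterns": [
    {"name": "Failed SSH Login", "regex": "Failed password.*from ([\\d.]+)", "severity": "high"},
    {"name": "Invalid SSH User", "regex": "Invalid user \\S+ from ([\\d.]+)", "severity": "medium"}
  ]
}
'''

# Constructed lines in the format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Dec 19 17:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Dec 19 17:01:04 host sshd[1202]: Failed password for root from 203.0.113.5 port 51013 ssh2
Dec 19 17:01:05 host sshd[1203]: Invalid user admin from 203.0.113.5 port 51014
Dec 19 17:01:06 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51014 ssh2
Dec 19 17:02:30 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Dec 19 17:02:31 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Dec 19 17:03:00 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def load_patterns(config_text):
    """Compile every regex once at load time, so a broken pattern fails before any scanning."""
    cfg = json.loads(config_text)
    return [(p["name"], re.compile(p["regex"]), p["severity"]) for p in cfg["patterns"]]


def scan_lines(lines, patterns):
    """Return one event per (line, pattern) match; the first capture group is the source IP."""
    events = []
    for line in lines:
        for name, rx, severity in patterns:
            m = rx.search(line)
            if m:
                events.append({"name": name, "severity": severity, "ip": m.group(1), "line": line})
    return events


def offenders(events, threshold=3):
    """Count events per source IP and return those at or above the threshold. The
    threshold is an assumption added here: it keeps one mistyped password from
    turning into a firewall rule."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = scan_lines(SAMPLE_LOG.splitlines(), load_patterns(CONFIG_JSON))
    for e in evs:
        print(f"[{e['severity']}] {e['name']}: {e['ip']}")
    print("would block:", offenders(evs))
```

One detail matters once this output drives an IPS: the greedy .* in the pattern binds to the last "from" on the line, which is the one sshd writes, and that is the right choice because the username earlier on the line ("invalid user admin") is whatever the client sent.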

Getting Started

Clone the repository

git clone https://github.com/Bangkah/IDS-IPS-Tool.git
cd IDS-IPS-Tool

Install dependencies

pip install -r requirements.txt

Run the Network Sniffer (requires root)

sudo python netids_main.py config.json --iface eth0
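What the sniffer looks for once it is running: the following is an added example (not code from the repository) of the TCP SYN-scan heuristic mentioned above, a stateful detector that flags a source sending SYN-only segments to many distinct destination ports inside a short window. The thresholds, the constructed packet summaries and the replay helper are assumptions; the optional Scapy wiring uses only sniff(), IP and TCP from scapy.all.

```python
import time
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10   # TCP flag bits


class SynScanDetector:
    """Flag a source that sends SYN-only segments to many distinct destination ports
    inside a short window. Thresholds are illustrative assumptions, not project values."""

    def __init__(self, port_threshold=20, window_seconds=5.0):
        self.port_threshold = port_threshold
        self.window = window_seconds
        self.hits = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_port)
        self.alerted = set()

    def observe(self, src_ip, dst_port, tcp_flags, ts):
        """Feed one TCP segment; return True exactly once, when src_ip crosses the threshold."""
        if (tcp_flags & (SYN | ACK)) != SYN:     # only bare SYNs: new connection attempts
            return False
        q = self.hits[src_ip]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > self.window:  # expire hits older than the window
            q.popleft()
        if src_ip in self.alerted or len({p for _, p in q}) < self.port_threshold:
            return False
        self.alerted.add(src_ip)
        return True


def replay_constructed_traffic(detector):
    """Constructed (src, dport, flags, ts) summaries standing in for a live capture:
    one host sweeping ports 1-30 and one client opening two ordinary connections."""
    scanner, client = "198.51.100.9", "203.0.113.20"
    packets = [(scanner, port, SYN, 100.0 + port * 0.01) for port in range(1, 31)]
    packets += [(client, 443, SYN, 100.1), (client, 443, ACK, 100.2), (client, 80, SYN, 100.3)]
    return [src for src, dport, flags, ts in packets if detector.observe(src, dport, flags, ts)]


def sniff_with_scapy(iface, detector):
    """Wire the detector to Scapy, the sniffer library the project uses; needs root.
    Imported lazily so the detector itself carries no Scapy dependency."""
    from scapy.all import IP, TCP, sniff

    def handle(pkt):
        if IP in pkt and TCP in pkt and detector.observe(
            pkt[IP].src, pkt[TCP].dport, int(pkt[TCP].flags), time.time()
        ):
            print(f"[ALERT] possible SYN scan from {pkt[IP].src}")

    sniff(iface=iface, filter="tcp", prn=handle, store=False)


if __name__ == "__main__":
    print("alerts from constructed traffic:", replay_constructed_traffic(SynScanDetector()))
```

Call sniff_with_scapy("eth0", SynScanDetector()) as root to run it against live traffic. Feeding these alerts straight into the IPS deserves a caveat: the source address of a bare SYN is trivially spoofed, so an auto-blocking sensor can be steered into firewalling off whatever address an attacker chooses to forge.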

Lessons Learned

  • Performance: Real‑time packet sniffing demands efficient data handling to avoid packet drops.
  • Security: Validating the extracted IP (for example with Python's ipaddress module) and passing it to iptables as an argument list rather than an interpolated shell string prevents command injection.
  • Automation: Bridging the gap between “seeing an attack” and “stopping an attack” programmatically is essential for effective defense.
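On the second lesson, here is an added example (not the project's own prevention module) of the weak form beside the hardened one: the shell-string version is only constructed, never executed, while the safe path validates the address with the standard ipaddress module and builds an argv list for subprocess. The refusal to block loopback/unspecified addresses and the choice of -I over -A are design choices made here, not rules from the page.

```python
import ipaddress
import subprocess

# Constructed inputs: a legitimate attacker address and a shell-metacharacter payload.
GOOD_IP = "203.0.113.5"
EVIL_IP = "203.0.113.5; rm -rf /"


def unsafe_block_string(ip):
    """The weak form: interpolating into a shell string means anything after ';' would
    run as its own command under os.system()/shell=True. Built for contrast, never executed."""
    return f"iptables -A INPUT -s {ip} -j DROP"


def validate_ip(raw):
    """Parse with the standard library and return the canonical text form, or raise
    ValueError. Refusing loopback/unspecified (a choice made here, not a page rule)
    stops the IPS from firewalling the host off from itself."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.is_loopback or addr.is_unspecified:
        raise ValueError(f"refusing to block {addr}")
    return str(addr)


def is_blockable(raw):
    """Convenience predicate around validate_ip for callers that only need yes/no."""
    try:
        validate_ip(raw)
        return True
    except ValueError:
        return False


def block_command(raw_ip):
    """Hardened form: an argv list, so no shell ever parses the address. -I (insert)
    puts the DROP ahead of any ACCEPT already in INPUT; -A would append after it."""
    ip = validate_ip(raw_ip)
    tool = "ip6tables" if ":" in ip else "iptables"
    return [tool, "-I", "INPUT", "-s", ip, "-j", "DROP"]


def block(raw_ip, dry_run=True):
    """Apply the rule; dry_run returns the argv instead of touching the firewall."""
    argv = block_command(raw_ip)
    if not dry_run:
        subprocess.run(argv, check=True)   # shell=False by default: metacharacters stay inert
    return argv


if __name__ == "__main__":
    for candidate in (GOOD_IP, EVIL_IP, "127.0.0.1", "2001:db8::1"):
        print(candidate, "->", block(candidate) if is_blockable(candidate) else "rejected")
```

The injection payload never reaches iptables because ipaddress.ip_address() rejects it outright, and even a value that slipped through validation would be a single argv element rather than text a shell splits on ';'.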

Roadmap & Contribution

This is an ongoing project. Upcoming goals include:

  • Adding a Web Dashboard using Streamlit.
  • Telegram/Discord alert integration.
  • Support for nftables alongside iptables.

If you’re interested in cybersecurity or Python, feel free to check out the code, open an issue, or submit a PR.

GitHub Repository: Bangkah/IDS-IPS-Tool
