Favour's Network Intrusion Detection System
Suricata IDS + Python Dashboard + Automated Response
Cybersecurity Internship - Task 3 | CodeAlpha | May 2026
I built a complete Network Intrusion Detection System using Suricata, an industry-standard open source security tool used by cybersecurity teams worldwide. I wrote custom detection rules from scratch, built a live Python web dashboard to visualize alerts, and implemented an automated response engine that sends email notifications and blocks malicious IPs automatically.
I wrote 5 custom rules that detect real cybersecurity threats (Suricata priority 1 is the most severe, so High = priority 1, Medium = 2, Low = 3):
- Ping Flood (ICMP) - Low Priority - Detects bursts of ICMP echo requests used for host discovery
- Port Scan (Any port) - Medium Priority - Detects reconnaissance across many ports from one source
- HTTP Traffic (Port 80) - Medium Priority - Flags connections to the web port so unexpected web requests become visible
- FTP Attempt (Port 21) - High Priority - Detects unauthorized attempts to reach the file transfer service
- MySQL Probe (Port 3306) - High Priority - Detects attempts to reach the database service
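Five rules of this shape, written out as an added illustration of the rule syntax (this is not the project's own custom.rules; the SIDs, thresholds, classtypes and the CUSTOM prefix are assumptions). SIDs from 1000000 upwards are reserved for local rules, and the explicit priority keyword overrides the default priority of the classtype:

```suricata
# Constructed example rules, not copied from the project.
# priority:1 = High, 2 = Medium, 3 = Low. $HOME_NET (RFC1918 by default) covers 10.0.0.1.

# Ping flood: fire once per 10 ICMP echo requests from one source within 10 seconds.
alert icmp any any -> $HOME_NET any (msg:"CUSTOM ICMP Ping Flood"; itype:8; threshold:type threshold, track by_src, count 10, seconds 10; classtype:attempted-recon; priority:3; sid:1000001; rev:1;)

# Port scan: 20 SYNs from one source to any port within 5 seconds (nmap -sT sends real SYNs).
alert tcp any any -> $HOME_NET any (msg:"CUSTOM Port Scan"; flags:S; threshold:type threshold, track by_src, count 20, seconds 5; classtype:attempted-recon; priority:2; sid:1000002; rev:1;)

# HTTP traffic: any established client-to-server connection on port 80.
alert tcp any any -> $HOME_NET 80 (msg:"CUSTOM HTTP Traffic"; flow:to_server,established; classtype:web-application-activity; priority:2; sid:1000003; rev:1;)

# FTP attempt: a SYN to port 21.
alert tcp any any -> $HOME_NET 21 (msg:"CUSTOM FTP Attempt"; flags:S; classtype:attempted-admin; priority:1; sid:1000004; rev:1;)

# MySQL probe: a SYN to port 3306.
alert tcp any any -> $HOME_NET 3306 (msg:"CUSTOM MySQL Probe"; flags:S; classtype:attempted-admin; priority:1; sid:1000005; rev:1;)
```

The threshold keyword keeps a single ping or scan from producing hundreds of alerts; without it every packet of a port scan would become its own fast.log line and, through the response engine, its own email.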
Built a real-time web dashboard that displays total alerts by category, color-codes threats by severity, auto-refreshes every 10 seconds, shows the last 10 alerts with timestamps and runs on http://localhost:8080.
Built a Python response engine that watches Suricata logs in real time, sends email alerts for low and medium threats and automatically blocks IPs for critical threats using iptables. It runs alongside the dashboard.
- Ping flood detection confirmed working
- Port scan detection confirmed working
- HTTP traffic detection confirmed working
- FTP attempt detection confirmed working
- MySQL probe detection confirmed working
- Auto IP blocking confirmed working
- Email notifications confirmed working
- Live dashboard displaying real alerts
- Timestamps on every alert
- Network traffic flows into the Suricata engine which detects suspicious activity and writes alerts to fast.log.
- The dashboard reads this log file and displays live alerts in the browser with color coded severity levels.
- The response engine reads the same log file simultaneously. For low and medium threats it sends email notifications. For critical threats it automatically blocks the IP address using iptables and also sends an email alert.
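The response logic described above, as an added example (this is not the project's response_engine.py). The fast.log lines are constructed in Suricata's fast.log format; the SIDs, rule messages, the 192.168.56.20 attacker address, the mail addresses and the "priority 1 = block, 2 and 3 = email" mapping are assumptions for this example. Two things a practitioner wants here that the description does not spell out: an allowlist so the engine never firewalls the monitored host itself (on a loopback test bed the "attacker" IP is 10.0.0.1 or 127.0.0.1, and a DROP rule for it would cut off the dashboard and every further test), and de-duplication so a scan from an already-blocked source does not add a rule and an email per alert.

```python
"""Minimal Suricata fast.log response logic (added example, not the project's code)."""
import re
import smtplib
import subprocess
from dataclasses import dataclass
from email.message import EmailMessage

# Constructed sample alerts in fast.log format (SIDs, messages and the
# 192.168.56.20 address are assumed). The last line is deliberate noise.
SAMPLE_FAST_LOG = """\
05/12/2026-10:15:32.104512  [**] [1:1000001:1] CUSTOM ICMP Ping Flood [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 10.0.0.1:8 -> 10.0.0.1:0
05/12/2026-10:15:40.220731  [**] [1:1000002:1] CUSTOM Port Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.20:44321 -> 10.0.0.1:22
05/12/2026-10:15:41.002918  [**] [1:1000005:1] CUSTOM MySQL Probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.56.20:44322 -> 10.0.0.1:3306
05/12/2026-10:15:42.557001  [**] [1:1000004:1] CUSTOM FTP Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.56.20:44323 -> 10.0.0.1:21
05/12/2026-10:15:50.000123  [**] [1:1000004:1] CUSTOM FTP Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.1:51000 -> 10.0.0.1:21
this line is not an alert and must be ignored
"""

# One fast.log record: timestamp, [gid:sid:rev], msg, optional classification,
# priority, protocol, src:port -> dst:port (ICMP prints type:code as the ports).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Never firewall the host itself or the loopback test address (assumed list).
NEVER_BLOCK = {"127.0.0.1", "::1", "10.0.0.1"}
# Assumed policy: priority 1 -> block + email, 2 and 3 -> email only.
BLOCK_AT_PRIORITY = 1


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: int


def parse_fast_log_line(line: str):
    """Return an Alert for a fast.log line, or None for lines that are not alerts."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]), m["proto"],
                 m["src"], m["dst"], int(m["dport"]))


def build_email(alert: Alert) -> EmailMessage:
    """Compose the notification; sending is separate so the policy can be dry-run."""
    msg = EmailMessage()
    msg["Subject"] = f"[IDS] priority {alert.priority}: {alert.msg} from {alert.src}"
    msg["From"] = "ids-alerts@example.invalid"   # assumed sender
    msg["To"] = "analyst@example.invalid"        # assumed recipient
    msg.set_content(f"{alert.ts} sid={alert.sid} {alert.proto} "
                    f"{alert.src} -> {alert.dst}:{alert.dport}")
    return msg


def send_email(msg: EmailMessage, dry_run: bool) -> None:
    if dry_run:
        return
    # Gmail with an App Password, as the README uses; credentials are placeholders.
    with smtplib.SMTP_SSL("smtp.gmail.com", 465) as s:
        s.login("you@gmail.com", "app-password")
        s.send_message(msg)


def block_ip(ip: str, dry_run: bool) -> None:
    """Insert a DROP rule unless an identical one exists (iptables -C exits 0 if it does)."""
    rule = ["INPUT", "-s", ip, "-j", "DROP"]
    if dry_run:
        return
    if subprocess.run(["iptables", "-C", *rule], capture_output=True).returncode != 0:
        subprocess.run(["iptables", "-I", *rule], check=True)


def decide(alert: Alert, blocked: set) -> str:
    """Pick the response for one alert: 'block', 'email' or 'skip' (already blocked)."""
    if alert.priority <= BLOCK_AT_PRIORITY and alert.src not in NEVER_BLOCK:
        return "skip" if alert.src in blocked else "block"
    return "email"


def process_log(text: str, dry_run: bool = True):
    """Apply the policy to fast.log text; returns one (action, src_ip) pair per alert."""
    blocked, actions = set(), []
    for line in text.splitlines():
        alert = parse_fast_log_line(line)
        if alert is None:
            continue
        action = decide(alert, blocked)
        if action == "block":
            block_ip(alert.src, dry_run)
            blocked.add(alert.src)
        if action in ("block", "email"):
            send_email(build_email(alert), dry_run)
        actions.append((action, alert.src))
    return actions


if __name__ == "__main__":
    for action, ip in process_log(SAMPLE_FAST_LOG, dry_run=True):
        print(f"{action:5s} {ip}")
```

Run as-is it only prints the decisions; with dry_run=False it needs root for iptables and real SMTP credentials. Because Suricata captures with AF_PACKET, it still sees packets from a source that iptables is already dropping, which is why the "skip" path matters: without it every later alert from a blocked scanner would generate another email.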
Before this project I had never set up an IDS. Now I understand:
- How Suricata rules are structured and written
- The difference between IDS and IPS
- How cybersecurity analysts monitor threats 24/7
- Why certain ports are considered dangerous
- How to think like an attacker to write better rules
- How to build monitoring and response tools in Python
- How automated incident response works in practice
- Kali Linux
- Suricata 8.0.4
- Python 3
- Firefox browser
- Gmail account with App Password
- sudo apt install suricata -y
- sudo nano /etc/suricata/rules/custom.rules
- Add the full path /etc/suricata/rules/custom.rules to the rule-files list in /etc/suricata/suricata.yaml, then check that the configuration and rules load with sudo suricata -T -c /etc/suricata/suricata.yaml
Step 1 - Start Suricata:
sudo suricata -c /etc/suricata/suricata.yaml -i lo
Step 2 - Start the dashboard:
python3 ~/suricata-ids/suricata_dashboard.py
Step 3 - Start the response engine:
sudo python3 ~/suricata-ids/response_engine.py
Step 4 - Open the browser at:
http://localhost:8080
Step 5 - Trigger test alerts:
ping -c 10 10.0.0.1
nmap -sT 10.0.0.1
ftp 10.0.0.1
mysql -h 10.0.0.1
- suricata_dashboard.py - Python live web dashboard
- response_engine.py - Automated alert and block system
- custom.rules - 5 custom Suricata detection rules
- README.md - This file
VM Network Limitations
Suricata could not capture on eth0 due to VM kernel constraints. Fixed by switching to the loopback interface and adding the virtual IP 10.0.0.1 to it for safe testing (for example sudo ip addr add 10.0.0.1/32 dev lo).
Python CSS Conflict
The dashboard crashed because the curly braces in the CSS were read as placeholders by Python's str.format. Fixed by doubling every CSS brace ({{ and }}) in the HTML template so they are emitted literally.
Gmail Authentication
Email alerts failed when using a business Gmail account. Fixed by switching to a personal Gmail account with an App Password configured.
Dashboard Choice - Python vs ELK Stack
The industry-standard dashboard for Suricata is the ELK Stack (Elasticsearch, Logstash and Kibana). However, ELK requires significant system resources, a minimum of 4GB RAM, which exceeded my system specifications. Instead I built a lightweight Python dashboard from scratch using only Python's built-in HTTP server library. This demonstrated deeper programming knowledge than installing ELK would have, and shows I can build monitoring tools from scratch when needed.
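A dashboard of the kind described above (severity totals, the last 10 alerts, a 10-second refresh, served by the standard library on localhost:8080), as an added example that is not the project's suricata_dashboard.py. The template shows the brace fix from the CSS conflict: every CSS brace is doubled so str.format leaves it alone. The log path, colours and sample lines in the test are assumptions. One caveat the original description does not mention: fast.log content is attacker-influenced (rule messages and, for some rules, payload-derived text), so it is HTML-escaped before it is put in the page.

```python
"""Tiny fast.log dashboard on http.server (added example, not the project's code)."""
import html
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

FAST_LOG = "/var/log/suricata/fast.log"   # assumed location of Suricata's fast.log
PRIORITY_RE = re.compile(r"\[Priority: (\d)\]")
SEVERITY = {1: ("high", "#c0392b"), 2: ("medium", "#e67e22"), 3: ("low", "#27ae60")}

# CSS braces are doubled so str.format treats them as literal text;
# only {counts} and {rows} are placeholders.
PAGE = """<!doctype html>
<html><head><meta charset="utf-8"><meta http-equiv="refresh" content="10">
<title>Suricata alerts</title>
<style>
  body {{ font-family: sans-serif; }}
  td, th {{ padding: 4px 8px; text-align: left; }}
</style></head>
<body><h1>Suricata alerts</h1>
<p>{counts}</p>
<table><tr><th>Severity</th><th>Alert</th></tr>
{rows}
</table></body></html>
"""


def severity_of(line: str):
    """Map a fast.log line to (name, colour) by its [Priority: N] field, or None."""
    m = PRIORITY_RE.search(line)
    return SEVERITY.get(int(m.group(1))) if m else None


def render(lines, last_n=10) -> str:
    """Build the page from raw fast.log lines: totals per severity, newest last_n alerts."""
    counts = {"high": 0, "medium": 0, "low": 0}
    alerts = []
    for line in lines:
        sev = severity_of(line)
        if sev is None:
            continue
        counts[sev[0]] += 1
        alerts.append((sev, line.rstrip()))
    rows = "\n".join(
        f'<tr style="color:{color}"><td>{name}</td><td>{html.escape(text)}</td></tr>'
        for (name, color), text in alerts[-last_n:]
    )
    summary = " | ".join(f"{k}: {v}" for k, v in counts.items())
    return PAGE.format(counts=summary, rows=rows)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            with open(FAST_LOG, encoding="utf-8", errors="replace") as f:
                body = render(f.readlines())
        except FileNotFoundError:
            body = render([])
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Bind to localhost only: the page is an internal tool, not something to expose.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Reading the whole file on every request is fine for a test bed; on a busy sensor you would tail the file or read eve.json, but the escaping and the doubled braces apply either way.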
All testing was performed on a virtual loopback interface to ensure no real network traffic or private IP addresses were exposed publicly.
This project is for educational purposes only. Only use it on networks and systems you own or have explicit permission to monitor. Never use these techniques on unauthorized networks.
Cybersecurity analysts use IDS tools like Suricata daily to monitor network traffic for threats around the clock, get alerted when attackers probe their network, automatically respond to critical threats and investigate and document security incidents. This project gave me hands-on experience with the exact tools and workflows used in real cybersecurity environments.
Favour Ugochi Ogbonnaya
Cybersecurity Intern | CodeAlpha
Task 3: Network Intrusion Detection System
May 2026
LinkedIn: https://www.linkedin.com/in/favour-ogbonnaya-0043422b5



