A comprehensive Proof of Concept (POC) for detecting malware, analyzing network traffic, and automating responses using Zeek, Docker, and AI agents.
Think of this as a smart security camera system for your network:
- 📱 Devices Send Traffic → IoT devices, laptops, and containers communicate normally
- 🎥 Monitor Watches Everything → Network monitor captures all traffic (like a CCTV camera)
- 🧠 AI Analyzes Behavior → Zeek + AI Agent detect suspicious patterns (malware, attacks, anomalies)
- 🚨 Alerts & Response → Dashboard shows threats + Auto-isolates bad actors to honeypot
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ Docker Network: custom_net │
│ (192.168.6.0/24) │
│ │
│ ┌──────────────────────┐ ┌──────────────────────┐ ┌──────────────────────┐ │
│ │ Monitor Server │◄────────┤ Normal Devices │ │ Attackers │ │
│ │ (network-monitor) │ │ (IoT Simulators) │ │ (Malware/DoS/SSH) │ │
│ │ │ │ │ │ │ │
│ │ IP: 192.168.6.131 │ │ IP: 192.168.6.10-16 │ │ IP: 192.168.6.200+ │ │
│ │ │ │ │ │ │ │
│ │ Services: │ │ Behavior: │ │ Behavior: │ │
│ │ • Zeek (Traffic Log) │ │ • Send Sensor Data │ │ • Upload Malware │ │
│ │ • tcpdump (Capture) │ │ • Regular Heartbeat │ │ • Brute Force SSH │ │
│ │ • Flask API (:5000) │ │ • Valid Requests │ │ • DoS Flooding │ │
│ └──────────┬───────────┘ └──────────────────────┘ └──────────────────────┘ │
│ │ │
└─────────────┼───────────────────────────────────────────────────────────────────────────┘
│
│ Traffic Logs (conn.log, files.log)
▼
┌─────────────────────────────┐ ┌───────────────────────────────────────────────────┐
│ Host Machine (Windows) │ │ Docker Network: honeypot_net │
│ │ │ (172.18.0.0/16) │
│ ┌───────────────────────┐ │ │ │
│ │ MCP Agent │ │ │ ┌──────────────────────┐ │
│ │ (Python/Claude AI) │ │ │ │ Beelzebub Honeypot │ │
│ │ │ │ │ │ │ │
│ │ Actions: │ │ │ │ IP: 172.18.0.2 │ │
│ │ 1. Read Zeek Logs │──┼──────►│ │ │ │
│ │ 2. Check File Hashes │ │ DNAT │ │ Services: │ │
│ │ 3. Reroute Traffic │ │ Rule │ │ • SSH (LLM Powered) │ │
│ └───────────────────────┘ │ │ │ • HTTP / FTP / SQL │ │
│ │ │ └──────────▲───────────┘ │
│ ┌───────────────────────┐ │ │ │ │
│ │ Dashboard │ │ └─────────────┼─────────────────────────────────────┘
│ │ (Flask Web UI) │ │ │
│ │ │ │ │
│ │ • http://localhost:5000 │ │
│ └───────────────────────┘ │ │
└─────────────────────────────┘ │
│
Attacker Traffic Redirected (DNAT) ────────┘
scripts/start_all.shWhat happens:
- ✅ Creates
custom_net(192.168.6.0/24) andhoneypot_net - ✅ Starts Network Monitor (192.168.6.131) with Zeek & tcpdump
- ✅ Starts Honeypot (172.18.0.2) with LLM integration
- ✅ Starts Dashboard on host (localhost:5000)
Scenario A: Normal IoT Device
IoT Device (192.168.6.10) Monitor (192.168.6.131)
│ │
│ 1. Send Sensor Data (JSON) │
├──────────────────────────────────────────►│
│ POST /api/device/data │
│ │
│◄──────────────────────────────────────────┤
│ 200 OK │
Result: Zeek logs "Normal" traffic. Agent sees no threat.
Scenario B: Malware Attack
Malware Attacker (192.168.6.200) Monitor (192.168.6.131)
│ │
│ 1. Upload Malicious File (APK/EXE) │
├──────────────────────────────────────────►│
│ POST /api/firmware/update │
│ [Malicious Payload] │
│ │
│◄──────────────────────────────────────────┤
│ 200 OK (File received) │
Result: Zeek extracts file hash. Agent detects threat.
Automatic Process (Every 30s):
- Zeek rotates logs (
conn.log,files.log) tonetwork/zeek_logs/ - MCP Agent reads the new logs
- Agent sees file upload from
192.168.6.200 - Agent checks hash against MalwareBazaar Database
- Agent confirms: "
⚠️ MALWARE DETECTED (Trojan.AndroidOS)"
Action Taken:
- Agent triggers Isolation Protocol
- Applies iptables DNAT Rule on the Host/Router:
iptables -t nat -A PREROUTING -s 192.168.6.200 -j DNAT --to-destination 172.18.0.2
- Attacker is now silently rerouted to Honeypot
The honeypot uses Ollama (LLM) to generate realistic responses, fooling the attacker into thinking they have breached a real system.
┌──────────────────────┐ ┌──────────────────────┐
│ Malware Attacker │ │ Beelzebub Honeypot │
│ (192.168.6.200) │ │ (172.18.0.2) │
└──────────┬───────────┘ └──────────┬───────────┘
│ │
│ 1. SSH Login Attempt │
│ "ssh root@192.168.6.201" │
├──────────────────────────────────────────►│
│ │
│ │ 2. Honeypot asks LLM:
│ │ "User ran 'ssh root'. Generate a
│ │ realistic Ubuntu login prompt."
│ │
│ 3. LLM Generates Response │◄────────────────────────┐
│ "Welcome to Ubuntu 22.04 LTS..." │ │
│◄──────────────────────────────────────────┤ │
│ │ │
│ 4. Attacker runs command │ │
│ "cat /etc/passwd" │ │
├──────────────────────────────────────────►│ │
│ │ │
│ │ 5. Honeypot asks LLM: │
│ │ "User ran 'cat /etc/passwd'. │
│ │ Generate fake file content."│
│ │ │
│ 6. LLM Generates Fake File │◄────────────────────────┘
│ "root:x:0:0:root:/root:/bin/bash..." │
│◄──────────────────────────────────────────┤
│ │
▼ ▼
Attacker is fooled! Interaction Logged
Result: Attacker wastes time attacking a decoy while you collect evidence.
📱 Device → 🌐 Network → 🖥️ Monitor → ✅ Allowed
- IoT devices send sensor data every 10 seconds
- Monitor server receives and logs the data
- Everything operates normally
💀 Attacker → 🌐 Network → 🖥️ Monitor → 🎥 Captured
- Malware Attacker: Uploads suspicious files (APK, EXE)
- DoS Attacker: Floods network with packets
- SSH Attacker: Tries brute force login
- All traffic is captured by tcpdump
📦 PCAP File → 🧪 Zeek → 📋 Logs (conn.log, files.log, http.log)
- Zeek processes captured packets
- Extracts connection details, file hashes, HTTP requests
- Logs stored in
network/zeek_logs/session_TIMESTAMP/
📋 Zeek Logs → 🤖 AI Agent → 🔍 Analysis
AI Agent analyzes using MCP Tools:
- 🔧 read_zeek_logs → Reads network traffic logs
- 🔧 check_malware_hash → Verifies file signatures against MalwareBazaar
- 🔧 docker_command → Checks container status
- 🔧 move_device_to_honeypot → Isolates threats
Detection Methods:
- Behavioral Anomalies: Regular intervals, high frequency, unusual endpoints
- Signature Matching: File hash verification (SHA256)
- Traffic Patterns: Data exfiltration, C2 beacons, port scanning
🚨 Threat Detected → 🚫 iptables Rules → 🍯 Honeypot Isolation
When threat is confirmed:
- Dashboard shows alert with evidence
- User clicks "Reroute to Honeypot"
- System applies iptables DNAT rules
- Attacker's traffic redirected to isolated network
- Honeypot logs all attacker behavior safely
Network_Security_poc/
├── attackers/ # Attack simulation containers
│ ├── dos_attacker/ # Denial of Service simulator
│ ├── endpoint_behavior/ # Endpoint behavior simulator
│ ├── malware_attacker/ # Malware upload simulator
│ └── ssh_attacker/ # SSH brute force simulator
├── dashboard/ # Web interface (Flask)
│ ├── app.py # Main application
│ ├── static/ # JS, CSS
│ └── templates/ # HTML templates
├── devices/ # IoT device simulators
├── honey_pot/ # Beelzebub Honeypot
│ ├── docker-compose.yml # Honeypot configuration
│ └── logs/ # Honeypot interaction logs
├── malware_db/ # Malware hash database & YARA rules
├── mcp_agent/ # AI Agent (MCP Server & Client)
│ ├── client/ # Agent logic
│ └── server/ # MCP server implementation
├── network/ # Network monitoring (Zeek)
│ ├── zeek/ # Zeek scripts
│ └── zeek_logs/ # Traffic logs
├── scripts/ # Utility scripts
└── tests/ # Test scripts
Run the setup script to initialize the environment:
scripts/initial_setup.batLaunch all containers and services:
scripts/start_all.shOpen your browser and navigate to:
http://localhost:5000
Start the AI agent to monitor traffic:
mcp_agent/RUN_AGENT.batWhat it does: Acts as the "security camera" recording all network traffic
- Runs on Docker container at
192.168.6.131:5000 - Uses
tcpdumpto capture all packets on the network - Zeek processes PCAP files every 30 seconds
- Generates detailed logs:
conn.log,http.log,files.log,dns.log
- Malware Attacker (192.168.6.200): Uploads real malware APK files
- DoS Attacker (192.168.6.132): Simulates high-volume packet flooding
- SSH Attacker: Attempts brute force login
- Role: Decoy system to trap attackers
- Features: AI-powered responses (LLM), SSH emulation, HTTP emulation
- Integration: Connected to dashboard for real-time monitoring
- Role: Intelligent analysis and response
- Capabilities:
- Reads Zeek logs
- Checks file hashes against malware database
- Executes Docker commands
- Manages iptables rules for isolation
- Real-time Traffic Map: Visualizes network flow
- Threat Alerts: Instant notifications of detected attacks
- Honeypot Logs: View attacker interactions
- LLM Responses: See how the AI honeypot responds to attackers
- Control Panel: Start/Stop simulators, Reroute IPs
All utility scripts are located in the scripts/ directory:
start_all.sh: Start the entire systemapply_dnat_reroute.bat: Manually reroute an IP to the honeypotinitial_setup.bat: First-time setupdiagnose.bat: Troubleshoot issues
Run tests located in the tests/ directory:
test_gemini.py: Test LLM connectiontest_ssh_llm_connection.py: Test SSH honeypot connectivity
Developed for Network Security Research
- Hash:
a864d996cb...(known malware signature)
Detection Method: File hash matching against MalwareBazaar database
Purpose: Tests network flooding detection
Behavior:
- Sends 100+ packets per second using
hping3 - SYN flood attack on port 5000
- Overwhelms network monitor
Detection Method: High connection frequency in conn.log
Purpose: Tests authentication attack detection
Behavior:
- Attempts SSH login with common passwords
- Uses wordlist of 100+ credentials
- Targets monitor server (192.168.6.131:22)
Detection Method: Repeated failed connection attempts
Purpose: Tests behavioral anomaly detection (no real malware)
Simulates 9 malicious behaviors:
- C2 Beacon → Regular callbacks every 2s
- Data Exfiltration → Large uploads to cloud
- DNS DGA → Random domain queries
- Port Scanning → Sequential port probing
- API Abuse → High-frequency API calls
- Credential Harvesting → /etc/passwd reads
- Privilege Escalation → Sudo attempts
- Lateral Movement → Internal network scans
- Data Staging → File compression
Detection Method: Behavioral pattern analysis (timing, frequency, endpoints)
URL: http://localhost:5100
Pages:
- Overview → System status, container counts, network health
- Network Map → Visual topology with all devices and IPs
- Monitor → Start/stop Zeek monitor, view logs
- Devices → Create/delete IoT simulators
- Honeypot → Beelzebub control, reroute threats, attacker analytics
- Attackers → Start/stop attack simulations
- AI Agent → Chat with AI for threat analysis
- Logs → Device data, monitor logs, honeypot attacks
Key Features:
- Real-time status updates every 5 seconds
- One-click threat isolation
- AI-powered security analysis
- Network topology visualization
- Tool execution tracking
Model: glm-4.5 (Claude 3.5 Sonnet via Anthropic API)
Framework: MCP (Model Context Protocol) with FastMCP
Capabilities:
- Reads Zeek logs and analyzes traffic patterns
- Detects behavioral anomalies without signatures
- Verifies file hashes against MalwareBazaar
- Executes Docker commands via WSL
- Provides evidence-based threat reports
20 MCP Tools Available:
📁 File System: read_file, write_file, list_directory
💻 System: run_command, run_powershell, run_batch_file
🐧 WSL/Linux: wsl_command, wsl_bash_script, wsl_read_file
🐳 Docker: docker_command
🛡️ Security: read_zeek_logs, check_malware_hash, move_device_to_honeypot
Workflow:
- User asks: "Analyze latest logs for threats"
- AI uses
🔧 read_zeek_logs→ Gets latest session data - AI analyzes behavior → Detects anomalies
- AI uses
🔧 check_malware_hash→ Verifies suspicious files - AI uses
🔧 docker_command→ Checks container status - AI generates report with evidence and recommendations
Network: Isolated honeypot_net (192.168.7.0/24)
Purpose: Safely trap and study attackers
How Isolation Works:
- AI detects threat on main network (192.168.6.x)
- User clicks "Reroute to Honeypot" on dashboard
- System applies
iptables DNATrules:iptables -t nat -A PREROUTING -s 192.168.6.132 -j DNAT --to-destination 192.168.7.3
- All attacker traffic redirected to honeypot
- Attacker thinks they're still on main network
- Honeypot logs all actions (commands, credentials, HTTP requests)
Honeypot Services:
- SSH (port 2223)
- HTTP (ports 8080, 8081, 8443)
- FTP (port 2121)
- MySQL (port 3306)
- PostgreSQL (port 5432)
Attacker Analytics:
- Unique IPs detected
- Credentials attempted
- Commands executed
- HTTP paths accessed
- Protocols used
nNetwork_Security_poc/ attackers/ # Docker containers for attack simulation malware_attacker/ # Sends malware samples dos_attacker/ # Performs DoS attacks dashboard/ # Flask-based web UI network/ # Zeek monitor configuration zeek/ # Zeek scripts (local.zeek, monitor.sh) zeek_logs/ # Generated logs honey_pot/ # Beelzebub honeypot setup docs/ # Documentation scripts/ # Utility scripts for setup/maintenance n
- Docker & Docker Compose
- WSL2 (if on Windows)
-
Start the System:
Bash cd Network_Security_poc ./scripts/start_all.sh -
Access Dashboard: Open http://localhost:5001 in your browser.
-
Simulate Attack:
- Go to the Dashboard.
- Click 'Start Malware Attacker'.
- Watch the Zeek Logs panel for files.log entries showing the detected hashes.
Zeek logs are stored in network/zeek_logs/.
- files.log: Details of transferred files (MD5, SHA1, SHA256).
- http.log: Web traffic details.
- conn.log: All TCP/UDP connections.
- Hash Extraction: The system extracts X-Original-Hash headers to verify file integrity even if the transfer is incomplete.
- Automated Isolation: Capable of rewriting iptables rules to quarantine attackers.