Defensive wireless security lab that detects suspicious 802.11 Wi-Fi activity using Python, Scapy, configurable detection rules, and Zero Trust response logic. The lab safely simulates wireless events in memory and logs SOC-style alerts without transmitting attack traffic.
Built to connect enterprise wireless networking experience with blue-team detection engineering.
I built this project to bridge enterprise wireless networking and cybersecurity detection engineering. The goal was to show how suspicious Wi-Fi behavior can be detected, scored, logged, and mapped to a Zero Trust response workflow in a safe lab environment.
| Detection | Purpose |
|---|---|
| Deauthentication flood | Identify possible wireless disruption behavior |
| Unknown wireless device | Flag untrusted MAC addresses |
| Evil twin AP | Detect suspicious SSID/BSSID mismatch behavior |
| Beacon flood | Identify abnormal beacon activity |
| Probe requests | Log suspicious discovery behavior |
| Trust-score changes | Reduce trust based on suspicious activity |
| Simulated isolation | Log guarded containment decisions |
- Simulated packets or offline PCAP packets are sent to the detector.
- Detection rules are loaded from `config/detection_rules.json`.
- Trusted devices and SSID/BSSID expectations are loaded from `config/trusted_devices.json`.
- Alerts are written to `logs/alerts.log` and `logs/alerts.jsonl`.
- Suspicious trusted devices lose trust score.
- If risk and trust thresholds allow it, simulated containment is logged.
```mermaid
flowchart LR
A[Simulated Scapy Packets / Optional PCAP] --> B[Attack Detector]
B --> C[Detection Rules]
C --> D[SOC-style Alerts]
C --> E[Zero Trust Trust Engine]
E --> F[Trust Score Update]
F --> G{Risk + Trust Threshold Met?}
G -->|Yes| H[Guarded Simulated Isolation]
G -->|No| I[Log and Continue]
H --> J[logs/alerts.log]
D --> J
J --> K[logs/alerts.jsonl]
```
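The pipeline described above, as an added example that is not the lab's own code: a self-contained Python detector that applies a sliding-window deauth-flood rule, an evil-twin SSID/BSSID check and an unknown-device check to constructed in-memory frame events, then lowers trust scores and makes a guarded containment decision. The rule and trust configs, field names, thresholds and MAC addresses are assumptions for illustration, not the contents of the lab's config files.

```python
from collections import defaultdict, deque

# Constructed configs with the same kind of information the lab keeps in
# config/detection_rules.json and config/trusted_devices.json (assumed, not the real files).
RULES = {"deauth_flood": {"threshold": 5, "window_s": 2.0, "severity": "high", "risk": 70},
         "evil_twin": {"severity": "high", "risk": 60},
         "unknown_device": {"severity": "medium", "risk": 20}}
TRUST = {"devices": {"aa:bb:cc:00:00:01": 100},        # trusted client MAC -> starting trust score
         "ssids": {"CorpWiFi": "de:ad:be:ef:00:01"},   # expected BSSID for each trusted SSID
         "penalty": 30, "min_trust": 50, "min_risk": 50,  # contain only below min_trust AND at/above min_risk
         "isolation_enabled": True}                     # safety switch: never contain when False

def detect(frames, rules=RULES, trust=TRUST):
    """Run rules over frames (dicts: t, kind, src, bssid, ssid). Returns (alerts, scores, isolated)."""
    scores, seen = dict(trust["devices"]), set()
    alerts, isolated = [], set()
    deauth_times = defaultdict(deque)   # src MAC -> deauth timestamps inside the sliding window
    for f in frames:
        hits = []
        if f["kind"] == "deauth":
            q, r = deauth_times[f["src"]], rules["deauth_flood"]
            q.append(f["t"])
            while q and f["t"] - q[0] > r["window_s"]:   # drop timestamps that aged out of the window
                q.popleft()
            if len(q) >= r["threshold"]:
                hits.append("deauth_flood")
                q.clear()                                 # one alert per flood, not one per extra frame
        elif f["kind"] == "beacon" and f["ssid"] in trust["ssids"] and f["bssid"] != trust["ssids"][f["ssid"]]:
            hits.append("evil_twin")                      # trusted SSID advertised from an unexpected BSSID
        if f["src"] not in trust["devices"] and f["src"] not in seen:
            seen.add(f["src"])
            hits.append("unknown_device")                 # reported once per untrusted MAC
        for name in hits:
            risk = rules[name]["risk"]
            alerts.append({"rule": name, "severity": rules[name]["severity"], "src": f["src"], "risk": risk})
            if f["src"] in scores:                        # only trusted devices carry a trust score to lose
                scores[f["src"]] = max(0, scores[f["src"]] - trust["penalty"])
            current = scores.get(f["src"], 0)             # unknown devices start with no trust at all
            if trust["isolation_enabled"] and current < trust["min_trust"] and risk >= trust["min_risk"]:
                isolated.add(f["src"])                    # guarded, simulated containment decision only
    return alerts, scores, isolated

def sample_frames():
    """Constructed in-memory events; in the lab these fields would come from parsed Scapy Dot11 layers."""
    tc, ap = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    fr = [{"t": 0.1 * i, "kind": "deauth", "src": tc, "bssid": ap, "ssid": None} for i in range(5)]
    fr += [{"t": 10 + 0.1 * i, "kind": "deauth", "src": tc, "bssid": ap, "ssid": None} for i in range(5)]
    fr.append({"t": 20.0, "kind": "beacon", "src": "66:77:88:99:aa:bb", "bssid": "66:77:88:99:aa:bb", "ssid": "CorpWiFi"})
    return fr
```

Two floods from the trusted client cost it 60 trust points, so only the second one crosses the containment guard; the evil-twin beacon comes from an untrusted MAC with no trust to lose and is contained on risk alone.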
In a production wireless environment, this workflow could map to:
- Wireless LAN Controller telemetry
- Cisco ISE / NAC policy decisions
- Rogue AP and client behavior monitoring
- SIEM alert ingestion
- SOAR response approval
- Identity-aware quarantine workflows
This project is intentionally built as a defensive blue-team lab, not a wireless attack toolkit. Instead of focusing on exploitation, it shows how wireless signals can flow through detection rules, risk scoring, SOC-style logging, trust-score reduction, and guarded simulated response. It is small by design: configurable enough to demonstrate real security thinking, but simple enough to read, test, and explain.
```bash
pip install -r requirements.txt
python3 run_lab.py
```

View alerts:

```bash
cat logs/alerts.log
cat logs/alerts.jsonl
```

Analyze an offline capture:

```bash
python3 src/pcap_analyzer.py --pcap path/to/wireless_capture.pcap
```

Try the small included sample:

```bash
python3 src/pcap_analyzer.py --pcap sample-data/wireless_lab_sample.pcap
```

The analyzer also handles non-wireless PCAPs and reports when no 802.11 frames are present. Only analyze captures you are authorized to use.

```bash
pip install -r requirements-dev.txt
pytest
```

Detection thresholds, severities, and cooldowns live in `config/detection_rules.json`.

Trusted devices, trusted SSID/BSSID expectations, trust penalties, and response safety controls live in `config/trusted_devices.json`.
This project demonstrates hands-on experience with:
- Wireless security detection concepts
- Python and Scapy-based packet simulation
- Zero Trust trust scoring
- SOC-style alert logging
- Detection rules and threshold tuning
- Network security response workflow design
This is a lab project, not a production wireless IDS. MAC addresses can be spoofed, thresholds need tuning, and real deployments should combine this kind of logic with controller telemetry, NAC identity, SIEM correlation, and RF context.
This project is for educational and defensive use only. Test only on systems and networks you own or have permission to assess.