amisha53/NetworkIntrusion

Network Intrusion Risk Register

Traffic analysis and formal risk documentation for SYN flood attack patterns, built using Wireshark and Snort IDS on Ubuntu/Kali Linux VMs. Risk ratings are mapped to NIST Cybersecurity Framework controls.

What it does

  • Captures and analyzes SYN flood attack traffic using Wireshark
  • Detects attack signatures via Snort IDS custom rules
  • Documents findings as a formal risk register with likelihood/impact scores
  • Maps each risk to the relevant NIST CSF function and control
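
The following is an added example, not code from this repository (it is neither the project's Snort rules nor generate_report.py). It shows the detection logic behind the second bullet in Python: the same count-within-seconds test that a Snort rule with `detection_filter: track by_dst, count N, seconds S` applies, run over parsed packet records, so a threshold can be checked against a capture before it is written into syn_flood.rules. The packet records are constructed here, not taken from the project's pcap; a real capture can be mapped onto the same tuple shape with scapy or pyshark.

```python
"""SYN flood detection over parsed TCP packet records (added example).

The tuple shape, thresholds and sample traffic are assumptions for
illustration, not the project's own data.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple

SYN = 0x02  # TCP flag bits as laid out in the TCP header
ACK = 0x10


class Packet(NamedTuple):
    ts: float      # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class Alert(NamedTuple):
    ts: float
    dst: str
    dport: int
    syn_count: int


def is_bare_syn(pkt: Packet) -> bool:
    """Connection-initiating SYN (SYN set, ACK clear): the packets the Wireshark
    display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` selects."""
    return bool(pkt.flags & SYN) and not pkt.flags & ACK


def detect_syn_flood(packets: Iterable[Packet], count: int = 50,
                     seconds: float = 1.0) -> List[Alert]:
    """One alert per (dst, dport) whenever more than `count` bare SYNs fall in a
    sliding window of `seconds`, tracked by destination like Snort's
    `track by_dst`. The window is cleared after an alert so a single burst
    does not alert again on every further packet."""
    windows: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
    alerts: List[Alert] = []
    for pkt in packets:
        if not is_bare_syn(pkt):
            continue
        win = windows[(pkt.dst, pkt.dport)]
        win.append(pkt.ts)
        while win and pkt.ts - win[0] > seconds:  # expire SYNs older than the window
            win.popleft()
        if len(win) > count:
            alerts.append(Alert(pkt.ts, pkt.dst, pkt.dport, len(win)))
            win.clear()
    return alerts


def peak_syn_rate(packets: Iterable[Packet], seconds: float = 1.0) -> Dict[Tuple[str, int], int]:
    """Largest number of bare SYNs per (dst, dport) in any window of `seconds`.
    Run it over a baseline capture to pick a `count` normal traffic never reaches."""
    windows: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
    peak: Dict[Tuple[str, int], int] = defaultdict(int)
    for pkt in packets:
        if not is_bare_syn(pkt):
            continue
        key = (pkt.dst, pkt.dport)
        win = windows[key]
        win.append(pkt.ts)
        while win and pkt.ts - win[0] > seconds:
            win.popleft()
        peak[key] = max(peak[key], len(win))
    return dict(peak)


def handshake_completion(packets: Iterable[Packet]) -> Tuple[int, int]:
    """(initiated, completed) handshakes. A flow (src, sport, dst, dport) is
    initiated by a bare SYN and completed when that flow later sends a packet
    with ACK set and SYN clear (the third handshake packet). A flood from
    spoofed sources shows many initiated and almost none completed."""
    initiated, completed = set(), set()
    for pkt in packets:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_bare_syn(pkt):
            initiated.add(flow)
        elif flow in initiated and pkt.flags & ACK and not pkt.flags & SYN:
            completed.add(flow)
    return len(initiated), len(completed)


def sample_capture() -> List[Packet]:
    """Constructed traffic: one normal handshake to 10.0.0.5:80, then 120 bare
    SYNs from changing source addresses inside half a second, the shape that
    `hping3 -S --flood --rand-source` produces."""
    pkts = [
        Packet(0.000, "10.0.0.7", 40000, "10.0.0.5", 80, SYN),
        Packet(0.001, "10.0.0.5", 80, "10.0.0.7", 40000, SYN | ACK),
        Packet(0.002, "10.0.0.7", 40000, "10.0.0.5", 80, ACK),
    ]
    for i in range(120):
        pkts.append(Packet(1.0 + i * 0.004, f"198.51.100.{i % 250 + 1}",
                           1024 + i, "10.0.0.5", 80, SYN))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    for a in detect_syn_flood(cap, count=50, seconds=1.0):
        print(f"{a.ts:.3f} SYN flood to {a.dst}:{a.dport} ({a.syn_count} SYNs in window)")
    print("peak SYN rate per destination:", peak_syn_rate(cap))
    print("handshakes initiated/completed:", handshake_completion(cap))
```

`peak_syn_rate` is the tuning step: measured over a quiet baseline capture it gives the highest legitimate SYN burst a destination sees, and `count` in the rule should sit well above that so the rule alerts on the flood and not on a busy web server.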

Files

File                          Description
risk_register.csv             Full risk register with ratings and NIST CSF mappings
snort_rules/syn_flood.rules   Custom Snort rules used for detection
analysis/packet_summary.txt   Wireshark capture summary and findings
analysis/attack_timeline.txt  Reconstructed attack timeline from pcap
generate_report.py            Generates a formatted PDF risk report
requirements.txt              Python dependencies

Environment

  • Ubuntu 22.04 (target/analyst VM)
  • Kali Linux (attacker VM)
  • Wireshark 4.x
  • Snort 2.9.x

How to run

# Generate PDF risk report from CSV data
# (on Ubuntu 22.04 the commands are pip3/python3 unless python-is-python3 is installed)
pip install -r requirements.txt
python generate_report.py

NIST CSF Functions covered

  • Identify (ID): Asset inventory, risk assessment
  • Protect (PR): Access control, network segmentation
  • Detect (DE): Anomaly detection, continuous monitoring
  • Respond (RS): Incident response planning
  • Recover (RC): Recovery planning
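
The following is an added example, not the project's generate_report.py, and it does not read the project's risk_register.csv. It shows the scoring and mapping behind the risk register bullets above: each row gets score = likelihood x impact on a 5x5 matrix, a rating band, and a check that its NIST CSF function code is one of the five functions listed and that its category identifier belongs to that function. The column names, the 1-5 scales, the rating bands and the sample rows are assumptions made for illustration; the category identifiers are NIST CSF 1.1 identifiers for the controls this register covers.

```python
"""Risk register scoring and NIST CSF mapping check (added example).

Column names, scales, bands and sample rows are assumed, not the project's.
"""
import csv
import io
from typing import Dict, List, Tuple

CSF_FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                 "RS": "Respond", "RC": "Recover"}

# NIST CSF 1.1 categories for the controls listed in the README.
CSF_CATEGORIES = {
    "ID.AM": "Asset Management",
    "ID.RA": "Risk Assessment",
    "PR.AC": "Identity Management, Authentication and Access Control",
    "PR.PT": "Protective Technology",
    "DE.AE": "Anomalies and Events",
    "DE.CM": "Security Continuous Monitoring",
    "RS.RP": "Response Planning",
    "RC.RP": "Recovery Planning",
}

# Assumed bands for a 5x5 likelihood x impact matrix: (low, high, label).
RATING_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical"))

# Constructed register rows; the last three are deliberately malformed.
SAMPLE_CSV = """\
risk_id,description,likelihood,impact,csf_function,csf_category
R-01,SYN flood exhausts the target TCP backlog queue,4,4,PR,PR.PT
R-02,Flood not detected before the service degrades,3,5,DE,DE.CM
R-03,No response playbook for volumetric attacks,2,3,RS,RS.RP
R-04,Mis-keyed function code,3,3,XX,XX.01
R-05,Category filed under the wrong function,3,3,ID,PR.AC
R-06,Impact outside the 1-5 scale,2,7,RC,RC.RP
"""


def risk_score(likelihood: int, impact: int) -> int:
    """Product of two 1-5 scores; anything off-scale is a data entry error."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError(f"likelihood and impact must be 1..5, got {likelihood},{impact}")
    return likelihood * impact


def rating(score: int) -> str:
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 1..25")


def validate_mapping(function: str, category: str) -> List[str]:
    """Errors for a row's CSF mapping: unknown function code, unknown category,
    or a category whose prefix belongs to a different function."""
    errors = []
    if function not in CSF_FUNCTIONS:
        errors.append(f"unknown CSF function {function!r}")
    if category not in CSF_CATEGORIES:
        errors.append(f"unknown CSF category {category!r}")
    elif category.split(".")[0] != function:
        errors.append(f"category {category} does not belong to function {function}")
    return errors


def load_register(text: str) -> Tuple[List[dict], List[str]]:
    """Parse CSV text into scored rows; rows with any problem are reported in
    the error list and left out of the report rather than silently scored."""
    rows, errors = [], []
    for rec in csv.DictReader(io.StringIO(text)):
        problems = validate_mapping(rec["csf_function"], rec["csf_category"])
        score = None
        try:
            score = risk_score(int(rec["likelihood"]), int(rec["impact"]))
        except ValueError as exc:
            problems.append(str(exc))
        if problems:
            errors.extend(f"{rec['risk_id']}: {p}" for p in problems)
            continue
        rows.append({**rec, "score": score, "rating": rating(score)})
    return rows, errors


def summarize_by_function(rows: List[dict]) -> Dict[str, Dict[str, int]]:
    """Risk count per CSF function and rating, e.g. {"PR": {"Critical": 1}}."""
    summary: Dict[str, Dict[str, int]] = {}
    for row in rows:
        per_fn = summary.setdefault(row["csf_function"], {})
        per_fn[row["rating"]] = per_fn.get(row["rating"], 0) + 1
    return summary


if __name__ == "__main__":
    rows, errors = load_register(SAMPLE_CSV)
    for r in rows:
        print(f"{r['risk_id']} {r['score']:>2} {r['rating']:<8} "
              f"{r['csf_function']} {r['csf_category']} {CSF_CATEGORIES[r['csf_category']]}")
    print("by function:", summarize_by_function(rows))
    for e in errors:
        print("rejected:", e)
```

Rejecting malformed rows instead of scoring them matters for a register that feeds a PDF report: a mis-keyed function code or an off-scale impact would otherwise surface as a plausible-looking rating.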

Background

Lab project for CY320 (Access Control) at SEMO. SYN flood was simulated using hping3 on Kali. Wireshark filters and Snort rules were written from scratch based on observed traffic patterns.
