SPHERE Edge IDS/IPS Lab (public)

A reproducible edge intrusion-detection / prevention lab on the SPHERE (MergeTB) testbed.

Topology (4 nodes): a compromised edge device and a benign edge device share an edge LAN with a gateway; the gateway mirrors edge-LAN traffic to a Suricata sensor.

  • edge — runs a multi-stage attack: reconnaissance (SYN/FIN/XMAS scans) → web exploitation (path traversal, SQL injection, malicious user-agent) → SSH brute force → DNS-tunnel exfiltration.
  • edge2 — benign baseline (normal web + ping).
  • gw — gateway hosting a victim web service and a software traffic mirror (tc) to the sensor.
  • mon — Suricata IDS with categorized rules logging to eve.json.

What you get: Run the weave to recreate the experiment (push model → realize → materialize). A bundled Jupyter notebook deploys the tooling, then analyzes and visualizes the alerts (topology graph, alerts by signature/category, severity, top talkers, attack graph, timeline) and runs a closed-loop IPS that auto-blocks the attacker on the gateway while the benign device keeps working.

Requires a SPHERE project with moddeter access.

Views: 10
Downloads: 7 active (0 retired)
Versions: 1
Last Updated: June 29, 2026, 12:02 a.m.
Version history:

  • Version: 2026-06-28
  • Created: June 28, 2026, 11:40 p.m.
  • URN: urn:fabric:contents:renci:5175cc90-96b6-40c0-81cc-821b7c2140cf
  • Downloads: 7
University of North Carolina at Chapel Hill — kthare10@email.unc.edu