SPHERE Edge IDS/IPS Lab (public)
A reproducible edge intrusion-detection / prevention lab on the SPHERE (MergeTB) testbed.
Topology (4 nodes): a compromised edge device and a benign edge device share an edge LAN with a gateway; the gateway mirrors edge-LAN traffic to a Suricata sensor.
- edge — runs a multi-stage attack: reconnaissance (SYN/FIN/XMAS scans) → web exploitation (path traversal, SQL injection, malicious user-agent) → SSH brute force → DNS-tunnel exfiltration.
- edge2 — benign baseline (normal web + ping).
- gw — gateway hosting a victim web service and a software traffic mirror (tc) to the sensor.
- mon — Suricata IDS with categorized rules logging to eve.json.
What you get: Run the weave to recreate the experiment (push model → realize → materialize). A bundled Jupyter notebook deploys the tooling, then analyzes and visualizes the alerts (topology graph, alerts by signature/category, severity, top talkers, attack graph, timeline) and runs a closed-loop IPS that auto-blocks the attacker on the gateway while the benign device keeps working.
Requires a SPHERE project with moddeter access.
Views: 10
Downloads: 7 active (0 retired)
Versions: 1
Last Updated: June 29, 2026, 12:02 a.m.
Versions
| Version | Created | URN | Downloads |
|---|---|---|---|
| 2026-06-28 | June 28, 2026, 11:40 p.m. | urn:fabric:contents:renci:5175cc90-96b6-40c0-81cc-821b7c2140cf | 7 |
Authors
University of North Carolina at Chapel Hill (kthare10@email.unc.edu)