Detress is a lightweight Network Detection & Response (NDR) platform designed for SOC training, security labs, and Blue Team experimentation.
It provides:
- Real-time packet metadata capture (Scapy)
- A simple but realistic analysis/rule engine (FastAPI)
- A minimal dashboard for traffic & alert visibility
```text
┌──────────────────────────────────────────────┐
│                   Detress                    │
└──────────────────────────────────────────────┘

          ┌─────────────┐
          │ Frontend UI │  Web Dashboard (Vanilla JS)
          └──────┬──────┘
                 │  polls traffic / alert API every few seconds
                 ▼
          ┌─────────────┐
          │ Backend API │  FastAPI (REST / JSON)
          └──────┬──────┘
                 │  ingested events
                 ▼
      ┌────────────────────┐
      │ Analysis Pipeline  │
      │  - Rules engine    │
      │  - Behavior checks │
      └────────────────────┘
                 ▲
                 │  JSON events (POST /traffic)
                 │
      ┌────────────────────────────┐
      │ Capture Agent (Scapy)      │
      │ Extracts packet metadata   │
      └────────────────────────────┘
```
The backend exposes REST endpoints for ingestion and alert retrieval, the capture module streams network metadata to the API, and the dashboard polls the backend every few seconds to display recent flows and alerts.
The capture agent provides:
- Live packet sniffing
- Metadata extraction only (IP addresses, ports, protocol, packet size, timestamps); payloads are not forwarded
- Lightweight JSON events sent to the backend
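To make the "metadata only" contract concrete, here is an added example that is not the project's capture agent: a dependency-free parser that turns a raw Ethernet/IPv4/TCP or UDP frame into the kind of JSON event described above and posts it to the backend. Detress does this with Scapy; the event field names (`ts`, `src_ip`, `dst_ip`, `src_port`, `dst_port`, `protocol`, `size`) and the `/traffic` request shape are assumptions about its schema, not the real one. The sample frame is constructed in code so the block runs offline.

```python
# Added example, not Detress's capture/main.py. The project uses Scapy; this
# stand-in parses raw frames with struct so it runs without dependencies.
# Event field names and the POST body format are ASSUMED, not the project's.
import json
import struct
import time
import urllib.request
from typing import Optional

ETH_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def packet_to_event(frame: bytes, ts: Optional[float] = None) -> Optional[dict]:
    """Extract IPs, ports, protocol and size from a raw Ethernet frame.

    Returns None for anything that is not IPv4. Payload bytes are never
    copied into the event, so only metadata leaves the host.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _flags, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    l4 = ip[ihl:ihl + 4]
    src_port = dst_port = None
    if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with the two ports
        src_port, dst_port = struct.unpack("!HH", l4)
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
        "src_port": src_port,
        "dst_port": dst_port,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "size": len(frame),
    }


def send_event(event: dict, url: str = "http://127.0.0.1:8000/traffic") -> int:
    """POST one event as JSON; returns the HTTP status. Needs a running backend."""
    body = json.dumps(event).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                    payload: bytes = b"") -> bytes:
    """Construct a synthetic Ethernet/IPv4/TCP SYN frame for offline testing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)          # zero MACs, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, 0x02, 65535, 0, 0) + payload      # data offset 5, SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


if __name__ == "__main__":
    # Constructed sample: a client connecting to SSH on a lab host.
    sample = build_tcp_frame("10.0.0.5", "10.0.0.9", 51234, 22, b"SSH-2.0-test")
    print(json.dumps(packet_to_event(sample, ts=1.0)))
```

Real sniffing needs raw-socket privileges (root or CAP_NET_RAW); the parser itself does not, which is why the frame is built in code here rather than captured.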
A simple but realistic SOC-style rule engine:
- Port scan detection (burst analysis)
- Sensitive port access alerts
- Time-window based checks
- Basic behavioral rules (extensible)
Rules are cleanly separated and easy to extend.
Alerts carry:
- Severity levels (low / medium / high)
- Categories for quick triage
- Real-time generation
- In-memory storage only (for demonstration purposes; alerts are lost on restart)
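The two rule families listed above (burst-style port scan detection over a time window, and sensitive port access) and the alert shape (severity, category, in-memory store) are shown together in this added example, which is not Detress's backend code. The event schema, the sensitive-port list, and the scan thresholds are assumptions chosen for illustration; the events it runs over are constructed inline.

```python
# Added example, not Detress's backend/main.py. Event field names, the
# SENSITIVE_PORTS list and the scan thresholds are ASSUMED for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Ports whose access alone is worth an alert (assumed list).
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Port-scan rule: at least SCAN_THRESHOLD distinct destination ports from one
# source within SCAN_WINDOW seconds (assumed values).
SCAN_WINDOW = 10.0
SCAN_THRESHOLD = 15
MAX_ALERTS = 50          # matches the "last 50 alerts" the dashboard shows


@dataclass
class Alert:
    ts: float
    severity: str        # low / medium / high
    category: str        # for quick triage
    src_ip: str
    detail: str


@dataclass
class RuleEngine:
    # In-memory ring buffer: oldest alerts fall off once MAX_ALERTS is reached.
    alerts: Deque[Alert] = field(default_factory=lambda: deque(maxlen=MAX_ALERTS))
    # Per-source sliding window of (timestamp, dst_port) for the scan rule.
    _ports: Dict[str, Deque[Tuple[float, int]]] = field(
        default_factory=lambda: defaultdict(deque))
    # When each source was last reported as a scanner, to avoid one alert per packet.
    _last_scan_alert: Dict[str, float] = field(default_factory=dict)

    def ingest(self, ev: dict) -> List[Alert]:
        """Run every rule over one event; return the alerts it produced."""
        fired = self._sensitive_port(ev) + self._port_scan(ev)
        self.alerts.extend(fired)
        return fired

    def _sensitive_port(self, ev: dict) -> List[Alert]:
        svc = SENSITIVE_PORTS.get(ev["dst_port"])
        if svc is None or ev["protocol"] != "TCP":
            return []
        return [Alert(ev["ts"], "medium", "sensitive-port", ev["src_ip"],
                      f"{ev['src_ip']} -> {ev['dst_ip']}:{ev['dst_port']} ({svc})")]

    def _port_scan(self, ev: dict) -> List[Alert]:
        src, now = ev["src_ip"], ev["ts"]
        win = self._ports[src]
        win.append((now, ev["dst_port"]))
        while win and now - win[0][0] > SCAN_WINDOW:   # expire old entries
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) < SCAN_THRESHOLD:
            return []
        last = self._last_scan_alert.get(src)
        if last is not None and now - last <= SCAN_WINDOW:
            return []                                   # already reported this burst
        self._last_scan_alert[src] = now
        return [Alert(now, "high", "port-scan", src,
                      f"{src} touched {len(distinct)} ports in {SCAN_WINDOW:.0f}s")]


def demo() -> Dict[str, int]:
    """Run the engine over constructed events; return alert counts per category."""
    eng = RuleEngine()
    base = {"dst_ip": "10.0.0.9", "protocol": "TCP", "size": 60}
    events = []
    # 1) slow client: 5 distinct ports spread over 60 s -> below threshold, no alert
    events += [dict(base, ts=100.0 + i * 12, src_ip="10.0.0.5", dst_port=8000 + i)
               for i in range(5)]
    # 2) burst: 20 distinct ports in 2 s -> exactly one port-scan alert
    events += [dict(base, ts=200.0 + i * 0.1, src_ip="10.0.0.7", dst_port=1000 + i)
               for i in range(20)]
    # 3) one RDP connection -> one sensitive-port alert
    events.append(dict(base, ts=300.0, src_ip="10.0.0.8", dst_port=3389))
    for ev in events:
        eng.ingest(ev)
    counts: Dict[str, int] = defaultdict(int)
    for a in eng.alerts:
        counts[a.category] += 1
    return dict(counts)


if __name__ == "__main__":
    print(demo())
```

Keying the scan rule on distinct destination ports per source catches a vertical scan of one host; a horizontal sweep (one port across many hosts) needs the same window keyed on distinct `dst_ip` instead, which is the kind of extension the rule separation above is meant to make easy.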
A minimal web UI to visualize:
- The last 100 traffic events
- The last 50 alerts
- Backend health status
- Auto-refresh every 2 seconds
No frameworks.
Requirements:
- Docker Desktop
- Python 3.11+ (optional, for running the capture agent on the host)
```
docker compose up --build
```
Once started, open:
```
http://127.0.0.1:8000
```
You'll see the dashboard updating in real time.
A container started by Docker Desktop runs inside a VM and only sees the container network, so it cannot sniff the host's interfaces. For real traffic visibility, run the capture agent on the host (packet capture needs raw-socket privileges, so run it as root or grant CAP_NET_RAW):
```
cd capture
python main.py
```
It will automatically send events to:
```
http://127.0.0.1:8000/traffic
```
Run the tests:
```
python tests/test_api.py
python tests/test_sensitive.py
```
Project layout:
```
Detress/
│
├── backend/
│   ├── main.py              # FastAPI backend and rule engine
│   └── static/index.html    # Dashboard UI
│
├── capture/
│   └── main.py              # Scapy capture agent
│
├── tests/
│   ├── test_api.py
│   └── test_sensitive.py
│
├── docker-compose.yml
├── Dockerfile
├── entrypoint.sh
└── README.md
```
| Component | Technology |
|---|---|
| Backend | FastAPI (Python) |
| Capture Agent | Scapy |
| Communication | REST / JSON |
| Dashboard | HTML + Vanilla JS |
| Deployment | Docker / Compose |
Planned:
- PCAP import support
- YAML rule definitions (Suricata-style light rules)
- JA3/JA3S fingerprinting
- Threat intelligence enrichment (Abuse.ch, OTX, blocklists)
- More behavioral rules and correlation logic
- Optional TimescaleDB storage
MIT License.
