Skip to content

Alhasan100/netbaseline-py

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

NetBaseline

Version: 1.0.0 | Author: Alhasan Al-Hmondi

License: GPL v3

NetBaseline is a Windows-focused Python CLI for host network exposure baselining and drift detection. It captures a local snapshot of interfaces, routes, ARP neighbors, listening sockets, and process context, then compares snapshots so changes in host exposure are easy to review.

Why This Project Exists

Cybersecurity and IT teams often need a quick way to answer simple but important questions:

  • Which ports are listening on this machine right now?
  • Which interfaces, routes, and neighbors were present when the system was in a known-good state?
  • What changed between the last baseline and the current one?

NetBaseline addresses that gap with a lightweight, scriptable workflow that exports JSON snapshots and generates readable drift reports without requiring a heavy platform or frontend stack. I built it to practice the kind of host review work that sits between cybersecurity, networking, and IT operations.

Chosen Stack

  • Python 3.11+
  • Standard library first (argparse, dataclasses, json, subprocess, pathlib)
  • Windows-native command integration (netstat, ipconfig, route, arp, tasklist)
  • unittest for lightweight regression coverage

This stack is practical for cybersecurity and IT operations work because it is easy to inspect, portable in constrained environments, and straightforward to discuss in interviews.

Features

  • Capture a host exposure snapshot with host metadata, interfaces, IPv4 routes, ARP neighbors, sockets, and process names
  • Save snapshots as structured JSON
  • Compare two snapshots and identify new or removed interfaces, routes, neighbors, and listening sockets
  • Suppress expected drift with a JSON allowlist so regular lab changes do not overwhelm the report
  • Highlight newly exposed high-interest management ports in drift reports
  • Print terminal summaries and export Markdown or CSV drift reports

Project Structure

netbaseline-py/
|-- examples/
|-- src/netbaseline/
|-- tests/
|-- docs/
|-- LICENSE
|-- pyproject.toml
`-- README.md

Installation

cd netbaseline-py
py -3 -m pip install --upgrade pip
py -3 -m pip install .

For development mode:

py -3 -m pip install -e .

How To Run

Capture a baseline snapshot:

netbaseline snapshot --output .\snapshots\baseline.json

Capture a second snapshot later:

netbaseline snapshot --output .\snapshots\current.json

Compare both snapshots in the terminal:

netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json

Compare both snapshots while suppressing expected drift:

netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --allowlist .\examples\expected-drift-allowlist.json

Write a Markdown report:

netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --report .\reports\drift-report.md

Write a CSV report for spreadsheet review:

netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --csv-report .\reports\drift-report.csv

Write both report formats in one run:

netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --allowlist .\examples\expected-drift-allowlist.json --report .\reports\drift-report.md --csv-report .\reports\drift-report.csv

Example Usage

The tool records a JSON snapshot with normalized keys for repeatable comparisons. A drift report highlights meaningful infrastructure changes such as:

  • a new listener on 0.0.0.0:3389
  • a removed static route
  • a newly discovered ARP neighbor on a local subnet
  • an RDP, WinRM, SSH, SMB, LDAP, or database listener that deserves closer review

When some drift is expected, such as a lab route or a temporary management listener, an allowlist file can suppress those exact entries while still recording what was filtered. That makes the output more useful for repeated baseline checks instead of one-off comparisons.

Final Scope

This version is intentionally Windows-focused because the most realistic cybersecurity use case here is endpoint baselining and hardening. It is small enough to understand in an interview, but complete enough to show collection, normalization, comparison, reporting, and test coverage.

Future Improvements

  • Add Linux collectors using ss and ip
  • Add risk scoring for suspicious exposure changes

The scheduled workflow notes are documented in docs/scheduled-usage.md.

License

This project is licensed under the GNU General Public License v3.0. See LICENSE for the full license text.

About

A Windows-focused Python CLI for host network exposure baselining and drift detection.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages