Version: 1.0.0 | Author: Alhasan Al-Hmondi
NetBaseline is a Windows-focused Python CLI for host network exposure baselining and drift detection. It captures a local snapshot of interfaces, routes, ARP neighbors, listening sockets, and process context, then compares snapshots so changes in host exposure are easy to review.
Cybersecurity and IT teams often need a quick way to answer simple but important questions:
- Which ports are listening on this machine right now?
- Which interfaces, routes, and neighbors were present when the system was in a known-good state?
- What changed between the last baseline and the current one?
NetBaseline addresses that gap with a lightweight, scriptable workflow that exports JSON snapshots and generates readable drift reports without requiring a heavy platform or frontend stack. I built it to practice the kind of host review work that sits between cybersecurity, networking, and IT operations.
- Python 3.11+
- Standard library first (
argparse,dataclasses,json,subprocess,pathlib) - Windows-native command integration (
netstat,ipconfig,route,arp,tasklist) unittestfor lightweight regression coverage
This stack is practical for cybersecurity and IT operations work because it is easy to inspect, portable in constrained environments, and straightforward to discuss in interviews.
- Capture a host exposure snapshot with host metadata, interfaces, IPv4 routes, ARP neighbors, sockets, and process names
- Save snapshots as structured JSON
- Compare two snapshots and identify new or removed interfaces, routes, neighbors, and listening sockets
- Suppress expected drift with a JSON allowlist so regular lab changes do not overwhelm the report
- Highlight newly exposed high-interest management ports in drift reports
- Print terminal summaries and export Markdown or CSV drift reports
netbaseline-py/
|-- examples/
|-- src/netbaseline/
|-- tests/
|-- docs/
|-- LICENSE
|-- pyproject.toml
`-- README.md
cd netbaseline-py
py -3 -m pip install --upgrade pip
py -3 -m pip install .For development mode:
py -3 -m pip install -e .Capture a baseline snapshot:
netbaseline snapshot --output .\snapshots\baseline.jsonCapture a second snapshot later:
netbaseline snapshot --output .\snapshots\current.jsonCompare both snapshots in the terminal:
netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.jsonCompare both snapshots while suppressing expected drift:
netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --allowlist .\examples\expected-drift-allowlist.jsonWrite a Markdown report:
netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --report .\reports\drift-report.mdWrite a CSV report for spreadsheet review:
netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --csv-report .\reports\drift-report.csvWrite both report formats in one run:
netbaseline diff --baseline .\snapshots\baseline.json --candidate .\snapshots\current.json --allowlist .\examples\expected-drift-allowlist.json --report .\reports\drift-report.md --csv-report .\reports\drift-report.csvThe tool records a JSON snapshot with normalized keys for repeatable comparisons. A drift report highlights meaningful infrastructure changes such as:
- a new listener on
0.0.0.0:3389 - a removed static route
- a newly discovered ARP neighbor on a local subnet
- an RDP, WinRM, SSH, SMB, LDAP, or database listener that deserves closer review
When some drift is expected, such as a lab route or a temporary management listener, an allowlist file can suppress those exact entries while still recording what was filtered. That makes the output more useful for repeated baseline checks instead of one-off comparisons.
This version is intentionally Windows-focused because the most realistic cybersecurity use case here is endpoint baselining and hardening. It is small enough to understand in an interview, but complete enough to show collection, normalization, comparison, reporting, and test coverage.
- Add Linux collectors using
ssandip - Add risk scoring for suspicious exposure changes
The scheduled workflow notes are documented in docs/scheduled-usage.md.
This project is licensed under the GNU General Public License v3.0. See LICENSE for the full license text.