Sentinel Shield is an academic cybersecurity project that simulates how a real-world Intrusion Detection System (IDS) and Web Application Firewall (WAF) work.
It inspects incoming HTTP requests, detects common web attacks, logs suspicious activity, and generates alerts.
• Understand how malicious web requests look in real traffic
• Detect common attacks using rule-based logic
• Monitor abusive behavior using rate limiting
• Log and analyze security events
• Simulate the detection → decision → logging → alerting workflow
✔ SQL Injection (SQLi)
✔ Cross-Site Scripting (XSS)
✔ Local File Inclusion (LFI)
✔ Command Injection (basic patterns)
✔ Brute-force / abusive traffic via rate limiting
1. A user sends an HTTP request
2. Sentinel Shield inspects the request (URL, parameters, headers)
3. The detection engine matches known attack patterns
4. IP behavior is monitored (rate limiting)
5. If malicious or abusive:
• The request is blocked or flagged
• The event is logged
• An alert is generated
Think of Sentinel Shield as a security guard for your web application.
```text
User Request
    ↓
Web App (Flask)
    ↓
Sentinel Shield Engine
    ├── Request Inspection
    ├── Rule-Based Detection
    ├── Behavior Monitoring (Rate Limiting)
    └── Logging & Alerts
    ↓
Logs / Dashboard / Reports
```
Check that Python is installed, then create the project folder and a virtual environment:
```shell
python --version
mkdir sentinel-shield
cd sentinel-shield
python -m venv venv
venv\Scripts\activate       # Windows
source venv/bin/activate    # Linux/Mac
pip install flask
```
Create these files:
```text
Sentinel-Shield/
├── app.py              # Main Flask application
├── dashboard.py        # Simple dashboard view
├── detector.py         # Detection logic
├── logger.py           # Logging & alerting
├── rate_limiter.py     # IP behavior tracking
├── rules.json          # Attack signatures and patterns
├── logs/
│   └── security.log
├── templates/
│   └── dashboard.html
├── README.md
└── requirements.txt
```
rules.json (patterns are regular expressions, matched against the lowercased, URL-decoded query string; the LFI and Command Injection groups cover the categories listed above):
```json
{
  "XSS": [
    "<script>",
    "onerror",
    "onload",
    "alert\\("
  ],
  "SQL Injection": [
    "select .* from",
    "union select",
    "or 1=1",
    "' or '1'='1"
  ],
  "LFI": [
    "\\.\\./",
    "/etc/passwd"
  ],
  "Command Injection": [
    ";\\s*(cat|ls|whoami|id)\\b",
    "\\|\\s*(cat|ls|whoami|id)\\b"
  ]
}
```
detector.py:
```python
import re
import json
from urllib.parse import unquote_plus
from logger import log_event

with open("rules.json") as f:
    RULES = json.load(f)


def inspect_request(req):
    """Return the first matching attack category, or None if the request is clean.

    The query string is percent-decoded before matching: a browser sends
    ?q=<script> as ?q=%3Cscript%3E, and the raw bytes would never match "<script>".
    """
    data = unquote_plus(req.query_string.decode(errors="ignore")).lower()
    print("[+] Raw Data:", data)
    for attack, patterns in RULES.items():
        for pattern in patterns:
            if re.search(pattern, data):
                ip = req.remote_addr
                print(f"[!] Attack detected: {attack} from {ip}")
                log_event(ip, attack)
                return attack
    return None
```
rate_limiter.py:
```python
import time
from collections import defaultdict

REQUEST_LOG = defaultdict(list)  # ip -> timestamps of requests in the current window
LIMIT = 10                       # requests allowed per window
WINDOW = 60                      # window length in seconds


def is_abusive(ip):
    """Sliding-window check: True once an IP exceeds LIMIT requests in WINDOW seconds."""
    now = time.time()
    REQUEST_LOG[ip] = [t for t in REQUEST_LOG[ip] if now - t < WINDOW]
    REQUEST_LOG[ip].append(now)
    return len(REQUEST_LOG[ip]) > LIMIT
```
logger.py:
```python
import logging
import os

LOG_DIR = "logs"
LOG_FILE = os.path.join(LOG_DIR, "security.log")
os.makedirs(LOG_DIR, exist_ok=True)

logger = logging.getLogger("sentinel")
logger.setLevel(logging.INFO)
handler = logging.FileHandler(LOG_FILE)
# One line per event: "<timestamp> | IP=<ip> | ATTACK=<type> | ACTION=<action>"
formatter = logging.Formatter("%(asctime)s | IP=%(message)s")
handler.setFormatter(formatter)
if not logger.handlers:  # avoid adding a second handler if the module is re-imported
    logger.addHandler(handler)


def log_event(ip, attack, action="blocked"):
    """Record timestamp, source IP, detected attack type and the action taken."""
    logger.info(f"{ip} | ATTACK={attack} | ACTION={action}")
```
app.py (wires inspection, rate limiting and the dashboard together; abusive clients get 429 and detected attacks get 403):
```python
from flask import Flask, request, abort
from detector import inspect_request
from rate_limiter import is_abusive
from logger import log_event
from dashboard import dashboard_bp
app = Flask(__name__)
app.register_blueprint(dashboard_bp)

@app.before_request
def before():
    ip = request.remote_addr
    if is_abusive(ip):  # behavior monitoring: throttle noisy clients
        log_event(ip, "Rate Limit", action="throttled")
        abort(429)
    if inspect_request(request):  # rule-based detection: block matching requests
        abort(403)

@app.route("/")
def home():
    return "Sentinel Shield Active"
if __name__ == "__main__":
    app.run(debug=True)
```
dashboard.py (parses the `ATTACK=` field written by logger.py and serves the template at /dashboard):
```python
from collections import Counter
from flask import Blueprint, render_template

dashboard_bp = Blueprint("dashboard", __name__)


def get_summary():
    """Count logged events per attack type by parsing logs/security.log."""
    counts = Counter()
    try:
        with open("logs/security.log") as f:
            for line in f:
                if "ATTACK=" in line:  # matches the format written by logger.py
                    attack = line.split("ATTACK=")[1].split("|")[0].strip()
                    counts[attack] += 1
    except FileNotFoundError:
        pass
    return counts


@dashboard_bp.route("/dashboard")
def dashboard():
    return render_template("dashboard.html", summary=get_summary())
```
HTML template in templates/dashboard.html:
```html
<!DOCTYPE html>
<html>
<head>
    <title>Sentinel Shield Dashboard</title>
</head>
<body>
    <h2>Sentinel Shield – Security Dashboard</h2>
    <p>Attack Summary:</p>
    <ul>
    {% for k, v in summary.items() %}
        <li><strong>{{ k }}</strong> : {{ v }}</li>
    {% endfor %}
    </ul>
</body>
</html>
```
Command Prompt:
```shell
python app.py
```
Server will start at http://127.0.0.1:5000 (Flask's default address and port).
Test with these URLs; the expected outcome follows each one:
```text
http://127.0.0.1:5000/?q=hello                         # normal request, should be allowed
http://127.0.0.1:5000/?q=' OR 1=1 --                   # SQL Injection payload, should be blocked and logged
http://127.0.0.1:5000/?q=<script>alert(1)</script>     # XSS payload, should be blocked and logged
http://127.0.0.1:5000/?q=../../etc/passwd              # LFI payload, should be blocked and logged
```
All detected events are stored in:
logs/security.log
Each entry contains:
• Timestamp
• Source IP
• Detected attack type
• Action taken
These logs simulate what a SOC analyst would review.
✔ Send normal requests → should be allowed
✔ Send attack payloads → should be blocked
✔ Send repeated requests → rate limited
✔ Review logs → verify detection accuracy
Sentinel Shield bridges the gap between theory and real-world cybersecurity practice. It shows how attacks are detected, logged, and analyzed — the same workflow used in real security operations.
🙋♀️ Why didn’t I use Microsoft Sentinel?
The goal of Sentinel Shield was to understand and implement the core detection, logging, and alerting logic myself, similar to how a WAF/IDS works internally.
Microsoft Sentinel is a SIEM platform, which sits on top of detection systems.
My project focuses on building the detection layer — request inspection, rule-based analysis, behavior monitoring, and alert generation — which is the foundation that tools like Sentinel later consume.
🙋♀️ Am I using a real product called “Sentinel Shield”?
👉 No. This project does not use any real commercial product named Sentinel Shield.
In this project:
• “Sentinel Shield” is a custom, academic project name
• It represents a student-built IDS/WAF-style system
• It is not Microsoft Sentinel
• It is not a real vendor tool
You are building your own detection engine + logging + alerting system, just like how real tools work internally.