Trident
provenance:github:labsin-uncuyo/Trident
WHAT THIS AGENT DOES
Trident is a tool that creates a small, self-contained network environment for testing security systems. It allows you to simulate network traffic and see how different security tools, like intrusion detection systems, would react. This helps businesses ensure their security measures are working effectively and can identify potential weaknesses before they impact real networks. Security professionals and network engineers would find this particularly useful for evaluating and improving their defenses.
README
# Trident Lab
## What it is
Trident is a compact, fully routed Docker lab for evaluating network telemetry, IDS/IPS pipelines, and agent behavior in a reproducible environment. It models a small enterprise segment (client → router → server) and makes traffic capture a first‑class output.
## Why it exists / use cases
- Validate detection rules against realistic routed traffic.
- Compare agent behaviors with consistent network baselines.
- Generate repeatable PCAP datasets for IDS evaluation.
- Teach or demo network monitoring in a contained lab.
## Key features
- Deterministic IPs and routes so traffic always crosses the router.
- Automated PCAP capture (router + server) into `outputs/<RUN_ID>/`.
- Optional agents (defender/attacker/benign) that plug in after infra is up.
- Single-command infra spin‑up and teardown.
## Quickstart
### Prerequisites
- Docker 23+
- Docker Compose v2
- GNU Make
### Commands
```bash
cp .env.example .env
# Edit .env and set at least:
# LAB_PASSWORD=... (required)
make up
```
### Verify it worked
1) **Containers are running**:
```bash
docker ps --filter "name=lab_" --format "table {{.Names}}\t{{.Status}}"
```
Expected containers: `lab_router`, `lab_server`, `lab_compromised`.
2) **Connectivity across subnets** (from compromised → server):
```bash
docker exec lab_compromised ping -c 1 172.31.0.10
docker exec lab_compromised curl -sf http://172.31.0.10:80 >/dev/null && echo "HTTP OK"
```
3) **PCAPs are being written**:
```bash
RUN_ID=$(cat outputs/.current_run)
ls -1 outputs/$RUN_ID/pcaps | head
```
Expected: `router_YYYY-MM-DD_HH-MM-SS.pcap` files and `server.pcap`.
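Beyond checking that the files exist, you can confirm that a capture actually contains traffic to and from the server. The following is an added example, not part of the Trident repo: it assumes the captures are classic pcap (not pcapng) with an Ethernet or Linux cooked link layer, and the client address `172.30.0.10` in the sample is constructed.

```python
import ipaddress
import struct

# linktype -> (link-header length, EtherType offset): Ethernet, Linux cooked (SLL)
LINK_LAYERS = {1: (14, 12), 113: (16, 14)}
# pcap magic as stored on disk -> struct byte order (microsecond and nanosecond)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def server_packets(pcap: bytes, server_ip: str = "172.31.0.10") -> dict:
    """Count IPv4 packets to and from server_ip in a classic pcap capture."""
    if len(pcap) < 24 or pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[pcap[:4]]
    linktype = struct.unpack(endian + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in LINK_LAYERS:
        raise ValueError(f"unsupported linktype {linktype}")
    hdr_len, etype_off = LINK_LAYERS[linktype]
    target = ipaddress.IPv4Address(server_ip).packed
    counts = {"total": 0, "to_server": 0, "from_server": 0}
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < incl_len:
            break  # file still being written: ignore the truncated last record
        counts["total"] += 1
        if len(frame) < hdr_len + 20 or frame[etype_off:etype_off + 2] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, ...) or too short to hold an IP header
        ip = frame[hdr_len:]
        if ip[16:20] == target:
            counts["to_server"] += 1
        elif ip[12:16] == target:
            counts["from_server"] += 1
    return counts

def build_sample() -> bytes:
    """Constructed sample (client 172.30.0.10 is made up): 2 IPv4 frames + 1 ARP."""
    def ipv4(src, dst):  # Ethernet header + bare 20-byte IPv4 header
        addrs = [ipaddress.IPv4Address(a).packed for a in (src, dst)]
        return b"\x02" * 12 + b"\x08\x00" + struct.pack(
            "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, *addrs)
    frames = [ipv4("172.30.0.10", "172.31.0.10"), ipv4("172.31.0.10", "172.30.0.10"),
              b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To check a real run, pass the bytes of `outputs/$RUN_ID/pcaps/server.pcap` to `server_packets`; a `to_server` count of zero after the ping and curl steps means the capture is not seeing the routed traffic.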
Tear down:
```bash
make down
```
## Where outputs go
`make up` creates a run-scoped output tree:
```
outputs/
└── <RUN_ID>/
    ├── pcaps/
    ├── slips/
    ├── aracne/
    ├── coder56/
    └── benign_agent/
```
## Safety model
- **Lab‑only**: This repo is intended for isolated, local experimentation.
- **Privileged containers**: `lab_router` and `lab_server` run privileged and use `NET_ADMIN`.
- **Host‑network defender**: the defender container uses `network_mode: host` (port configurable via `DEFENDER_PORT`).
- **No production targets**: do not point agents at real systems or networks.
- **Credentials are defaults**: see `guide/credentials.md` and override via `.env`.
## Docs
Start here: `guide/index.md`
- Architecture: `guide/architecture.md`
- Agents: `guide/agents.md`
- Topologies: `guide/topologies.md`
- Credentials: `guide/credentials.md`
## License
See `LICENSE`.
PUBLIC HISTORY
First discovered: Apr 1, 2026
IDENTITY
inferred
Identity inferred from code signals. No PROVENANCE.yml found.
METADATA
platform: github
first seen: Nov 25, 2025
last updated: Mar 31, 2026
last crawled: today
version: —
