Traditional network security often acts like a security camera: it records the "crime" (an intrusion) but doesn't stop it. By the time an administrator checks the logs, the data might already be exfiltrated.
In the context of the MIRAGE Defense Platform, I developed Sentinelle—a module designed to move from passive logging to Active Response.

What is Sentinelle?
Sentinelle is the "Guardian" of the MIRAGE ecosystem. It is a Python-based IDS/IPS (Intrusion Detection & Prevention System) that performs deep packet inspection (DPI) and implements a graduated response to threats.
The Tech Stack
- Python 3.12: The core engine.
- Scapy: For packet sniffing, analysis, and forging.
- Suricata Rules: Leveraging the power of the Emerging Threats (ET) ruleset for signature matching.
- IPTables/Netfilter: For real-time kernel-level isolation.
Technical Architecture
Sentinelle operates as a middleman between raw network traffic and the decision-making "Brain" (ORACLE).
```mermaid
graph TD
    Traffic[Raw Network Traffic] --> Sniffer[Scapy Sniffer]
    Sniffer --> SigEngine[Signature Engine]
    Sniffer --> DNSGuard[DNS Guard]
    SigEngine -- Alert --> Logic{Response Logic}
    DNSGuard -- Malware Domain --> Logic
    Logic -->|Block| IPTables[IPTables Isolation]
    Logic -->|Kill| TCPReset[TCP Reset Attack]
    Logic -->|Report| Oracle[Oracle Orchestrator]
```
Key Features
1. Deep Packet Inspection (DPI)
Sentinelle doesn't just look at headers; it inspects the payload. Using Scapy, it can identify patterns characteristic of:
- SQL Injection attempts.
- SSH/FTP Brute-forcing.
- Signatures of scanning tools (Nmap, ZMap).
2. DNS Guard: Killing C2 Channels
One of the most effective ways to stop malware is to break its "phone home" capability. Sentinelle acts as a transparent watcher on DNS traffic. If a local machine attempts to resolve a domain flagged by Threat Intelligence (like URLhaus), Sentinelle intercepts the request and blocks the resolution before the connection can even start.
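The DNS Guard described above boils down to two steps: pull the queried name out of the DNS question section, then match it (and every parent domain) against a threat-intelligence blocklist. The following is an added example written for this post, not Sentinelle's own code: it parses a raw DNS query payload with the standard library only (no Scapy), so it runs anywhere, and the blocklist entries, the `build_query` helper and the `inspect_dns` function are constructed for illustration. Matching walks the label list from the query name up to the TLD, so a lookup for a subdomain of a listed domain is caught, while a name that merely ends in the same characters (`notbad.example.net` against `bad.example.net`) is not.

```python
import struct
from typing import Optional

# Constructed blocklist for the example; Sentinelle would load this from a
# feed such as URLhaus instead.
BLOCKED_DOMAINS = {"malware-c2.example", "bad.example.net"}


def parse_qname(payload: bytes) -> Optional[str]:
    """Return the first question name in a DNS query, or None if the message
    is a response, is malformed, or is truncated."""
    if len(payload) < 12:                      # fixed 12-byte DNS header
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:         # QR bit set means a response
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:                        # root label terminates the name
            break
        if length & 0xC0:                      # compression pointer: not valid in a query's question
            return None
        pos += 1
        label = payload[pos:pos + length]
        if len(label) != length:               # truncated packet
            return None
        labels.append(label.decode("ascii", errors="replace").lower())
        pos += length
    return ".".join(labels)


def is_blocked(qname: str) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


def inspect_dns(payload: bytes) -> str:
    """Decision for one UDP payload: 'block', 'allow' or 'ignore' (not a query)."""
    name = parse_qname(payload)
    if name is None:
        return "ignore"
    return "block" if is_blocked(name) else "allow"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A query; sample input for the example only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    for name in ("cdn.malware-c2.example", "example.com", "notbad.example.net"):
        print(f"{name:30} -> {inspect_dns(build_query(name))}")
```

In Sentinelle the `block` decision would be handed to the response logic rather than acted on here; the parser returns `ignore` for responses and damaged packets so that a malformed datagram cannot trigger a mitigation against an innocent host.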
3. Tiered Mitigation (The Escalation Logic)
Not every alert requires a total shutdown. Sentinelle implements a graduated response:
- Level 1 (Info): Log locally and monitor.
- Level 2 (Warning): Throttle bandwidth for the suspicious IP.
- Level 3 (Critical): Immediate isolation via IPTables and triggering the GHOST module (redirecting the attacker to a honeypot).
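To make the escalation concrete, here is an added example of the response logic (written for this post, not taken from Sentinelle): it maps the three tiers to actions, and additionally assumes, as a design choice of the example rather than a documented Sentinelle rule, that a source which keeps tripping Level 2 inside a sliding window is promoted to isolation. It also shows the "decide in Python, execute in IPTables" split from the lessons below: the source address is validated with `ipaddress` before it is turned into an `iptables` argument vector, so a crafted string can never reach the shell. The `Threat`, `ResponseLogic`, `iptables_argv` and `mirage_event` names, the thresholds and the JSON layout are all assumptions.

```python
import ipaddress
import json
import time
from collections import defaultdict
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

INFO, WARNING, CRITICAL = 1, 2, 3   # the three tiers from the post


@dataclass
class Threat:
    src_ip: str
    level: int
    signature: str


class ResponseLogic:
    """Graduated response: log / throttle / isolate.

    Repeated Level-2 hits from one source inside `window_s` seconds are
    escalated to isolation after `warn_repeats` hits (assumed policy).
    """

    def __init__(self, warn_repeats: int = 3, window_s: float = 60.0):
        self.warn_repeats = warn_repeats
        self.window_s = window_s
        self._warnings: Dict[str, List[float]] = defaultdict(list)

    def decide(self, t: Threat, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        ipaddress.ip_address(t.src_ip)        # ValueError on anything that is not an IP
        if t.level >= CRITICAL:
            return "isolate"
        if t.level == WARNING:
            # keep only hits still inside the sliding window, then add this one
            hits = [ts for ts in self._warnings[t.src_ip] if now - ts <= self.window_s]
            hits.append(now)
            self._warnings[t.src_ip] = hits
            return "isolate" if len(hits) >= self.warn_repeats else "throttle"
        return "log"


def iptables_argv(src_ip: str) -> List[str]:
    """Build the argv for kernel-level isolation of one source address.

    Parsing through ipaddress guarantees the value is a bare address, and
    passing a list (never a shell string) to subprocess rules out injection.
    """
    ip = ipaddress.ip_address(src_ip)
    return ["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def mirage_event(t: Threat, action: str) -> str:
    """Serialise the decision as a JSON event for the orchestrator (assumed layout)."""
    return json.dumps({"module": "sentinelle", "action": action, **asdict(t)}, sort_keys=True)


if __name__ == "__main__":
    logic = ResponseLogic()
    for i in range(4):
        threat = Threat("203.0.113.7", WARNING, "ET SCAN Nmap")   # constructed sample
        action = logic.decide(threat)
        print(mirage_event(threat, action))
        if action == "isolate":
            print("would run:", " ".join(iptables_argv(threat.src_ip)))
```

Running the script shows the same source being throttled twice and isolated on the third warning; the isolation command is only printed here, and would go through `subprocess.run(iptables_argv(ip), check=True)` in a real deployment.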
4. TCP Reset Counter-Attacks
For high-priority threats, Sentinelle can forge TCP RST packets. This effectively "kills" a connection on both ends without needing complex firewall rules, providing an instantaneous stop to an ongoing attack.
Code Spotlight: The Sniffer Loop
Here is a simplified look at how Sentinelle processes traffic. This loop is non-blocking and handles packets at high speed.
```python
from scapy.all import sniff, send, IP, TCP
from sentinelle.logic import SignatureEngine


def guardian_loop(interface="eth0"):
    print(f"[*] Sentinelle active on {interface}...")
    # A BPF filter keeps non-IP frames out of the Python callback entirely
    sniff(iface=interface,
          filter="ip",
          prn=process_packet,
          store=0)  # store=0: never buffer packets in memory


def process_packet(pkt):
    if pkt.haslayer(IP):
        # Pass the packet to our signature engine
        threat = SignatureEngine.check(pkt)
        if threat.is_critical:
            # Drop the connection immediately
            mitigate_threat(pkt)
            print(f"[!] Blocked critical threat from {pkt[IP].src}")


def mitigate_threat(pkt):
    # Forge a TCP Reset towards the offending source, spoofing the local endpoint.
    # A RST is only honoured when its sequence number falls inside the receiver's
    # window, so reuse the ACK number the source expects to see next.
    if pkt.haslayer(TCP):
        rst_pkt = IP(src=pkt[IP].dst, dst=pkt[IP].src) / TCP(
            sport=pkt[TCP].dport,
            dport=pkt[TCP].sport,
            seq=pkt[TCP].ack,
            flags="R")
        send(rst_pkt, verbose=0)
```
Lessons Learned
Building a real-time defense system in Python comes with challenges, primarily around performance. To overcome this, Sentinelle uses:
- Standardized Events: All modules communicate via MirageEvent (JSON), ensuring interoperability.
- Multiprocessing: Offloading heavy analysis to separate cores.
- Kernel Integration: Using Python to decide and IPTables to execute.
What's Next?
The next phase for Sentinelle involves eBPF integration to move packet filtering even deeper into the Linux kernel for near-zero latency.
Are you building security tools with Python? I'd love to hear your thoughts on automated mitigation vs. manual intervention in the comments!
Find the project on GitHub | Connect with me on LinkedIn