DEV Community: Bhilal. Chitou

Building a Proactive Network Guardian: Deep Dive into Sentinelle (MIRAGE Project)

Bhilal. Chitou — Thu, 04 Jun 2026 17:02:53 +0000

Traditional network security often acts like a security camera: it records the "crime" (an intrusion) but doesn't stop it. By the time an administrator checks the logs, the data might already be exfiltrated.

In the context of the MIRAGE Defense Platform, I developed Sentinelle—a module designed to move from passive logging to Active Response.

What is Sentinelle?

Sentinelle is the "Guardian" of the MIRAGE ecosystem. It is a Python-based IDS/IPS (Intrusion Detection & Prevention System) that performs deep packet inspection (DPI) and implements a graduated response to threats.

The Tech Stack

Python 3.12: The core engine.
Scapy: For packet sniffing, analysis, and forging.
Suricata Rules: Leveraging the power of the Emerging Threats (ET) ruleset for signature matching.
IPTables/Netfilter: For real-time kernel-level isolation.

Technical Architecture

Sentinelle operates as a middleman between raw network traffic and the decision-making "Brain" (ORACLE).

graph TD
    Traffic[Raw Network Traffic] --> Sniffer[Scapy Sniffer]
    Sniffer --> SigEngine[Signature Engine]
    Sniffer --> DNSGuard[DNS Guard]

    SigEngine -- Alert --> Logic{Response Logic}
    DNSGuard -- Malware Domain --> Logic

    Logic -->|Block| IPTables[IPTables Isolation]
    Logic -->|Kill| TCPReset[TCP Reset Attack]
    Logic -->|Report| Oracle[Oracle Orchestrator]

Key Features

1. Deep Packet Inspection (DPI)

Sentinelle doesn't just look at headers; it inspects the payload. Using Scapy, it can identify patterns characteristic of:

SQL Injection attempts.
SSH/FTP Brute-forcing.
Scanning tools signatures (Nmap, ZMap).

2. DNS Guard: Killing C2 Channels

One of the most effective ways to stop malware is to break its "phone home" capability. Sentinelle acts as a transparent watcher on DNS traffic. If a local machine attempts to resolve a domain flagged by Threat Intelligence (like URLhaus), Sentinelle intercepts the request and blocks the resolution before the connection can even start.

3. Tiered Mitigation (The Escalation Logic)

Not every alert requires a total shutdown. Sentinelle implements a graduated response:

Level 1 (Info): Log locally and monitor.
Level 2 (Warning): Throttling bandwidth for the suspicious IP.
Level 3 (Critical): Immediate isolation via IPTables and triggering the GHOST module (redirecting the attacker to a honeypot).

4. TCP Reset Counter-Attacks

For high-priority threats, Sentinelle can forge TCP RST packets. This effectively "kills" a connection on both ends without needing complex firewall rules, providing an instantaneous stop to an ongoing attack.

Code Spotlight: The Sniffer Loop

Here is a simplified look at how Sentinelle processes traffic. This loop is non-blocking and handles packets at high speed.

from scapy.all import sniff, IP, TCP
from sentinelle.logic import SignatureEngine

def guardian_loop(interface="eth0"):
    print(f"[*] Sentinelle active on {interface}...")

    # We use a BPF filter to capture only IP traffic
    sniff(iface=interface, 
          filter="ip", 
          prn=process_packet, 
          store=0)

def process_packet(pkt):
    if pkt.haslayer(IP):
        # Pass the packet to our signature engine
        threat = SignatureEngine.check(pkt)

        if threat.is_critical:
            # Drop the connection immediately
            mitigate_threat(pkt)
            print(f"[!] Blocked critical threat from {pkt[IP].src}")

def mitigate_threat(pkt):
    # Forging a TCP Reset packet
    if pkt.haslayer(TCP):
        rst_pkt = IP(src=pkt[IP].dst, dst=pkt[IP].src)/TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="R")
        send(rst_pkt, verbose=0)

Lessons Learned

Building a real-time defense system in Python comes with challenges, primarily around performance. To overcome this, Sentinelle uses:

Standardized Events: All modules communicate via MirageEvent (JSON), ensuring interoperability.
Multiprocessing: Offloading heavy analysis to separate cores.
Kernel Integration: Using Python to decide and IPTables to execute.

What's Next?

The next phase for Sentinelle involves eBPF integration to move packet filtering even deeper into the Linux kernel for near-zero latency.

Are you building security tools with Python? I'd love to hear your thoughts on automated mitigation vs. manual intervention in the comments!

Find the project on GitHub | Connect with me on LinkedIn

python #cybersecurity #networking #devops #opensourcepython, #7Bhil, #Bhildollars

Technical Reference Manual: SCAN Module (MIRAGE)

Bhilal. Chitou — Thu, 28 May 2026 12:15:00 +0000

This document serves as the technical guide for the SCAN module. It is designed to provide a comprehensive understanding of the component's inner workings, implementation details, and defensive capabilities for technical presentations and architectural reviews.

Module Philosophy

The SCAN module is fundamentally designed as an Autonomous Diagnostic Expert System rather than a traditional, passive network scanner. Its primary objective is to evaluate target infrastructures by adopting an offensive reconnaissance posture, quantifying security risks through predefined metrics, and executing immediate mitigations or hotfixes.

Internal Architecture and Component Workflow

The codebase is structured into specialized python scripts, executing sequentially to form an automated assessment pipeline:

[ discovery.py ] ──(IPs/MAC)──> [ port_scanner.py ] ──(Services)──> [ vulnerability_scanner.py ]
                                                                             │
[ auto_patcher.py ] <──(Mitigation Order)── [ resolution_engine.py ] <──────┘

1. Network Discovery — `discovery.py`

Mechanism: Maps the local area network (LAN) topology by broadcasting raw Address Resolution Protocol (ARP) requests.
Implementation Details: Leverages the Scapy library to forge custom network packets from scratch. Unlike standard ICMP ping requests, which are frequently dropped or restricted by modern host-based firewalls, ARP resolution is technically mandatory for local subnet communications. This architectural choice makes the discovery phase resilient against standard stealth configurations.
Collected Data: Target IP addresses, MAC addresses, and resolved hostnames.

2. Surface Reconnaissance — `port_scanner.py`

Mechanism: Probes designated network interfaces to identify active listener ports and available attack surfaces.
Core Engine: Integrates the OWASP Nettacker framework to ensure industrial-grade reliability, multi-threading capabilities, and native JSON output formatting.
Output: A structured mapping of open ports associated with their respective network transport protocols and services (e.g., HTTP on port 80, SSH on port 22).

3. Vulnerability Assessment — `vulnerability_scanner.py`

Mechanism: Inspects the application layer of identified open services to detect known misconfigurations and software flaws.
Targeted Checks:
- Software Version Heuristics: Banner grabbing to identify outdated software components exposed to known CVEs.
- Information Disclosure: Scanning for orphaned repositories, exposed metadata, or backup files (e.g., .git directories, backup.zip).
- Web Application Flaws: Verifying the absence of essential security headers, such as anti-clickjacking directives.

4. Resolution Engine & Scoring Matrix — `resolution_engine.py`

This component serves as the core algorithmic decision layer of the pipeline.

Expert System Knowledge Base: Utilizes a static dictionnaire (RESOLUTION_GUIDES) that maps specific vulnerability signatures to explicit technical remediation scripts.
Fail-Safe Mechanism (Generic Alerting): In the event that the scanner encounters an undocumented or highly specialized flaw, the pipeline handles the exception without crashing. It generates a Generic Alert that enforces system logging and prompts administrative intervention, ensuring no anomaly goes unnoticed.
Quantitative Scoring Algorithm:
- Each target host initializes with a baseline security posture score of 100.
- Deductions are dynamically calculated and subtracted from the total based on the CVSS-aligned severity of discovered vulnerabilities.
Posture Classifications:
- Safe (>80): Healthy security posture; low risk profile.
- At Risk (50-80): Noticeable configuration drifts; remediation required.
- Critical (<50): Immediate risk of system compromise or intrusion.

5. Automated Remediation — `auto_patcher.py`

Mechanism: Operates as an automated maintenance agent to enforce immediate threat mitigation.
Concrete Operations: Programmatically modifies local service configurations (e.g., hardening encryption parameters within /etc/ssh/sshd_config) and injects strict access control rules into the Uncomplicated Firewall (UFW) subsystem to apply the principle of least privilege.

Subsystem Interactions: SCAN vs SENTINELLE

The table below outlines the operational boundaries and synergies between the proactive assessment layer (SCAN) and the reactive monitoring layer (SENTINELLE):

Operational Metric	SCAN Module	SENTINELLE Module
Operational Mode	Proactive (Audit & Hardening)	Reactive (Detection & Blocking)
Temporal Layout	Execution via cron scheduling or manual trigger.	Continuous background daemon execution (Real-time).
Port Management	Identifies open ports and restricts unauthorized ones.	Monitors inbound connections to detect external port scans.
System Analogy	An inspector verifying physical structural integrity.	A security guard and motion sensor monitoring access.

Operational Synergy: If the SCAN module leaves a port open to accommodate specific business requirements, the SENTINELLE module monitors traffic anomalies on that vector. If unauthorized or malicious activity occurs, SENTINELLE isolates the threat vector and blocks the source IP address immediately.

Technical Design Decisions & Defensive FAQ

Why implement OWASP Nettacker over Nmap?

While Nmap remains an industry standard for raw network discovery and packet-level manipulation, Nettacker is natively structured around vulnerability assessment workflows. Its plugin architecture and modular JSON outputs integrate seamlessly with a centralized cloud database, simplifying data parsing for the resolution engine.

What are the operational risks of automated patching?

Automated patching introduces risks regarding service availability and configuration regression. To mitigate this, the feature can be toggled by the system administrator. However, on critical or highly exposed infrastructures, automating remediation significantly decreases the window of exposure—the time elapsed between vulnerability discovery and patch deployment.

How does the SCAN module patch remote hosts without inbound SSH access?

MIRAGE utilizes a decoupled, asynchronous messaging architecture. When the SCAN module identifies a vulnerability on a remote host, it does not connect directly to the target machine. Instead, it publishes the diagnostic report and a standardized remediation order to a central cloud instance (MongoDB Atlas). The remote target runs a local SENTINELLE agent that maintains an outbound connection to this database cluster. Upon receiving the JSON-encoded command, the local agent executes the instructions natively via its own auto_patcher.py script. This eliminates the requirement to expose administrative management ports to the network.

# The 3 AM Epiphany: How a Hacking Video Saved My FinTech App From a Rookie Mistake

Bhilal. Chitou — Sun, 24 May 2026 10:25:36 +0000

Introduction

We’ve all been there. It’s the middle of the night, you’re fast asleep, and suddenly your brain snaps awake because you realized you left a massive vulnerability in your code.

A few days ago, I was watching a live-streamed web hacking session. It was fascinating to analyze the entire spectacle as an ethical hacker meticulously uncovered and exploited one vulnerability after another, breaking down the application's defense layer by layer.

I went to bed thinking about it, but mid-sleep, panic set in. My brain connected the dots, and I remembered a rookie mistake I had made about two weeks ago on one of my own active projects—the exact same flaw highlighted in that video.

The Midnight Race Against the Clock

Driven by pure adrenaline and precipitation, I jumped out of bed, fired up my IDE, and started scrambling to fix the issue. When you are building software, especially in the financial space, security isn't just an afterthought—it's the core foundation.

But as I dove into the codebase to implement a patch, I stumbled upon a pleasant surprise: I had already fixed the vulnerability days ago without even consciously realizing it. Past-me had looked at the code, refactored it cleanly, and patched the loophole as part of a routine update. The relief was indescribable, but it taught me a valuable lesson about how deeply security practices embed themselves into your muscle memory when you train your mind to think like an attacker.

What Am I Building? (The Vision)

For those wondering what this project actually is: I am building a FinTech infrastructure designed to make transferring money seamless, lightning-fast, and, most importantly, with significantly lower transaction fees than current mainstream options.

Security, high performance, and accessibility are the pillars of this platform. You can check out the current deployment here: https://vitch.vercel.app/

The Admin Dashboard Discovery

While investigating and securing the platform, I also checked the administration dashboard and noticed some highly suspicious activity: multiple unrecognized accounts had already been created, including two specific "pentest" accounts and an unauthorized "admin users" account.

This reinforces my commitment to absolute transparency and aggressive security hardening. Because of this, I am actively encouraging anyone in the cybersecurity community—pentesters, bug hunters, and security engineers—to audit the platform. If you can find a vulnerability, bypass my defenses, or spot a flaw in my architecture, I want to know about it.

Turning Panic into Evolution: Integrating Crypto?

Waking up to think about security also made me rethink the entire architecture of the project. As I sat there looking at my system design, a new idea sparked:

What if I integrated a dedicated cryptocurrency or token framework into this ecosystem?

Leveraging a digital currency layer could potentially bypass traditional banking rails entirely, dropping transaction fees even lower, ensuring near-instant cross-border settlements, and adding an extra layer of decentralized security.

Over to You: Let’s Discuss!

Before I write the next line of code for this feature, I want to hear from the community:

Have you ever had a "3 AM security panic" that turned out to be a false alarm (or a real one)?
If you were building a low-cost FinTech transfer system today, would you rely strictly on optimized Web2 fiat APIs, or would you bridge it with a Web3/Crypto infrastructure? What are the biggest regulatory or architectural roadblocks you've faced with hybrid systems?

I’m eager to hear your thoughts, advice, and critiques. You can explore, audit, and test the platform directly at https://vitch.vercel.app/ — let's see what you can find and let's build secure things together.

Comment j’ai survécu au développement d'une app de messagerie totalement chiffrée en React Native"

Bhilal. Chitou — Sat, 16 May 2026 19:36:25 +0000

Aujourd'hui, tout le monde veut créer la prochaine alternative à WhatsApp, Signal ou Telegram. Sécurisée, chiffrée de bout en bout (E2EE), légère, infaillible.

Quand j'ai décidé de construire l'application de messagerie Anonyme en utilisant React Native (Expo) et Supabase, je me suis dit : "Combien est-ce que ça peut être difficile ? On génère deux clés, on chiffre, on envoie sur des WebSockets, on déchiffre. Terminé."

Mais la cryptographie dans l'écosystème mobile JavaScript... c'est une autre paire de manches. Entre l'asynchronie capricieuse et les limites des outils de dev, voici comment cette architecture, théoriquement simple, a failli me rendre fou.

L'Échec de l'Algorithme Maison & L'Enfer d'Expo Go

L'histoire commence bien avant les premières lignes de code. Cela faisait un an que je réfléchissais à un algorithme de chiffrement personnalisé avec un camarade. Le plan était parfait sur le papier. Mais dès qu'on l'a intégré au projet mobile : black-out. Le déchiffrement refusait catégoriquement de fonctionner.

Pendant une semaine complète, j'ai revu mes calculs mathématiques, retourné le code dans tous les sens... en vain. Pour couronner le tout, à force de recharger l'application pour tester mes modifications algorithmiques, j'ai totalement épuisé ma limite d'utilisation sur Expo Go. Bloqué au milieu du tunnel.

J'ai dû me rendre à l'évidence : pour avancer, il fallait temporairement laisser tomber notre algo maison et basculer sur des standards plus basiques (comme X25519 avec TweetNaCl.js). Mais ce n'est que partie remise, ça finira par fonctionner.

Cette frustration m'a poussé à une réflexion cruciale : la sécurité d'une application ne dépend pas uniquement de la complexité de son algorithme de chiffrement. J'ai donc réorienté mon énergie vers des fonctionnalités de sécurité terrain massives pour blinder l'application.

1. Le Cauchemar du TextEncoder Manquant

En cryptographie standard, tout fonctionne avec des tableaux d'octets (Uint8Array). Ton mot de passe ? Uint8Array. Ton message secret "Salut !" ? Uint8Array.

Pour passer d'une chaîne de texte JavaScript vers un Uint8Array, tous les navigateurs utilisent TextEncoder. Le problème ? React Native ne possède pas de TextEncoder ou TextDecoder natif en V8/JSC.

Je me retrouvais face à des écrans rouges explosifs à chaque tentative de chiffrement car l'application ne savait pas comment convertir des strings JavaScript. J'ai dû implémenter le polyfill text-encoding-polyfill au sommet de l'arbre d'exécution (_layout.tsx) juste pour forcer l'environnement mobile à lire de simples phrases :

import 'react-native-get-random-values';
import 'text-encoding-polyfill';

2. Le Base64 : Un Espion Infiltré

Une fois les données chiffrées, il fallait bien envoyer ces bits illisibles via Supabase. La méthode classique : encoder le Uint8Array chiffré en Base64 dans une base Postgres.

Mais au moment de récupérer les messages via les requêtes temps-réel (subscribe) de Supabase, mes boîtes de dialogue affichaient... un null massif.

Pourquoi ? L'encodage Base64 n'est pas un standard si universel. Des caractères générés par certaines librairies venaient corrompre la vérification de longueur de TweetNaCl. J'ai été forcé d'ajouter une couche de nettoyage draconienne et une stricte validation d’encodage via le module buffer :

const cleanBase64 = (str: string) => {
  return str.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, '');
};

const decodedData = Buffer.from(cleanBase64(encrypted_content), 'base64');

3. La Base de Données Éphémère & "Tu ne supprimeras point"

Pour pousser le concept "Zéro Trace" à l'extrême, j'ai configuré la base de données pour qu'elle agisse comme une simple boîte aux lettres : le serveur ne stocke le message chiffré que si le destinataire est hors ligne. Dès que le client est connecté, récupère le payload et le déchiffre localement, l'application exécute un supabase.delete.

C'est là que le Row Level Security (RLS) de Supabase est entré en guerre contre moi. Les règles de sécurité serveur empêchaient silencieusement l’utilisateur de déclencher l'action DELETE sur les lignes qui ne lui appartenaient pas "strictement" en droit total. La fonction échouait sans crasher, gardant le flag is_read = false sur le serveur et faisant s'emballer mon compteur de messages non-lus sur l'accueil.

La Solution Architecturale :

N'ayant pas de contrôle total sur le Back-End du cloud, j'ai appliqué une double stratégie :

La rustine serveur : Un supabase.update({is_read: true}) pour contourner la barrière du Delete total.
La timeline locale : J'ai utilisé AsyncStorage pour sauvegarder la milliseconde précise de fermeture d'un chat (last_opened_chat). L'application filtre désormais d'elle-même : si un message sur le serveur est daté d'avant cette marque temporelle, il est considéré comme consommé et ignoré, peu importe l'état du flag sur le serveur.

4. Chronomètres Éphémères et Décalage Spatio-Temporel

Je voulais intégrer un mode "Message Éphémère" avec un délai d'auto-suppression personnalisable (par exemple 30 secondes), digne de la NSA.

Première version : J'insérais la limite sur le serveur au moment de l'envoi (created_at + 30s). Résultat catastrophique : si le destinataire n'ouvrait pas l'app pendant une minute, le message périssait sur le serveur avant même d'arriver sur son téléphone ! Pire : si l'expéditeur se déconnectait, il perdait son propre historique car le chronomètre avait enterré le message à distance.

J'ai totalement modifié la chorégraphie du minuteur. Le temps ne doit pas s'écouler pendant le voyage ; il ne s'active qu'à destination :

const expirySeconds = msg.type?.split(':')[1] ? parseInt(msg.type.split(':')[1], 10) : null;

// Le chronomètre ne commence... EXACTEMENT MAINTENANT chez le destinataire.
const localExpiresAt = new Date(Date.now() + expirySeconds * 1000).toISOString();

Le serveur n'a aucune idée de la "Date Limite". C'est conféré dans le payload sécurisé transféré au destinataire. Le message attend sagement, et explose sous les yeux de l'utilisateur 30 secondes après l'ouverture.

Le Blindage Final : Zéro Capture d'Écran

Pour parfaire cette suite de sécurité, il restait une faille humaine : la capture d'écran. Chiffrer de bout en bout ne sert à rien si l'utilisateur peut photographier la discussion.

J'ai intégré des modules natifs pour bloquer instantanément toute tentative de screenshot ou d'enregistrement vidéo dès qu'on entre dans l'écran de discussion. Sur Android, l'application force le système à retourner un écran noir complet.

Conclusion

Construire un système End-To-End Encrypted va bien au-delà de la simple théorie mathématique. C'est affronter les décalages de synchro des bases de données temps réel, débugger les lacunes du moteur JavaScript de React Native sur des modules noyaux comme Buffer, et réajuster ses ambitions quand l'environnement de dev lâche prise.

Mais à la fin, quand tes requêtes passent, que les clignotants de l'authentification asymétrique passent au vert et que ton système est scellé ?

C'est là que réside toute la beauté de l'ingénierie logicielle.

(N'hésitez pas à me suivre, d'autres aventures de debugs brutaux arrivent bientôt !)

Introduction to Bhilal: A Hybrid Language for Developers and Security Researchers

Bhilal. Chitou — Fri, 15 May 2026 10:25:54 +0000

Bhilal is a modern, object-oriented programming language designed to streamline the creation of security tools. It combines a user-friendly syntax with a powerful hybrid engine to bridge
the gap between high-level scripting and low-level network auditing.

The Architecture: Node.js meets Go

The core of Bhilal is built on a hybrid architecture. While the lexer, parser, and high-level logic are handled by Node.js for maximum flexibility, the security-critical modules are
powered by Go. This allows the language to perform multi-threaded tasks, such as port scanning and DNS brute forcing, with native performance.

Key Technical Features

Localized Syntax: Bhilal uses French keywords (soit, montre, si, tantque, classe) making it a unique entry in the world of specialized languages.
Built-in Security Arsenal: Unlike general-purpose languages, Bhilal includes native functions for penetration testing:
- scan_ports(host, ports)
- dirbuster(url)
- dns_resolve(hostname)
- subnet_scan(cidr)
Full OOP Implementation: It supports classes, inheritance, and clean object instantiation.

Quick Code Example

1 # Simple security audit script
2 montre("Starting network analysis...")
3 soit target = "127.0.0.1"
4 soit results = scan_ports(target, [22, 80, 443, 3306])
5
6 pour chaque res dans results {
7     si res.open {
8         montre("Found open port: " + res.port)
9     }

Resources and Installation

Bhilal can be installed globally via npm:
npm install -g bhilal

Official Documentation: https://bhil-documentations.netlify.app/
Source Code: https://github.com/7Bhil/Language-Bhilal

Bhilal is an open-source project. We are looking for contributors to help expand the standard library and the Go-based security modules.

How I built a Virtual Currency Wallet with NestJS & Next.js (Beta out!) The "500 Million" Surprise

Bhilal. Chitou — Thu, 14 May 2026 12:54:59 +0000

A few days ago, I looked at my account and saw 500 million. No, I didn't hack a bank. It’s Vitch, my latest Fintech project, and the beta is officially live!
What is Vitch?

Vitch is a virtual currency platform designed for scalability. To make the onboarding fun, every new user automatically receives a welcome bonus (500 FCFA, 1€, or 1$ depending on their geographical location) upon registration.
The Tech Stack

I wanted to build something robust and secure, so I chose a modern fullstack architecture:

Backend: NestJS (Node.js) for a structured and scalable API.

Frontend: Next.js / React for a fast and SEO-friendly interface.

Styling: Tailwind CSS (aiming for a minimalist/modern UI).

Deployment: Vercel (for that sweet global CDN and speed).

What I learned

Building a fintech app from scratch is addictive. You have to think about currency logic, secure authentication, and real-time balance updates. There’s nothing like the feeling of seeing the transaction logic work perfectly for the first time.
I need your Brutal Honesty

I'm sharing this with the Dev.to community because I don't want compliments; I want to improve.

UX/UI: How does the flow feel? (A fellow dev already suggested adding Google Auth, which is on my roadmap!).

Security: Pentesters, feel free to poke around.

Logic: Is the virtual wallet architecture sound?

Live Demo: vitch.vercel.app
Open Source

I believe in "Building in Public". If you are working on a similar wallet idea, don't start from zero. You can check my repositories here:

Frontend (Next.js): 7Bhil/wallet-next

Backend (NestJS): 7Bhil/wallet-nest

Let's discuss in the comments! Are you working on any Fintech projects lately?

showdev #webdev #fintech #opensource #javascript