Building a Proactive Network Guardian: Deep Dive into Sentinelle (MIRAGE Project)
Source: Dev.to
Traditional network security often acts like a security camera: it records the “crime” (an intrusion) but doesn’t stop it. By the time an administrator checks the logs, the data might already be exfiltrated.
In the context of the MIRAGE Defense Platform, I developed Sentinelle—a module designed to move from passive logging to active response.
Overview of Sentinelle
Sentinelle is the “Guardian” of the MIRAGE ecosystem. It is a Python‑based IDS/IPS (Intrusion Detection & Prevention System) that performs deep packet inspection (DPI) and implements a graduated response to threats.
- Python 3.12 – core engine
- Scapy – packet sniffing, analysis, and forging
- Suricata Rules – leveraging the Emerging Threats (ET) ruleset for signature matching
- IPTables/Netfilter – real‑time kernel‑level isolation
Sentinelle operates as a middleman between raw network traffic and the decision‑making “Brain” (ORACLE).
```mermaid
graph TD
    Traffic[Raw Network Traffic] --> Sniffer[Scapy Sniffer]
    Sniffer --> SigEngine[Signature Engine]
    Sniffer --> DNSGuard[DNS Guard]
    SigEngine -- Alert --> Logic{Response Logic}
    DNSGuard -- Malware Domain --> Logic
    Logic -->|Block| IPTables[IPTables Isolation]
    Logic -->|Kill| TCPReset[TCP Reset Attack]
    Logic -->|Report| Oracle[Oracle Orchestrator]
```
Deep Packet Inspection Capabilities
Sentinelle inspects not only packet headers but also payloads. Using Scapy, it can identify patterns characteristic of:
- SQL injection attempts
- SSH/FTP brute‑forcing
- Scanning tool signatures (e.g., Nmap, ZMap)
DNS Guard
One of the most effective ways to stop malware is to break its “phone‑home” capability. Sentinelle watches DNS traffic transparently; if a local machine tries to resolve a domain flagged by Threat Intelligence (e.g., URLhaus), the request is intercepted and the resolution is blocked before the connection can start.
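To make the DNS Guard idea concrete, here is an added example (not Sentinelle's own code) that parses the question name out of a raw DNS query with only the Python standard library, matches it and its parent domains against a blocklist, and maps the result onto the graduated levels used below. The blocklist domains and the query builder are constructed test data, not real threat‑intelligence entries.

```python
import struct

# Constructed sample blocklist (placeholder names, not real indicators)
BLOCKLIST = {"malicious.example", "c2.example.net"}


def parse_dns_qname(payload: bytes):
    """Return the lowercased first question name of a DNS query, or None
    if the payload is not a well-formed query (too short, QR bit set,
    truncated labels, or a compression pointer inside the question)."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR=1 means response, not query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid here
            return None
        pos += 1
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels)


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(name: str) -> bytes:
    """Construct a minimal DNS A query (test input only)."""
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0))
    for label in name.split("."):
        msg.append(len(label))
        msg += label.encode("ascii")
    return bytes(msg + b"\x00" + struct.pack("!HH", 1, 1))


def dns_guard(payload: bytes):
    """Classify one DNS query: (3, name) = critical, block resolution and
    report; (1, name) = info, log only. Malformed input is logged, not acted on."""
    name = parse_dns_qname(payload)
    if name is None:
        return 1, None
    return (3, name) if is_blocked(name) else (1, name)
```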
Graduated Response Levels
Not every alert requires a total shutdown. Sentinelle implements a tiered response:
| Level | Action |
|---|---|
| 1 – Info | Log locally and monitor |
| 2 – Warning | Throttle bandwidth for the suspicious IP |
| 3 – Critical | Immediate isolation via IPTables and trigger the GHOST module (redirect attacker to a honeypot) |
For high‑priority threats, Sentinelle can forge TCP RST packets, instantly killing a connection on both ends without complex firewall rules.
Simplified Processing Loop (Python)
```python
from scapy.all import sniff, IP, TCP, send
from sentinelle.logic import SignatureEngine  # Sentinelle's own signature engine


def guardian_loop(interface="eth0"):
    print(f"[*] Sentinelle active on {interface}...")
    # Capture only IP traffic using a BPF filter; store=0 keeps memory flat
    sniff(
        iface=interface,
        filter="ip",
        prn=process_packet,
        store=0,
    )


def process_packet(pkt):
    if pkt.haslayer(IP):
        # Pass the packet to the signature engine
        threat = SignatureEngine.check(pkt)
        if threat is not None and threat.is_critical:
            # Drop the connection immediately
            mitigate_threat(pkt)
            print(f"[!] Blocked critical threat from {pkt[IP].src}")


def mitigate_threat(pkt):
    # Forge a TCP Reset towards the offending host. The RST has to carry the
    # sequence number the peer expects next (the ACK of the observed packet),
    # otherwise a modern TCP stack silently discards it.
    if pkt.haslayer(TCP):
        rst_pkt = IP(src=pkt[IP].dst, dst=pkt[IP].src) / \
            TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport,
                flags="R", seq=pkt[TCP].ack)
        send(rst_pkt, verbose=0)
```
Performance Considerations
Building a real‑time defense system in Python presents performance challenges. Sentinelle addresses them with:
- Standardized Events – all modules communicate via MirageEvent (JSON), ensuring interoperability.
- Multiprocessing – heavy analysis is offloaded to separate cores.
- Kernel Integration – Python decides; IPTables executes the enforcement.
Future Work
The next phase involves eBPF integration to move packet filtering deeper into the Linux kernel, achieving near‑zero latency.
Are you building security tools with Python? I’d love to hear your thoughts on automated mitigation vs. manual intervention in the comments!
Find the project on GitHub (replace with actual URL)