Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Multi threading and Snort and Programming questions

    IDS/IPS
    1
    5
    762
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ
      JonathanLee
      last edited by JonathanLee

      Hello does anyone know if Snort utilizes multi threading? I was looking at the open source code it does not seem to from the sections I looked at. I am a currently a college programming student that is specializing in cyber security. I also noticed that decoy scans with Nmaps if set to the same IP of the host caused issues with Palo Alto Firewalls that they would block that IP and close the connection to the routers when lab testing.

      I was wondering if there is a way to code a black hole area for this situation with a separate thread, the hacker would think it worked however system stays online. I was also working last week on a lab and noticed a scan when ran on a host it had the ability to kick back thousands of http get requests to the attacker to stall him, one just returned nothing but ABCDE.... What if we could make it return positive things when scans are ran?

      Screenshot_20211217-074519.png

      Positive scan returns that mimic the scans so the hacker has confusion and only sees positive words of encouragement. This is my code in Python. If it had threads you could have this reply running and keep working.

      Make sure to upvote

      JonathanLeeJ 1 Reply Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee @JonathanLee
        last edited by

        @jonathanlee

        decoyscan.JPG

        Imagine the faces of the guys running decoy scans non stop if this was the reply.

        decoy.JPG

        I get hit with more decoy scans with UDP scans over anything else. Nothing stops hackers like positive words coming from the firewall. A firewalls that is Adaptable, empowering, and honorable sorry I spelled that wrong in file for the array it was iterating over with use of pop.

        Make sure to upvote

        JonathanLeeJ 1 Reply Last reply Reply Quote 0
        • JonathanLeeJ
          JonathanLee @JonathanLee
          last edited by

          @jonathanlee

          We could maybe adapt the reply that is returned when the endless UDP scans are ran. They get worse every day like something is being planned same IP addresses on my system also. Why UDP scans? why not TCP? I don't know what has prompted the attackers to do this. However, I thought why not use the code I worked on in Sierra College's Python class.

          ALLPERMUATIONS.JPG

          I was also doing a lab and I was confused because one scan kicked back replies that were actually HTTP GET requests directed at my system because I was scanning. However I feel that would make an attacker more angry. Positive words like this would confuse an attacker and he might just move on.

          Make sure to upvote

          JonathanLeeJ 1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee @JonathanLee
            last edited by

            @jonathanlee

            You could even add a custom reply like System Secured centered at the top.

            secured.JPG

            Make sure to upvote

            JonathanLeeJ 1 Reply Last reply Reply Quote 0
            • JonathanLeeJ
              JonathanLee @JonathanLee
              last edited by

              @jonathanlee

              And, if they move to make this reply as a DOS move it to HTTP get requests at that point and disable this reply for a pre set timer.

              Make sure to upvote

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.