Netgate Discussion Forum

Multi threading and Snort and Programming questions

IDS/IPS
5 Posts, 1 Posters, 784 Views
  • JonathanLee (Dec 17, 2021, 3:47 PM; last edited by JonathanLee Dec 17, 2021, 3:51 PM)

    Hello, does anyone know if Snort utilizes multithreading? I was looking at the open source code; it does not seem to, from the sections I looked at. I am currently a college programming student specializing in cyber security. I also noticed that decoy scans with Nmap, if set to the same IP as the host, caused issues with Palo Alto firewalls: they would block that IP and close the connection to the routers when lab testing.

    I was wondering if there is a way to code a black hole area for this situation with a separate thread; the hacker would think it worked, but the system stays online. I was also working last week on a lab and noticed a scan that, when run on a host, had the ability to kick back thousands of HTTP GET requests to the attacker to stall him; one just returned nothing but ABCDE.... What if we could make it return positive things when scans are run?

    [Image: Screenshot_20211217-074519.png]

    Positive scan returns that mimic the scans, so the hacker is confused and only sees positive words of encouragement. This is my code in Python. If it had threads, you could have this reply running and keep working.

    Make sure to upvote

    • JonathanLee @JonathanLee (last edited Dec 17, 2021, 3:57 PM)

      @jonathanlee

      [Image: decoyscan.JPG]

      Imagine the faces of the guys running decoy scans non-stop if this was the reply.

      [Image: decoy.JPG]

      I get hit with more decoy scans with UDP scans than anything else. Nothing stops hackers like positive words coming from the firewall. A firewall that is adaptable, empowering, and honorable; sorry, I spelled that wrong in the file, in the array it was iterating over with the use of pop.

      Make sure to upvote

      • JonathanLee @JonathanLee (last edited Dec 17, 2021, 5:10 PM)

        @jonathanlee

        We could maybe adapt the reply that is returned when the endless UDP scans are run. They get worse every day, like something is being planned; the same IP addresses on my system also. Why UDP scans? Why not TCP? I don't know what has prompted the attackers to do this. However, I thought, why not use the code I worked on in Sierra College's Python class?

        [Image: ALLPERMUATIONS.JPG]

        I was also doing a lab and I was confused because one scan kicked back replies that were actually HTTP GET requests directed at my system because I was scanning. However, I feel that would make an attacker more angry. Positive words like this would confuse an attacker, and he might just move on.

        Make sure to upvote

        • JonathanLee @JonathanLee (last edited Dec 17, 2021, 5:13 PM)

          @jonathanlee

          You could even add a custom reply like "System Secured" centered at the top.

          [Image: secured.JPG]

          Make sure to upvote

          • JonathanLee @JonathanLee (last edited Dec 17, 2021, 5:14 PM)

            @jonathanlee

            And, if they move to make this reply a DOS, move it to HTTP GET requests at that point and disable this reply for a preset timer.

            Make sure to upvote

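The responder sketched across these posts, a thread-safe reply that hands out one positive word per probe and disables itself for a preset timer once the probe rate looks like a flood, as an added example in Python that is not the author's code from the screenshots; the word list, thresholds, class and function names are all constructed for illustration.

```python
import threading
import time
from collections import deque

POSITIVE_WORDS = ["Adaptable", "Empowering", "Honorable", "Resilient", "Secure"]  # constructed list

class ScanResponder:
    """One positive word per probe; mutes itself for cooldown_s once more than
    max_hits probes land inside window_s (the thread's 'disable on DOS' case)."""
    def __init__(self, words, max_hits, window_s, cooldown_s, clock=time.monotonic):
        self._words, self._next = list(words), 0
        self._hits = deque()            # timestamps of recent probes
        self._max_hits, self._window, self._cooldown = max_hits, window_s, cooldown_s
        self._muted_until, self._clock = 0.0, clock   # clock is injectable so replay() is deterministic
        self._lock = threading.Lock()   # respond() is safe to call from many threads

    def respond(self):
        """Next word, or None while muted (including the probe that trips the mute)."""
        now = self._clock()
        with self._lock:
            if now < self._muted_until:
                return None
            self._hits.append(now)
            while now - self._hits[0] > self._window:   # drop probes outside the window
                self._hits.popleft()
            if len(self._hits) > self._max_hits:
                self._muted_until = now + self._cooldown
                self._hits.clear()
                return None
            word = self._words[self._next % len(self._words)]
            self._next += 1
            return word

def replay(timestamps, max_hits=3, window_s=1.0, cooldown_s=10.0):
    # Replay constructed probe times (seconds) through one responder; return the replies.
    state = {"now": 0.0}
    r = ScanResponder(POSITIVE_WORDS, max_hits, window_s, cooldown_s, clock=lambda: state["now"])
    def probe(t):
        state["now"] = t
        return r.respond()
    return [probe(t) for t in timestamps]

def threaded_burst(n, max_hits=3):
    # n probes from n threads at once: only max_hits get a word, the rest hit the mute.
    r = ScanResponder(POSITIVE_WORDS, max_hits, window_s=60.0, cooldown_s=60.0)
    replies = []
    workers = [threading.Thread(target=lambda: replies.append(r.respond())) for _ in range(n)]
    for w in workers: w.start()
    for w in workers: w.join()
    return sum(1 for x in replies if x is not None)
```

Calling `replay([0, 0.1, 0.2, 0.3, 0.4, 5.0, 11.0])` shows three words served, the fourth probe tripping the 10-second mute, and service resuming at 11.0 with the next word.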
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.