mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
@@ -0,0 +1,45 @@
|
||||
# API Reference — Performing Network Packet Capture Analysis
|
||||
|
||||
## Libraries Used
|
||||
- **scapy**: PCAP parsing, protocol dissection, packet analysis
|
||||
- **subprocess**: Execute tshark for HTTP extraction and conversation analysis
|
||||
- **collections.Counter**: Traffic statistics aggregation
|
||||
|
||||
## CLI Interface
|
||||
```
|
||||
python agent.py analyze --pcap capture.pcap
|
||||
python agent.py http --pcap capture.pcap
|
||||
python agent.py suspicious --pcap capture.pcap
|
||||
python agent.py conversations --pcap capture.pcap
|
||||
```
|
||||
|
||||
## Core Functions
|
||||
|
||||
### `analyze_pcap_scapy(pcap_file)` — Protocol and IP statistics
|
||||
Returns: protocol distribution, top source/dest IPs, top destination ports, DNS queries.
|
||||
|
||||
### `extract_http_requests(pcap_file)` — HTTP request extraction via tshark
|
||||
Extracts: source/dest IP, method, host, URI, user agent from HTTP requests.
|
||||
|
||||
### `detect_suspicious_traffic(pcap_file)` — Anomaly detection
|
||||
Detects: port scanning (>=20 SYN to same target), DNS exfiltration (queries >60 chars),
|
||||
suspicious ports (4444, 31337, 6667, etc.).
|
||||
|
||||
### `conversation_analysis(pcap_file)` — TCP conversation summary
|
||||
Uses tshark `-z conv,tcp` for conversation-level statistics.
|
||||
|
||||
## Suspicious Port Detection
|
||||
4444, 5555, 6666, 8888, 9999, 1234, 31337, 12345, 6667, 6697
|
||||
|
||||
## Detection Categories
|
||||
| Finding | Severity | Trigger |
|
||||
|---------|----------|---------|
|
||||
| PORT_SCAN | HIGH | >=20 SYN packets to same target |
|
||||
| DNS_EXFILTRATION | HIGH | DNS queries >60 characters |
|
||||
| SUSPICIOUS_PORTS | MEDIUM | Traffic on known C2 ports |
|
||||
|
||||
## Dependencies
|
||||
```
|
||||
pip install scapy
|
||||
```
|
||||
System: tshark (optional, for HTTP and conversation analysis)
|
||||
Reference in New Issue
Block a user