creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Anthropic-Cybersecurity-Skills/skills/implementing-network-traffic-analysis-with-arkime/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.0 KiB
Raw Permalink Blame History

API Reference: Arkime Network Traffic Analysis

Authentication

HTTPDigestAuth(username, password)

All API requests require Digest authentication.

Session Search

GET /api/sessions
Parameter Type Description
date int Time range in hours (1=last hour)
expression string Arkime search expression
length int Max results to return
order string Sort field:direction (e.g. lastPacket:desc)
fields string Comma-separated field list

PCAP Download

GET /api/sessions/pcap
GET /api/sessions/pcapng
Parameter Description
date Time range in hours
expression Filter expression
Returns raw PCAP/PCAPNG binary data.

Connection Graph

GET /api/connections

Returns nodes (IPs) and links (connections) for network graph visualization.

SPI View (Field Statistics)

GET /api/spiview
Parameter Description
spi Comma-separated fields (e.g. srcIp,dstIp,dstPort)
Returns top values and counts for each field.

Session Fields

Field Description
srcIp Source IP address
dstIp Destination IP address
srcPort Source port
dstPort Destination port
srcBytes Bytes sent by source
dstBytes Bytes sent by destination
lastPacket Timestamp of last packet (ms)
srcJa3 JA3 fingerprint of client TLS
tls.issuerCN TLS certificate issuer CN
tls.subjectCN TLS certificate subject CN
tls.notAfter Certificate expiry (ms epoch)

Search Expressions

ip.src == 10.0.0.0/8
port.dst == 443
protocols == tls
country.src == CN
bytes > 1000000

Beaconing Detection Logic

  • Collect connection timestamps per (src, dst, port) tuple
  • Calculate intervals between consecutive connections
  • Compute jitter ratio: std_dev / avg_interval
  • Jitter < 0.05 = high confidence C2, < 0.15 = medium
Reference in New Issue View Git Blame Copy Permalink