mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 10:55:17 +03:00
1.8 KiB
1.8 KiB
name, description, domain, subdomain, tags, version, author, license
| name | description | domain | subdomain | tags | version | author | license | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| performing-dns-tunneling-detection | Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions, inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration. | cybersecurity | security-operations |
|
1.0 | mahipal | MIT |
Performing DNS Tunneling Detection
Instructions
Analyze DNS traffic for indicators of DNS tunneling using entropy analysis and statistical methods on query name characteristics.
import math
from collections import Counter
def shannon_entropy(data):
if not data:
return 0
counter = Counter(data)
length = len(data)
return -sum((c/length) * math.log2(c/length) for c in counter.values())
# Legitimate domain: low entropy (~3.0-3.5)
print(shannon_entropy("www.google.com"))
# DNS tunnel: high entropy (~4.0-5.0)
print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))
Key detection indicators:
- High Shannon entropy in query names (> 3.5 for subdomain labels)
- Unusually long query names (> 50 characters)
- High volume of TXT record requests to a single domain
- High unique subdomain count per parent domain
- Non-standard character distribution in labels
Examples
from scapy.all import rdpcap, DNS, DNSQR
packets = rdpcap("dns_traffic.pcap")
for pkt in packets:
if pkt.haslayer(DNSQR):
query = pkt[DNSQR].qname.decode()
entropy = shannon_entropy(query)
if entropy > 4.0:
print(f"Suspicious: {query} (entropy={entropy:.2f})")