mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.9 KiB
2.9 KiB
API Reference: Malware Network Traffic Analysis
dpkt - Python Packet Parsing
PCAP Reading
import dpkt
with open("malware.pcap", "rb") as f:
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
ip = eth.data
tcp = ip.data
HTTP Parsing
http_req = dpkt.http.Request(tcp.data)
http_req.method # GET, POST
http_req.uri # Request URI
http_req.headers # Header dict
http_req.body # POST body
http_resp = dpkt.http.Response(tcp.data)
http_resp.status # Status code
http_resp.body # Response body
IP Address Conversion
dpkt.utils.inet_to_str(ip.src) # bytes -> "1.2.3.4"
dpkt.utils.inet_aton("1.2.3.4") # "1.2.3.4" -> bytes
Wireshark Display Filters for Malware
C2 Detection
http.request.method == "POST" && http.content_length > 0
tls.handshake.type == 1 # TLS Client Hello
tcp.flags.syn == 1 && tcp.flags.ack == 0 # New connections
dns.qry.type == 16 # TXT records
Payload Analysis
tcp.payload contains "MZ" # PE downloads
http.response.code == 200 && http.content_type contains "octet"
frame.len > 1400 # Large packets
tshark - Field Extraction
HTTP Requests
tshark -r malware.pcap -Y "http.request" -T fields \
-e http.request.method -e http.host -e http.request.uri \
-e http.user_agent -e http.content_length
TLS/JA3 Fingerprinting
tshark -r malware.pcap -Y "tls.handshake.type==1" -T fields \
-e ip.src -e ip.dst -e tls.handshake.ja3
DNS Queries
tshark -r malware.pcap -Y "dns.qr==0" -T fields \
-e ip.src -e dns.qry.name -e dns.qry.type
Stream Follow
tshark -r malware.pcap -z follow,tcp,ascii,0
tshark -r malware.pcap -z follow,http,ascii,0
Suricata Rule Syntax
HTTP Rules
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE C2 Beacon";
flow:established,to_server;
http.method; content:"POST";
http.uri; content:"/gate.php";
sid:9000001; rev:1;
)
DNS Rules
alert dns $HOME_NET any -> any any (
msg:"MALWARE DNS Tunneling";
dns.query; pcre:"/^[a-z0-9]{20,}\./";
threshold:type threshold, track by_src, count 10, seconds 60;
sid:9000002; rev:1;
)
TLS Rules
alert tls $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE JA3 Match";
ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1";
sid:9000003; rev:1;
)
RITA - Beacon Analysis
Syntax
rita import zeek_logs dataset_name
rita analyze dataset_name
rita show-beacons dataset_name
rita show-long-connections dataset_name
rita show-dns-fqdn-lengths dataset_name
NetworkMiner
CLI Syntax
NetworkMiner --inputfile malware.pcap --outputdir /tmp/extracted
Extracts files, sessions, credentials, DNS from PCAP