Anthropic-Cybersecurity-Skills/skills/analyzing-dns-logs-for-exfiltration/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: DNS Exfiltration Detection Tools

Shannon Entropy Calculation

Python Implementation

import math
from collections import Counter

def shannon_entropy(text):
    """Shannon entropy in bits per character of one string (typically one DNS label).

    Case is folded because DNS names are case-insensitive. An empty string
    returns 0.0 instead of raising ZeroDivisionError on the length.
    """
    if not text:
        return 0.0
    counter = Counter(text.lower())
    length = len(text)
    return -sum((c/length) * math.log2(c/length) for c in counter.values())

Threshold Values

| Entropy (bits/char) | Classification |
|---|---|
| < 2.5 | Normal domain (e.g., "google") |
| 2.5 - 3.5 | Borderline (monitor) |
| > 3.5 | Suspicious (likely DGA/tunneling) |
| > 4.0 | High confidence malicious |

Apply the thresholds to individual labels, not to the whole FQDN: the fixed registered domain dilutes a random label. The value is also bounded by label length, since a label of n characters can reach at most log2(n) bits (2.0 for four characters, 3.0 for eight), so short labels never cross the "suspicious" line no matter how random they are, and the upper bands are only meaningful for labels of roughly 12 characters or more.
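The following is an added worked example, not code from this reference or from the skill's scripts/agent.py. It scores each label of a query name against the table above and reports the per-length ceiling, so a practitioner can see why a short label cannot trip the thresholds. Function names, the band labels and the sample query names are assumptions made for the example.

```python
import math
from collections import Counter

# Thresholds copied from the table above (bits per character of one label).
NORMAL_BELOW = 2.5
BORDERLINE_UPTO = 3.5
SUSPICIOUS_UPTO = 4.0


def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of one DNS label; 0.0 for an empty label.

    DNS names are case-insensitive, so the label is lower-cased first.
    """
    if not label:
        return 0.0
    n = len(label)
    counts = Counter(label.lower())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_ceiling(length: int) -> float:
    """Maximum entropy a label of this length can reach (every character distinct).

    A 4-character label tops out at log2(4) = 2.0 bits, so it can never cross
    the 2.5-bit 'normal' line no matter how random it looks.
    """
    return math.log2(length) if length > 0 else 0.0


def classify(entropy: float) -> str:
    """Map an entropy value onto the four bands of the threshold table."""
    if entropy < NORMAL_BELOW:
        return "normal"
    if entropy <= BORDERLINE_UPTO:
        return "borderline"
    if entropy <= SUSPICIOUS_UPTO:
        return "suspicious"
    return "high confidence malicious"


def score_query(fqdn: str) -> dict:
    """Score every label of a query name except the TLD and return the worst one.

    Tunnels and DGAs put their randomness in attacker-chosen labels, so each
    label is scored on its own rather than the whole FQDN.
    """
    labels = [l for l in fqdn.rstrip(".").lower().split(".") if l]
    candidates = labels[:-1] or labels          # drop the TLD when there is one
    worst = {"label": "", "entropy": 0.0, "ceiling": 0.0, "verdict": "normal"}
    for label in candidates:
        h = label_entropy(label)
        if h > worst["entropy"]:
            worst = {"label": label, "entropy": round(h, 3),
                     "ceiling": round(entropy_ceiling(len(label)), 3),
                     "verdict": classify(h)}
    return worst


if __name__ == "__main__":
    # Constructed query names for the demo, not captured traffic.
    for q in ("www.google.com",
              "abcdefghijklmnopqrstuvwxyz234567.t.example.net",
              "a1b2.test"):
        print(q, score_query(q))
```

The 32-character base32-style label scores exactly 5.0 bits and lands in the top band, "google" scores about 1.92, and "a1b2" scores 2.0, which is also its ceiling: a label that short is classified "normal" even though it is as random as a four-character string can be.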

Splunk DNS Queries

Tunneling Detection

index=dns sourcetype="stream:dns"
| eval subdomain_len=len(mvindex(split(query,"."),0))
| where subdomain_len > 50
| stats count by registered_domain, src_ip

Two things to check before relying on this search. registered_domain is not a field that stream:dns produces on its own; it has to be derived before the stats (for example with the URL Toolbox app). And a single DNS label cannot exceed 63 bytes, so testing only the first label catches tunnels that fill labels close to that limit; tools that spread payload across several shorter labels are better caught by the total length of everything left of the registered domain.

DGA Detection

index=dns
| eval sld=mvindex(split(query,"."), -2)
| where len(sld) > 12
| stats count, dc(query) AS unique by src_ip

mvindex(..., -2) picks the label second from the right, which is the registered name only under a single-label public suffix: foo.example.co.uk yields "co", and a query logged with its trailing dot yields the TLD. Strip the trailing dot and use a public-suffix-aware parser where multi-part suffixes matter. A long second-level label is a weak signal on its own; combine it with label entropy and with the per-source NXDOMAIN rate (rcode), since most names a DGA generates are unregistered.

Volume Anomaly

index=dns earliest=-24h
| bin _time span=1h
| stats count AS queries by src_ip, _time
| eventstats avg(queries) AS avg_q, stdev(queries) AS stdev_q by src_ip
| eval z_score=(queries - avg_q) / stdev_q
| where z_score > 3

The baseline here is the same 24 hourly buckets that are being tested, so a spike inflates its own avg_q and stdev_q, and hours with no queries produce no bucket and drop out of the average. A source with a perfectly flat hourly count has stdev_q=0, which makes z_score null, and the where clause then discards it silently rather than reporting it. Use a longer baseline window (days rather than one day) and handle the null case explicitly before tuning the threshold.

TXT Record Abuse

index=dns query_type="TXT"
| stats count AS txt_queries by src_ip
| where txt_queries > 100

The count is per search window, so pin earliest/latest when scheduling this. iodine falls back from NULL records to TXT, so the same search over NULL queries belongs alongside this one.

Zeek DNS Log Format

Log Fields (dns.log)

| Column | Field | Description |
|---|---|---|
| 0 | ts | Timestamp |
| 2 | id.orig_h | Source IP |
| 4 | id.resp_h | DNS server IP |
| 9 | query | Query domain name |
| 13 | qtype_name | Query type (A, TXT, CNAME, NULL) |
| 15 | rcode_name | Response code |
| 21 | answers | Response answers |

Column numbers apply to the default ASCII dns.log with no additional scripts loaded; select fields by name with zeek-cut rather than by position, and JSON-formatted logs have no column positions at all.

Zeek CLI Analysis

cat dns.log | zeek-cut query qtype_name id.orig_h | sort | uniq -c | sort -rn
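The following is an added example, not code from this reference or from the skill's scripts/agent.py. It reads a Zeek dns.log by its #fields header instead of by column number, then runs Python equivalents of the three Splunk searches above that need no external field (first-label length, TXT count per source, and the hourly z-score), with the stdev=0 and short-baseline cases that the SPL drops silently handled explicitly. The log excerpt is constructed inline and is not real traffic; thresholds other than the ones on this page, all helper names, and the sample addresses are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

# Zeek's default dns.log column order, used only to build the constructed sample
# below; the parser itself reads the #fields header so it never relies on positions.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query "
          "qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers "
          "TTLs rejected").split()
HOUR = 3600
T0 = 1700000000.0


def _row(ts, src, query, qtype_name):
    """One tab-separated dns.log record; unset fields use Zeek's '-' marker."""
    vals = {"ts": f"{ts:.6f}", "uid": "CZ0000", "id.orig_h": src, "id.orig_p": "51234",
            "id.resp_h": "10.0.0.53", "id.resp_p": "53", "proto": "udp", "trans_id": "1",
            "query": query, "qtype_name": qtype_name, "rcode_name": "NOERROR"}
    return "\t".join(vals.get(f, "-") for f in FIELDS)


# Constructed sample: one quiet host that spikes in its 24th hour, one host with a
# perfectly flat baseline, and one host sending a 52-character first label over TXT.
_rows = [_row(T0 + h * HOUR, "10.1.1.5", "www.example.com", "A") for h in range(23)]
_rows += [_row(T0 + 23 * HOUR + i, "10.1.1.5", f"h{i}.example.com", "A") for i in range(40)]
_rows += [_row(T0 + h * HOUR, "10.1.1.7", "ntp.example.com", "A") for h in range(24)]
_rows += [_row(T0 + i, "10.1.1.9", "0123456789abcdef" * 3 + "0123" + ".t.evil.test", "TXT")
          for i in range(3)]
SAMPLE_LOG = "\n".join(["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
                       + _rows + ["#close\t2023-11-14-22-13-20"])


def parse_zeek_log(text):
    """Parse an ASCII Zeek log into dicts keyed by the names in its #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("record before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def long_first_label(records, limit=50):
    """Splunk 'Tunneling Detection' equivalent: first label longer than limit, per source."""
    return Counter(r["id.orig_h"] for r in records
                   if len(r["query"].split(".")[0]) > limit)


def txt_query_counts(records):
    """Splunk 'TXT Record Abuse' equivalent: TXT queries per source."""
    return Counter(r["id.orig_h"] for r in records if r["qtype_name"] == "TXT")


def hourly_zscore_alerts(records, threshold=3.0, min_bins=6):
    """Splunk 'Volume Anomaly' equivalent with two explicit guards.

    Like the SPL, only hours that saw traffic form a bucket. Unlike the SPL, a
    flat baseline (stdev 0) or too few buckets yields no alert on purpose instead
    of a null z-score that is silently dropped.
    """
    bins = defaultdict(Counter)
    for r in records:
        bins[r["id.orig_h"]][int(float(r["ts"]) // HOUR)] += 1
    alerts = []
    for src, hours in bins.items():
        counts = list(hours.values())
        if len(counts) < max(min_bins, 2):
            continue
        mu, sd = mean(counts), stdev(counts)
        if sd == 0:
            continue
        for hour, n in hours.items():
            z = (n - mu) / sd
            if z > threshold:
                alerts.append((src, hour * HOUR, n, round(z, 2)))
    return alerts


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_LOG)
    print("long first label:", dict(long_first_label(recs)))
    print("TXT per source:", dict(txt_query_counts(recs)))
    print("hourly z-score alerts:", hourly_zscore_alerts(recs))
```

On the sample, only 10.1.1.9 trips the first-label and TXT checks, and only 10.1.1.5's 40-query hour produces a z-score alert (about 4.7); 10.1.1.7 is skipped because its baseline has no variance, which the Splunk version would have hidden as a null z_score.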

DNS Tunneling Tools (Detection Signatures)

| Tool | DNS Pattern |
|---|---|
| iodine | *.pirate.sea (TXT/NULL records) |
| dnscat2 | dnscat. prefix on query names |
| dns2tcp | *.dns2tcp. pattern |
| Cobalt Strike DNS | Periodic TXT queries with encoded payloads |

These are the tools' defaults. The tunnel domain, record type and encoding are all operator-configurable, so treat a pattern match as confirmation and rely on the length, entropy and volume searches above for detection.

Passive DNS Lookup APIs

Farsight DNSDB

curl -H "X-API-Key: $KEY" \
  "https://api.dnsdb.info/dnsdb/v2/lookup/rrset/name/evil.com/A"

VirusTotal Domain Resolutions

curl -H "x-apikey: $KEY" \
  "https://www.virustotal.com/api/v3/domains/evil.com/resolutions"

Cisco Umbrella (OpenDNS) Investigate API

Domain Categorization

curl -H "Authorization: Bearer $TOKEN" \
  "https://investigate.api.umbrella.com/domains/categorization/evil.com"

Security Information

curl -H "Authorization: Bearer $TOKEN" \
  "https://investigate.api.umbrella.com/security/name/evil.com"