Anthropic-Cybersecurity-Skills/skills/analyzing-network-covert-channels-in-malware/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: Network Covert Channel Detection

## Scapy - Packet Analysis

### DNS Tunneling Detection

```python
from scapy.all import rdpcap, DNS, DNSQR, IP

packets = rdpcap("capture.pcap")
for pkt in packets:
    # Only DNS queries carried over IPv4; an IPv6 packet has no IP layer,
    # so pkt[IP] would raise without the second check
    if pkt.haslayer(DNSQR) and pkt.haslayer(IP):
        qname = pkt[DNSQR].qname.decode().rstrip(".")
        src = pkt[IP].src
        qtype = pkt[DNSQR].qtype  # 1=A, 16=TXT, 28=AAAA
        print(f"{src} -> {qname} (qtype={qtype}, len={len(qname)})")
```

### ICMP Payload Extraction

```python
from scapy.all import rdpcap, ICMP, Raw

packets = rdpcap("capture.pcap")
for pkt in packets:
    if pkt.haslayer(ICMP) and pkt.haslayer(Raw):
        payload = bytes(pkt[Raw].load)
        icmp_type = pkt[ICMP].type  # 8=echo-request, 0=echo-reply
        # Standard ping payloads are small and repetitive; large or
        # varying payloads in echo traffic deserve a closer look
        print(f"ICMP type {icmp_type}: {len(payload)}-byte payload")
```

## Zeek - Covert Channel Detection

### DNS Tunneling Indicators

```zeek
@load base/protocols/dns

# Flag query names longer than 60 characters: encoded tunnel data tends
# to produce long subdomain labels, while ordinary hostnames stay short
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) {
    if ( |query| > 60 )
        print fmt("Long DNS query: %s from %s", query, c$id$orig_h);
}
```

### Configuration

```shell
zeek -r capture.pcap local
# Outputs: dns.log, conn.log, weird.log
```

## tshark - Protocol Filtering

### DNS Analysis

```shell
tshark -r capture.pcap -Y "dns" -T fields \
  -e ip.src -e dns.qry.name -e dns.qry.type -e frame.len

# Filter long DNS queries (query names of 60 or more characters)
tshark -r capture.pcap -Y "dns.qry.name matches \"^.{60,}\"" -T fields -e dns.qry.name
```

### ICMP Payload Analysis

```shell
# ICMP packets whose data field exceeds a typical ping payload
tshark -r capture.pcap -Y "icmp && data.len > 64" -T fields \
  -e ip.src -e ip.dst -e icmp.type -e data.len -e data.data
```

## DNS Tunneling Tools

| Tool | Technique | Detection Method |
|------|-----------|------------------|
| iodine | TXT/NULL/CNAME records | High entropy subdomains |
| dns2tcp | TXT records | Encoded query names |
| dnscat2 | TXT/CNAME/MX/A records | Base32/Base64 subdomain patterns |
| DNSExfiltrator | TXT records | High query volume to single domain |

## Entropy Thresholds

| Range | Interpretation |
|-------|----------------|
| < 2.0 | Normal domain labels (English words) |
| 2.0-3.5 | Possibly encoded but may be legitimate |
| 3.5-5.0 | Likely Base32/Base64 encoded (tunneling) |
| > 5.0 | Encrypted/random data (strong tunneling indicator) |
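The following Python is an added example, not part of the original reference: it applies the entropy bands above to the client-controlled part of each query name and also counts queries per source and registered domain, which covers the "high query volume to single domain" indicator from the tools table. The sample queries and the `tunnel.example` domain are constructed, and treating the last two labels as the registered domain is a simplifying assumption (real zones need a public-suffix list).

```python
import math
from collections import Counter, defaultdict

# Upper bounds of the entropy bands in the table above (bits per character);
# each band is [lower, upper), so a value on a boundary falls in the upper band.
BANDS = [(2.0, "normal"), (3.5, "possibly-encoded"),
         (5.0, "likely-encoded"), (float("inf"), "random/encrypted")]

# Constructed sample of (source IP, query name) pairs; "tunnel.example" is a
# made-up domain standing in for an attacker-controlled zone.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "ns1.example.com"),
    ("10.0.0.7", "abcdefghijklmnopabcdefghijklmnop.tunnel.example"),
    ("10.0.0.7", "abcdefghijklmnopqrstuvwxyz0123456789.tunnel.example"),
    ("10.0.0.7", "2g4x.zq9k.tunnel.example"),
]

def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    # "0.0 -" rather than unary minus so a single-symbol string yields 0.0, not -0.0
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str, registered_labels: int = 2):
    """Return (subdomain data, registered domain). Assumption: the last
    `registered_labels` labels are the registered domain; everything in front
    of them is client-controlled and is where tunnel payloads are carried."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-registered_labels]), ".".join(labels[-registered_labels:])

def classify(entropy: float) -> str:
    """Map an entropy value onto the band names from the table."""
    return next(name for upper, name in BANDS if entropy < upper)

def analyze_queries(records, volume_threshold: int = 3):
    """Score every query and count queries per (source, registered domain).
    Returns ([(src, qname, entropy, band)], {(src, domain): count >= threshold})."""
    verdicts, volume = [], defaultdict(int)
    for src, qname in records:
        sub, domain = split_name(qname)
        ent = round(shannon_entropy(sub), 2)
        verdicts.append((src, qname, ent, classify(ent)))
        volume[(src, domain)] += 1
    noisy = {k: v for k, v in volume.items() if v >= volume_threshold}
    return verdicts, noisy
```

Run `analyze_queries(SAMPLE_QUERIES)` to get one verdict per query plus the (source, domain) pairs whose query count reached the threshold; in a real pipeline the records would come from the Scapy or tshark extraction above.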

## Covert Channel Categories

| Channel Type | Protocol | Detection Method |
|--------------|----------|------------------|
| DNS Tunneling | DNS (53/udp) | Subdomain entropy, query volume |
| ICMP Tunnel | ICMP (type 8/0) | Payload size, entropy, volume |
| HTTP Header | HTTP (80/tcp) | Cookie size, custom header entropy |
| Protocol Abuse | IP options, GRE | Unusual protocol numbers |
| Timing Channel | TCP | Inter-packet timing analysis |