Anthropic-Cybersecurity-Skills/skills/analyzing-network-covert-channels-in-malware/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00
# API Reference: Network Covert Channel Detection
## Scapy - Packet Analysis
### DNS Tunneling Detection
```python
from scapy.all import rdpcap, DNS, DNSQR, IP

packets = rdpcap("capture.pcap")
for pkt in packets:
    # Only DNS packets carrying a question section over IPv4
    if pkt.haslayer(DNSQR) and pkt.haslayer(IP):
        qname = pkt[DNSQR].qname.decode().rstrip(".")
        src = pkt[IP].src
        qtype = pkt[DNSQR].qtype  # 1=A, 16=TXT, 28=AAAA
        print(src, qtype, qname)
```
### ICMP Payload Extraction
```python
from scapy.all import rdpcap, ICMP, IP, Raw

packets = rdpcap("capture.pcap")
for pkt in packets:
    # ICMP packets that carry data beyond the ICMP header
    if pkt.haslayer(ICMP) and pkt.haslayer(Raw) and pkt.haslayer(IP):
        payload = bytes(pkt[Raw].load)
        icmp_type = pkt[ICMP].type  # 8=echo-request, 0=echo-reply
        print(pkt[IP].src, icmp_type, len(payload))
```
## Zeek - Covert Channel Detection
### DNS Tunneling Indicators
```zeek
@load base/protocols/dns

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count)
    {
    # |query| is the length of the query name; long names are a tunneling indicator
    if ( |query| > 60 )
        print fmt("Long DNS query: %s from %s", query, c$id$orig_h);
    }
```
### Configuration
```bash
zeek -r capture.pcap local
# Outputs: dns.log, conn.log, weird.log
```
## tshark - Protocol Filtering
### DNS Analysis
```bash
tshark -r capture.pcap -Y "dns" -T fields \
    -e ip.src -e dns.qry.name -e dns.qry.type -e frame.len

# Filter long DNS queries (60 or more characters)
tshark -r capture.pcap -Y "dns.qry.name matches \"^.{60,}\"" -T fields -e dns.qry.name
```
### ICMP Payload Analysis
```bash
tshark -r capture.pcap -Y "icmp && data.len > 64" -T fields \
    -e ip.src -e ip.dst -e icmp.type -e data.len -e data.data
```
## DNS Tunneling Tools
| Tool | Technique | Detection Method |
|------|-----------|-----------------|
| iodine | TXT/NULL/CNAME records | High entropy subdomains |
| dns2tcp | TXT records | Encoded query names |
| dnscat2 | TXT/CNAME/MX/A records | Base32/Base64 subdomain patterns |
| DNSExfiltrator | TXT records | High query volume to single domain |
## Entropy Thresholds
| Range (bits/char) | Interpretation |
|-------------------|----------------|
| < 2.0 | Normal domain labels (English words) |
| 2.0-3.5 | Possibly encoded but may be legitimate |
| 3.5-5.0 | Likely Base32/Base64 encoded (tunneling) |
| > 5.0 | Encrypted/random data (strong tunneling indicator) |
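Shannon entropy of the subdomain portion of a query name, scored against the bands in the table above. This is an added example, not code from the repository; the `zone_labels` (treat the last two labels as the registrable domain) and `min_len` parameters are assumptions, and a real deployment would use the public suffix list instead.

```python
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify(entropy: float) -> str:
    """Map an entropy value to the interpretation bands in the table above."""
    if entropy < 2.0:
        return "normal"
    if entropy < 3.5:
        return "possibly encoded"
    if entropy < 5.0:
        return "likely base32/base64 (tunneling)"
    return "encrypted/random (strong tunneling indicator)"

def subdomain_part(qname: str, zone_labels: int = 2) -> str:
    """Labels left of the zone, joined without dots. zone_labels=2 is an
    assumption (the last two labels are taken as the registrable domain)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""

def flag_queries(qnames, min_len: int = 16, zone_labels: int = 2):
    """Return (qname, entropy, label) for queries scoring 'likely' or above.
    Subdomains shorter than min_len are skipped: a string of length n cannot
    exceed log2(n) bits/char, so a short name like 'mail' (2.0) is noise."""
    flagged = []
    for q in qnames:
        sub = subdomain_part(q, zone_labels)
        if len(sub) < min_len:
            continue
        e = shannon_entropy(sub)
        if e >= 3.5:
            flagged.append((q, e, classify(e)))
    return flagged

# Constructed sample query names (as the Scapy loop above would extract them)
SAMPLE_QUERIES = [
    "www.example.com.",
    "mail.example.com.",
    "abcdefghijklmnopqrstuvwxyz23.example.com.",              # 28 distinct chars
    "abcdefghijklmnopqrstuvwxyz0123456789ABCD.example.com.",  # 40 distinct chars
]

if __name__ == "__main__":
    for q, e, label in flag_queries(SAMPLE_QUERIES):
        print(f"{e:.2f}  {label:<45} {q}")
```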
## Covert Channel Categories
| Channel Type | Protocol | Detection Method |
|-------------|----------|-----------------|
| DNS Tunneling | DNS (53/udp) | Subdomain entropy, query volume |
| ICMP Tunnel | ICMP (type 8/0) | Payload size, entropy, volume |
| HTTP Header | HTTP (80/tcp) | Cookie size, custom header entropy |
| Protocol Abuse | IP options, GRE | Unusual protocol numbers |
| Timing Channel | TCP | Inter-packet timing analysis |