Network Security & Traffic Analysis
Network traffic analysis, PCAP parsing, IDS/IPS rule creation, firewall configuration auditing, and network anomaly detection
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/network-security-traffic-analysis && cp -r /tmp/network-security-traffic-analysis/skills/08-network-security ~/.claude/skills/network-security-traffic-analysis

SKILL.md
# Network Security & Traffic Analysis
## Purpose
Enable Claude to assist with network security operations including traffic analysis from PCAP files, IDS/IPS rule authoring for Snort and Suricata, firewall rule auditing, network anomaly detection, and network architecture security reviews.
---
## Activation Triggers
This skill activates when the user asks about:
- Analyzing PCAP or PCAPNG files for suspicious activity
- Creating Snort or Suricata detection rules
- Writing Zeek (Bro) scripts for network analysis
- Reviewing firewall rules (iptables, nftables, pf, cloud security groups)
- Detecting C2 beaconing, DNS tunneling, or data exfiltration in network traffic
- Network architecture security review
- IDS/IPS signature development
- Network segmentation and east-west traffic analysis
- TLS inspection and certificate analysis
---
## Prerequisites
```bash
pip install scapy dpkt requests
```
**Recommended tools:**
- `Wireshark / tshark` — Packet capture and GUI analysis
- `Suricata` — Modern IDS/IPS engine
- `Snort 3` — Classic IDS/IPS engine
- `Zeek (Bro)` — Network analysis and scripting framework
- `tcpdump` — Command-line packet capture
- `NetworkMiner` — PCAP artifact extraction
- `nmap` — Network scanning and discovery
---
## Core Capabilities
### 1. PCAP Traffic Analysis
**When the user provides a PCAP file or asks to analyze network traffic:**
```bash
# Quick summary with tshark
tshark -r capture.pcap -q -z io,phs # Protocol hierarchy
tshark -r capture.pcap -q -z conv,tcp # TCP conversations
tshark -r capture.pcap -q -z endpoints,ip # IP endpoints
# Extract HTTP requests
tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.host -e http.request.uri
# Extract DNS queries
tshark -r capture.pcap -Y dns.flags.response==0 -T fields -e ip.src -e dns.qry.name
# Extract files
tshark -r capture.pcap --export-objects http,./extracted_files/
tshark -r capture.pcap --export-objects smb,./smb_files/
# Run automated analysis
python scripts/pcap_analyzer.py --file capture.pcap --output analysis.json
python scripts/pcap_analyzer.py --file traffic.pcapng --dns --http --top-talkers 20
```
**Traffic Analysis Checklist:**
```
[ ] Protocol distribution — any unexpected protocols?
[ ] Top talkers — unusual source/destination combinations
[ ] DNS analysis — DGA domains, unusually long queries, high volume
[ ] HTTP analysis — suspicious user agents, unusual methods, encoded data
[ ] TLS analysis — invalid certificates, unusual SNI, cert fingerprints
[ ] ICMP analysis — large payloads (tunneling), ping sweeps
[ ] SMB analysis — authentication attempts, file access patterns
[ ] Data volume — large uploads (exfiltration?), irregular transfer sizes
[ ] Timing analysis — regular interval beaconing patterns
```
**Beaconing Detection:**
Beaconing shows as consistent time intervals between outbound connections:
```bash
# tshark: extract connection timestamps to check for regularity
tshark -r capture.pcap -Y "ip.dst == 203.0.113.10 and tcp.flags.syn==1" \
-T fields -e frame.time_epoch | \
awk 'NR>1{printf "%.0f\n", ($1-prev)} {prev=$1}' | sort | uniq -c | sort -rn
# Consistent counts at specific intervals = beaconing
```
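The one-liner above only works once you already know the destination. The following is an added example (not code from the original page or the repository it describes) that does the same regularity test over every (source, destination) pair at once, using the median absolute deviation of the gaps between SYNs so that a few long sleeps do not mask a fixed timer. It consumes the three-column output of `tshark -T fields -e ip.src -e ip.dst -e frame.time_epoch`; the traffic in `constructed_sample()` is constructed, not captured, and the 10-connection minimum and 0.15 jitter threshold are assumed starting points to tune.

```python
"""Beacon detection by inter-connection interval regularity (added example)."""
import random
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 10      # assumption: fewer samples than this is just noise
MAX_JITTER_RATIO = 0.15   # assumption: MAD / median of the intervals


def interval_stats(timestamps):
    """Return (median_interval, jitter_ratio, n_intervals), or None if too few samples."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < MIN_CONNECTIONS - 1:
        return None
    median = statistics.median(intervals)
    if median <= 0:
        return None
    mad = statistics.median(abs(i - median) for i in intervals)
    return median, mad / median, len(intervals)


def find_beacons(rows, max_jitter=MAX_JITTER_RATIO):
    """Group SYNs by (src, dst) and flag pairs whose gaps are regular.

    Returns {(src, dst): (median_interval, jitter_ratio, n_intervals)}.
    MAD is used instead of standard deviation so that one long gap (host
    asleep, network down) does not hide an otherwise fixed check-in timer.
    """
    by_pair = defaultdict(list)
    for src, dst, t in rows:
        by_pair[(src, dst)].append(float(t))
    flagged = {}
    for pair, ts in by_pair.items():
        st = interval_stats(ts)
        if st is not None and st[1] <= max_jitter:
            flagged[pair] = st
    return flagged


def parse_tshark_fields(text):
    """Parse tab-separated 'src<TAB>dst<TAB>epoch' lines from tshark -T fields."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 3:
            rows.append((parts[0], parts[1], float(parts[2])))
    return rows


def constructed_sample(seed=1):
    """Constructed traffic: a 60 s beacon with +/-3 s jitter plus bursty browsing."""
    rng = random.Random(seed)
    rows = []
    t = 1_700_000_000.0
    for _ in range(30):                      # implant checking in with its C2
        rows.append(("10.0.0.5", "203.0.113.10", t))
        t += 60 + rng.uniform(-3, 3)
    t = 1_700_000_000.0
    gaps = [0.2, 0.5, 1.0, 45.0, 300.0, 900.0]
    for i in range(30):                      # human browsing: irregular gaps
        rows.append(("10.0.0.5", "198.51.100.7", t))
        t += gaps[i % len(gaps)]
    rng.shuffle(rows)                        # capture order does not matter
    return rows


if __name__ == "__main__":
    # Typical use: find_beacons(parse_tshark_fields(open("syns.tsv").read()))
    for (src, dst), (median, jitter, n) in find_beacons(constructed_sample()).items():
        print(f"{src} -> {dst}: ~{median:.1f}s interval, jitter {jitter:.2f}, n={n}")
```

Feed it real data with `tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" -T fields -e ip.src -e ip.dst -e frame.time_epoch > syns.tsv` and pass the file contents to `parse_tshark_fields`. Implants that randomise their sleep by a large percentage will push the jitter ratio above the threshold; for those, look at the distribution of intervals rather than a single summary number.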
**DNS Tunneling Detection:**
```bash
# Long query names. dns.qry.name.len is the length of the whole name, and CDN or
# cloud hostnames are legitimately long, so treat > 50 as a first cut and
# corroborate with query volume and subdomain churn before calling it a tunnel.
tshark -r capture.pcap -Y "dns.qry.name.len > 50" \
-T fields -e ip.src -e dns.qry.name | head -50
# High query volume to a single parent domain = possible tunnel
# (queries only, so responses are not double-counted; note the awk split keeps
# the last two labels, so "example.co.uk" is counted as "co.uk")
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | \
awk -F. '{print $(NF-1)"."$NF}' | sort | uniq -c | sort -rn | head -20
```
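The two tshark checks above each look at one signal. As an added example (not code from the original page or its repository), the script below combines them the way a tunnel actually presents: many distinct, high-entropy subdomains under one registered domain, as opposed to one long CDN hostname requested over and over. It takes the query names from `-e dns.qry.name`, groups them by registered domain, and flags a parent only when volume, subdomain churn and payload-like labels all hold. `TWO_LABEL_SUFFIXES` is an assumed stand-in for the Public Suffix List (a real deployment should use the full list), the thresholds in `score_domains` are assumed starting points, and `constructed_queries()` is a constructed sample, not captured traffic.

```python
"""DNS tunnelling heuristics over query names (added example)."""
import math
import random
from collections import defaultdict

# Assumption: a tiny subset of the Public Suffix List, enough to show why
# "last two labels" is the wrong way to find the registered domain.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def registered_domain(name):
    """Return the registrable part of a query name (example.com, bbc.co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; random base32/base64 payload scores far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_features(name):
    """Features of the subdomain part only; the registered domain carries no payload."""
    full = name.rstrip(".").lower()
    reg = registered_domain(full)
    sub = full[: len(full) - len(reg)].rstrip(".")
    return {
        "subdomain": sub,
        "subdomain_len": len(sub),
        "longest_label": max((len(label) for label in sub.split(".")), default=0),
        "entropy": shannon_entropy(sub.replace(".", "")),
    }


def score_domains(queries, min_queries=20):
    """Aggregate per registered domain and flag tunnel-like parents."""
    per_domain = defaultdict(list)
    for q in queries:
        per_domain[registered_domain(q)].append(query_features(q))
    results = {}
    for domain, feats in per_domain.items():
        n = len(feats)
        unique_ratio = len({f["subdomain"] for f in feats}) / n
        mean_len = sum(f["subdomain_len"] for f in feats) / n
        mean_ent = sum(f["entropy"] for f in feats) / n
        results[domain] = {
            "queries": n,
            "unique_subdomain_ratio": unique_ratio,
            "mean_subdomain_len": mean_len,
            "mean_entropy": mean_ent,
            # assumed thresholds; all three must hold: volume, churn, payload-like labels
            "suspicious": (n >= min_queries and unique_ratio > 0.8
                           and mean_len > 30 and mean_ent > 3.5),
        }
    return results


def constructed_queries(seed=7):
    """Constructed sample: 40 tunnel queries under example.net, ordinary lookups elsewhere."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"      # base32 payload alphabet
    tunnel = []
    for _ in range(40):
        payload = "".join(rng.choice(alphabet) for _ in range(48))
        tunnel.append(f"{payload[:24]}.{payload[24:]}.t.example.net")
    normal = ["www.example.com", "mail.example.com", "cdn.example.com"] * 14
    normal += ["www.bbc.co.uk"] * 5
    # a long CDN-style name repeated many times: long, but no churn
    normal += ["d1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7.cloudfront.example.org"] * 25
    return tunnel + normal


if __name__ == "__main__":
    # Typical use: score_domains(open("queries.txt").read().split())
    for domain, stats in score_domains(constructed_queries()).items():
        print(domain, {k: round(v, 2) if isinstance(v, float) else v for k, v in stats.items()})
```

Produce the input with `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name > queries.txt`. The long `cloudfront.example.org` name in the sample is exactly the false positive the `dns.qry.name.len > 50` filter raises on its own; it has the length but not the churn, so it is not flagged here.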
### 2. Suricata Rule Creation
**When the user asks to create Suricata IDS rules:**
**Suricata Rule Syntax Reference:**
```
action protocol src_ip src_port -> dst_ip dst_port (options)
```
**Rule Templates:**
```suricata
# Rules are one per line; a trailing backslash continues a rule onto the next
# line, and comments must not appear inside a rule.

# Template: C2 beaconing over HTTP
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE Suspicious C2 Beacon - Regular Interval HTTP POST"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/api/check"; endswith; \
    http.user_agent; content:"Mozilla/4.0 (compatible)"; startswith; \
    threshold:type both, track by_src, count 5, seconds 300; \
    classtype:trojan-activity; \
    sid:9000001; rev:1; \
    metadata:affected_product Windows_XP_Vista_7_8_10_Server, attack_target Client_Endpoint, \
    created_at 2025_05_28, deployment Perimeter; \
)

# Template: DNS tunneling detection
# bsize tests the length of the dns.query buffer (the whole query name); a
# byte_test there would compare a character's value, not the name length.
alert dns $HOME_NET any -> any any ( \
    msg:"POLICY Possible DNS Tunneling - Long Query Name"; \
    dns.query; bsize:>50; \
    threshold:type both, track by_src, count 20, seconds 60; \
    classtype:policy-violation; \
    sid:9000002; rev:1; \
)

# Template: Lateral movement via SMB
# SMB2 file and pipe names on the wire are UTF-16LE, so pair this ASCII match
# (which catches the service binary being copied) with a second rule on
# "P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|" for the \PSEXESVC pipe open.
alert smb $HOME_NET any -> $HOME_NET 445 ( \
    msg:"LATERAL-MOVEMENT PsExec Lateral Movement Detected"; \
    flow:established,to_server; \
    content:"PSEXESVC"; nocase; \
    classtype:trojan-activity; \
    sid:9000003; rev:1; \
)

# Template: Data exfiltration - large upload
# dsize is the payload size of one packet and can never reach 1 MB, and an
# empty content match is invalid. Test the Content-Length header instead: the
# first seven digits being >= 1000000 means the declared body is >= 1 MB.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"EXFILTRATION Possible Data Exfiltration - Large HTTP POST"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.content_len; byte_test:7,>=,1000000,0,string,dec; \
    threshold:type both, track by_src, count 3, seconds 300; \
    classtype:policy-violation; \
    sid:9000004; rev:1; \
)

# Template: Malicious TLS certificate (self-signed with suspicious CN)
# The certificate travels server -> client, hence to_client.
alert tls $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"MALWARE Suspicious TLS Certificate - Self-Signed C2"; \
    flow:established,to_client; \
    tls.cert_subject; content:"CN=localhost"; \
    tls.cert_issuer; content:"CN=localhost"; \
    classtype:trojan-activity; \
    sid:9000005; rev:1; \
)

# Template: Web shell access
alert http $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"WEBSHELL Possible Web Shell Access"; \
    flow:established,to_server; \
    http.uri; content:".php"; \
```
Before deploying, load the file with `suricata -T -c /etc/suricata/suricata.yaml -S rules.rules` to catch syntax errors, then replay a capture with `suricata -r capture.pcap -S rules.rules -l ./out/` and confirm the expected hits (and no unexpected ones) in `out/fast.log`.