원클릭으로
attack-selection
How to map an operator intent to one of the attacks discovered on the attacker host. Use this before calling execute_attack.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
How to map an operator intent to one of the attacks discovered on the attacker host. Use this before calling execute_attack.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | attack-selection |
| description | How to map an operator intent to one of the attacks discovered on the attacker host. Use this before calling execute_attack. |
The attacker host exposes a catalog of attacks discovered at startup (each one is a directory under attacker_attacks_root with a README.md, Dockerfile, and entrypoint.sh). Your job is to pick the right one for the intent.
list_available_attacks() -> list[{attack_id, description, required_arguments}] — quick browse of every available attack.read_attack_definition(attack_id) -> {attack_id, description, docker_image, required_arguments, readme_excerpt} — full definition of a single attack including the README excerpt.list_available_attacks first to confirm the catalog.attack_id based on description and required arguments. Mention IPs, ports, protocols, and attack class in your reasoning.read_attack_definition(attack_id) for the candidate to inspect the README and required argument names.evasion_rationale. The deterministic guardrail in the agent will raise if the attack_id is unknown — never invent an attack_id.The required_arguments field returns a list of NAMES (e.g. ["target_ip", "target_port", "rate"]). You must produce a list of VALUES in the same order. Wrong order silently breaks the attack.
If two attacks could match the intent (e.g. both target the same protocol but differ in payload), choose the one whose required_arguments are best determined by the intent. Explain the choice in evasion_rationale.
Generate Snort 3.9.7.0 IDS rules from a natural-language operator intent. Use whenever you need to write a new rule, refine an existing one, or recover from a syntax error.
Reuse Snort rules that already fired in past experiments. ALWAYS consult this skill at the start of every cycle BEFORE writing a new rule. Validated rules are known-good detection patterns persisted per attack_id under data/validated_rules/.
How to produce an evasion variant of a previously successful attack. Use this when request_variant=True on the attacker request.
How to execute the selected attack container on the attacker host and interpret the result.
Rule-generation refinement playbook for MQTT Brute Force — credential brute force against MQTT brokers on TCP port 1883 using dictionary attacks. Load when the operator intent maps to attack_id mqtt-bruteforce.
Rule-generation refinement playbook for MQTT LWT Abuse — abuse of MQTT Last Will and Testament to publish malicious payloads under the broker's trusted identity. Load when the operator intent maps to attack_id mqtt-lwt-abuse.