一键导入
network-security-traffic-analysis
Network traffic analysis, PCAP parsing, IDS/IPS rule creation, firewall configuration auditing, and network anomaly detection
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Network traffic analysis, PCAP parsing, IDS/IPS rule creation, firewall configuration auditing, and network anomaly detection
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Passive and active reconnaissance, subdomain enumeration, DNS analysis, technology fingerprinting, and OSINT data correlation for authorized security assessments
Dependency auditing, CVE detection, configuration security review, CVSS scoring, and prioritized vulnerability reporting
Proof-of-concept development, payload crafting, shellcode analysis, and exploitation technique research for authorized security testing
Binary analysis, assembly interpretation, disassembly, decompilation, firmware RE, and protocol reverse engineering
Static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification
IOC extraction, threat intelligence correlation, MITRE ATT&CK mapping, hunt hypothesis generation, and detection rule creation
| name | Network Security & Traffic Analysis |
| description | Network traffic analysis, PCAP parsing, IDS/IPS rule creation, firewall configuration auditing, and network anomaly detection |
| version | 3.0.0 |
| author | Masriyan |
| tags | ["cybersecurity","network","traffic-analysis","pcap","ids","ips","firewall","snort","suricata","zeek"] |
Enable Claude to assist with network security operations including traffic analysis from PCAP files, IDS/IPS rule authoring for Snort and Suricata, firewall rule auditing, network anomaly detection, and network architecture security reviews.
This skill activates when the user asks about:
pip install scapy dpkt requests
Recommended tools:
Wireshark / tshark — Packet capture and GUI analysisSuricata — Modern IDS/IPS engineSnort 3 — Classic IDS/IPS engineZeek (Bro) — Network analysis and scripting frameworktcpdump — Command-line packet captureNetworkMiner — PCAP artifact extractionnmap — Network scanning and discoveryWhen the user provides a PCAP file or asks to analyze network traffic:
# Quick summary with tshark
tshark -r capture.pcap -q -z io,phs # Protocol hierarchy
tshark -r capture.pcap -q -z conv,tcp # TCP conversations
tshark -r capture.pcap -q -z endpoints,ip # IP endpoints
# Extract HTTP requests
tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.host -e http.request.uri
# Extract DNS queries
tshark -r capture.pcap -Y dns.flags.response==0 -T fields -e ip.src -e dns.qry.name
# Extract files
tshark -r capture.pcap --export-objects http,./extracted_files/
tshark -r capture.pcap --export-objects smb,./smb_files/
# Run automated analysis
python scripts/pcap_analyzer.py --file capture.pcap --output analysis.json
python scripts/pcap_analyzer.py --file traffic.pcapng --dns --http --top-talkers 20
Traffic Analysis Checklist:
[ ] Protocol distribution — any unexpected protocols?
[ ] Top talkers — unusual source/destination combinations
[ ] DNS analysis — DGA domains, unusually long queries, high volume
[ ] HTTP analysis — suspicious user agents, unusual methods, encoded data
[ ] TLS analysis — invalid certificates, unusual SNI, cert fingerprints
[ ] ICMP analysis — large payloads (tunneling), ping sweeps
[ ] SMB analysis — authentication attempts, file access patterns
[ ] Data volume — large uploads (exfiltration?), irregular transfer sizes
[ ] Timing analysis — regular interval beaconing patterns
Beaconing Detection: Beaconing shows as consistent time intervals between outbound connections:
# tshark: extract connection timestamps to check for regularity
tshark -r capture.pcap -Y "ip.dst == 203.0.113.10 and tcp.flags.syn==1" \
-T fields -e frame.time_epoch | \
awk 'NR>1{printf "%.0f\n", ($1-prev)} {prev=$1}' | sort | uniq -c | sort -rn
# Consistent counts at specific intervals = beaconing
DNS Tunneling Detection:
# Long DNS query names (>50 chars for subdomain) = likely tunneling
tshark -r capture.pcap -Y "dns.qry.name.len > 50" \
-T fields -e ip.src -e dns.qry.name | head -50
# High-volume DNS to single domain = tunneling
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
awk -F. '{print $(NF-1)"."$NF}' | sort | uniq -c | sort -rn | head -20
When the user asks to create Suricata IDS rules:
Suricata Rule Syntax Reference:
action protocol src_ip src_port -> dst_ip dst_port (options)
Rule Templates:
# Template: C2 Beaconing over HTTP
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE Suspicious C2 Beacon - Regular Interval HTTP POST";
flow:established,to_server;
http.method; content:"POST";
http.uri; content:"/api/check" endswith;
http.header; content:"User-Agent: Mozilla/4.0 (compatible)";
threshold:type both, track by_src, count 5, seconds 300;
classtype:trojan-activity;
sid:9000001;
rev:1;
metadata:affected_product Windows_XP_Vista_7_8_10_Server, attack_target Client_Endpoint,
created_at 2025_05_28, deployment Perimeter;
)
# Template: DNS Tunneling Detection
alert dns $HOME_NET any -> any any (
msg:"POLICY Possible DNS Tunneling - Long Subdomain Query";
dns.query;
content:".";
byte_test:1,>,50,0,relative; # Query length > 50 chars
threshold:type both, track by_src, count 20, seconds 60;
classtype:policy-violation;
sid:9000002;
rev:1;
)
# Template: Lateral Movement via SMB
alert smb $HOME_NET any -> $HOME_NET 445 (
msg:"LATERAL-MOVEMENT PsExec Lateral Movement Detected";
flow:established,to_server;
content:"PSEXESVC";
nocase;
classtype:trojan-activity;
sid:9000003;
rev:1;
)
# Template: Data Exfiltration - Large Upload
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"EXFILTRATION Possible Data Exfiltration - Large HTTP POST";
flow:established,to_server;
http.method; content:"POST";
http.request_body; content:!"";
dsize:>1000000; # > 1MB body
threshold:type both, track by_src, count 3, seconds 300;
classtype:policy-violation;
sid:9000004;
rev:1;
)
# Template: Malicious TLS Certificate (self-signed with suspicious CN)
alert tls $EXTERNAL_NET any -> $HOME_NET any (
msg:"MALWARE Suspicious TLS Certificate - Self-Signed C2";
tls.cert_subject; content:"CN=localhost";
tls.cert_issuer; content:"CN=localhost";
classtype:trojan-activity;
sid:9000005;
rev:1;
)
# Template: Web Shell Access
alert http $EXTERNAL_NET any -> $HOME_NET 80 (
msg:"WEBSHELL Possible Web Shell Access";
flow:established,to_server;
http.uri; content:".php";
http.request_body; content:"cmd="; nocase;
content:"exec"; nocase; distance:0;
classtype:web-application-attack;
sid:9000006;
rev:1;
)
Suricata Testing:
# Test rules against PCAP (offline)
suricata -r capture.pcap -S custom.rules -l ./logs/
# Test rule syntax
suricata --dump-config
# Check for rule performance issues
suricata -r test.pcap -S rules.rules --runmode single 2>&1 | grep "perf"
# Snort 3 format — note different syntax from Snort 2
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (
msg:"WEB-ATTACK SQL Injection Attempt";
flow:established,to_server;
http_uri;
content:"' OR '1'='1";
nocase;
sid:9001001;
rev:1;
classtype:web-application-attack;
)
# Detect connections with unusually regular intervals (beaconing)
module BeaconDetect;
export {
redef enum Log::ID += { LOG };
type Info: record {
ts: time &log;
src: addr &log;
dst: addr &log;
interval: interval &log;
};
}
global connection_times: table[addr, addr] of vector of time;
event connection_established(c: connection) {
local key = [c$id$orig_h, c$id$resp_h];
if (key !in connection_times)
connection_times[key] = vector();
connection_times[key] += network_time();
}
event connection_state_remove(c: connection) {
local key = [c$id$orig_h, c$id$resp_h];
if (key in connection_times && |connection_times[key]| > 5) {
# Calculate intervals and check for regularity
# Flag if standard deviation < 5% of mean
}
}
When the user provides firewall rules or asks to audit:
iptables Review Checklist:
# View current rules
iptables -L -n -v --line-numbers
iptables -L INPUT -n -v --line-numbers
iptables -L OUTPUT -n -v --line-numbers
# Check for dangerous rules:
iptables -L | grep "ACCEPT" # List all ACCEPT rules
iptables -L | grep "0.0.0.0" # Any-source rules
iptables Security Checklist:
[ ] Default policy is DROP (not ACCEPT) for all chains
[ ] INPUT chain: only established/related + specific allowed services
[ ] OUTPUT chain: restrict to necessary outbound (optional but best practice)
[ ] FORWARD chain: DROP by default unless this is a router
[ ] Management access (SSH/22) restricted to specific source IPs
[ ] No rules accepting from 0.0.0.0/0 to ALL ports
[ ] Logging enabled for DROPPED packets
[ ] Anti-spoofing rules for RFC 1918 addresses on external interfaces
[ ] ICMP restricted (allow echo-reply/time-exceeded, block ping from internet)
[ ] Port 0 blocked (often used in scans)
AWS Security Group Audit:
Rules that should NEVER exist in production:
✗ Inbound: 0.0.0.0/0 → Port 22 (SSH open to internet)
✗ Inbound: 0.0.0.0/0 → Port 3389 (RDP open to internet)
✗ Inbound: 0.0.0.0/0 → Port 0-65535 (any port from internet)
✗ Outbound: 0.0.0.0/0 → Port 0-65535 (unrestricted outbound)
Rules that are acceptable:
✓ Inbound: 0.0.0.0/0 → Port 443 (HTTPS for public web service)
✓ Inbound: 10.0.0.0/8 → Port 22 (SSH from internal VPC only)
✓ Inbound: [known IP] → Port 22 (SSH from jump box)
Firewall Audit Report Template:
## Firewall Audit Report — [Device/Platform]
**Risk Summary:**
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 5 |
| Medium | 8 |
**CRITICAL: SSH exposed to internet**
- Rule: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`
- Risk: Exposed to brute-force and CVE exploitation
- Fix: `iptables -A INPUT -p tcp --dport 22 -s [admin_ip] -j ACCEPT`
**HIGH: No default deny policy**
- Current: `-P INPUT ACCEPT`
- Fix: `-P INPUT DROP` + explicit allow rules
When the user describes or provides a network architecture:
Review Framework:
Zone Model (most to least trusted):
Internal (Core) → DMZ → Internet
Checkpoints:
[ ] Clear network zones with enforced boundaries
[ ] DMZ properly isolated from internal network
[ ] No direct internet-to-internal traffic allowed
[ ] East-west traffic controls between internal zones (microsegmentation)
[ ] Management network isolated from production
[ ] Out-of-band management for network devices
[ ] VPN gateway in DMZ, not directly on internal segment
[ ] DNS resolvers not exposed to internet
[ ] Log aggregation on separate isolated segment
pcap_analyzer.pypython scripts/pcap_analyzer.py --file capture.pcap --output analysis.json
python scripts/pcap_analyzer.py --file traffic.pcapng --dns --http --top-talkers 20
python scripts/pcap_analyzer.py --file capture.pcap --detect-beaconing --output beacons.json
| Condition | Adjacent Skill |
|---|---|
| Discovered services from recon | ← Skill 01 (Recon & OSINT) |
| Network IOCs for threat correlation | → Skill 06 (Threat Hunting) |
| Network evidence for IR timeline | → Skill 07 (Incident Response) |
| Automate alert responses | → Skill 11 (CSOC Automation) |
Encrypted-traffic-era analysis:
conn, ssl, http, dns, x509, and JA4 logs as the analysis substrate; write detections against Zeek notices.Precision rule: report flows with the 5-tuple, JA4 fingerprint, bytes/duration, and a confidence-scored verdict; provide both a Suricata rule and a Zeek detection where applicable.