Detects C2 beaconing patterns in Zeek conn.log by analyzing connection intervals for low jitter using ZAT, Pandas, and NumPy. Useful for network threat hunting.
Slash command: /cybersecurity-skills-zh:detecting-beaconing-patterns-with-zeek
Uses ZAT (Zeek Analysis Tools) to load Zeek conn.log data, groups connections by source/destination pair, and computes timing statistics to identify beaconing behavior.
```python
from zat.log_to_dataframe import LogToDataFrame
import numpy as np

log_to_df = LogToDataFrame()
# ts_index=False keeps 'ts' as a column; by default ZAT turns it into the index
conn_df = log_to_df.create_dataframe('/path/to/conn.log', ts_index=False)

# Group by source/destination pair and compute inter-arrival times
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
    times = group['ts'].sort_values()
    intervals = times.diff().dt.total_seconds().dropna()
    if len(intervals) > 10:
        std_dev = np.std(intervals)
        mean_interval = np.mean(intervals)
        # Low standard deviation relative to the mean = possible beaconing
        # (the 0.1 ratio is a starting point; tune it for your environment)
        if mean_interval > 0 and std_dev / mean_interval < 0.1:
            print(f'{src} -> {dst}: mean {mean_interval:.1f}s, std {std_dev:.2f}s')
```
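The same jitter check as an added example that is not part of the skill: it parses Zeek's conn.log TSV format directly, so it runs without ZAT or pandas, and generalizes the check into a per-pair coefficient of variation (std dev / mean). The log excerpt is constructed, and the thresholds (at least 10 intervals, CV below 0.1) are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed inter-arrival times: a ~60 s beacon with sub-second jitter,
# and an interactive host with irregular gaps.
BEACON_INTERVALS = [60.0, 60.4, 59.7, 60.2, 59.9, 60.3, 59.8, 60.1, 60.0, 59.6, 60.2]
NOISE_INTERVALS = [3.0, 120.0, 7.0, 45.0, 300.0, 2.0, 88.0, 15.0, 600.0, 4.0, 33.0]

def _rows(orig, resp, intervals, start=1700000000.0):
    """Build conn.log rows (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p)."""
    ts, rows = start, []
    for i, gap in enumerate([0.0] + intervals):
        ts += gap
        rows.append(f"{ts:.6f}\tC{i}\t{orig}\t{40000 + i}\t{resp}\t443")
    return rows

# Constructed conn.log excerpt in Zeek's TSV layout (header lines start with '#').
CONN_LOG = "\n".join(
    ["#separator \\x09", "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"]
    + _rows("10.0.0.5", "203.0.113.10", BEACON_INTERVALS)
    + _rows("10.0.0.7", "198.51.100.20", NOISE_INTERVALS)
)

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other Zeek metadata lines (#separator, #types, #close, ...)
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def beacon_scores(text, min_conns=10):
    """Per (orig_h, resp_h) pair: mean interval, std dev and coefficient of variation."""
    by_pair = defaultdict(list)
    for rec in parse_conn_log(text):
        by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["ts"]))
    scores = {}
    for pair, times in by_pair.items():
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        if len(intervals) < min_conns:
            continue  # too few samples to call the timing periodic
        mean = statistics.mean(intervals)
        std = statistics.pstdev(intervals)  # population std dev, same as np.std
        scores[pair] = {"mean": mean, "std": std, "cv": std / mean if mean else float("inf")}
    return scores

def flag_beacons(text, max_cv=0.1, min_conns=10):
    """Pairs whose inter-arrival jitter is small relative to the mean interval."""
    return sorted(p for p, s in beacon_scores(text, min_conns).items() if s["cv"] < max_cv)
```

Running `flag_beacons(CONN_LOG)` flags only the 10.0.0.5 -> 203.0.113.10 pair; the irregular host scores a CV above 1 and is left alone.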
Key analysis steps:
```python
from zat.log_to_dataframe import LogToDataFrame

log_to_df = LogToDataFrame()
# ts_index=False keeps 'ts' as a column so it can be selected below
df = log_to_df.create_dataframe('conn.log', ts_index=False)
print(df[['id.orig_h', 'id.resp_h', 'ts', 'duration']].head())
```
npx claudepluginhub killvxk/cybersecurity-skills-zh

Analyzes Zeek conn.log connection intervals for C2 beaconing patterns using ZAT to load data into Pandas, computes inter-arrival time std dev, and flags low-jitter beacons for threat hunting.
Analyzes Zeek conn.log data using ZAT and Pandas to detect C2 beaconing by computing inter-arrival time standard deviation and flagging low-jitter periodic connections.