Detects DNS tunneling attacks by calculating Shannon entropy of query names, analyzing lengths and TXT payloads, and identifying high subdomain cardinality using scapy packet capture in Python. Useful for threat hunting in data exfiltration scenarios.
Slash command: /cybersecurity-skills-zh:performing-dns-tunneling-detection
Summary: Detects DNS tunneling indicators in DNS traffic by analyzing query-name characteristics with entropy analysis and statistical methods.
```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of a string in bits per character (0 for an empty string)."""
    if not data:
        return 0
    counter = Counter(data)
    length = len(data)
    return -sum((c / length) * math.log2(c / length) for c in counter.values())


# Legitimate domain: low entropy (~3.0-3.5)
print(shannon_entropy("www.google.com"))
# DNS tunnel: high entropy (~4.0-5.0)
print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))
```
Key detection indicators:
```python
from scapy.all import rdpcap, DNS, DNSQR

# shannon_entropy() is the function defined in the block above.
packets = rdpcap("dns_traffic.pcap")
for pkt in packets:
    # Both queries and responses carry a question section (DNSQR).
    if pkt.haslayer(DNSQR):
        query = pkt[DNSQR].qname.decode()
        entropy = shannon_entropy(query)
        if entropy > 4.0:
            print(f"Suspicious: {query} (entropy={entropy:.2f})")
```
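The scapy loop above only applies the entropy indicator. The following is an added example, not code from the skill or the cybersecurity-skills-zh project, that combines all four indicators the description names (query-name entropy, query length, TXT payload size and per-zone subdomain cardinality) and aggregates them per registered domain, so that a single noisy indicator does not produce an alert on its own. It works over a constructed list of DNS records instead of a pcap so it runs offline; in practice the records would come from the scapy loop. The thresholds, the two-label "registered domain" rule and both zone names are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for this example; tune them against a baseline
# of your own DNS traffic before relying on them.
ENTROPY_THRESHOLD = 4.0   # same value the scapy loop above uses
LONG_QNAME = 30           # chars; tunnel labels must carry the encoded payload
TXT_PAYLOAD = 100         # chars of TXT rdata in a response
MIN_UNIQUE = 4            # unique subdomains before cardinality is judged
UNIQUE_RATIO = 0.9        # fraction of queries that used a never-seen subdomain

# Constructed, hypothetical records: (qname, qtype, txt_rdata).
# txt_rdata is None for queries and for non-TXT answers.
TXT_BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 4   # constructed 140-char payload
SAMPLE_RECORDS = [
    ("www.example.com.", "A", None),
    ("mail.example.com.", "A", None),
    ("cdn.example.com.", "A", None),
    ("www.example.com.", "A", None),
    ("example.com.", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("a1b2c3d4e5f6g7h8i9j0k.tun.evil-example.net.", "TXT", None),
    ("a1b2c3d4e5f6g7h8i9j0k.tun.evil-example.net.", "TXT", TXT_BLOB),
    ("z9y8x7w6v5u4t3s2r1q0p.tun.evil-example.net.", "TXT", None),
    ("z9y8x7w6v5u4t3s2r1q0p.tun.evil-example.net.", "TXT", TXT_BLOB),
    ("m5n6o7p8q9r0s1t2u3v4w.tun.evil-example.net.", "TXT", None),
    ("k2j3h4g5f6d7s8a9q0w1e.tun.evil-example.net.", "TXT", None),
]


def shannon_entropy(data: str) -> float:
    """Bits per character of `data`; 0.0 for an empty string."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumption: the registered domain
    is the last two labels; real code would consult the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return "", qname.rstrip(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class ZoneStats:
    queries: int = 0
    subdomains: set = field(default_factory=set)
    max_entropy: float = 0.0
    max_qname_len: int = 0
    max_txt_len: int = 0
    flags: list = field(default_factory=list)


def analyze(records):
    """Aggregate records per registered domain and attach indicator flags."""
    zones = defaultdict(ZoneStats)
    for qname, qtype, txt in records:
        sub, zone = split_qname(qname)
        z = zones[zone]
        if txt is None:                      # a query
            z.queries += 1
            if sub:                          # apex queries carry no subdomain
                z.subdomains.add(sub)
            # Entropy is measured on the subdomain part only, so the shared
            # zone suffix does not dilute the encoded labels.
            z.max_entropy = max(z.max_entropy, shannon_entropy(sub))
            z.max_qname_len = max(z.max_qname_len, len(qname))
        elif qtype == "TXT":                 # a TXT answer with payload
            z.max_txt_len = max(z.max_txt_len, len(txt))
    for z in zones.values():
        if z.max_entropy > ENTROPY_THRESHOLD:
            z.flags.append("high_entropy")
        if z.max_qname_len > LONG_QNAME:
            z.flags.append("long_qname")
        if z.max_txt_len > TXT_PAYLOAD:
            z.flags.append("large_txt_payload")
        n = len(z.subdomains)
        if z.queries and n >= MIN_UNIQUE and n / z.queries >= UNIQUE_RATIO:
            z.flags.append("high_subdomain_cardinality")
    return dict(zones)


def suspicious_zones(records, min_flags=2):
    """Zones tripping at least `min_flags` indicators. One indicator alone (a
    long CDN hostname, a big SPF record) is common in clean traffic."""
    return sorted(zone for zone, z in analyze(records).items()
                  if len(z.flags) >= min_flags)


if __name__ == "__main__":
    for zone, z in analyze(SAMPLE_RECORDS).items():
        print(f"{zone}: queries={z.queries} unique_subdomains={len(z.subdomains)} "
              f"max_entropy={z.max_entropy:.2f} flags={z.flags}")
```

Requiring two or more indicators per zone is the design choice worth keeping when adapting this: entropy alone misfires on CDN and cloud hostnames that legitimately look random, while cardinality alone misfires on zones with many real hosts, but a zone that is simultaneously high-entropy, long, TXT-heavy and never repeats a subdomain is hard to explain as anything but tunneling.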
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh