From asi
Detects DNS tunneling via Shannon entropy on query names, length distributions, TXT payloads, and subdomain cardinality using scapy packet capture and stats. For data exfiltration hunts.
How this skill is triggered — by the user, by Claude, or both
Slash command
/asi:performing-dns-tunneling-detection
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- When conducting security assessments that involve performing dns tunneling detection
Analyze DNS traffic for indicators of DNS tunneling using entropy analysis and statistical methods on query name characteristics.
```python
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per character of the string `data`."""
    if not data:
        return 0
    counter = Counter(data)
    length = len(data)
    return -sum((c/length) * math.log2(c/length) for c in counter.values())

# Legitimate domain: low entropy (~3.0-3.5)
print(shannon_entropy("www.google.com"))
# DNS tunnel: high entropy (~4.0-5.0)
print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))
```
Key detection indicators:
```python
from scapy.all import rdpcap, DNS, DNSQR

# shannon_entropy() is the function defined above
packets = rdpcap("dns_traffic.pcap")
for pkt in packets:
    if pkt.haslayer(DNSQR):
        # qname is bytes in scapy; decode it to a str before scoring
        query = pkt[DNSQR].qname.decode()
        entropy = shannon_entropy(query)
        if entropy > 4.0:
            print(f"Suspicious: {query} (entropy={entropy:.2f})")
```
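The snippet above scores each query name in isolation. The other indicators the skill names (query length distributions, TXT payload volume, subdomain cardinality) only show up when queries are aggregated per zone, and scoring only the subdomain part avoids the base domain diluting the entropy. The following is an added example, not code from the asi plugin: it takes `(qname, qtype)` pairs in the shape scapy yields from `pkt[DNSQR].qname.decode()` and `pkt[DNSQR].qtype`, profiles each registrable domain, and flags zones that trip two or more indicators. The sample queries, the two-label base-domain split, and every threshold are constructed assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

TXT_QTYPE = 16  # DNS record type code for TXT (1 = A)

# Constructed sample input, not a real capture: (qname, qtype) pairs as
# scapy returns them. The example.net zone mimics tunnel traffic: many
# unique, long, base64-looking labels queried as TXT under one zone.
SAMPLE_QUERIES = [
    ("www.google.com.", 1),
    ("www.google.com.", 1),
    ("mail.google.com.", 1),
    ("www.example.com.", 1),
    ("cdn.example.com.", 1),
    ("www.example.com.", 1),
    ("aGVsbG8gd29ybGQ.tunnel.example.net.", TXT_QTYPE),
    ("dGhpcyBpcyBhIHRlc3Q.tunnel.example.net.", TXT_QTYPE),
    ("c2VjcmV0IGRhdGEgaGVyZQ.tunnel.example.net.", TXT_QTYPE),
    ("bW9yZSBleGZpbCBkYXRh.tunnel.example.net.", TXT_QTYPE),
    ("ZmluYWwgY2h1bmsgb2YgZGF0YQ.tunnel.example.net.", TXT_QTYPE),
    ("YW5vdGhlciBjaHVuayBvZiBkYXRh.tunnel.example.net.", TXT_QTYPE),
]


def shannon_entropy(data):
    """Bits of entropy per character of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split 'a.b.example.com.' into ('a.b', 'example.com').
    Assumption: the registrable domain is the last two labels. A real
    deployment should use the public suffix list so 'co.uk'-style zones work."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_zones(queries):
    """Aggregate per-zone counts, unique subdomains, label lengths and entropies."""
    zones = defaultdict(lambda: {"total": 0, "txt": 0, "subs": set(),
                                 "lengths": [], "entropies": []})
    for qname, qtype in queries:
        sub, base = split_name(qname)
        z = zones[base]
        z["total"] += 1
        if qtype == TXT_QTYPE:
            z["txt"] += 1
        if sub:  # only the part under the registrable domain carries the payload
            z["subs"].add(sub)
            z["lengths"].append(len(sub))
            z["entropies"].append(shannon_entropy(sub))
    return zones


def score_zone(z, min_queries=5):
    """Return the names of the indicators a zone trips. Thresholds are
    illustrative assumptions; calibrate them against your own baseline."""
    hits = []
    if z["total"] < min_queries or not z["lengths"]:
        return hits  # too little data to judge
    mean = lambda xs: sum(xs) / len(xs)
    if len(z["subs"]) / z["total"] >= 0.8:   # almost every query is a new label
        hits.append("high_subdomain_cardinality")
    if mean(z["lengths"]) >= 20:             # long labels carry more payload
        hits.append("long_labels")
    if mean(z["entropies"]) >= 3.5:          # encoded data, not words
        hits.append("high_entropy_labels")
    if z["txt"] / z["total"] >= 0.5:         # TXT is the usual downstream channel
        hits.append("txt_heavy")
    return hits


def find_suspicious_zones(queries, min_hits=2):
    """Map zone -> tripped indicators for zones tripping at least `min_hits`."""
    flagged = {}
    for base, z in profile_zones(queries).items():
        hits = score_zone(z)
        if len(hits) >= min_hits:
            flagged[base] = hits
    return flagged


if __name__ == "__main__":
    for base, hits in find_suspicious_zones(SAMPLE_QUERIES).items():
        print(f"Suspicious zone {base}: {', '.join(hits)}")
```

Requiring two indicators rather than one keeps the usual false positives down: CDN hostnames, antivirus and reputation lookups, and DNS blocklists all produce long or hashed labels under a single zone, but rarely combine high cardinality with a TXT-heavy mix. Maintain an allowlist of such zones and tune the thresholds from a baseline of your own traffic before alerting on the output.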
npx claudepluginhub plurigrid/asi --plugin asi