Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From cybersecurity
Analyzes PCAP files, creates Snort/Suricata IDS/IPS rules, audits firewall configurations, and detects network anomalies like C2 beaconing or DNS tunneling.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity:08-network-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Enable Claude to assist with network security operations including traffic analysis from PCAP files, IDS/IPS rule authoring for Snort and Suricata, firewall rule auditing, network anomaly detection, and network architecture security reviews.
Enable Claude to assist with network security operations including traffic analysis from PCAP files, IDS/IPS rule authoring for Snort and Suricata, firewall rule auditing, network anomaly detection, and network architecture security reviews.
This skill activates when the user asks about:
pip install scapy dpkt requests
Recommended tools:
Wireshark / tshark — Packet capture and GUI analysisSuricata — Modern IDS/IPS engineSnort 3 — Classic IDS/IPS engineZeek (Bro) — Network analysis and scripting frameworktcpdump — Command-line packet captureNetworkMiner — PCAP artifact extractionnmap — Network scanning and discoveryWhen the user provides a PCAP file or asks to analyze network traffic:
# Quick summary with tshark
tshark -r capture.pcap -q -z io,phs # Protocol hierarchy
tshark -r capture.pcap -q -z conv,tcp # TCP conversations
tshark -r capture.pcap -q -z endpoints,ip # IP endpoints
# Extract HTTP requests
tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.host -e http.request.uri
# Extract DNS queries
tshark -r capture.pcap -Y dns.flags.response==0 -T fields -e ip.src -e dns.qry.name
# Extract files
tshark -r capture.pcap --export-objects http,./extracted_files/
tshark -r capture.pcap --export-objects smb,./smb_files/
# Run automated analysis
python scripts/pcap_analyzer.py --file capture.pcap --output analysis.json
python scripts/pcap_analyzer.py --file traffic.pcapng --dns --http --top-talkers 20
Traffic Analysis Checklist:
[ ] Protocol distribution — any unexpected protocols?
[ ] Top talkers — unusual source/destination combinations
[ ] DNS analysis — DGA domains, unusually long queries, high volume
[ ] HTTP analysis — suspicious user agents, unusual methods, encoded data
[ ] TLS analysis — invalid certificates, unusual SNI, cert fingerprints
[ ] ICMP analysis — large payloads (tunneling), ping sweeps
[ ] SMB analysis — authentication attempts, file access patterns
[ ] Data volume — large uploads (exfiltration?), irregular transfer sizes
[ ] Timing analysis — regular interval beaconing patterns
Beaconing Detection: Beaconing shows as consistent time intervals between outbound connections:
# tshark: extract connection timestamps to check for regularity
tshark -r capture.pcap -Y "ip.dst == 203.0.113.10 and tcp.flags.syn==1" \
-T fields -e frame.time_epoch | \
awk 'NR>1{printf "%.0f\n", ($1-prev)} {prev=$1}' | sort | uniq -c | sort -rn
# Consistent counts at specific intervals = beaconing
DNS Tunneling Detection:
# Long DNS query names (>50 chars for subdomain) = likely tunneling
tshark -r capture.pcap -Y "dns.qry.name.len > 50" \
-T fields -e ip.src -e dns.qry.name | head -50
# High-volume DNS to single domain = tunneling
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
awk -F. '{print $(NF-1)"."$NF}' | sort | uniq -c | sort -rn | head -20
When the user asks to create Suricata IDS rules:
Suricata Rule Syntax Reference:
action protocol src_ip src_port -> dst_ip dst_port (options)
Rule Templates:
# Template: C2 Beaconing over HTTP
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE Suspicious C2 Beacon - Regular Interval HTTP POST";
flow:established,to_server;
http.method; content:"POST";
http.uri; content:"/api/check" endswith;
http.header; content:"User-Agent: Mozilla/4.0 (compatible)";
threshold:type both, track by_src, count 5, seconds 300;
classtype:trojan-activity;
sid:9000001;
rev:1;
metadata:affected_product Windows_XP_Vista_7_8_10_Server, attack_target Client_Endpoint,
created_at 2025_05_28, deployment Perimeter;
)
# Template: DNS Tunneling Detection
alert dns $HOME_NET any -> any any (
msg:"POLICY Possible DNS Tunneling - Long Subdomain Query";
dns.query;
content:".";
byte_test:1,>,50,0,relative; # Query length > 50 chars
threshold:type both, track by_src, count 20, seconds 60;
classtype:policy-violation;
sid:9000002;
rev:1;
)
# Template: Lateral Movement via SMB
alert smb $HOME_NET any -> $HOME_NET 445 (
msg:"LATERAL-MOVEMENT PsExec Lateral Movement Detected";
flow:established,to_server;
content:"PSEXESVC";
nocase;
classtype:trojan-activity;
sid:9000003;
rev:1;
)
# Template: Data Exfiltration - Large Upload
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"EXFILTRATION Possible Data Exfiltration - Large HTTP POST";
flow:established,to_server;
http.method; content:"POST";
http.request_body; content:!"";
dsize:>1000000; # > 1MB body
threshold:type both, track by_src, count 3, seconds 300;
classtype:policy-violation;
sid:9000004;
rev:1;
)
# Template: Malicious TLS Certificate (self-signed with suspicious CN)
alert tls $EXTERNAL_NET any -> $HOME_NET any (
msg:"MALWARE Suspicious TLS Certificate - Self-Signed C2";
tls.cert_subject; content:"CN=localhost";
tls.cert_issuer; content:"CN=localhost";
classtype:trojan-activity;
sid:9000005;
rev:1;
)
# Template: Web Shell Access
alert http $EXTERNAL_NET any -> $HOME_NET 80 (
msg:"WEBSHELL Possible Web Shell Access";
flow:established,to_server;
http.uri; content:".php";
http.request_body; content:"cmd="; nocase;
content:"exec"; nocase; distance:0;
classtype:web-application-attack;
sid:9000006;
rev:1;
)
Suricata Testing:
# Test rules against PCAP (offline)
suricata -r capture.pcap -S custom.rules -l ./logs/
# Test rule syntax
suricata --dump-config
# Check for rule performance issues
suricata -r test.pcap -S rules.rules --runmode single 2>&1 | grep "perf"
# Snort 3 format — note different syntax from Snort 2
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (
msg:"WEB-ATTACK SQL Injection Attempt";
flow:established,to_server;
http_uri;
content:"' OR '1'='1";
nocase;
sid:9001001;
rev:1;
classtype:web-application-attack;
)
# Detect connections with unusually regular intervals (beaconing)
module BeaconDetect;
export {
redef enum Log::ID += { LOG };
type Info: record {
ts: time &log;
src: addr &log;
dst: addr &log;
interval: interval &log;
};
}
global connection_times: table[addr, addr] of vector of time;
event connection_established(c: connection) {
local key = [c$id$orig_h, c$id$resp_h];
if (key !in connection_times)
connection_times[key] = vector();
connection_times[key] += network_time();
}
event connection_state_remove(c: connection) {
local key = [c$id$orig_h, c$id$resp_h];
if (key in connection_times && |connection_times[key]| > 5) {
# Calculate intervals and check for regularity
# Flag if standard deviation < 5% of mean
}
}
When the user provides firewall rules or asks to audit:
iptables Review Checklist:
# View current rules
iptables -L -n -v --line-numbers
iptables -L INPUT -n -v --line-numbers
iptables -L OUTPUT -n -v --line-numbers
# Check for dangerous rules:
iptables -L | grep "ACCEPT" # List all ACCEPT rules
iptables -L | grep "0.0.0.0" # Any-source rules
iptables Security Checklist:
[ ] Default policy is DROP (not ACCEPT) for all chains
[ ] INPUT chain: only established/related + specific allowed services
[ ] OUTPUT chain: restrict to necessary outbound (optional but best practice)
[ ] FORWARD chain: DROP by default unless this is a router
[ ] Management access (SSH/22) restricted to specific source IPs
[ ] No rules accepting from 0.0.0.0/0 to ALL ports
[ ] Logging enabled for DROPPED packets
[ ] Anti-spoofing rules for RFC 1918 addresses on external interfaces
[ ] ICMP restricted (allow echo-reply/time-exceeded, block ping from internet)
[ ] Port 0 blocked (often used in scans)
AWS Security Group Audit:
Rules that should NEVER exist in production:
✗ Inbound: 0.0.0.0/0 → Port 22 (SSH open to internet)
✗ Inbound: 0.0.0.0/0 → Port 3389 (RDP open to internet)
✗ Inbound: 0.0.0.0/0 → Port 0-65535 (any port from internet)
✗ Outbound: 0.0.0.0/0 → Port 0-65535 (unrestricted outbound)
Rules that are acceptable:
✓ Inbound: 0.0.0.0/0 → Port 443 (HTTPS for public web service)
✓ Inbound: 10.0.0.0/8 → Port 22 (SSH from internal VPC only)
✓ Inbound: [known IP] → Port 22 (SSH from jump box)
Firewall Audit Report Template:
## Firewall Audit Report — [Device/Platform]
**Risk Summary:**
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 5 |
| Medium | 8 |
**CRITICAL: SSH exposed to internet**
- Rule: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`
- Risk: Exposed to brute-force and CVE exploitation
- Fix: `iptables -A INPUT -p tcp --dport 22 -s [admin_ip] -j ACCEPT`
**HIGH: No default deny policy**
- Current: `-P INPUT ACCEPT`
- Fix: `-P INPUT DROP` + explicit allow rules
When the user describes or provides a network architecture:
Review Framework:
Zone Model (most to least trusted):
Internal (Core) → DMZ → Internet
Checkpoints:
[ ] Clear network zones with enforced boundaries
[ ] DMZ properly isolated from internal network
[ ] No direct internet-to-internal traffic allowed
[ ] East-west traffic controls between internal zones (microsegmentation)
[ ] Management network isolated from production
[ ] Out-of-band management for network devices
[ ] VPN gateway in DMZ, not directly on internal segment
[ ] DNS resolvers not exposed to internet
[ ] Log aggregation on separate isolated segment
pcap_analyzer.pypython scripts/pcap_analyzer.py --file capture.pcap --output analysis.json
python scripts/pcap_analyzer.py --file traffic.pcapng --dns --http --top-talkers 20
python scripts/pcap_analyzer.py --file capture.pcap --detect-beaconing --output beacons.json
| Condition | Adjacent Skill |
|---|---|
| Discovered services from recon | ← Skill 01 (Recon & OSINT) |
| Network IOCs for threat correlation | → Skill 06 (Threat Hunting) |
| Network evidence for IR timeline | → Skill 07 (Incident Response) |
| Automate alert responses | → Skill 11 (CSOC Automation) |
Encrypted-traffic-era analysis:
conn, ssl, http, dns, x509, and JA4 logs as the analysis substrate; write detections against Zeek notices.Precision rule: report flows with the 5-tuple, JA4 fingerprint, bytes/duration, and a confidence-scored verdict; provide both a Suricata rule and a Zeek detection where applicable.
npx claudepluginhub masriyan/claude-code-cybersecurity-skill --plugin cybersecurityDeploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection and SIEM integration.
Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection and threat detection.
Analyzes PCAP files, Zeek logs, and NetFlow data to detect C2 communications, lateral movement, data exfiltration, and exploits during security incidents using Wireshark techniques.