detecting-beaconing-patterns-with-zeeklisted

Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic connections with low jitter. Use when hunting for command-and-control callbacks in network data.
adriannoes/awesome-vibe-coding · ★ 38 · AI & Automation · score 86

Install: claude install-skill adriannoes/awesome-vibe-coding

# Detecting Beaconing Patterns with Zeek ## When to Use - When investigating security incidents that require detecting beaconing patterns with zeek - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by source/destination pairs, and compute timing statistics to identify beaconing. ```python from zat.log_to_dataframe import LogToDataFrame import numpy as np log_to_df = LogToDataFrame() conn_df = log_to_df.create_dataframe('/path/to/conn.log') # Group by src/dst pair and calculate inter-arrival time for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']): times = group['ts'].sort_values() intervals = times.diff().dt.total_seconds().dropna() if len(intervals) > 10: std_dev = np.std(intervals) mean_interval = np.mean(intervals) # Low std_dev relative to mean = likely beaconing ``` Key analysis steps: 1. Parse Zeek conn.log into DataFrame with ZAT LogToDataFrame 2. Group connections by source IP and destination IP pairs 3. Calculate