Network forensics for the encrypted traffic era.
Shrike is a Python network forensics tool that detects threats in PCAP files without reading encrypted payloads. It uses behavioral analysis, flow statistics, and timing patterns to identify C2 beaconing, port scans, data exfiltration, DNS tunneling, lateral movement, and more, mapping every finding to MITRE ATT&CK.
Named after the shrike, a predatory bird that impales its prey on thorns. Shrike impales threats on evidence.
```bash
git clone https://github.com/fevra-dev/Shrike.git
cd Shrike
pip install -e .

# Analyze a PCAP
shrike analyze capture.pcap

# Generate an interactive HTML report
shrike analyze capture.pcap -o report.html

# JSON output
shrike analyze capture.pcap --json-out -o results.json
```

| Detection Module | Technique | MITRE ATT&CK |
|---|---|---|
| C2 Beaconing | Inter-arrival time regularity, coefficient of variation analysis | T1071.001, T1573 |
| Port Scanning | SYN/NULL/XMAS scan detection via unique port enumeration | T1046 |
| Data Exfiltration | Upload/download ratio anomaly, volume thresholds | T1048 |
| DNS Tunneling | Entropy scoring, subdomain length, query frequency | T1071.004 |
| HTTP/2 C2 | SETTINGS frame analysis, ping-based covert channels | T1071.001 |
| NTLM Relay | LLMNR poisoning, SMB relay chain detection | T1557.001 |
| Kerberoasting | SPN request anomalies, AS-REP roasting patterns | T1558 |
| Cloud C2 | Slack/Teams/DevTunnels webhook abuse detection | T1102.002 |
| IPv6 Attacks | Rogue RA, NA poisoning, SLAAC abuse | T1557.001 |
| OT/ICS Attacks | Modbus write coils, DNP3 control relay, OT scanning | T0855, T0846 |
| WebSocket C2 | Persistent WebSocket channels with C2 patterns | T1071.001 |
| mTLS C2 | Sliver/Mythic mutual TLS fingerprinting | T1573.002 |
| DNS Rebinding | TTL anomaly, IP flip detection | T1557 |
| QUIC/HTTP3 C2 | Transport parameter fingerprinting, ALPN analysis | T1095 |
| Supply Chain | Package manager traffic deviation (npm/pip/cargo) | T1195.002 |
| DGA Detection | Character n-gram perplexity, LLM-generated domain scoring | T1568.002 |
| WASM Malware | WebAssembly binary detection in HTTP traffic | T1059 |
| MCP Traffic | Model Context Protocol anomaly detection | T1071.001 |
| Timing Channels | ISN covert channels, inter-packet timing analysis | T1205 |
| CT Log Correlation | Newly-issued certificate age anomaly | T1587.003 |
| Tor Exit Detection | Live consensus verification of exit relays | T1090.003 |
```text
PCAP File
    │
    ▼
┌────────────────────────────────┐
│          PCAP Parser           │
│  Scapy (primary) + dpkt        │
│  Normalized packet dicts       │
└───────────────┬────────────────┘
                │
                ▼
┌────────────────────────────────┐
│          Flow Builder          │
│  Bidirectional 5-tuple flows   │
│  Forward/reverse tracking      │
│  Payload + timestamp capture   │
└───────────────┬────────────────┘
                │
                ▼
┌────────────────────────────────┐
│       Detection Registry       │
│                                │
│  25+ detection modules         │
│  Per-packet + per-flow analysis│
│  BaseDetector interface        │
└───────────────┬────────────────┘
                │
                ▼
┌────────────────────────────────┐
│             Output             │
│  Interactive HTML dashboard    │
│  JSON report · CLI summary     │
│  MITRE ATT&CK mapping          │
│  SARIF (CI/CD integration)     │
└────────────────────────────────┘
```
The `--output report.html` flag (short form `-o`) generates a self-contained interactive dashboard with 26 analysis tabs:
- Summary: severity breakdown, key metrics, attack chain visualization
- Findings: all detections with evidence, filterable by severity
- Timeline: chronological attack reconstruction
- MITRE ATT&CK: technique heatmap with hit counts
- Network Graph: D3 force-directed host communication map
- Protocols: traffic distribution with Chart.js visualization
- Fingerprints: JA3/JA4/JARM/HASSH/QUIC transport parameter table
- DNS: entropy scoring, DGA analysis, tunnel detection
- Beaconing: interval analysis charts, CV scoring
- IOCs: indicators of compromise with enrichment data
- CVE Intelligence: matched CVE signatures with CISA KEV status
- eBPF Attribution: process-to-flow mapping (when available)
- And more: OT/ICS, Cloud C2, WebSocket, QUIC, IPv6, Kubernetes...
```text
Shrike/
├── shrike/
│   ├── __init__.py
│   ├── cli.py                    # Click CLI entry point
│   ├── engine.py                 # Analysis orchestrator
│   ├── models.py                 # Finding, FlowRecord, Severity
│   ├── core/
│   │   ├── parser.py             # PCAP parsing (Scapy + dpkt)
│   │   ├── flow_builder.py       # Bidirectional flow aggregation
│   │   └── zeek_navigator.py     # Zeek log ingestion + ATT&CK Navigator
│   ├── detection/
│   │   ├── base.py               # BaseDetector abstract class
│   │   ├── registry.py           # Detector fan-out + error isolation
│   │   ├── adapters.py           # Built-in: port scan, exfil, beaconing
│   │   ├── http2_c2.py           # HTTP/2 covert channel detection
│   │   ├── dns_rebinding.py      # DNS rebinding attack detection
│   │   ├── ntlm_relay.py         # NTLM relay + LLMNR poisoning
│   │   ├── cloud_c2.py           # Cloud platform C2 detection
│   │   ├── ot_attacks.py         # OT/ICS protocol attack detection
│   │   ├── k8s_attacks.py        # Kubernetes attack detection
│   │   ├── websocket_c2.py       # WebSocket C2 detection
│   │   ├── mtls_c2.py            # Mutual TLS C2 fingerprinting
│   │   ├── ipv6_attacks.py       # IPv6 attack detection
│   │   ├── quic_alpn.py          # QUIC/HTTP3 C2 detection
│   │   ├── mcp_traffic.py        # MCP protocol anomaly detection
│   │   ├── wasm_detector.py      # WebAssembly malware detection
│   │   ├── timing_firmware.py    # Timing channel + firmware analysis
│   │   └── ...                   # 25+ total detection modules
│   ├── ml/
│   │   ├── anomaly.py            # IsolationForest flow anomaly
│   │   ├── clustering.py         # HDBSCAN flow clustering
│   │   ├── dga_detector.py       # DGA + LLM-DGA scoring
│   │   └── injection_scorer.py   # LLM prompt injection classifier
│   ├── enrichment/
│   │   ├── ct_logs.py            # Certificate Transparency correlation
│   │   └── tor_consensus.py      # Tor exit relay verification
│   ├── mitre/
│   │   └── mapper.py             # ATT&CK technique lookup + enrichment
│   ├── reporting/
│   │   ├── html_reporter.py      # Jinja2 interactive HTML dashboard
│   │   └── sarif_reporter.py     # SARIF 2.1.0 output
│   ├── templates/
│   │   └── report.html           # 26-tab HTML report template
│   ├── cve/
│   │   └── sync.py               # CVE database sync
│   ├── ebpf/
│   │   └── attribution.py        # eBPF process-to-flow attribution
│   └── fingerprinting/
│       └── quic_tp.py            # QUIC transport parameter fingerprinting
├── tests/
│   ├── test_models.py            # Data model unit tests
│   ├── test_parser.py            # PCAP parser tests
│   ├── test_flow_builder.py      # Flow aggregation tests
│   ├── test_registry.py          # Detection registry tests
│   ├── test_adapters.py          # Detector adapter tests
│   ├── test_engine.py            # Engine integration test
│   ├── test_cli.py               # CLI end-to-end tests
│   ├── test_html_reporter.py     # HTML report generation test
│   ├── test_mitre_mapper.py      # MITRE mapper tests
│   └── test_integration.py       # Full pipeline integration tests
├── pyproject.toml
└── README.md
```
```bash
# Install in development mode
pip install -e .

# Run tests
pytest tests/ -v

# Run a specific test
pytest tests/test_engine.py::test_engine_detects_port_scan -v
```

To add a new detector:

- Create a new class extending `BaseDetector` in `shrike/detection/`
- Implement `analyze_flow(flow: FlowRecord) -> list[Finding]`
- Optionally implement `analyze_packet()` and `finalize()`
- Register in `shrike/detection/adapters.py` → `get_all_detectors()`
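A worked detector following these steps (an added example, not Shrike's own code): it implements the C2 beaconing check from the detection table, the coefficient of variation of inter-arrival times, against minimal stand-in `FlowRecord` and `Finding` classes so it runs without Shrike installed. The real classes in `shrike.models` and the `BaseDetector` base class are assumed to have compatible but richer shapes, and the `min_packets` and `cv_threshold` values are assumptions, not the project's tuning.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Stand-ins for shrike.models.FlowRecord / Finding (assumed minimal shapes so the
# example runs without Shrike installed; the project's real classes carry more fields).
@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    timestamps: list[float] = field(default_factory=list)  # client->server packet times

@dataclass
class Finding:
    detector: str
    finding_type: str
    severity: str
    src_ip: str
    dst_ip: str
    evidence: dict

class BeaconDetector:
    """Flags flows whose inter-arrival times are too regular for human traffic."""
    name = "beacon_cv"
    description = "C2 beaconing via inter-arrival coefficient of variation"
    mitre_ids = ["T1071.001", "T1573"]
    min_packets = 6      # fewer samples make the CV meaningless (assumed threshold)
    cv_threshold = 0.2   # below this the interval is near-constant even with jitter

    def analyze_flow(self, flow: FlowRecord) -> list[Finding]:
        ts = sorted(flow.timestamps)
        if len(ts) < self.min_packets:
            return []
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:  # identical timestamps: no interval to score
            return []
        cv = pstdev(gaps) / avg  # 0 = perfectly periodic; >1 = bursty, interactive
        if cv >= self.cv_threshold:
            return []
        evidence = {"interval_s": round(avg, 2), "cv": round(cv, 3), "samples": len(gaps)}
        return [Finding(self.name, "C2_BEACONING", "HIGH", flow.src_ip, flow.dst_ip, evidence)]

# Constructed sample flows: a 60 s beacon with 0.3 s jitter, and ordinary browsing.
BEACON = FlowRecord("10.0.0.5", "203.0.113.9",
                    [60.0 * i + (0.3 if i % 2 else 0.0) for i in range(10)])
BROWSING = FlowRecord("10.0.0.6", "198.51.100.4", [0.0, 0.1, 0.5, 7.0, 7.2, 30.0, 31.1, 90.0])

if __name__ == "__main__":
    for flow in (BEACON, BROWSING):
        print(flow.dst_ip, BeaconDetector().analyze_flow(flow))
```

The beacon flow scores a CV of about 0.005 and is reported; the browsing flow scores above 1 and is ignored.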
```python
from shrike.detection.base import BaseDetector
from shrike.models import Finding, Severity, FlowRecord


def some_condition(flow: FlowRecord) -> bool:
    # Placeholder for the detector's own logic over the flow; replace it
    return False


class MyDetector(BaseDetector):
    name = "my_detector"
    description = "Detects something suspicious"
    mitre_ids = ["T1234"]

    def analyze_flow(self, flow: FlowRecord) -> list[Finding]:
        if some_condition(flow):
            return [Finding(
                detector=self.name,
                finding_type="SUSPICIOUS_THING",
                severity=Severity.HIGH,
                src_ip=flow.src_ip,
                dst_ip=flow.dst_ip,
                # ... remaining Finding fields
            )]
        return []
```

Fevra, Security Developer
MIT License. See LICENSE for details.
MITRE ATT&CK is a registered trademark of The MITRE Corporation.