Detects what Darktrace, Vectra, and ExtraHop miss. Protocol-level steganographic analysis across DNS, ICMP, HTTP/S, timing channels, and IP/TCP header fields.
Every alert maps to one or more MITRE ATT&CK techniques. No signatures — pure statistical and behavioral analysis.
| Detector | What it catches | Real-World APTs | MITRE |
|---|---|---|---|
| DNS | Subdomain entropy, encoded labels (Base32/64/hex), TXT abuse, high query rate, NXDOMAIN signaling | OilRig, SUNBURST, Saitama, DarkHydrus, xHunt | T1071.004, T1048.003, T1568.002 |
| ICMP | Oversized/high-entropy echo payloads, tunnel rate, sequence anomalies | ptunnel, icmptunnel, APT slow C2 | T1095 |
| HTTP | C2 beaconing regularity, Cobalt Strike UA/URI fingerprints, custom headers | Cobalt Strike, Metasploit, DarkCasino | T1071.001, T1001.003, T1029 |
| Timing | Inter-packet timing quantization, beaconing autocorrelation | SUNBURST sleep-based C2, Cobalt Strike | T1029, T1001 |
| Headers | IP ID entropy, TOS/DSCP abuse, TCP Urgent Pointer encoding | Various nation-state APTs | T1001.001 |
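
As an added illustration of the DNS detector's indicators (example code, not GhostWatch's own), the script below computes subdomain entropy, encoded-label ratio and query rate for one source host and grades each against the warn/alert values from the tuning table. The encoding-alphabet regexes, the entropy floor used to reject long dictionary labels, the two-label registered-domain assumption and the sample queries are all constructed for the example.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Warn / alert thresholds as listed in the README's tuning table
THRESHOLDS = {
    "avg_entropy":   (3.8, 4.2),
    "query_rate_pm": (15.0, 40.0),
    "encoded_ratio": (0.20, 0.45),
}

# Alphabet matchers for encoded labels. Assumption: illustrative heuristics,
# not GhostWatch's own patterns.
ENCODING_ALPHABETS = {
    "hex":    re.compile(r"^[0-9a-f]+$"),
    "base32": re.compile(r"^[a-z2-7]+$"),
    "base64": re.compile(r"^[a-z0-9+/_=-]+$"),   # base64 and base64url
}


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_labels(qname: str, zone_labels: int = 2) -> list:
    """Labels left of the registered domain, assumed here to be the last two
    labels (production code would consult a public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-zone_labels]


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """A long label drawn entirely from one encoding alphabet whose symbol mix is
    too dense to be a word: the entropy floor rejects labels such as
    'webconferencingservice', which fit the base32 alphabet but read as English."""
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    return any(rx.match(label) for rx in ENCODING_ALPHABETS.values())


def dns_metrics(events):
    """events: iterable of (timestamp_seconds, qname) from one source host.
    Returns the per-source metrics that the alert schema reports."""
    events = sorted(events)
    if not events:
        raise ValueError("no queries for this source")
    entropies, lengths, labels = [], [], []
    for _, qname in events:
        subs = subdomain_labels(qname)
        joined = "".join(subs)
        entropies.append(shannon_entropy(joined))
        lengths.append(len(joined))
        labels.extend(subs)
    span_min = max(events[-1][0] - events[0][0], 1.0) / 60.0   # floor: one second
    encoded = sum(looks_encoded(label) for label in labels)
    return {
        "avg_entropy": sum(entropies) / len(entropies),
        "avg_subdomain_len": sum(lengths) / len(lengths),
        "query_rate_pm": len(events) / span_min,
        "encoded_ratio": encoded / len(labels) if labels else 0.0,
    }


def classify(metrics):
    """Map each metric to 'warn' or 'alert' when it crosses a threshold."""
    levels = {}
    for name, (warn, alert) in THRESHOLDS.items():
        value = metrics[name]
        if value > alert:
            levels[name] = "alert"
        elif value > warn:
            levels[name] = "warn"
    return levels


# ---- constructed sample traffic (not captured data) ----
def tunnel_queries(n=12, zone="tunnel.example"):
    """Base32-encoded pseudo-data chunks, one query every 0.8 s, split into two
    26-character labels the way DNS tunnels chunk their payload."""
    out = []
    for i in range(n):
        digest = hashlib.sha256(b"chunk-%d" % i).digest()
        chunk = base64.b32encode(digest).decode().lower().rstrip("=")
        out.append((i * 0.8, f"{chunk[:26]}.{chunk[26:]}.{zone}"))
    return out


CLEAN_QUERIES = [
    (0.0, "www.example.com"),
    (60.0, "mail.example.com"),
    (120.0, "cdn.images.example.net"),
    (180.0, "api.example.org"),
    (240.0, "www.example.com"),
]

if __name__ == "__main__":
    for name, events in (("tunnel", tunnel_queries()), ("clean", CLEAN_QUERIES)):
        m = dns_metrics(events)
        print(name, {k: round(v, 2) for k, v in m.items()}, classify(m))
```

Run it as-is: the tunnel sample trips all three indicators at the alert level, while the clean sample stays well under every warn threshold (average entropy around 1.35 bits, no encoded labels, about one query per minute). The entropy floor in `looks_encoded` is the part worth tuning against your own traffic, since long but legitimate labels are the usual source of false positives for a pure alphabet match.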

| Vendor | Gap | GhostWatch covers it |
|---|---|---|
| Darktrace | Behavioral ML on flows — no per-packet entropy | ✓ Per-label, per-payload entropy analysis |
| Vectra AI | Good on encrypted C2 flows — not protocol field abuse | ✓ IP ID/TOS/TCP URG header analysis |
| ExtraHop | Strong on DPI — no timing channel quantization | ✓ IPT quantization + beaconing score |
| All major NDRs | No DNS label encoding detection (Base32/64) | ✓ Per-label encoding pattern match |
```bash
git clone https://github.com/yourname/ghostwatch
cd ghostwatch

# Start everything: detector + Grafana dashboard + Prometheus
IFACE=eth0 docker compose up
# Dashboard → http://localhost:3000 (admin / ghostwatch)
# API → http://localhost:9001
```

```bash
pip install -r requirements.txt

# Analyze a pcap file (no root needed)
python3 ghostwatch.py --pcap capture.pcap --output report.json

# Live capture (requires root)
sudo python3 ghostwatch.py --iface eth0 --api --api-port 9001

# Run tests (no root, no network)
python3 tests/test_production.py
```

Every alert is consistent across all detectors:

```json
{
"id": "uuid-v4",
"schema_ver": "2.0",
"timestamp": 1700000000.0,
"timestamp_iso": "2024-01-01T12:00:00Z",
"severity": "HIGH",
"detector": "DNS",
"source": "10.1.2.3",
"indicators": [
"Subdomain entropy 4.31 — encoded payload pattern (Base32/64/hex subdomains consistent with DNS tunnel)",
"Encoded label ratio 78% — majority of subdomains match Base32/64/hex encoding patterns"
],
"mitre": [
{
"technique_id": "T1071.004",
"tactic": "Command and Control",
"name": "Application Layer Protocol: DNS",
"url": "https://attack.mitre.org/techniques/T1071/004/"
}
],
"mitre_ids": ["T1071.004", "T1048.003"],
"metrics": {
"avg_entropy": 4.31,
"avg_subdomain_len": 52.0,
"query_rate_pm": 38.2,
"encoded_ratio": 0.78
}
}
```

| Endpoint | Method | Description |
|---|---|---|
| /health | GET | Health check + uptime |
| /status | GET | Full multi-detector summary |
| /alerts | GET | All alerts (`?limit=N&severity=HIGH`) |
| /alerts/live | GET | Server-Sent Events — real-time push |
| /detectors/dns | GET | DNS detector detail |
| /detectors/icmp | GET | ICMP detector detail |
| /detectors/http | GET | HTTP detector detail |
| /detectors/timing | GET | Timing detector detail |
| /detectors/headers | GET | Header abuse detail |
| /mitre | GET | Full MITRE ATT&CK technique index |
```bash
# Examples
curl http://localhost:9001/status | python3 -m json.tool
curl "http://localhost:9001/alerts?severity=HIGH&limit=20"
curl http://localhost:9001/mitre
```

All thresholds are tuned against known tool baselines:

| Detector | Metric | Warn | Alert | Tuned against |
|---|---|---|---|---|
| DNS | Subdomain entropy | >3.8 | >4.2 | Iodine=4.8, clean=2.1 |
| DNS | Query rate/min | >15 | >40 | dnscat2=60+, clean=2 |
| DNS | Encoded label ratio | >20% | >45% | OilRig=70%+, clean=<5% |
| ICMP | Payload entropy | >6.5 | >7.5 | ptunnel=7.9, clean=3.2 |
| ICMP | Payload size (avg) | >100B | >500B | Tunnel=800B+, ping=40B |
| HTTP | Beacon regularity | >0.65 | >0.85 | CS=0.95, browser=0.1 |
| Timing | Quantization score | >0.60 | >0.80 | Timing channel=0.90+ |

To adjust a threshold, set `detector.THRESHOLD_NAME = value` on the detector instance in your own code, or override it in a subclass.
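
The two timing metrics in the table, beacon regularity and quantization score, are the ones most often asked about, so here is an added example (not GhostWatch's code) of one way to compute them from packet timestamps and grade them against the warn/alert values above. The scoring formulas are hypothetical: regularity is taken as 1 minus the coefficient of variation of the inter-packet gaps, and quantization as how closely the gaps sit on a grid of multiples of a candidate quantum. The three timestamp samples (jittered beacon, bit-encoding timing channel, bursty browsing) are constructed with a fixed seed.

```python
import random
import statistics

# Warn / alert thresholds from the tuning table above
BEACON_WARN, BEACON_ALERT = 0.65, 0.85
QUANT_WARN, QUANT_ALERT = 0.60, 0.80


def inter_arrival(timestamps):
    """Gaps between consecutive packets of one flow or host pair, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_regularity(timestamps):
    """1 - coefficient of variation of the gaps, clipped to [0, 1]. A fixed sleep
    with small jitter scores near 1; bursty interactive traffic scores near 0.
    Assumption: hypothetical scoring, not GhostWatch's own formula."""
    gaps = inter_arrival(timestamps)
    if len(gaps) < 2:
        return 0.0
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(gaps) / mean)


def quantization_score(timestamps, candidates=(0.05, 0.1, 0.2, 0.25, 0.5, 1.0)):
    """How closely the gaps sit on a grid of integer multiples of some quantum q,
    which is what a timing channel produces when it encodes symbols as delays.
    The residual |g/q - round(g/q)| is 0 on the grid and averages 0.25 for random
    gaps, so score = 1 - 2*mean(residual) is about 1 versus about 0.5.
    Returns (best_score, best_q)."""
    gaps = inter_arrival(timestamps)
    if len(gaps) < 4:
        return 0.0, None
    median = statistics.median(gaps)
    best_score, best_q = 0.0, None
    for q in candidates:
        if q > median:          # a quantum above typical gaps rounds everything to 0
            continue
        residuals = [abs(g / q - round(g / q)) for g in gaps]
        score = 1.0 - 2.0 * statistics.fmean(residuals)
        if score > best_score:
            best_score, best_q = score, q
    return best_score, best_q


def level(score, warn, alert):
    """Grade a score against a (warn, alert) pair; None when below warn."""
    return "alert" if score > alert else "warn" if score > warn else None


# ---- constructed timestamp samples (not captured traffic) ----
def sample_beacon(n=40, sleep=60.0, jitter=0.2, seed=1):
    """Fixed sleep with uniform jitter, as a beaconing implant produces."""
    rng, t, out = random.Random(seed), 0.0, [0.0]
    for _ in range(n):
        t += rng.uniform(sleep * (1 - jitter), sleep)
        out.append(t)
    return out


def sample_timing_channel(bits="0110100110010111", quantum=0.25, jitter=0.005, seed=2):
    """Each bit sent as a delay of one or two quanta plus a little network jitter."""
    rng, t, out = random.Random(seed), 0.0, [0.0]
    for b in bits * 3:
        t += quantum * (1 + int(b)) + rng.uniform(-jitter, jitter)
        out.append(t)
    return out


def sample_browser(n=60, mean_gap=1.5, seed=3):
    """Memoryless, bursty gaps as a stand-in for interactive browsing."""
    rng, t, out = random.Random(seed), 0.0, [0.0]
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        out.append(t)
    return out


if __name__ == "__main__":
    samples = (("beacon", sample_beacon()),
               ("timing channel", sample_timing_channel()),
               ("browser", sample_browser()))
    for name, ts in samples:
        r = beacon_regularity(ts)
        q, quantum = quantization_score(ts)
        print(f"{name:15} regularity={r:.2f} ({level(r, BEACON_WARN, BEACON_ALERT)})  "
              f"quantization={q:.2f} q={quantum} ({level(q, QUANT_WARN, QUANT_ALERT)})")
```

The timing-channel sample is the instructive case: its gaps alternate between two values, so regularity only reaches the warn band (around 0.68), while the quantization score recovers the 0.25 s quantum and lands above the alert threshold. That is the reason the table carries both metrics; neither alone covers both the sleep-based beacon and the symbol-encoding channel.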
GhostWatch alert JSON is compatible with:
- Elastic SIEM — ingest via Logstash JSON input or direct API
- Splunk — HTTP Event Collector (HEC) with the alert JSON payload
- Microsoft Sentinel — via custom log analytics table
- Any SIEM — alerts follow a stable schema (schema_ver: "2.0")

```
ghostwatch/
├── core/
│   ├── mitre.py              MITRE ATT&CK technique library + mapping
│   ├── schema.py             Standardized alert schema (v2.0)
│   ├── dns_detector.py       DNS covert channel detection
│   ├── proto_detectors.py    ICMP + timing + header abuse detection
│   └── http_detector.py      HTTP/S C2 detection
├── tests/
│   └── test_production.py    Full test suite (45 tests, no root needed)
├── deploy/
│   ├── grafana/              Grafana provisioning + dashboard
│   └── prometheus.yml        Prometheus scrape config
├── ghostwatch.py             Unified engine + CLI + REST API
├── Dockerfile
├── docker-compose.yml        One-command full deployment
├── requirements.txt
└── README.md
```

GhostWatch uses three layers of FP reduction:
- Multi-indicator corroboration — MEDIUM/HIGH requires ≥2 independent indicators
- Allow-listing — trusted resolvers (8.8.8.8, 1.1.1.1) and CDN domains (cloudfront.net, etc.) are skipped
- Alert cooldown — repeated alerts for the same source are suppressed for configurable intervals
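
To show how the three layers fit together with the alert schema, here is an added example (not GhostWatch's own code) of an emitter that applies allow-listing, the ≥2-indicator corroboration rule and a per-(detector, source) cooldown before building a v2.0 alert. The exact severity mapping (two indicators at alert level gives HIGH, two at any level gives MEDIUM, one gives LOW), the CDN suffix list and the injectable clock are assumptions made for the example; the MITRE detail table carries only the T1071.004 entry shown in the sample alert above.

```python
import time
import uuid
from datetime import datetime, timezone

SCHEMA_VER = "2.0"

# Allow-list entries named in the README (trusted resolvers, CDN domains).
# Assumption: the CDN suffix list here is illustrative, not the project's full list.
TRUSTED_RESOLVERS = {"8.8.8.8", "1.1.1.1"}
CDN_SUFFIXES = (".cloudfront.net",)

# Technique detail for the one technique spelled out in the sample alert;
# other ids are emitted in mitre_ids without detail.
MITRE_INDEX = {
    "T1071.004": {"tactic": "Command and Control",
                  "name": "Application Layer Protocol: DNS",
                  "url": "https://attack.mitre.org/techniques/T1071/004/"},
}


def is_allowlisted(source, qnames=()):
    """Skip trusted resolvers outright, and sources whose queries all target
    allow-listed CDN domains."""
    if source in TRUSTED_RESOLVERS:
        return True
    return bool(qnames) and all(q.lower().rstrip(".").endswith(CDN_SUFFIXES) for q in qnames)


def corroborated_severity(levels):
    """levels: {metric: 'warn'|'alert'} from one detector. The README's rule is
    that MEDIUM and HIGH need at least two independent indicators. Assumption
    (hypothetical mapping): two at 'alert' -> HIGH, two at any level -> MEDIUM,
    a single indicator -> LOW, none -> no alert."""
    if not levels:
        return None
    if len(levels) < 2:
        return "LOW"
    alerts = sum(1 for v in levels.values() if v == "alert")
    return "HIGH" if alerts >= 2 else "MEDIUM"


class AlertEmitter:
    """Applies allow-listing, corroboration and a per-(detector, source) cooldown,
    then builds an alert in the v2.0 schema. `now` is injectable for testing."""

    def __init__(self, cooldown_s=300.0, now=time.time):
        self.cooldown_s = cooldown_s
        self._now = now
        self._last_emitted = {}

    def emit(self, detector, source, levels, indicators, metrics, mitre_ids, qnames=()):
        if is_allowlisted(source, qnames):
            return None
        severity = corroborated_severity(levels)
        if severity is None:
            return None
        key = (detector, source)
        now = self._now()
        last = self._last_emitted.get(key)
        if last is not None and now - last < self.cooldown_s:
            return None                      # suppressed by cooldown
        self._last_emitted[key] = now
        return {
            "id": str(uuid.uuid4()),
            "schema_ver": SCHEMA_VER,
            "timestamp": now,
            "timestamp_iso": datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "severity": severity,
            "detector": detector,
            "source": source,
            "indicators": list(indicators),
            "mitre": [dict(technique_id=t, **MITRE_INDEX[t]) for t in mitre_ids if t in MITRE_INDEX],
            "mitre_ids": list(mitre_ids),
            "metrics": dict(metrics),
        }


if __name__ == "__main__":
    emitter = AlertEmitter()
    # Constructed DNS detector output for one host, using the figures from the sample alert
    levels = {"avg_entropy": "alert", "encoded_ratio": "alert", "query_rate_pm": "warn"}
    indicators = ["Subdomain entropy 4.31", "Encoded label ratio 78%"]
    metrics = {"avg_entropy": 4.31, "avg_subdomain_len": 52.0, "query_rate_pm": 38.2, "encoded_ratio": 0.78}
    print(emitter.emit("DNS", "10.1.2.3", levels, indicators, metrics, ["T1071.004", "T1048.003"]))
    print(emitter.emit("DNS", "10.1.2.3", levels, indicators, metrics, ["T1071.004"]))  # None: cooldown
```

The cooldown is keyed on (detector, source) rather than on source alone so that a DNS alert does not silence an ICMP finding for the same host; the injected clock makes the suppression window testable without sleeping.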

- PCAP benchmark suite against public malware traffic datasets (malware-traffic-analysis.net)
- Threat intelligence feed integration (Abuse.ch, OTX)
- TLS JA3/JA3S fingerprinting for encrypted C2 detection
- STIX/TAXII export for threat sharing
- Kubernetes Helm chart deployment

GhostWatch is a passive read-only detection tool. It does not modify, block, or interfere with network traffic. Deploy only on networks you own or are explicitly authorized to monitor.

Built by a solo founder. Looking for a technical co-founder passionate about network security. Open to contributors and feedback — open an issue or reach out via GitHub.

MIT — see LICENSE.