1. Using A Probability-based Model To Detect Random Content In A Protocol Field Associated With Network Traffic

    December 2014

    A novel approach: a machine-learning model derived from stochastic processes that identifies and classifies random (and therefore potentially malicious) content in a protocol field of network traffic.

  2. Deobfuscating Scripted Language For Network Intrusion Detection Using A Regular Expression Signature

    September 2014

    An approach to normalizing (deobfuscating) web scripts so that network security appliances can consume them and match signatures against them.

Talks and Demos
  1. Rudra: The Destroyer of Evil

    Rudra aims to provide a developer-friendly framework for exhaustive analysis of PCAP and PE files. It can scan files and generate reports that include a file's structural properties: entropy visualization, compression ratio, theoretical minimum size, etc. These details, along with file-format-specific analysis information, help an analyst understand the type of data embedded in a file and quickly decide whether it deserves further investigation. For PE files it can perform API scans, anti-{debug, vm, sandbox} detection, packer detection and Authenticode verification, along with Yara, shellcode and regex detection.

    Black Hat USA 2016 Arsenal

    August 3, 2016

    Black Hat Asia 2016 Arsenal

    March 31, 2016

    Black Hat EU 2015 Arsenal

    November 13, 2015

    DEF CON 23 Demo Labs

    August 8, 2015

    Black Hat USA 2015 Arsenal

    August 5, 2015

  2. Flowinspect: Network Inspection Tool on Steroids

    Flowinspect is a tool developed specifically for network monitoring and inspection. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters out uninteresting sessions and extracts the interesting ones. For flows that meet the inspection criteria, the output mode dumps match statistics to stdout, to a file, or to both.

    Black Hat USA 2014 Arsenal

    August 6, 2014

    Nullcon 2014

    February 14, 2014
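
The structural properties Rudra reports (entropy, compression ratio, theoretical minimum size, per-block entropy for visualization) are cheap to compute and worth understanding on their own. The following is an added example, not Rudra's code: it computes those properties for a constructed buffer made of readable HTTP text followed by a pseudo-random blob (a SHA-256 chain standing in for packed or encrypted content), so that the per-block entropy profile shows where the opaque region begins. The sample data, block size and the 7.0 bits/byte "high entropy" threshold are assumptions for this illustration.

```python
import math
import zlib
import hashlib
from collections import Counter


def shannon_entropy(data):
    """Order-0 Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data):
    """zlib-compressed size divided by original size: close to 0 for redundant data, above 1.0 for random data."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def theoretical_minsize(data):
    """Lower bound on size under the order-0 model: entropy (bits/byte) * length / 8, rounded up to whole bytes."""
    return math.ceil(shannon_entropy(data) * len(data) / 8)


def entropy_profile(data, block=256):
    """Entropy of each fixed-size block, the series a viewer would plot to show where opaque regions sit."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def structural_report(data, block=256, high=7.0):
    """Summary of the structural properties for one buffer; `high` is the per-block threshold (assumed)."""
    profile = entropy_profile(data, block)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "compression_ratio": round(compression_ratio(data), 4),
        "theoretical_minsize": theoretical_minsize(data),
        "max_block_entropy": round(max(profile), 4) if profile else 0.0,
        "high_entropy_blocks": sum(1 for e in profile if e > high),
    }


def pseudo_random(n, seed=b"rudra-example"):
    """Deterministic stand-in for packed/encrypted content (SHA-256 chain; not a CSPRNG, for reproducibility only)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample: 2 KiB of repetitive HTTP text followed by 2 KiB of pseudo-random bytes,
# the shape of a small file that carries an embedded encrypted or packed blob.
SAMPLE_TEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 64)[:2048]
SAMPLE_BLOB = pseudo_random(2048)
SAMPLE_FILE = SAMPLE_TEXT + SAMPLE_BLOB

if __name__ == "__main__":
    for name, buf in (("text", SAMPLE_TEXT), ("blob", SAMPLE_BLOB), ("file", SAMPLE_FILE)):
        print(name, structural_report(buf, block=512))
    print("profile:", [round(e, 2) for e in entropy_profile(SAMPLE_FILE, 512)])
```

Reading the output: the text half compresses to a few percent of its size and sits around 4.5 bits/byte, the blob half does not compress at all (ratio above 1.0, zlib stores it) and exceeds 7.5 bits/byte, and the block profile jumps at the boundary. Entropy alone cannot distinguish compressed from encrypted data, which is why a tool like Rudra pairs it with format-specific checks.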
  1. Kalpi

    December 18, 2015

    A minimal static site generator based on @ckunte's fork of Chisel. It adds several features, including but not limited to object-oriented code, tag cloud generation, read-time calculation and prev/next post linking. This blog is built with Kalpi and serves as an example of its capabilities.

  2. Cigma

    November 18, 2015

    A pure-Python file type identification library. It aims to provide quick and easy type identification without incurring the overhead of parsing the file structure to gather additional metadata.

  3. Rudra

    August 10, 2015

    It aims to provide a developer-friendly framework for exhaustive analysis of files. Initial releases focus primarily on building a robust analysis architecture and on support for application/*.pcap files. Later versions will add analysis capabilities for application/{octet-stream, pdf, zip} and possibly other file types.

  4. Dotfiles

    June 15, 2015

    This repo contains dotfiles and bootstrap to quickly get started on newish systems.

  5. Chopshop

    February 24, 2014

    A MITRECND-developed framework for protocol analysis and decoding. It provides a nifty wrapper over pynids and allows one to write modules that operate over reassembled TCP flows and UDP packets. I've contributed the shellcode_detector module, which uses libemu's x86 emulation capabilities to identify shellcode inside network flows.

  6. Cuckoo Sandbox

    December 25, 2013

    Cuckoo Sandbox is an automated dynamic malware analysis system. I've recently started working with Cuckoo and, like others in the community, I find it to be an integral part of my malware analysis process. I've contributed a minor typo fix to Cuckoo's documentation.

  7. Pcap Generation Tool

    December 9, 2013

    PCAPGenerationTools allows you to generate pcaps from Python without touching the network in any way. It uses Scapy to generate pcaps for simulated file transfers and also applies a number of common, protocol-aware encodings to the generated sessions. It can also be used as a library and integrated into your own tools. I've contributed the content-type identification feature and a bugfix.

  8. RE2DotGraph

    August 29, 2013

    A handy tool to visualize (non-POSIX) regexes as a dot graph. It uses the pyFSA project to generate an FSM for the input expression and then converts it to an equivalent dot file, which is rendered as a .png image and saved to disk.

  9. PcapEdit

    August 16, 2013

    An interactive, command-line-focused pcap editor built on top of the awesome Scapy framework. It provides very simple wrappers over Scapy's built-in methods, allowing easy and clean modification of a pcap. It wraps the editing functionality and exposes only the interesting tidbits.

  10. ARPSecur

    June 4, 2013

    A set of two proof-of-concept tools that demonstrate security issues in the Address Resolution Protocol (ARP) as specified in RFC 826. The first tool, arp-poison, demonstrates how to poison a system's ARP cache with spoofed replies to requests that were never sent. Because the protocol is stateless, such replies are considered valid, and the receiving system updates its MAC-to-IP mapping table with the spoofed addresses. The second tool, arp-secur, implements the ideas proposed in the paper Detecting ARP Spoofing: An Active Technique by Vivek Ramachandran and Sukumar Nandi. It uses port scanning, in a very novel way, to identify malicious ARP requests and responses.

  11. Flowinspect

    May 19, 2013

    A network inspection tool that enables regex and fuzzy string matching on arbitrary network flows. It can also detect shellcode in flows and scan them with Yara rules. If a match is found, the matching flow can be dumped to a pcap file, or its payload can be extracted for further analysis.
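
The ARPSecur entry above rests on one property of RFC 826: a host merges the sender's MAC/IP pair from any ARP reply it receives, whether or not it ever sent a request. The following added example (not the arp-poison or arp-secur code) builds and parses raw Ethernet/ARP frames with struct, then feeds a spoofed "192.168.1.1 is-at <attacker>" reply to two caches: a naive cache that merges as the RFC describes, and a request-tracking cache that only accepts replies for IPs it has an outstanding request for. The third step shows the limit of request tracking: an attacker who answers while a genuine request is pending still gets in, which is why the paper's active technique verifies the mapping out of band instead. That port-scan-based verification needs a live network and is not implemented here; nothing in this block touches a socket. All MAC and IP addresses are made up.

```python
import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpPacket:
    op: int
    sha: str   # sender hardware address
    spa: str   # sender protocol (IPv4) address
    tha: str   # target hardware address
    tpa: str   # target protocol address


def build_frame(pkt):
    """Ethernet II header + RFC 826 ARP body (htype 1, ptype 0x0800, hlen 6, plen 4): 42 bytes."""
    eth_dst = BROADCAST if pkt.op == ARP_REQUEST else pkt.tha
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(pkt.sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, pkt.op,
                      mac_bytes(pkt.sha), socket.inet_aton(pkt.spa),
                      mac_bytes(pkt.tha), socket.inet_aton(pkt.tpa))
    return eth + arp


def parse_frame(frame):
    """Inverse of build_frame; rejects non-ARP frames and unsupported address families."""
    _, _, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return ArpPacket(op, mac_str(sha), socket.inet_ntoa(spa), mac_str(tha), socket.inet_ntoa(tpa))


class NaiveCache:
    """RFC 826 merge behaviour: any reply updates the table, requested or not."""
    def __init__(self):
        self.table = {}

    def process(self, pkt):
        if pkt.op == ARP_REPLY:
            self.table[pkt.spa] = pkt.sha
            return "updated"
        return "ignored"


class RequestTrackingCache:
    """Accepts a reply only while a request for that IP is outstanding; records anomalies in `alerts`."""
    def __init__(self, my_mac, my_ip):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.table, self.pending, self.alerts = {}, set(), []

    def request(self, ip):
        self.pending.add(ip)
        return build_frame(ArpPacket(ARP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, ip))

    def process(self, pkt):
        if pkt.op != ARP_REPLY:
            return "ignored"
        if pkt.spa not in self.pending:
            self.alerts.append(("unsolicited-reply", pkt.spa, pkt.sha))
            return "rejected"
        old = self.table.get(pkt.spa)
        if old is not None and old != pkt.sha:
            self.alerts.append(("mac-changed", pkt.spa, old, pkt.sha))
        self.table[pkt.spa] = pkt.sha
        self.pending.discard(pkt.spa)
        return "updated"


# Constructed lab segment: victim, real gateway and attacker (all addresses made up).
VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:01", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "02:00:00:00:00:02", "192.168.1.1"
ATTACKER_MAC = "02:00:00:00:00:03"


def run_scenario():
    naive, tracking = NaiveCache(), RequestTrackingCache(VICTIM_MAC, VICTIM_IP)
    poison = parse_frame(build_frame(ArpPacket(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)))
    # 1. Spoofed reply with no request outstanding: the naive cache merges it, the tracking cache rejects it.
    step1 = (naive.process(poison), tracking.process(poison))
    # 2. The victim really asks for the gateway and the real gateway answers.
    parse_frame(tracking.request(GATEWAY_IP))
    genuine = parse_frame(build_frame(ArpPacket(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)))
    step2 = (naive.process(genuine), tracking.process(genuine))
    # 3. The attacker races the next request: both caches accept, only the tracking cache notices the change.
    tracking.request(GATEWAY_IP)
    step3 = (naive.process(poison), tracking.process(poison))
    return {"steps": [step1, step2, step3], "naive": dict(naive.table),
            "tracking": dict(tracking.table), "alerts": list(tracking.alerts)}


if __name__ == "__main__":
    print(run_scenario())
```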
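
The Flowinspect entries (in Talks and Demos above, and here) describe a pipeline: extract layer 4 flows from packets, reassemble each direction's payload, run regex and fuzzy matchers over it, and report match statistics. The following added example is not Flowinspect's code; it implements that pipeline in plain Python over a constructed packet list (out-of-order and retransmitted TCP segments included) so the reassembly step is exercised, and uses difflib's SequenceMatcher as a stand-in fuzzy matcher. The regex patterns, the 0.8 similarity threshold and all addresses and payloads are assumptions for the illustration.

```python
import re
import difflib
from collections import defaultdict, namedtuple

# One captured packet reduced to the fields a flow extractor needs (constructed, not parsed from a pcap).
Packet = namedtuple("Packet", "src sport dst dport proto seq payload")


def flow_key(pkt):
    """Bidirectional flow key: both directions of a conversation map to the same key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def extract_flows(packets):
    """Group packets into L4 flows and rebuild each direction's payload.
    TCP segments are ordered by sequence number and exact retransmissions dropped
    (overlapping retransmissions and holes are not handled); UDP keeps arrival order."""
    segs = defaultdict(lambda: defaultdict(dict))  # flow key -> direction -> {position: bytes}
    for p in packets:
        direction = (p.src, p.sport, p.dst, p.dport)
        d = segs[flow_key(p)][direction]
        if p.proto == "tcp":
            d.setdefault(p.seq, p.payload)  # first copy of a segment wins
        else:
            d[len(d)] = p.payload
    return {k: {dr: b"".join(d[pos] for pos in sorted(d)) for dr, d in dirs.items()}
            for k, dirs in segs.items()}


def best_fuzzy_window(text, needle):
    """Slide a needle-sized window over the text; return the best similarity ratio and its offset."""
    n, best, best_off = len(needle), 0.0, -1
    for off in range(max(1, len(text) - n + 1)):
        r = difflib.SequenceMatcher(None, needle, text[off:off + n]).ratio()
        if r > best:
            best, best_off = r, off
    return best, best_off


def inspect(flows, regexes, fuzzy_needles, fuzzy_threshold=0.8):
    """Inspection engine: run every regex and fuzzy needle over every direction of every flow."""
    hits = []
    for key, dirs in flows.items():
        for direction, payload in dirs.items():
            for name, rx in regexes.items():
                for m in rx.finditer(payload):
                    hits.append({"flow": key, "direction": direction, "matcher": name,
                                 "offset": m.start(), "match": m.group(0)})
            text = payload.decode("latin-1")  # byte-preserving decode so offsets stay meaningful
            for needle in fuzzy_needles:
                score, off = best_fuzzy_window(text, needle)
                if score >= fuzzy_threshold:
                    hits.append({"flow": key, "direction": direction, "matcher": "fuzzy:" + needle,
                                 "offset": off, "match": text[off:off + len(needle)],
                                 "score": round(score, 3)})
    return hits


def match_stats(hits):
    """Per-matcher hit counts, the kind of summary an output mode would dump to stdout or a file."""
    stats = defaultdict(int)
    for h in hits:
        stats[h["matcher"]] += 1
    return dict(stats)


REGEXES = {
    "unix-shell-path": re.compile(rb"/bin/(?:ba|da|z)?sh\b"),
    "sqli-union": re.compile(rb"UNION\s+SELECT", re.I),
}
FUZZY_NEEDLES = ["UNION SELECT"]

# Constructed traffic: one HTTP request split into three segments (delivered out of order, one
# retransmitted), its response, and a second request whose SQL keywords use digit substitutions.
CLIENT, SERVER = ("10.0.0.5", 40001), ("203.0.113.10", 80)
REQ1 = b"GET /cgi-bin/run?cmd=/bin/sh HTTP/1.1\r\nHost: target.test\r\n\r\n"
PACKETS = [
    Packet(*CLIENT, *SERVER, "tcp", 1020, REQ1[20:40]),  # arrives before its predecessor
    Packet(*CLIENT, *SERVER, "tcp", 1000, REQ1[:20]),
    Packet(*CLIENT, *SERVER, "tcp", 1000, REQ1[:20]),    # retransmission, must not duplicate data
    Packet(*CLIENT, *SERVER, "tcp", 1040, REQ1[40:]),
    Packet(*SERVER, *CLIENT, "tcp", 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Packet("10.0.0.7", 40002, *SERVER, "tcp", 1,
           b"GET /item?id=1 UNI0N SEL3CT password FROM users HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    found = inspect(extract_flows(PACKETS), REGEXES, FUZZY_NEEDLES)
    for h in found:
        print(h)
    print(match_stats(found))
```

Running it shows why both matcher types are useful: the shell-path regex fires on the reassembled first request only because the segments were put back in order, while the obfuscated UNI0N SEL3CT evades the UNION SELECT regex entirely and is caught only by the fuzzy matcher (similarity 0.833 against the needle). The windowed SequenceMatcher is O(flow length x needle length) per needle, acceptable for a demo but not for line-rate inspection.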