
Network Security

Purpose

Analyses network traffic for DDoS, intrusion attempts, DNS tunnelling, protocol anomalies, reconnaissance, exfiltration, and VPN/remote-access anomalies. Operates in a read+act posture: beyond reporting, it can recommend and apply firewall rules and IP blocks.

MCP Domains

| Domain | Description |
|---|---|
| network | Flow analysis, firewall rule management |
| siem | Log search, event correlation |
| network_capture | PCAP analysis, stream extraction, protocol decoding |

Tools

| Tool | Description |
|---|---|
| analyze_flows | NetFlow/sFlow statistical analysis |
| detect_dns_tunneling | DNS anomaly detection |
| block_ip | Firewall IP blocking |
| capture_traffic | Start packet capture |
| analyze_pcap | Deep packet inspection |
| extract_streams | Extract TCP/UDP streams from PCAP |
| protocol_decode | Decode application-layer protocols |

Input schema

{
  "query": "string",
  "time_range": {"start": "ISO8601", "end": "ISO8601"},
  "analysis_type": "flow | dns | intrusion | exfiltration | all",
  "target_segment": "string"
}

Output schema

{
  "severity": "Critical | High | Medium | Low | Info",
  "confidence": "float",
  "threat_type": "string",
  "affected_networks": ["string"],
  "flow_analysis": "string",
  "dns_analysis": "string",
  "mitre_techniques": ["string"],
  "iocs": [
    {"type": "string", "value": "string", "confidence": "float"}
  ],
  "recommended_firewall_rules": [
    {
      "rule_logic": "string",
      "rationale": "string",
      "revert_guidance": "string"
    }
  ],
  "sigma_rules": [
    {
      "title": "string",
      "description": "string",
      "level": "string",
      "logsource": {"category": "string", "product": "string"},
      "detection": {"selection": {}, "condition": "string"}
    }
  ]
}
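Because the agent can act on its own output, a caller should validate a result against the output schema before any recommended_firewall_rules are applied. The validator below is an added example, not code from the page or the project; the sample record, its network ranges and domain are constructed for illustration.

```python
SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}

def _require_strings(obj, fields, where, errors):
    """Append an error for each field that is absent, not a string, or blank."""
    for f in fields:
        if not isinstance(obj.get(f), str) or not obj[f].strip():
            errors.append(f"{where}: missing or empty '{f}'")

def validate_output(record):
    """Return a list of schema violations; an empty list means the record is safe to act on."""
    errors = []
    if record.get("severity") not in SEVERITIES:
        errors.append("severity must be one of " + ", ".join(sorted(SEVERITIES)))
    conf = record.get("confidence")
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        errors.append("confidence must be a float in [0, 1]")
    _require_strings(record, ["threat_type", "flow_analysis", "dns_analysis"], "record", errors)
    for key in ("affected_networks", "mitre_techniques"):
        if not all(isinstance(x, str) for x in record.get(key, [])):
            errors.append(f"{key} must be a list of strings")
    for i, ioc in enumerate(record.get("iocs", [])):
        _require_strings(ioc, ["type", "value"], f"iocs[{i}]", errors)
    # A read+act agent may apply these rules, so each one must document how to
    # undo it before an operator lets it through.
    for i, rule in enumerate(record.get("recommended_firewall_rules", [])):
        _require_strings(rule, ["rule_logic", "rationale", "revert_guidance"],
                         f"recommended_firewall_rules[{i}]", errors)
    for i, sigma in enumerate(record.get("sigma_rules", [])):
        _require_strings(sigma, ["title", "description", "level"], f"sigma_rules[{i}]", errors)
        det = sigma.get("detection") or {}
        if not isinstance(det.get("selection"), dict) or not isinstance(det.get("condition"), str):
            errors.append(f"sigma_rules[{i}]: detection needs 'selection' (object) and 'condition' (string)")
    return errors

# Constructed sample record: the second firewall rule lacks revert_guidance.
SAMPLE = {
    "severity": "High", "confidence": 0.82, "threat_type": "DNS tunnelling",
    "affected_networks": ["10.20.0.0/16"], "mitre_techniques": ["T1071.004"],
    "flow_analysis": "Sustained high-entropy TXT queries from one host",
    "dns_analysis": "Subdomain length far above baseline",
    "iocs": [{"type": "domain", "value": "tunnel.example.invalid", "confidence": 0.7}],
    "recommended_firewall_rules": [
        {"rule_logic": "drop udp/53 from 10.20.0.0/16 to hosts other than the internal resolver",
         "rationale": "Contain tunnelling while the host is investigated",
         "revert_guidance": "Delete the rule once the host is remediated"},
        {"rule_logic": "drop any to tunnel.example.invalid", "rationale": "Block the tunnel endpoint"},
    ],
    "sigma_rules": [],
}
```

Running validate_output(SAMPLE) reports the rule without revert guidance; a caller would refuse to apply that rule set until the agent supplies it.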

Memory config

| Parameter | Value |
|---|---|
| sliding_window | 30 |
| enable_episodic | true |
| enable_threat_intel | false |
| auto_persist_interval | 20 |

Allow-list

network, siem, network_capture