Total hits
Detector classes
unique detectors firing
Years analyzed
Pcaps · GB
Severity distribution per year
Hits per year by detector category
Top detector classes (all years combined)
Attacker IPs per year
Victim IPs per year
Detector × Year matrix
Each cell = number of hits for that detector in that year's slice.
Detector catalogue
| Detector | Category | Total hits | What it catches |
|---|---|---|---|
SSH client banners
Attacker-tooling fingerprints observed in SSH negotiation.
| Client banner | Connections |
|---|---|
HTTP User-Agents (attacker)
UAs matched against the attacker-tool regex list.
| User-Agent | Requests |
|---|---|
JA4 fingerprints
TLS-1.3-safe client fingerprints. Suffix-matched against C2/malware list (Cobalt Strike, Sliver, Mythic, Havoc, IcedID).
| JA4 hash / suffix | Tool / family | Count |
|---|---|---|
JA3 fingerprints
Legacy TLS client fingerprints — unreliable for TLS 1.3 because of GREASE. Prefer JA4.
| JA3 hash | Tool / family | Count |
|---|---|---|
Tool signatures (other)
NTLM workstation names (nxc/impacket fingerprints), HTTP tool labels.
| Signature | Count |
|---|---|
Suricata ET signatures (top 50)
Ranked by hit count.
| Signature | SID | Severity | Count | Srcs | Dsts |
|---|---|---|---|---|---|
Fingerprinted tools — catalogue
Tools we have a high-confidence on-wire signature for.
| Tool | Source detector | Total hits | Years seen | First seen |
|---|---|---|---|---|
All findings (… shown)
| Year | Severity | Detector | Category | Src | Dst | Port | Summary |
|---|---|---|---|---|---|---|---|