# ניתוח Zeek conn.log עם Python — זיהוי Beaconing
import json
from collections import defaultdict
from statistics import stdev, mean

def detect_beaconing(conn_log_path: str) -> list:
    connections = defaultdict(list)
    
    with open(conn_log_path) as f:
        for line in f:
            if line.startswith("#"):
                continue
            event = json.loads(line)
            key = (event["id.orig_h"], event["id.resp_h"], event["id.resp_p"])
            connections[key].append(event["ts"])
    
    beaconing = []
    for (src, dst, port), timestamps in connections.items():
        if len(timestamps) < 10:
            continue
        intervals = [timestamps[i+1] - timestamps[i] for i in range(len(timestamps)-1)]
        if mean(intervals) > 0 and stdev(intervals) / mean(intervals) < 0.1:
            beaconing.append({
                "src": src, "dst": dst, "port": port,
                "interval_mean_sec": round(mean(intervals), 1),
                "beacon_count": len(timestamps)
            })
    
    return sorted(beaconing, key=lambda x: x["beacon_count"], reverse=True)

IDS/IPS — Intrusion Detection & Prevention

IDS/IPS — Intrusion Detection & Prevention

IDS/IPS — Intrusion Detection & Prevention