{{ title }}

PCAP: {{ pcap }}
{% if db_path %}
Evidence DB: {{ db_path }}
{% endif %}

Executive Summary

Overall score
{{ score }}/100
Critical
{{ severity_counts.CRITICAL }}
High
{{ severity_counts.HIGH }}
Medium
{{ severity_counts.MEDIUM }}
Low
{{ severity_counts.LOW }}

Capture Metadata

{% for key, value in tshark_summary.capinfos.items() %}{% if key in ["file_name","file_type","file_encapsulation","number_of_packets","file_size","data_size","capture_duration","earliest_packet_time","latest_packet_time","average_packet_rate","sha256"] %}
{{ key }}: {{ value }}
{% endif %}{% endfor %}
{% if timings %}

Analysis Runtime

Stage | Duration
{% for name, seconds in timings.items() %}{% if name != "tshark_files" %}
{{ name }} | {{ human_duration(seconds) }}
{% endif %}{% endfor %}
{% endif %}

Methodology & Reference Basis

This report maps observed network behavior to selected security references. A mapping records which control, section or technique the behavior relates to; it is not treated as an automatic compliance violation or a confirmed intrusion. Each mapping is an evidence-based triage indicator that requires environment-specific validation (approved services, asset inventory, change records) before action is taken.

  • CIS Controls v8.1 — secure configuration, network infrastructure management, network monitoring and defense.
  • NIST SP 800-52 Rev.2 — TLS protocol and secure transport guidance.
  • NIST SP 800-81 Rev.3 — secure DNS deployment, protective DNS, DNS logging and DNS tunneling indicators.
  • NIST SP 800-41 Rev.1 — firewall policy, allowed/denied traffic and scanning-related traffic considerations.
  • MITRE ATT&CK Enterprise — adversary behavior classification such as DNS C2, discovery, remote services and exfiltration.

Network Summary

Connections
{{ zeek_stats.connection_count }}
Internal hosts
{{ zeek_stats.internal_host_count }}
External hosts
{{ zeek_stats.external_host_count }}
DNS queries
{{ zeek_stats.dns_query_count }}
TLS sessions
{{ zeek_stats.tls_session_count }}

Top Services

{% set maxv = zeek_stats.top_services[0][1] if zeek_stats.top_services else 0 %} {% for item in zeek_stats.top_services[:15] %}
{{ item[0] }}
{{ item[1] }}
{% endfor %}

Top Talkers

{% set maxv = zeek_stats.top_talkers[0][1] if zeek_stats.top_talkers else 0 %} {% for item in zeek_stats.top_talkers[:15] %}
{{ item[0] }}
{{ item[1] }}
{% endfor %}

Top Destination Ports

{% set maxv = zeek_stats.top_ports[0][1] if zeek_stats.top_ports else 0 %} {% for item in zeek_stats.top_ports[:15] %}
{{ item[0] }}
{{ item[1] }}
{% endfor %}

Protocol Hierarchy

{% set rows = tshark_summary.protocol_hierarchy_top %} {% set maxv = rows[0].frames if rows else 0 %} {% for row in rows[:15] %}
{{ row.protocol }}
{{ row.frames }}
{% endfor %}

Top Conversations by Connections

{% set maxv = zeek_stats.top_pairs[0][1] if zeek_stats.top_pairs else 0 %} {% for item in zeek_stats.top_pairs[:12] %}
{{ item[0] }}
{{ item[1] }}
{% endfor %}

Top Endpoints by Bytes

{% set maxv = zeek_stats.top_endpoints_by_bytes[0][1] if zeek_stats.top_endpoints_by_bytes else 0 %} {% for item in zeek_stats.top_endpoints_by_bytes[:12] %}
{{ item[0] }}
{{ item[1] | human_bytes }}
{% endfor %}

Top DNS Queries

{% set maxv = zeek_stats.top_dns_queries[0][1] if zeek_stats.top_dns_queries else 0 %} {% for item in zeek_stats.top_dns_queries[:12] %}
{{ item[0] }}
{{ item[1] }}
{% endfor %}

Top HTTP Hosts / TLS SNI

HTTP hosts

{% for item in zeek_stats.top_http_hosts[:8] %}
{{ item[0] }}: {{ item[1] }}
{% endfor %}

TLS SNI

{% for item in zeek_stats.top_tls_sni[:8] %}
{{ item[0] }}: {{ item[1] }}
{% endfor %}

Findings

{% for finding in findings %}

{{ finding.severity }} | {{ finding.title }}

Category: {{ finding.category }} | Confidence: {{ finding.confidence }}{% if finding.data_source %} | Data source: {{ finding.data_source }}{% endif %}

{{ finding.description }}

Recommendation: {{ finding.recommendation }}

{% if finding.basis %}

Basis: {{ finding.basis }}

{% endif %} {% if finding.references %}
Reference mappings
Source | Control / Section / Technique | Detail
{% for ref in finding.references %}
{{ ref.source }} | {{ ref.control or ref.section or ref.technique or "" }} | {{ ref.detail }}
{% endfor %}
{% endif %} {% if finding.mappings %}
Technique mappings
{{ finding.mappings | tojson(indent=2) }}
{% endif %} {% if finding.affected_hosts %}

Affected hosts: {{ finding.affected_hosts[:30] | join(", ") }}{% if finding.affected_hosts|length > 30 %} ... (+{{ finding.affected_hosts|length - 30 }} more){% endif %}

{% endif %} {% if finding.evidence %}
Evidence summary
{{ finding.evidence | tojson(indent=2) }}
{% endif %}
{% else %}
No findings generated.
{% endfor %}

Top Risky Hosts

Host | Risk | Alerts | Protocols | Peers | Findings
{% for host in hosts %}
{{ host.ip }} | {{ host.risk_score }} | {{ host.suricata_alerts }} | {{ host.protocols | list | sort | join(", ") }} | {{ host.peers | list | length }} | {{ host.finding_titles[:8] | join("; ") }}{% if host.finding_titles|length > 8 %} ...{% endif %}
{% endfor %}

Evidence Locations

The report is intentionally summary-based; full evidence is stored separately in the files listed below. Reference mappings cite document names, control numbers, sections and technique IDs only; the source documents themselves are not bundled in the project.

  • triage.db — structured SQLite evidence store
  • findings.json, hosts.json, summary.json — machine-readable summaries
  • engines/zeek/ — Zeek logs
  • engines/suricata/eve.json — Suricata events
  • engines/tshark/ — compact capture/protocol summary
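The counters shown in the Network Summary can be reproduced from the Zeek logs under engines/zeek/. The Python below is an added example, not code from the report template or its generator: it parses a conn.log using Zeek's header conventions (#separator, #unset_field, #fields), derives the same zeek_stats fields the template references, and supplies human_bytes and human_duration in the shape the template calls them. The sample log lines are constructed, and which columns feed each counter (originator address for Top Talkers, originator plus responder bytes for Top Endpoints by Bytes, RFC 1918 / loopback / link-local addresses counted as internal) is this example's assumption, not necessarily how the report generator does it.

```python
"""Added example: rebuild the Network Summary counters from a Zeek conn.log
and define the human_bytes / human_duration helpers the template expects.
Not part of the report template or its generator."""
import ipaddress
from collections import Counter

# Constructed Zeek conn.log excerpt. Real files are tab-separated and declare
# the separator as an escape sequence on the first line; "-" marks unset cells.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount\n"
    "1700000000.1\tC1\t10.0.0.5\t51000\t8.8.8.8\t53\tudp\tdns\t60\t120\n"
    "1700000000.2\tC2\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp\tssl\t2000\t150000\n"
    "1700000000.3\tC3\t10.0.0.7\t51002\t93.184.216.34\t443\ttcp\tssl\t1500\t80000\n"
    "1700000000.4\tC4\t10.0.0.7\t51003\t10.0.0.9\t445\ttcp\t-\t-\t-\n"
    "1700000000.5\tC5\t10.0.0.5\t51004\t8.8.8.8\t53\tudp\tdns\t70\t130\n"
    "#close\t2023-11-14-22-13-20\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per data row, honoring #separator, #unset_field and
    #fields. Unset cells become None. Rows with a wrong column count raise
    instead of being silently misaligned into the wrong fields."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # e.g. "#separator \x09": the escape sequence names the separator
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def is_internal(ip):
    # Assumption: private (RFC 1918 / ULA), loopback and link-local are "internal".
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def zeek_stats(records, top_n=15):
    """Aggregate conn.log records into the fields the report template reads."""
    services, talkers, ports, pairs, ep_bytes = (Counter() for _ in range(5))
    internal, external, count = set(), set(), 0
    for r in records:
        count += 1
        src, dst = r["id.orig_h"], r["id.resp_h"]
        for host in (src, dst):
            (internal if is_internal(host) else external).add(host)
        services[r["service"] or "unknown"] += 1        # unset service -> "unknown"
        talkers[src] += 1                               # connections originated
        ports[f'{r["id.resp_p"]}/{r["proto"]}'] += 1    # destination port + proto
        pairs[f"{src} -> {dst}"] += 1
        total = int(r["orig_bytes"] or 0) + int(r["resp_bytes"] or 0)
        ep_bytes[src] += total                          # bytes moved per endpoint
        ep_bytes[dst] += total
    return {
        "connection_count": count,
        "internal_host_count": len(internal),
        "external_host_count": len(external),
        "top_services": services.most_common(top_n),
        "top_talkers": talkers.most_common(top_n),
        "top_ports": ports.most_common(top_n),
        "top_pairs": pairs.most_common(top_n),
        "top_endpoints_by_bytes": ep_bytes.most_common(top_n),
    }


def human_bytes(n):
    """Binary units, as used by the '| human_bytes' filter in the template."""
    n = float(n)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if n < 1024 or unit == "TiB":
            return f"{n:.0f} {unit}" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1024


def human_duration(seconds):
    """Compact stage duration, as used by human_duration(seconds) in the template."""
    seconds = float(seconds)
    if seconds < 1:
        return f"{seconds * 1000:.0f} ms"
    minutes, secs = divmod(seconds, 60)
    hours, minutes = divmod(minutes, 60)
    if hours:
        return f"{int(hours)}h {int(minutes)}m {secs:.0f}s"
    if minutes:
        return f"{int(minutes)}m {secs:.0f}s"
    return f"{secs:.2f} s"


def build_stats(text=SAMPLE_CONN_LOG, top_n=15):
    return zeek_stats(parse_zeek_tsv(text), top_n)


if __name__ == "__main__":
    stats = build_stats()
    for key, value in stats.items():
        if key == "top_endpoints_by_bytes":
            value = [(h, human_bytes(b)) for h, b in value]
        print(f"{key}: {value}")
```

Pointing build_stats at a real engines/zeek/conn.log (read with open(...).read()) gives the same dictionary shape the template consumes; when the numbers disagree with the rendered report, the difference is in which columns were chosen for each counter, which is exactly the kind of assumption the Methodology section asks to validate.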