D0kdo Orchestrator

D0kdo

Packets

팀 서버 단위 패킷 캡처 (15분 지연 · Src IP 마스킹 · fake flag 주의)

All

Suspicious (5)

Exploited (4)

Normal (3)

15분 지연 적용 · 출발지 IP 마스킹

Packet ID	Tags	Src → Dst	Proto	Size	Created
pkt-0041	suspicious exploited	0.0.0.0 → 10.60.1.1	TCP	1284B	14:17:32 (R40)
pkt-0042	suspicious	0.0.0.0 → 10.60.1.1	TCP	4096B	14:17:45 (R40)
pkt-0043	exploited FAKE?	0.0.0.0 → 10.60.1.1	TCP	832B	14:18:01 (R40)
pkt-0044	normal	0.0.0.0 → 10.60.1.1	TCP	512B	14:18:15 (R40)
pkt-0045	suspicious	0.0.0.0 → 10.60.1.1	UDP	256B	14:18:30 (R40)
pkt-0046	suspicious exploited	0.0.0.0 → 10.60.1.1	TCP	2048B	14:19:02 (R40)
pkt-0047	suspicious	0.0.0.0 → 10.60.1.1	TCP	768B	14:19:18 (R40)
pkt-0048	normal	0.0.0.0 → 10.60.1.1	TCP	128B	14:19:33 (R40)
pkt-0049	exploited FAKE?	0.0.0.0 → 10.60.1.1	TCP	3584B	14:20:01 (R40)
pkt-0050	normal	0.0.0.0 → 10.60.1.1	TCP	320B	14:20:15 (R40)

5 Suspicious

4 Exploited

3 Normal

Total: 10 packets

Suspicious Pattern으로 패킷 자동 태깅 (§3)

ID	Pattern (regex)	Mode	Preview	Created	Actions
pat-001	(?i)(union\s+select\|or\s+1\s=\s1\|'\s*--)	local	SQLi: union select, OR 1=1, comment bypass	2025-06-18 09:30
pat-002	\\x41{100,}\|\\x90{8,}\|0x004[0-9a-f]{5}	local	BOF: NOP sled, long padding, ROP address	2025-06-18 10:15
pat-003	%[0-9]*\$?[nxsph]	local	FmtStr: %x, %n, %s specifiers	2025-06-18 11:00
pat-004	(?:JTAG\|SWD\|UART)\s+(?:DUMP\|READ\|WRITE)	remote	Hardware: JTAG/SWD/UART interface access	2025-06-18 13:00
pat-005	(?:padding).{0,20}(?:oracle\|probe\|block)	remote	Crypto: padding oracle probe sequences	2025-06-18 14:00