---

🔬 What I'm Building

SNF-Core — Passive Network Forensics Engine A deterministic, offline-first packet analysis engine written in Rust. Built for environments where cloud tools aren't an option. $ snf-core --forensic --pcap-file capture.pcap IOC hits : 23 ← Emotet C2 IPs matched Threat matches : 52 ← malicious JA3/JA4 fingerprints Parse errors : 0 Air-gap safe. Zero cloud. Zero network calls.

What it detects — fully offline: 🛡️ JA3/JA4 TLS fingerprinting 🎯 Offline IOC matching 🔍 Threat actor attribution 📡 18 protocol analyzers 🏭 ICS/SCADA: Modbus, DNP3, S7comm 🧬 Beacon detection + DGA scoring 🌐 DNS tunneling detection 📊 Deterministic NDJSON output Same PCAP → SHA-256 identical output. Always.

---

🚧 Currently Building

Phase	Feature	Status
✅ 19	Offline Threat Intel — IOC matching, JA3/JA4 threat actor attribution	DONE
🔨 20	PCAP Redaction Engine — anonymize IPs/MACs for safe PCAP sharing	IN PROGRESS
📋 21	Hardware Fingerprinting — passive OS/device detection from TTL, TCP window	PLANNED
📋 22	Multi-PCAP Correlation — track persistent threat actors across captures	PLANNED
📋 23	Query Extension — show flows where bytes > 1MB on stored sessions	PLANNED
📋 24	SIEM Export — Splunk/Elastic/CEF file-based export	PLANNED

---

🧰 Tech Stack

Core: Rust · pcap · etherparse · md5 · sha2 · serde
Domains: Network forensics · Threat intelligence · ICS/SCADA security · TLS fingerprinting
Platforms: RHEL 9 · Windows 11 · Cross-platform deterministic builds

---

📊 GitHub Stats

---

🏢 SNF Labs

Building the commercial edition of SNF — advanced threat detection, behavioral analysis, graph engine, timeline reconstruction, and SIEM integration. Open core model: SNF-Core is free forever. Pro edition coming soon.

---

If you work in network security, DFIR, or ICS/OT — SNF-Core might be useful to you.
Star the repo if it is ⭐