I built GhostWatch to detect what enterprise tools like Darktrace and
Vectra miss: covert channels hidden inside normal-looking DNS, ICMP,
and HTTP traffic.
It uses entropy analysis and behavioral detection instead of signatures,
so it catches real APT techniques like OilRig DNS tunneling and
SUNBURST-style beaconing.
GitHub: https://github.com/ShadowHunter89/ghostwatch
Would genuinely appreciate feedback from anyone who works in network
security or blue team. Still early stage.
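
The entropy-based approach the post mentions, sketched for DNS query names as an added example. This is not GhostWatch's code; the thresholds, the naive two-label base-domain split and the sample query names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query names (not real traffic).
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "api.example.com",
    "autodiscover-outlook.example.com",
    "a9f3k2q8z7x1m4b6.tunnel-test.invalid",
    "p0w5e7r2t9y1u3i8.tunnel-test.invalid",
    "h4j6l8n0c2v5d7g1.tunnel-test.invalid",
]

def shannon_entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname, base_labels=2):
    """Split a query name into (base domain, joined subdomain labels).
    Assumption: the base domain is the last two labels; a real tool
    would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-base_labels:]), "".join(labels[:-base_labels])

def score_domains(queries, min_entropy=3.5, min_unique=3, min_len=12):
    """Flag base domains that receive many distinct, long, high-entropy
    subdomains, the pattern encoded data in DNS labels tends to produce.
    Returns {base_domain: mean subdomain entropy}."""
    subs_by_base = defaultdict(set)
    for q in queries:
        base, sub = split_name(q)
        if len(sub) >= min_len:  # short labels carry little payload
            subs_by_base[base].add(sub)
    flagged = {}
    for base, subs in subs_by_base.items():
        if len(subs) < min_unique:  # one odd name is not a channel
            continue
        mean_h = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_h >= min_entropy:
            flagged[base] = round(mean_h, 2)
    return flagged

if __name__ == "__main__":
    print(score_domains(SAMPLE_QUERIES))
```

Hashed hostnames used by CDNs and telemetry services can also score high on this measure, so a deployment would pair it with an allowlist or a volume baseline.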