How SNF Detects C2 Beacons on Air-Gapped Networks Without Ever Touching the Internet
Most threat detection tools phone home. They pull threat feeds, push telemetry, verify licenses, or at minimum require a DNS resolver to function. That assumption is baked so deep into modern NDR that nobody questions it anymore.
SNF questions it.
SNF (Shadow Network Fingerprinting) is a passive network intelligence engine written entirely in Rust. It was designed from day one for environments where outbound connectivity is not just unavailable but prohibited: air-gapped defense networks, nuclear infrastructure, industrial control systems, classified SOCs.
The architecture enforces this. There are no configuration flags to disable telemetry, no license server to bypass, no optional cloud sync to turn off. The binary makes zero network calls. Ever. The open-core source (capture, flow reconstruction and parsers) contains no outbound socket to find, and the closed intelligence layer ships under the same constraint. For an environment where that has to be verified rather than trusted, run the binary in a network namespace that holds only the capture interface and confirm it never attempts a connect() or sendto().
What SNF Actually Does
SNF captures raw packets passively, reconstructs TCP/UDP flows, and runs them through 14 deterministic protocol analyzers in a fixed order:
DNS, TLS, HTTP/1.1, HTTP/2, QUIC, DHCP, ICMP, SMB, mDNS, ICS, Enterprise, Discovery, DoH, and DoT.
On top of that it fingerprints TLS sessions using JA3 and JA4, detects C2 beacon patterns by analyzing the timing and jitter of repeated connections to the same destination, catches DGA domains through statistical entropy analysis of the domain label, identifies DNS tunnels by payload size and query frequency, and covers ICS/SCADA protocols including Modbus, S7comm, EtherNet/IP, PROFINET, and DNP3.
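The two behavioral detectors above are simple enough to show end to end. The following is an added example, not SNF's code: it scores every (source, destination) pair by the coefficient of variation of its connection inter-arrival times (a low value means a regular beacon), and scores domains by the Shannon entropy of the label left of the suffix. The thresholds, the struct and field names, and the sample flows and domains are assumptions constructed for illustration.

```rust
// Added example (not SNF code): timing/jitter beacon scoring and label-entropy
// DGA scoring over a constructed set of flow starts and domain names.
// Thresholds, field names and the sample data are assumptions for illustration.
use std::collections::BTreeMap;

/// One flow start as a passive sensor sees it: endpoints and start time (seconds).
#[derive(Clone, Debug)]
pub struct FlowStart {
    pub src: &'static str,
    pub dst: &'static str,
    pub ts: f64,
}

/// Timing summary for one (src, dst) pair.
#[derive(Debug)]
pub struct BeaconScore {
    pub count: usize,
    pub mean_interval: f64,
    /// Coefficient of variation of the inter-arrival times (stddev / mean).
    pub jitter: f64,
    pub is_beacon: bool,
}

/// Score every (src, dst) pair by how regular its connection timing is.
/// A pair is flagged when it has at least `min_count` connections and its
/// jitter is at or below `max_jitter`: C2 frameworks usually add only a few
/// percent of random sleep, while interactive traffic is far more irregular.
pub fn score_beacons(
    flows: &[FlowStart],
    min_count: usize,
    max_jitter: f64,
) -> BTreeMap<(String, String), BeaconScore> {
    let mut by_pair: BTreeMap<(String, String), Vec<f64>> = BTreeMap::new();
    for f in flows {
        by_pair
            .entry((f.src.to_string(), f.dst.to_string()))
            .or_default()
            .push(f.ts);
    }
    let mut scores = BTreeMap::new();
    for (pair, mut ts) in by_pair {
        ts.sort_by(|a, b| a.partial_cmp(b).unwrap());
        let intervals: Vec<f64> = ts.windows(2).map(|w| w[1] - w[0]).collect();
        if intervals.is_empty() {
            continue; // a single connection has no timing to score
        }
        let n = intervals.len() as f64;
        let mean = intervals.iter().sum::<f64>() / n;
        let var = intervals.iter().map(|x| (x - mean).powi(2)).sum::<f64>() / n;
        let jitter = if mean > 0.0 { var.sqrt() / mean } else { f64::INFINITY };
        scores.insert(
            pair,
            BeaconScore {
                count: ts.len(),
                mean_interval: mean,
                jitter,
                is_beacon: ts.len() >= min_count && jitter <= max_jitter,
            },
        );
    }
    scores
}

/// Shannon entropy, in bits per character, of the label left of the last
/// label (a stand-in for a real public-suffix split).
pub fn label_entropy(domain: &str) -> f64 {
    let trimmed = domain.trim_end_matches('.');
    let label = trimmed.rsplit('.').nth(1).unwrap_or(trimmed);
    let mut counts: BTreeMap<char, usize> = BTreeMap::new();
    for c in label.chars() {
        *counts.entry(c.to_ascii_lowercase()).or_insert(0) += 1;
    }
    let len = label.chars().count() as f64;
    counts
        .values()
        .map(|&c| {
            let p = c as f64 / len;
            -p * p.log2()
        })
        .sum()
}

/// Constructed sample: one host calling 203.0.113.7 about every 60 s with a
/// second or two of jitter, plus ordinary bursty browsing to 198.51.100.10.
pub fn sample_flows() -> Vec<FlowStart> {
    let beacon = [0.0, 61.0, 119.0, 180.0, 241.0, 299.0, 360.0, 420.0, 481.0, 539.0, 600.0, 661.0];
    let browsing = [3.0, 5.0, 130.0, 131.0, 400.0, 950.0];
    let mut v: Vec<FlowStart> = beacon
        .iter()
        .map(|&ts| FlowStart { src: "10.0.0.5", dst: "203.0.113.7", ts })
        .collect();
    v.extend(browsing.iter().map(|&ts| FlowStart { src: "10.0.0.5", dst: "198.51.100.10", ts }));
    v
}

fn main() {
    for (pair, s) in score_beacons(&sample_flows(), 8, 0.1) {
        println!("{:?}: n={} mean={:.1}s jitter={:.3} beacon={}", pair, s.count, s.mean_interval, s.jitter, s.is_beacon);
    }
    for d in ["google.com", "xq7zk2pwvb9rmt.com"] {
        println!("{d}: entropy={:.2}", label_entropy(d));
    }
}
```

With these inputs the 203.0.113.7 pair scores a jitter near 0.02 and is flagged, the browsing pair scores above 1.0 and is not, and the 14-character random label scores about 3.8 bits per character against roughly 1.9 for "google". The entropy scorer is also why a .onion name will always score high: v2 and v3 onion addresses are base32-encoded hashes, so a high DGA score on one is a Tor indicator, not evidence of a DGA.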
Everything it finds gets emitted as structured NDJSON with a deterministic guarantee: run the same PCAP with the same config on the same version and you get bit-identical output, verified by SHA-256. This matters in forensic and legal contexts where reproducibility is not optional.
A representative run: SNF against a real Emotet epoch 3 + Trickbot infection PCAP, with no internet connection and no threat feed pulled at runtime.
23 IOC hits. 52 threat matches. JA3 fingerprinting attributed the TLS session to the Emotet/Trickbot loader (a JA3 hash identifies the client TLS stack rather than a specific binary, so the JA4, SNI and certificate fields in the same record are what corroborate the attribution). The stealth detector flagged three external IPs for portscan, tunnel, and exfil activity simultaneously. A DGA candidate scored 85 on a .onion domain; that one is expected rather than alarming, since .onion names are base32-encoded hashes and entropy scoring will always rate them highly.
Parse errors: 0. Capture errors: 0.
Why Determinism Matters
Most tools produce slightly different output across runs because of timing, threading, or probabilistic components. SNF uses BTreeMap for all output so field ordering is always identical, sorts events on a monotonic session clock rather than on worker completion order, and packages the results as cryptographically signed evidence bundles intended for evidentiary use.
Same dataset plus same config plus same version equals identical SHA-256 output. Every single time.
This is not a nice-to-have. In a DFIR investigation, in a government audit, or in a legal proceeding, output that cannot be reproduced by an opposing expert is output you cannot defend. SNF was built around this constraint from the first commit, not bolted on after.
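The determinism argument is concrete enough to demonstrate. The block below is an added example, not SNF's code: records are BTreeMaps so field order is key order rather than insertion order, the batch is sorted on a per-session sequence number so worker scheduling cannot reorder lines, and the emitted bytes are hashed. 64-bit FNV-1a stands in for SHA-256 only because the Rust standard library has no SHA-256; the field names ("seq", "type", "qname", "ja3") and the two sample events are assumptions constructed for illustration.

```rust
// Added example (not SNF code): deterministic NDJSON emission with a stable
// field order, a stable record order, and a digest over the emitted bytes.
// FNV-1a is a stand-in for SHA-256 (std has no SHA-256); field names are assumed.
use std::collections::BTreeMap;

#[derive(Clone, Debug)]
pub enum Field {
    Str(String),
    Num(u64),
}

/// One output record. BTreeMap iterates in sorted key order.
pub type Record = BTreeMap<String, Field>;

/// Minimal JSON string escaping so the output is valid regardless of input.
fn escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Serialize one record as a single JSON object with no whitespace.
pub fn to_json_line(rec: &Record) -> String {
    let mut s = String::from("{");
    for (i, (k, v)) in rec.iter().enumerate() {
        if i > 0 {
            s.push(',');
        }
        s.push_str(&format!("\"{}\":", escape(k)));
        match v {
            Field::Str(x) => s.push_str(&format!("\"{}\"", escape(x))),
            Field::Num(n) => s.push_str(&n.to_string()),
        }
    }
    s.push('}');
    s
}

/// 64-bit FNV-1a over the emitted bytes (stand-in for SHA-256 of the file).
pub fn fnv1a64(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in data {
        h ^= b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Sort by the "seq" field (assumed to come from a monotonic session counter),
/// then emit NDJSON and return it together with its digest.
pub fn emit_ndjson(records: &mut Vec<Record>) -> (String, u64) {
    records.sort_by_key(|r| match r.get("seq") {
        Some(Field::Num(n)) => *n,
        _ => u64::MAX,
    });
    let mut out = String::new();
    for r in records.iter() {
        out.push_str(&to_json_line(r));
        out.push('\n');
    }
    let digest = fnv1a64(out.as_bytes());
    (out, digest)
}

fn record(fields: &[(&str, Field)]) -> Record {
    fields.iter().map(|(k, v)| (k.to_string(), v.clone())).collect()
}

/// Constructed sample: the same two events built with different field
/// insertion orders and handed over in different arrival orders, as two
/// worker threads might deliver them.
pub fn sample_batches() -> (Vec<Record>, Vec<Record>) {
    let a = record(&[("seq", Field::Num(1)), ("type", Field::Str("dns".into())), ("qname", Field::Str("example.com".into()))]);
    let b = record(&[("seq", Field::Num(2)), ("type", Field::Str("tls".into())), ("ja3", Field::Str("abc123".into()))]);
    let a2 = record(&[("qname", Field::Str("example.com".into())), ("seq", Field::Num(1)), ("type", Field::Str("dns".into()))]);
    let b2 = record(&[("ja3", Field::Str("abc123".into())), ("type", Field::Str("tls".into())), ("seq", Field::Num(2))]);
    (vec![a, b], vec![b2, a2])
}

fn main() {
    let (mut run1, mut run2) = sample_batches();
    let (out1, h1) = emit_ndjson(&mut run1);
    let (out2, h2) = emit_ndjson(&mut run2);
    print!("{out1}");
    println!("run1 {h1:016x}\nrun2 {h2:016x} identical={}", out1 == out2);
}
```

Both batches serialize to the same two lines and the same digest. Swapping the BTreeMap for a HashMap breaks the guarantee immediately: Rust's HashMap seeds its hasher randomly per instance, so field order would differ between processes and the digest with it.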
Performance on Real Data
On the MAWI backbone dataset (14.9 million packets, a real-world traffic sample used by network researchers globally), SNF processes at roughly 155,000 packets per second on a single core, sustaining around 1.25 Gbps throughput; the whole trace takes about 96 seconds. On a 4-core VM it scales to 2.3x that with multi-worker mode.
What You Actually Get Out of a Run
One command. One PCAP. SNF writes structured output automatically, split by category and timestamped to the session.
Every run produces flows, devices, DNS, TLS fingerprints, IOC hits, threat matches, and a full session report in both NDJSON and CSV. No post-processing scripts. No manual export. Ready for SIEM import or court submission as-is.
The Open-Core Layer
The capture layer, flow reconstruction engine, and protocol parsers are open source under Apache 2.0 as snf-core on GitHub. The intelligence layer covering behavioral detection, fingerprinting, stealth mode, graph analysis, evidence bundles, SIEM export, and the threat databases is proprietary.
If you work in DFIR, ICS security, or blue team work in regulated environments, the repo is worth a look. Contributions to the open-core layer are welcome.
Website: https://shadownf.com
GitHub: https://github.com/padigeltejas/snf-core
LinkedIn: https://www.linkedin.com/company/snflabs/