Protocol Analysis-Decoder Framework

ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.

Note that ChopShop is still in perpetual beta and is dependent on libnids/pynids for the majority of its underlying functionality.

Documentation for ChopShop can be found on ReadTheDocs.

pynids is a python wrapper for libnids, a Network Intrusion Detection System library offering sniffing, IP defragmentation, TCP stream reassembly and TCP
port scan detection – Github.

Download from Github.

git clone

You can run ChopShop using a Docker container or install it directly onto the target machine (either system-wide or into a virtualenv). ChopShop requires Python 2.6 or 2.7.

Installation documentation for ChopShop can be found here.