Code-base to go with academic paper "REdiREKT: Extracting Malicious Redirections from Exploit Kit Traffic" available @ A short video presentation and tool demo can be found here:
REdiREKT uses Zeek to process PCAPs and maps HTTP redirections (header-based and content-based). A combination of HTTP, redirect and content-based features is extracted from each domain within a redirect chain and stored (SQLite/JSON/CSV) for future ML-based malware detection research.
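As an added illustration (not REdiREKT's own code), the Python sketch below reconstructs a redirect chain from constructed Zeek-style http.log records, distinguishing header-based hops (3xx + Location) from Referer-implied hops, and derives a few per-domain features of the kind described above; the `location` field is an assumption, since the stock Zeek http.log does not record it.

```python
# Added example, not REdiREKT's own code: map HTTP redirections from
# Zeek-style http.log records into a chain and extract per-domain features.
# The "location" field is assumed to come from a custom Zeek script.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: a page loads an ad, which bounces via a gate
# to a landing page. Values are made up for illustration only.
SAMPLE_LOG = [
    {"ts": 1.0, "host": "news.example", "uri": "/index.html", "status_code": 200,
     "referrer": "-", "location": "-"},
    {"ts": 1.2, "host": "ads.example", "uri": "/serve?id=7", "status_code": 302,
     "referrer": "http://news.example/index.html", "location": "http://gate.example/go"},
    {"ts": 1.3, "host": "gate.example", "uri": "/go", "status_code": 302,
     "referrer": "-", "location": "http://landing.example/ek.php"},
    {"ts": 1.5, "host": "landing.example", "uri": "/ek.php", "status_code": 200,
     "referrer": "-", "location": "-"},
]

def hostname(url):
    """Zeek writes '-' for an absent field; treat that as no host."""
    return urlparse(url).hostname if url != "-" else None

def build_chain(records):
    """Return time-ordered (src_host, dst_host, kind) redirect edges.
    kind is 'header' for a 3xx with Location, 'referer' for a hop implied
    by a Referer pointing at a different host."""
    edges = []
    for r in sorted(records, key=lambda r: r["ts"]):
        ref = hostname(r["referrer"])
        if ref and ref != r["host"]:
            edges.append((ref, r["host"], "referer"))
        loc = hostname(r["location"])
        if 300 <= r["status_code"] < 400 and loc and loc != r["host"]:
            edges.append((r["host"], loc, "header"))
    return edges

def domain_features(edges):
    """Per-domain features: depth in the chain (entry point = 0) and
    counts of redirects issued by type and received."""
    feats = defaultdict(lambda: {"depth": None, "out_header": 0,
                                 "out_referer": 0, "in": 0})
    for src, dst, kind in edges:
        if feats[src]["depth"] is None:
            feats[src]["depth"] = 0
        if feats[dst]["depth"] is None:
            feats[dst]["depth"] = feats[src]["depth"] + 1
        feats[src]["out_" + kind] += 1
        feats[dst]["in"] += 1
    return dict(feats)
```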
PCAPs HAVE NOT BEEN INCLUDED DUE TO SIZE: malicious PCAPs were sourced from and, each of which was manually analysed and test cases created. Benign PCAPs were generated with a custom Windows 10 honeypot (some code for this is also in the repo). If you want a ZIP copy of the verified malicious PCAPs, contact me directly.
I don't currently have much time to document the repo, but the code should be fairly well commented :) Any major issues/questions, then I'll do my best to help if time permits.
UPDATE: Added ML-Training folder with IPython Notebooks and feature sets, to go with academic paper "LSTM RNN: Detecting Exploit Kits using Redirection Chain Sequences" available @ They are a bit of a mess as I often didn't clean up previous cells and lost track of different tasks but hopefully it can still help some future researchers.
If you use some of the code/data in your work, please cite :)