# zeek
theopolis: Hey @mathias, I'm happy to review and help -- interactive reverse shells/tunnels, large exfil, media type + extension mismatch + active thereafter, NACL variants + iptables/filter state, file extended attributes and where_from fields
mathias: theopolis: Regarding your proposed scenarios:
* NACL variants + iptables/filter state: What do you mean here? I use Bro to detect the NACL variant used by an app, but for what purpose do I need the iptables/filter state here?
* file extended attributes and where_from: the intention would be to see where the files that are executed are coming from?
* Large Exfiltration: Why do I need a combination of Bro and osquery to detect this? Wouldn't Bro already be enough?