Shovel: leveraging Suricata for Attack-Defense CTF
Shovel is a traffic-analysis tool for Attack-Defense CTF games. It is free software (GPLv2) developed during ECSC Team France training. Its primary focus is to help CTF players analyze network flows so they can defend themselves during stressful, time-limited attack-defense events. Shovel has been used successfully by multiple teams during recent editions of FAUSTCTF, ENOWARS and the European Cybersecurity Challenge (ECSC).
During Attack-Defense Capture-the-Flag (CTF) competitions, teams are given machines to protect and may attack opponents' machines to score points. Efficient network analysis is essential to observe how services are being exploited and to write patches. Most top CTF teams have their own private tooling for network analysis.
Shovel leverages the Suricata intrusion detection system through a web interface. CTF players can explore Suricata dissections of various protocols such as HTTP, SMB, DNS and WebSocket in an easy-to-use interface. Using this information, players write Suricata rules to isolate attackers' traffic, then patch the vulnerabilities and/or block the attacks in the firewall.
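The workflow described above, with a defender-written rule producing an alert that is then correlated back to the flow it fired on, as an added example that is not part of the original page and not Shovel's own code. It assumes Suricata's EVE JSON output format (one JSON object per line with `event_type`, `flow_id`, `src_ip`, `dest_ip`, `dest_port` and an `alert`/`http`/`dns` sub-object), which is real Suricata output; the log lines, IP addresses, rule and service are constructed for the example, and the grouping logic is my own illustration of what a tool like Shovel has to do, not a description of Shovel's internals.

```python
import json

# Constructed Suricata rule (not from the page) that a defender might write once
# they notice another team hitting an endpoint the service should never expose.
# Its msg becomes alert.signature in the EVE output below:
#   alert http any any -> $HOME_NET 8080 (msg:"CTF notes service admin endpoint";
#     http.uri; content:"/api/admin/"; startswith; sid:1000001; rev:1;)

# Constructed eve.json lines. Field names follow Suricata's real EVE schema;
# every value (timestamps, flow ids, addresses, URLs) is made up.
SAMPLE_EVE = """\
{"timestamp":"2024-06-01T10:00:01.000000+0000","flow_id":1111,"event_type":"http","src_ip":"10.60.1.2","src_port":41000,"dest_ip":"10.60.0.5","dest_port":8080,"http":{"hostname":"10.60.0.5","url":"/api/notes?id=12","http_method":"GET","status":200}}
{"timestamp":"2024-06-01T10:00:02.000000+0000","flow_id":2222,"event_type":"http","src_ip":"10.60.9.9","src_port":52000,"dest_ip":"10.60.0.5","dest_port":8080,"http":{"hostname":"10.60.0.5","url":"/api/admin/export","http_method":"GET","status":200}}
{"timestamp":"2024-06-01T10:00:02.100000+0000","flow_id":2222,"event_type":"alert","src_ip":"10.60.9.9","src_port":52000,"dest_ip":"10.60.0.5","dest_port":8080,"alert":{"signature":"CTF notes service admin endpoint","signature_id":1000001,"severity":1}}
{"timestamp":"2024-06-01T10:00:03.000000+0000","flow_id":3333,"event_type":"dns","src_ip":"10.60.1.2","src_port":5353,"dest_ip":"10.60.0.53","dest_port":53,"dns":{"type":"query","rrname":"example.test"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def group_flows(events):
    """Group events by Suricata flow_id and attach alert signatures to their flow.

    Suricata emits the alert as its own event sharing the flow_id of the
    protocol events it was raised on, so flow_id is the join key.
    """
    flows = {}
    for ev in events:
        flow = flows.setdefault(ev["flow_id"], {
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "dest_port": ev["dest_port"],
            "events": [],   # protocol dissections (http, dns, ...)
            "alerts": [],   # signatures that fired on this flow
        })
        if ev["event_type"] == "alert":
            flow["alerts"].append(ev["alert"]["signature"])
        else:
            flow["events"].append(ev)
    return flows


def flagged_flows(flows):
    """flow_ids carrying at least one alert: the flows a player should open first."""
    return sorted(fid for fid, f in flows.items() if f["alerts"])


def attacker_sources(flows):
    """Distinct source IPs seen on flagged flows, a starting list for firewall blocking."""
    return sorted({f["src_ip"] for f in flows.values() if f["alerts"]})


def summarize(flows):
    """One line per flow, with alert signatures appended so flagged flows stand out."""
    lines = []
    for fid, f in sorted(flows.items()):
        protos = ", ".join(sorted({e["event_type"] for e in f["events"]})) or "-"
        tag = "  !! " + "; ".join(f["alerts"]) if f["alerts"] else ""
        lines.append(f"flow {fid}: {f['src_ip']} -> {f['dest_ip']}:{f['dest_port']} [{protos}]{tag}")
    return lines


if __name__ == "__main__":
    flows = group_flows(parse_eve(SAMPLE_EVE))
    print("\n".join(summarize(flows)))
    print("flagged flows:", flagged_flows(flows))
    print("sources to review:", attacker_sources(flows))
```

Grouping by `flow_id` rather than by 5-tuple is the design choice worth noting: Suricata already assigns the id on both the dissection and the alert events, so the correlation is a dictionary lookup and survives port reuse across rounds. Once a rule reliably isolates the hostile flows, the same `attacker_sources` list is what feeds the firewall block, while the `events` list on the flagged flow shows the exact request to patch against.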
Shovel aims to provide an open-source baseline that improves the overall CTF tooling ecosystem while encouraging people to learn Suricata and contribute back to it.