Real-time network monitoring system using Zeek and Suricata to detect malicious traffic patterns, C2 communications, and data exfiltration attempts.
Network-based attacks often go undetected because organizations lack visibility into their traffic patterns. Traditional firewalls miss sophisticated threats that blend with legitimate traffic.
**Components:**

- Zeek (formerly Bro) for protocol analysis and logging
- Suricata for signature-based IDS
- Filebeat for log shipping
- Elasticsearch for log storage and search
- Grafana dashboards for visualization
- Python scripts for custom analysis

**Network Tap Setup:**

1. Span port configured on core switch
2. Dedicated monitoring interface on analysis server
3. Traffic mirroring for full packet capture
4. Zeek + Suricata running in parallel
**Detection Categories:**

1. **C2 Detection**
   - DNS tunneling (high entropy domains, excessive queries)
   - Beaconing patterns (regular interval connections)
   - Known bad IP/domain reputation checks
   - Unusual port usage for protocols
2. **Data Exfiltration**
   - Large outbound transfers during off-hours
   - Connections to file sharing services
   - Encrypted traffic to unknown destinations
   - DNS TXT record abuse
3. **Lateral Movement**
   - SMB/RPC traffic between workstations
   - Kerberos anomalies (Golden/Silver ticket indicators)
   - RDP from unexpected sources
   - WMI remote execution patterns

**Custom Zeek Scripts:**

- JA3/JA3S fingerprinting for TLS analysis
- HTTP header anomaly detection
- File extraction and hash checking
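The two C2 indicators listed first above, regular-interval beaconing and high-entropy DNS labels, are the kind of check the custom Python analysis scripts run over Zeek output. The script below is an added example, not one of the project's own scripts: it parses Zeek conn.log records in JSON form (real Zeek field names `ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`), scores each source/destination pair by how regular its connection gaps are, and flags DNS query names whose leftmost label looks like encoded data. The hosts, timestamps, domain names and thresholds are constructed assumptions.

```python
import json
import math
import statistics
from collections import Counter, defaultdict

# Constructed Zeek conn.log records (JSON log format). Hosts and times are
# hypothetical: one host connects every 60 s (beacon-like), the other at
# irregular, human-looking intervals.
SAMPLE_CONN_LOG = "\n".join(
    json.dumps({"ts": 1700000000.0 + i * 60.0, "id.orig_h": "10.0.0.5",
                "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp"})
    for i in range(12)
) + "\n" + "\n".join(
    json.dumps({"ts": 1700000000.0 + t, "id.orig_h": "10.0.0.7",
                "id.resp_h": "198.51.100.20", "id.resp_p": 443, "proto": "tcp"})
    for t in (3.0, 95.0, 400.0, 410.0, 1800.0, 1810.0,
              2500.0, 2600.0, 5000.0, 5100.0, 9000.0, 9500.0)
)

# Constructed DNS query names: ordinary hostnames plus one tunnel-style label.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "4kq9z2xm7vb3ln8wc5jh1tg6ry0pd3fs.tunnel.example",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.net",  # long but low entropy
]


def parse_conn_log(text):
    """Parse newline-delimited JSON conn.log records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a torn line at a log rotation boundary should not abort
    return records


def beacon_candidates(records, min_connections=8, max_cv=0.2):
    """Group connections by (src, dst, port) and measure gap regularity.

    The coefficient of variation (stdev / mean) of inter-arrival times is near
    zero for a fixed-interval beacon and grows with jitter or human activity.
    max_cv is an assumed tuning knob; raise it to tolerate jittered beacons.
    """
    groups = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        groups[key].append(float(r["ts"]))
    results = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        results[key] = {"count": len(times), "mean_interval": mean,
                        "cv": cv, "beacon": cv <= max_cv}
    return results


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns_labels(queries, entropy_threshold=3.5, min_len=20):
    """Flag queries whose leftmost label is both long and high-entropy,
    the shape base32/base64-encoded tunnel payloads take. Thresholds assumed."""
    flagged = []
    for q in queries:
        label = q.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold:
            flagged.append(q)
    return flagged


if __name__ == "__main__":
    for key, info in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(key, info)
    print(suspicious_dns_labels(SAMPLE_QUERIES))
```

In production the same two functions would read the live `conn.log` and `dns.log` that Zeek writes, and the thresholds would be set from the baseline traffic of the monitored network rather than the assumed values here; the `min_connections` floor is what keeps one-off connections from scoring as beacons.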
Detected simulated APT activity within 3 minutes including C2 beaconing and lateral movement. Created 15+ custom Zeek scripts for organization-specific detections. Reduced false positive rate by 60% through baseline tuning.