Network Monitoring with Zeek

Premium room

Use Zeek logs to trace beaconing, DNS tunnelling, exfiltration, and noisy detections.

medium

90 min

The Snort rules from the previous room, Detection Engineering with Snort, are now firing on the Finance subnet. Every new beacon from WKST-FINANCE-04 to the AS44477 infrastructure triggers an alert, indicating that the detection layer has finally caught up to where the attacker has been operating.

What detection cannot do is fill in the hours that came before. The Cobalt Strike beacon from 10.14.22.88 had been running since 02:38 UTC on 2025-11-14, and the 5.3 MB HTTP POST to 185.213.154.201 happened at 03:15 UTC. Snort started watching only after the rules were loaded, which means everything that happened before that point is sitting in a gap, waiting for us to read it.

The Finance subnet perimeter includes a Zeek sensor. Zeek is a passive network monitor that watches, parses, and writes structured log entries for every connection, every DNS query, every TLS handshake, and every file transfer it sees. Each protocol analyser produces its own log file, and every entry from the same network session shares a unique identifier called a uid. An analyst who follows that uid across the log set can reconstruct the entire session without ever touching a packet, and that is the investigative pattern this room will teach.
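The uid pivot described above, as an added example that is not part of the room: the room itself uses zeek-cut and standard Unix tools, and this Python stands in for them so the pattern can be run anywhere. The two logs are constructed samples in Zeek's TSV layout that follow the scenario above; the uids, ports, URIs and timestamps are made up.

```python
# Added example (not the room's own code): a minimal zeek-cut-style reader that
# parses Zeek TSV logs and pivots on a uid across conn.log and http.log.
# Both logs are constructed samples; uids, ports, URIs and timestamps are made up.
CONN_LOG = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount
1763090100.000000\tCxWXMJ3f5gHkQhA1bN\t10.14.22.88\t49812\t185.213.154.201\t80\ttcp\thttp\t5557452\t1183
1763090160.000000\tCq9L2s1uTyv7Kd0RpE\t10.14.22.88\t49813\t185.213.154.201\t80\ttcp\thttp\t312\t1183
#close\t2025-11-14-03-20-00
"""
HTTP_LOG = """#separator \\x09
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\trequest_body_len\tresp_mime_types
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tcount\tvector[string]
1763090100.000000\tCxWXMJ3f5gHkQhA1bN\t10.14.22.88\t185.213.154.201\tPOST\t185.213.154.201\t/upload\t5557452\ttext/html
1763090160.000000\tCq9L2s1uTyv7Kd0RpE\t10.14.22.88\t185.213.154.201\tGET\t185.213.154.201\t/index.html\t0\t-
"""

def parse_zeek_tsv(text):
    """Parse one Zeek TSV log into dicts keyed by the names in its #fields line.
    Zeek writes '-' for unset fields; those become None."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #path, #types, #close)
        else:
            values = [None if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records

def zeek_cut(records, *names):
    """Project records onto the named columns, like `zeek-cut ts uid id.resp_h`."""
    return [tuple(r.get(n) for n in names) for r in records]

def large_posts(http_records, min_bytes):
    """uids of HTTP POSTs whose request body is at least min_bytes (exfil hunting)."""
    return [r["uid"] for r in http_records
            if r["method"] == "POST" and int(r["request_body_len"]) >= min_bytes]

def pivot_uid(uid, **logs):
    """Gather every entry sharing a uid across the given logs, keyed by log name."""
    return {name: [r for r in recs if r["uid"] == uid] for name, recs in logs.items()}

if __name__ == "__main__":
    conn, http = parse_zeek_tsv(CONN_LOG), parse_zeek_tsv(HTTP_LOG)
    for uid in large_posts(http, 1_000_000):  # flag POST bodies of 1 MB or more
        print(uid, pivot_uid(uid, conn=conn, http=http))
```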

Learning Objectives

In this room, we will:

  • Read conn.log, dns.log, http.log, ssl.log, and files.log with zeek-cut and standard Unix tools.
  • Recognise beaconing, DNS tunnelling, MIME mismatches, and certificate anomalies in structured logs.
  • Follow a uid across log types to reconstruct a complete network session.
  • Read and modify a Zeek script that uses the Notice framework to fire on custom conditions.

Prerequisites

It is expected that you have gone through or explored the following rooms and topics before starting this room:

Lab Setup

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Click the Start Machine button shown above, and give the lab about 3 minutes to start. Once connected, open the terminal. We land in our home directory, /home/ubuntu, where every lab artefact is laid out as follows:

  • logs/: the six pre-generated Zeek logs (conn.log, dns.log, http.log, ssl.log, files.log, notice.log)
  • pcaps/finance-sensor.pcap: the upstream packet capture behind those logs
  • scripts/dns_notice.zeek: the starter detection script we will edit later in the room
  • threat-feed.csv: the reference threat feed used in the file-hash exercise

Every command in this room runs from /home/ubuntu, so we will reference these artefacts using relative paths such as logs/conn.log, pcaps/finance-sensor.pcap, and threat-feed.csv.

Let us begin our investigation.

Answer the questions below

Connect to the machine.