Why Protocol-Level Visibility Matters
Endpoint logs tell you what happened on the host. Network logs tell you who the host talked to and what was transferred. Zeek and Suricata are the two tools I deploy on every network tap.
Zeek for Protocol Logging
# Run Zeek on a PCAP
zeek -r suspicious_traffic.pcap
# Key log files:
# conn.log — all connections
# dns.log — all DNS queries and responses
# http.log — HTTP requests
# ssl.log — TLS metadata (JA3 hashes, SNI)
# files.log — extracted file metadata
Hunting C2 Beaconing in conn.log
# Count connections per source/destination pair; a host that keeps
# reconnecting to the same responder floats to the top of the list
zeek-cut id.orig_h id.resp_h < conn.log | \
sort | uniq -c | sort -rn | head -20
Legitimate traffic is bursty. C2 beacons call back at consistent intervals, so a pair with a high connection count and little variation in the time between connections deserves a closer look (most implants add jitter, so look for low variance rather than identical gaps).
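The count above finds chatty pairs; the interval test it hints at is the stronger signal. This added example (mine, not from the original post) computes the gaps between successive connections for each source/destination pair and keeps only pairs whose gap timing is regular. It assumes the three columns `ts id.orig_h id.resp_h` from `zeek-cut`; the sample lines and the function name `beacon_candidates` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: rank src/dst pairs in conn.log by how
# regular the gaps between their connections are. Input is the three columns
# produced by: zeek-cut ts id.orig_h id.resp_h < conn.log

# Constructed sample input (timestamps are Zeek epoch seconds). The first pair
# calls back every ~60 s; the second is bursty interactive traffic.
SAMPLE='1700000000.10 10.0.0.5 203.0.113.9
1700000001.00 10.0.0.7 198.51.100.4
1700000001.40 10.0.0.7 198.51.100.4
1700000002.10 10.0.0.7 198.51.100.4
1700000055.00 10.0.0.7 198.51.100.4
1700000056.00 10.0.0.7 198.51.100.4
1700000060.12 10.0.0.5 203.0.113.9
1700000120.10 10.0.0.5 203.0.113.9
1700000180.11 10.0.0.5 203.0.113.9
1700000240.10 10.0.0.5 203.0.113.9
1700000300.00 10.0.0.7 198.51.100.4'

# beacon_candidates MIN_CONNS MAX_CV
# Reads "ts orig_h resp_h" on stdin and prints "orig_h resp_h count mean_gap cv"
# for pairs with at least MIN_CONNS connections whose inter-connection gaps have a
# coefficient of variation (stddev / mean) of at most MAX_CV. Low CV = regular timing.
beacon_candidates() {
    sort -k1,1n | awk -v min="$1" -v maxcv="$2" '
    {
        key = $2 " " $3
        cnt[key]++
        if (key in prev) {
            gap = $1 - prev[key]
            n[key]++; sum[key] += gap; sumsq[key] += gap * gap
        }
        prev[key] = $1
    }
    END {
        for (key in cnt) {
            if (cnt[key] < min || n[key] < 1) continue
            mean = sum[key] / n[key]
            if (mean <= 0) continue
            var = sumsq[key] / n[key] - mean * mean   # population variance
            if (var < 0) var = 0                       # guard float round-off
            cv = sqrt(var) / mean
            if (cv <= maxcv) printf "%s %d %.3f %.4f\n", key, cnt[key], mean, cv
        }
    }'
}

# Demo on the constructed sample: only the 60 s caller should survive.
printf '%s\n' "$SAMPLE" | beacon_candidates 4 0.2
```

On a real tap, feed it with `zeek-cut ts id.orig_h id.resp_h < conn.log | beacon_candidates 20 0.1` and raise MIN_CONNS on busy networks so NTP, update checks and monitoring pollers can be allow-listed rather than drowning the list.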
Suricata for Signature Detection
suricata-update
systemctl restart suricata
tail -f /var/log/suricata/fast.log
JA3 for TLS Fingerprinting
# ja3/ja3s columns come from the Zeek JA3 package; the base ssl.log does not carry them
# -F treats the hash list as fixed strings, -w avoids partial matches
zeek-cut ja3 ja3s id.orig_h id.resp_h < ssl.log | \
grep -Fwf known_malicious_ja3.txt
Defensive Takeaways
- Zeek logs without alerting — they are your forensic record after the fact
- Suricata rules need tuning — enable one rule set at a time, measure FP rate
- JA3 hashes fingerprint TLS clients regardless of encryption; great for C2 detection
- Ship Zeek logs to your SIEM within 5 minutes — stale data misses active intrusions