skill request: network security — Zeek for network traffic analysis and threat detection #24

@skyopsai

Summary

The incident-response category covers endpoint forensics (osquery, Velociraptor) but lacks network-layer analysis beyond raw packet capture (tshark in offsec). Zeek (formerly Bro) is the standard open-source network security monitor used by enterprise SOCs and academic security teams. It transforms raw pcap into structured, queryable logs covering every protocol — enabling threat hunting, anomaly detection, and compliance logging without storing full packet captures.

Requested Skill: incident-response/detection-zeek

What to Cover

Core workflows:

1. Live traffic monitoring — run Zeek on a network interface and generate structured logs

   ```bash
   zeek -i eth0 local
   # Produces: conn.log, dns.log, http.log, ssl.log, files.log, weird.log, notice.log
   ```

2. Offline pcap analysis — analyze captured traffic for incident investigation

   ```bash
   zeek -r capture.pcap local
   zeek -r capture.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
   ```

3. Threat hunting queries with zeek-cut

   ```bash
   # Find all DNS queries to suspicious TLDs
   zeek-cut query < dns.log | grep -E '\.(xyz|tk|ml|ga)$' | sort | uniq -c | sort -rn

   # Identify long-duration connections (C2 beaconing indicator)
   zeek-cut id.orig_h id.resp_h duration < conn.log | awk '$3 > 3600' | sort -k3 -rn

   # Extract all HTTP user agents
   zeek-cut user_agent < http.log | sort | uniq -c | sort -rn | head -20

   # Find files downloaded from external IPs
   zeek-cut source tx_hosts rx_hosts filename md5 < files.log | grep -v "^SSL"
   ```

4. Custom detection scripts — write Zeek scripts to detect specific MITRE ATT&CK techniques

   ```zeek
   # Detect DNS tunneling (large DNS queries)
   @load base/frameworks/notice
   module DNS;
   # A Notice::Type must be declared before NOTICE() can raise it
   export { redef enum Notice::Type += { Tunneling_Suspected }; }

   # Current Zeek releases pass a sixth parameter, original_query; drop it on older versions
   event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string) {
       if (|query| > 50)
           NOTICE([$note=DNS::Tunneling_Suspected,
                   $msg=fmt("Long DNS query: %s (%d chars)", query, |query|),
                   $conn=c]);
   }
   ```

5. Integration with Sigma rules — convert Sigma network rules to Zeek scripts

   ```bash
   sigma convert -t zeek rules/network/dns-tunneling.yml > zeek-scripts/dns-tunneling.zeek
   ```
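A schema-aware version of the long-connection hunt from workflow 3, added here as an example (it is not part of the original request, nor a Zeek or zeek-cut component). It resolves columns from the `#fields` header instead of fixed positions and skips Zeek's `-` unset marker; the conn.log it reads is constructed inline.

```shell
# Constructed sample conn.log in Zeek's TSV layout (not real traffic); the
# "-" duration on the third row is Zeek's unset marker for a never-completed connection.
sample_conn_log() {
  printf '#separator \\x09\n'
  printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\n'
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\n'
  printf '1700000000.000000\tCAbc1\t10.0.0.5\t51234\t203.0.113.9\t443\ttcp\tssl\t7205.31\t1200\t9000\n'
  printf '1700000001.000000\tCAbc2\t10.0.0.6\t51235\t198.51.100.7\t80\ttcp\thttp\t12.5\t300\t4000\n'
  printf '1700000002.000000\tCAbc3\t10.0.0.7\t51236\t203.0.113.9\t443\ttcp\t-\t-\t-\t-\n'
  printf '1700000003.000000\tCAbc4\t10.0.0.8\t51237\t192.0.2.44\t22\ttcp\tssh\t4000.0\t50000\t2000\n'
  printf '#close\t2023-11-14-22-14-00\n'
}

# long_conns THRESHOLD_SECONDS < conn.log
# Same hunt as `zeek-cut id.orig_h id.resp_h duration | awk '$3 > 3600'`, but the
# column positions come from the #fields header (so a changed field order does not
# silently select the wrong column) and unset ("-") durations are skipped explicitly.
long_conns() {
  awk -F'\t' -v thr="$1" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }                        # remaining header/footer lines
    {
      d = $(col["duration"])
      if (d == "-") next                       # never completed: nothing to judge
      if (d + 0 > thr + 0)
        printf "%s %s %s\n", $(col["id.orig_h"]), $(col["id.resp_h"]), d
    }' | sort -k3 -rn
}

sample_conn_log | long_conns 3600
```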

Key Zeek Log Types and What They Reveal

| Log | What it contains | Threat hunting use |
|---|---|---|
| conn.log | Every network connection (duration, bytes, state) | Long-lived C2 connections, port scans |
| dns.log | All DNS queries and responses | DNS tunneling, DGA domains, C2 beaconing |
| http.log | HTTP requests (URI, user-agent, response code) | Web shells, malware downloads, credential theft |
| ssl.log | TLS handshakes (SNI, cert info, version) | Expired certs, weak ciphers, suspicious SNI |
| files.log | File transfers (MD5/SHA1, MIME type, size) | Malware delivery, data exfiltration |
| notice.log | Zeek-generated alerts | Scanning, policy violations |
| weird.log | Protocol anomalies | Evasion attempts, malformed packets |

Frameworks

  • MITRE ATT&CK (TA0011 C2, TA0010 Exfiltration, TA0043 Reconnaissance)
  • NIST SP 800-94 (Guide to Intrusion Detection and Prevention Systems)
  • PCI-DSS Req 10.6 (review logs for anomalies), Req 11.4 (IDS/IPS)
  • SOC2 CC7.2 (Monitor System Components)

Relationship to Existing Skills
