Module 5: Network Detection & Forensics
Attacks cross the network. Catch them and dissect them.
Lessons
What NIDS Sees
Sensor placement, network visibility, protocol metadata, where NIDS fits in defense-in-depth
Suricata Rules & EveBox
Rule anatomy (action, header, options), severity categories, navigating alerts in EveBox
Protocol Analysis: HTTP, TLS & SMB
Normal vs suspicious traffic patterns, User-Agents, JA3 fingerprints, SMB lateral movement indicators
DNS as a Weapon
DNS tunneling, DGA domains, DNS over HTTPS, entropy analysis
Network + SIEM Correlation
Same attack from two perspectives — correlating network and endpoint alerts into a unified timeline
PCAP Analysis with Wireshark
Wireshark fundamentals, display filters, following TCP streams, protocol hierarchy, hands-on PCAP analysis
Network Forensics: File Extraction & C2 Detection
Extracting files from PCAPs, identifying C2 beacon patterns, DNS forensics, building network forensic timelines
Labs
Lab 3.1 — Network Alert Triage
Triage 49 pre-loaded Suricata alert groups from Operation Wire Tap. Classify alerts as True Positive, False Positive, or Informational using professional SOC methodology.
Lab 3.2 — Read a Suricata Rule
Analyze 5 Suricata rules from the Operation Wire Tap scenario — understanding header fields, content matching, flow keywords, PCRE, thresholds, and classtypes.
Lab 3.3 — Suspicious DNS
Investigate DNS-based threats from Operation Wire Tap — tunneling indicators, malicious domain queries, and DNS-based C2 patterns using EveBox.
Lab 3.4 — Two Views, One Attack
Correlate network IDS (Suricata/EveBox) and SIEM (Wazuh) data to reconstruct the full Operation Wire Tap kill chain from two complementary detection perspectives.
Lab 3.5 — PCAP Analysis with Wireshark
Analyze packet captures from Operation Wire Tap using tshark — examine TCP handshakes, extract SQL injection payloads, identify DNS tunneling, and profile C2 beacon traffic.
Lab 3.6 — Network Forensics Challenge
Challenge lab with minimal guidance — independently investigate Operation Wire Tap, extract IOCs, build a timeline, and write a professional Network Forensics Analyst Report.