Module 6: Network Detection & Forensics

Attacks cross the network. Catch them and dissect them.

Tools: Suricata + EveBox, Wireshark / tshark

8 Lessons, 7 Hands-on Labs
Operation Shadow Broker Thread

You'll see the same C2 callback (update-service.darknet.top) that Wazuh detected — now from Suricata's network perspective.

Lessons & Labs

What NIDS Sees

Sensor placement, network visibility, protocol metadata, where NIDS fits in defense-in-depth

Lab 6.1 — Network Alert Triage

Categorize 25+ Suricata alerts across 5 categories: scan/recon, exploit, C2, DNS anomaly, policy violation. Escalate the 5 most critical.

Intermediate

Suricata Rules & EveBox

Rule anatomy (action, header, options), severity categories, navigating alerts in EveBox

Lab 6.2 — Read a Suricata Rule

Analyze a C2 detection rule keyword-by-keyword, find the matching alert in EveBox, then modify the rule to catch a second C2 pattern.

Intermediate

Protocol Analysis: HTTP, TLS & SMB

Normal vs suspicious traffic patterns, User-Agents, JA3 fingerprints, SMB lateral movement indicators

DNS as a Weapon

DNS tunneling, DGA domains, DNS over HTTPS, entropy analysis

Lab 6.3 — Suspicious DNS

Hunt DNS tunneling, DGA domains, and suspicious TLDs in EveBox. Calculate subdomain entropy and explain why each domain is suspicious.

Intermediate

Network + SIEM Correlation

Same attack from two perspectives — correlating network and endpoint alerts into a unified timeline

Lab 6.4 — Two Views, One Attack

The same attack generates both Suricata network alerts and Wazuh endpoint alerts. Correlate them by timestamp, IP, and hostname into a unified kill-chain timeline.

Advanced

PCAP Analysis with Wireshark

Wireshark fundamentals, display filters, following TCP streams, protocol hierarchy, hands-on PCAP analysis

Lab 6.5 — PCAP Analysis with Wireshark

Open a PCAP in Wireshark/tshark. Follow TCP streams, extract HTTP objects, identify C2 beacons, and build a network forensic timeline.

Intermediate

Network Forensics: File Extraction & C2 Detection

Extracting files from PCAPs, identifying C2 beacon patterns, DNS forensics, building network forensic timelines

Lab 6.6 — Network Forensics Challenge

Given a PCAP from a compromised network: extract exfiltrated files, identify the C2 channel, calculate beacon intervals, and map the full attack chain.

Advanced

tcpdump: The Command-Line Packet Analyzer

CLI packet capture when no GUI is available — BPF filters, reading output, common one-liners, writing PCAPs for Wireshark

Lab 6.7 — tcpdump Capture Challenge

Use tcpdump to capture DNS traffic, isolate a suspicious IP, extract HTTP requests, and identify a C2 beacon from raw packet output.

Intermediate