Network Forensics with Zeek in 2024: Pivots That Actually Find C2
Cybersecurity
Zeek's conn.log, dns.log, ssl.log and http.log are the four most useful files in DFIR, and most teams underuse them. JA3 and JA4 pivots, TLS fingerprinting, and the C2 patterns I find by hand on real incidents.
By Arjun Raghavan, Security & Systems Lead, BIPI · July 6, 2024 · 8 min read
Zeek (formerly Bro) is the most underrated piece of DFIR plumbing in most enterprises. A sensor at every egress point, writing to a central log store, produces four files that answer most network questions you will ever ask: who talked to whom (conn.log), who resolved what (dns.log), what TLS sessions were negotiated (ssl.log), and what HTTP requests crossed the wire (http.log). You do not need a vendor NDR to do real network forensics. You need Zeek, a query tool, and a habit of looking.
conn.log is your single source of truth
Every flow you care about lives in conn.log. The fields that matter on day one: id.orig_h, id.resp_h, id.resp_p, service, duration, orig_bytes, resp_bytes, conn_state. Pivot on long-duration connections to non-corporate destinations; pivot on flows with sub-kilobyte orig_bytes but multi-megabyte resp_bytes (download); pivot on the inverse for exfil. The conn_state field tells you whether the handshake completed (SF), was rejected (REJ), or was attempted with no reply at all (S0, the signature of a scan). Beaconing shows up as many SF flows of similar duration to the same destination at regular intervals.
RITA and AC-Hunter, both built on Zeek logs, automate the beacon-scoring math. If you cannot deploy either, a notebook that bins inter-arrival times per (src, dst, dst_port) tuple and flags low-variance distributions will catch the same thing.
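The beacon-scoring notebook described above, as an added example rather than code from the post, RITA or AC-Hunter: it parses Zeek's default TSV conn.log, groups completed (SF) flows per (src, dst, dst_port) tuple, and flags tuples whose inter-arrival times have a low coefficient of variation. The log excerpt is constructed and trimmed to the columns used; the thresholds (five flows, CV of 0.2) are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict


def parse_zeek(text):
    """Parse Zeek's default TSV: the #fields line names the columns, other #-lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _conn_line(ts, uid, orig_h, resp_h, resp_p, duration, orig_bytes, resp_bytes, state):
    # Build one constructed conn.log line (a subset of Zeek's real columns).
    return "\t".join(map(str, [ts, uid, orig_h, 50000, resp_h, resp_p, "tcp", "ssl",
                               duration, orig_bytes, resp_bytes, state]))


# Constructed conn.log excerpt, not real traffic. Timestamps are Unix epoch seconds.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    # 10.0.0.5 -> 203.0.113.7:443 about every 60 s with small jitter: a beacon
    _conn_line(1720000000.10, "C1", "10.0.0.5", "203.0.113.7", 443, 0.52, 812, 1460, "SF"),
    _conn_line(1720000060.40, "C2", "10.0.0.5", "203.0.113.7", 443, 0.49, 815, 1460, "SF"),
    _conn_line(1720000119.95, "C3", "10.0.0.5", "203.0.113.7", 443, 0.55, 812, 1462, "SF"),
    _conn_line(1720000180.30, "C4", "10.0.0.5", "203.0.113.7", 443, 0.51, 812, 1460, "SF"),
    _conn_line(1720000240.05, "C5", "10.0.0.5", "203.0.113.7", 443, 0.50, 818, 1460, "SF"),
    _conn_line(1720000300.60, "C6", "10.0.0.5", "203.0.113.7", 443, 0.53, 812, 1461, "SF"),
    _conn_line(1720000360.20, "C7", "10.0.0.5", "203.0.113.7", 443, 0.52, 812, 1460, "SF"),
    _conn_line(1720000419.80, "C8", "10.0.0.5", "203.0.113.7", 443, 0.48, 813, 1460, "SF"),
    # 10.0.0.5 -> 198.51.100.20:443 at irregular times: ordinary browsing
    _conn_line(1720000005.00, "C9", "10.0.0.5", "198.51.100.20", 443, 3.10, 4200, 310000, "SF"),
    _conn_line(1720000012.50, "C10", "10.0.0.5", "198.51.100.20", 443, 1.20, 1900, 88000, "SF"),
    _conn_line(1720000130.00, "C11", "10.0.0.5", "198.51.100.20", 443, 0.90, 1100, 52000, "SF"),
    _conn_line(1720000131.20, "C12", "10.0.0.5", "198.51.100.20", 443, 6.40, 9800, 910000, "SF"),
    _conn_line(1720000400.00, "C13", "10.0.0.5", "198.51.100.20", 443, 0.70, 1000, 40000, "SF"),
    # 10.0.0.9 -> 203.0.113.7:445 with no reply: a scan, excluded by conn_state
    _conn_line(1720000050.00, "C14", "10.0.0.9", "203.0.113.7", 445, 0.0, 0, 0, "S0"),
])


def score_beacons(rows, min_flows=5, max_cv=0.2):
    """Per (src, dst, dst_port): mean inter-arrival gap and its coefficient of variation.

    A tuple is marked as a beacon when it has at least min_flows completed flows and the
    gaps between them vary by no more than max_cv of the mean (assumed thresholds)."""
    stamps_by_tuple = defaultdict(list)
    for r in rows:
        if r["conn_state"] == "SF":  # only completed handshakes carry a real session
            stamps_by_tuple[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    results = {}
    for key, stamps in stamps_by_tuple.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        results[key] = {"flows": len(stamps), "mean_gap": round(mean, 1),
                        "cv": round(cv, 3), "beacon": cv <= max_cv}
    return results


if __name__ == "__main__":
    for key, stats in score_beacons(parse_zeek(CONN_LOG)).items():
        print(key, stats)
```

Inter-arrival variance alone is not proof: cloud agents, NTP and monitoring checks are perfectly regular too, so the flagged tuples still need the destination baseline (known update servers, corporate SaaS) applied before anyone is paged.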
DNS is where attackers underestimate you
dns.log captures every resolution, including the ones operators forget about: AAAA records for IPv6 destinations, TXT records used as covert channels, and NXDOMAIN responses for typosquatted infrastructure. DGA-driven malware lights up the query column with high-entropy names. Cobalt Strike's default malleable profiles, before customisation, leak signature patterns in subdomain length. Even commodity remote-access trojans tend to resolve a small fixed set of dynamic-DNS providers (no-ip, duckdns, dyndns) that should be filtered as a baseline hunt.
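A first-pass dns.log hunt for the three patterns above, written as an added example and not as code from the post: Shannon entropy of the hunted part of the name for DGA candidates, a seed list of dynamic-DNS suffixes as the baseline filter, and tags for TXT lookups and NXDOMAIN answers so they can be correlated per host. The records are constructed, the suffix list is a starting point, and the entropy and length thresholds are assumptions.

```python
import math
from collections import Counter

# Seed list of dynamic-DNS suffixes for the baseline hunt; extend it from your own observations.
DYNDNS_SUFFIXES = ("no-ip.com", "no-ip.org", "ddns.net", "duckdns.org", "dyndns.org")

# Constructed dns.log records (only the fields used here), not real traffic.
DNS_ROWS = [
    {"id.orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A", "rcode_name": "NOERROR"},
    {"id.orig_h": "10.0.0.5", "query": "x7k2qv9pz1mwbe4.example.net", "qtype_name": "A", "rcode_name": "NXDOMAIN"},
    {"id.orig_h": "10.0.0.8", "query": "update.duckdns.org", "qtype_name": "A", "rcode_name": "NOERROR"},
    {"id.orig_h": "10.0.0.8", "query": "agent01.no-ip.org", "qtype_name": "TXT", "rcode_name": "NOERROR"},
    {"id.orig_h": "10.0.0.9", "query": "mail.corp.example.com", "qtype_name": "AAAA", "rcode_name": "NOERROR"},
]


def shannon_entropy(s):
    """Bits per character of the string; random-looking DGA labels score close to log2(alphabet)."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def hunted_labels(query):
    """Everything left of the last two labels. Crude on public suffixes like co.uk, fine for a hunt."""
    labels = query.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else labels[0]


def triage_dns(rows, min_entropy=3.5, min_len=12):
    """Return (client, query, reasons) for every record that trips at least one rule."""
    findings = []
    for r in rows:
        query = r["query"].lower().rstrip(".")
        reasons = []
        if any(query == s or query.endswith("." + s) for s in DYNDNS_SUFFIXES):
            reasons.append("dynamic-dns")
        host = hunted_labels(query)
        if len(host) >= min_len and shannon_entropy(host) >= min_entropy:
            reasons.append("high-entropy")
        if r["rcode_name"] == "NXDOMAIN":
            reasons.append("nxdomain")  # pile-ups of these per client are the DGA and typosquat tell
        if r["qtype_name"] == "TXT":
            reasons.append("txt")  # TXT from a workstation is rare enough to review
        if reasons:
            findings.append((r["id.orig_h"], query, reasons))
    return findings


if __name__ == "__main__":
    for client, query, reasons in triage_dns(DNS_ROWS):
        print(client, query, reasons)
```

The entropy rule will also hit CDN and cloud hostnames, which are long and random by design; those belong in an allowlist keyed on the registered domain, not in a raised threshold that would let the real DGA names through.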
TLS fingerprinting with JA3 and JA4
ssl.log carries JA3 (and now JA4) hashes of the client TLS fingerprint. Two facts make this powerful: most malware families ship with a TLS stack that produces a stable hash across versions, and most legitimate browsers produce hashes that change only with major version bumps. Maintain a known-bad JA3/JA4 list (abuse.ch SSLBL is a good seed) and a known-good baseline of your own corporate browsers and tools. Anything that does not match either list is a candidate.
JA4 is the 2023 successor and disambiguates more cleanly than JA3, particularly across QUIC and TLS 1.3. If you have not enabled JA4 emission in Zeek yet, do it; the rule packs that exist now will outlive your current malware feed.
http.log for the cleartext that remains
Most C2 is TLS now, but the cleartext that remains in http.log is still loud. User-Agent strings that match no real browser, POST-only URIs, requests with no Referer, requests whose URI matches the beacon checksum patterns of known frameworks (Cobalt Strike, Sliver, Mythic). Filter http.log on host, user_agent, uri and you will surface the long tail of badly configured droppers and update-checks that pretty much every commodity threat actor still relies on.
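The http.log filter above, as an added example that is not the post's own tooling: it flags User-Agent values outside a browser prefix list and a sanctioned-tool list, POST requests with no Referer, hosts that are bare IP literals, and URIs whose 8-bit path checksum equals the values the Metasploit and Cobalt Strike stagers select for (92 for x86, 93 for x64). The records are constructed; the prefix and tool lists are placeholders for your own baseline.

```python
import ipaddress

BROWSER_UA_PREFIXES = ("Mozilla/5.0",)   # what your real browsers start with; refine from your baseline
KNOWN_TOOL_UAS = ("python-requests/",)    # sanctioned non-browser clients seen in your environment

# Constructed http.log records (only the fields used here), not real traffic.
HTTP_ROWS = [
    {"id.orig_h": "10.0.0.5", "host": "www.example.com", "method": "GET", "uri": "/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "referrer": "https://www.example.com/"},
    {"id.orig_h": "10.0.0.5", "host": "203.0.113.7", "method": "POST", "uri": "/submit.php",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "referrer": "-"},
    {"id.orig_h": "10.0.0.8", "host": "cdn-update.example.org", "method": "GET", "uri": "/VWWX",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "referrer": "-"},
    {"id.orig_h": "10.0.0.9", "host": "files.pythonhosted.org", "method": "GET", "uri": "/packages/foo.whl",
     "user_agent": "python-requests/2.31.0", "referrer": "-"},
]


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address (optionally host:port for IPv4)."""
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def checksum8(uri):
    """8-bit sum of the URI path (no leading slash, no query string).

    Metasploit and Cobalt Strike stager URIs are generated so this equals 92 (x86) or 93 (x64);
    a hit is a reason to look, not proof, since 2 in 256 random paths collide."""
    path = uri.lstrip("/").split("?", 1)[0]
    return sum(ord(c) for c in path) % 256


def triage_http(rows):
    """Return (client, host, uri, reasons) for every request that trips at least one rule."""
    findings = []
    for r in rows:
        ua = r["user_agent"]
        reasons = []
        if not ua.startswith(BROWSER_UA_PREFIXES) and not ua.startswith(KNOWN_TOOL_UAS):
            reasons.append("unusual-ua")
        if r["method"] == "POST" and r["referrer"] in ("-", ""):
            reasons.append("post-no-referrer")
        if is_ip_literal(r["host"]):
            reasons.append("ip-literal-host")
        if checksum8(r["uri"]) in (92, 93):
            reasons.append("stager-checksum8")
        if reasons:
            findings.append((r["id.orig_h"], r["host"], r["uri"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_http(HTTP_ROWS):
        print(finding)
```

The value of the rules is in combination: a stale MSIE User-Agent alone is noise from old appliances, but a POST with that agent, no Referer and an IP-literal host is the dropper profile the section describes.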
What to ask Zeek during an incident
When you are dropped into a fresh incident with a single suspect IP, the questions are always the same. Did this IP communicate outside the org? Who did it resolve before doing so? What TLS fingerprints did it present? What other internal IPs presented the same fingerprint? Did any of them exchange large data volumes in the same window? Zeek answers all of those with simple zeek-cut pipelines or a half-page of SQL if you have shipped to ClickHouse or Splunk.
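The half-page of query logic for those questions, as an added example rather than the author's own pipeline, covering both the TLS fingerprint triage from the JA3/JA4 section (known-bad list, known-good baseline, everything else a candidate) and the pivot chain above: outbound flows for the suspect, the resolutions that preceded them, the fingerprints it presented, other internal hosts sharing them, and large uploads from that cohort in the window. The conn.log, dns.log and ssl.log records, the JA3 strings and the two lists are all constructed placeholders; the corporate range and the one-hour window are assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# Constructed records in the shape a query tool returns from conn.log, dns.log and ssl.log.
def _conn(ts, orig_h, resp_h, resp_p, orig_bytes, resp_bytes, state="SF"):
    return {"ts": ts, "id.orig_h": orig_h, "id.resp_h": resp_h, "id.resp_p": resp_p,
            "orig_bytes": orig_bytes, "resp_bytes": resp_bytes, "conn_state": state}


CONN = [
    _conn(1720000010.0, "10.0.0.5", "10.0.0.2", "53", 60, 120),
    _conn(1720000100.0, "10.0.0.5", "203.0.113.7", "443", 812, 1460),
    _conn(1720000160.0, "10.0.0.5", "203.0.113.7", "443", 5000000, 2000),   # suspect pushes 5 MB out
    _conn(1720000200.0, "10.0.0.8", "203.0.113.7", "443", 900, 1500),
    _conn(1720000210.0, "10.0.0.9", "198.51.100.20", "443", 700, 90000),
    _conn(1720000300.0, "10.0.0.8", "203.0.113.7", "443", 2500000, 3000),   # peer does the same
]
DNS = [
    {"ts": 1720000090.0, "id.orig_h": "10.0.0.5", "query": "cdn-update.example.org", "answers": ["203.0.113.7"]},
    {"ts": 1720000095.0, "id.orig_h": "10.0.0.5", "query": "www.example.com", "answers": ["198.51.100.20"]},
]
SSL = [  # ja3 values are constructed placeholders, not real fingerprints
    {"ts": 1720000100.2, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "ja3": "ja3-A-constructed"},
    {"ts": 1720000200.2, "id.orig_h": "10.0.0.8", "id.resp_h": "203.0.113.7", "ja3": "ja3-A-constructed"},
    {"ts": 1720000210.2, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20", "ja3": "ja3-B-constructed"},
]
KNOWN_BAD = {"ja3-Z-constructed": "placeholder feed entry"}      # seed from a blocklist such as SSLBL
KNOWN_GOOD = {"ja3-B-constructed": "corporate browser baseline"}  # measured from your own fleet


def fingerprint_verdict(ja3):
    if ja3 in KNOWN_BAD:
        return "known-bad"
    if ja3 in KNOWN_GOOD:
        return "known-good"
    return "candidate"


def pivot(suspect, conn=CONN, dns=DNS, ssl=SSL, window_s=3600, big_bytes=1_000_000):
    """Answer the incident questions for one suspect IP from the three logs."""
    out = [c for c in conn if c["id.orig_h"] == suspect and c["conn_state"] == "SF"
           and not is_internal(c["id.resp_h"])]
    if not out:
        return {"outbound": []}
    external = {c["id.resp_h"] for c in out}
    first = min(c["ts"] for c in out)
    # Which names did the suspect resolve, before its first outbound flow, to an address it then contacted?
    resolved = sorted({d["query"] for d in dns if d["id.orig_h"] == suspect
                       and d["ts"] <= first and external & set(d["answers"])})
    prints = {s["ja3"]: fingerprint_verdict(s["ja3"]) for s in ssl if s["id.orig_h"] == suspect}
    peers = sorted({s["id.orig_h"] for s in ssl if s["ja3"] in prints
                    and s["id.orig_h"] != suspect and is_internal(s["id.orig_h"])})
    cohort = {suspect, *peers}
    uploads = [(c["id.orig_h"], c["id.resp_h"], c["orig_bytes"])
               for c in sorted(conn, key=lambda c: c["ts"])
               if c["id.orig_h"] in cohort and first <= c["ts"] <= first + window_s
               and c["orig_bytes"] >= big_bytes]
    return {"outbound": sorted({(c["id.resp_h"], c["id.resp_p"]) for c in out}),
            "resolved_before": resolved, "fingerprints": prints,
            "same_fingerprint_hosts": peers, "large_uploads": uploads}


if __name__ == "__main__":
    for question, answer in pivot("10.0.0.5").items():
        print(f"{question}: {answer}")
```

The same joins translate line for line into SQL against a ClickHouse or Splunk copy of the logs; the point of writing them out is that the scope decision (one host or a cohort) falls out of the fingerprint join, not out of the single IP you were handed.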
Retention is the only thing that matters in March
The most valuable thing Zeek will do for you is sit there for 180 days collecting evidence you do not yet know you need. Most incidents announce themselves weeks or months after the initial intrusion, and the question you will be asked is always the same: when did the attacker first show up? A 30-day retention window means the answer is unknown. Plan for 12 months of conn.log and dns.log at minimum, even at reduced fidelity. Disk is cheaper than not having the answer.