In this module

NF1.7 Sensor Validation

10 hours · Module 1 · Free

What you already know

You've installed Zeek and Suricata separately and verified each produces output. This sub validates the complete sensor — both tools processing the same traffic, Community ID correlation working, all expected log files present, and no evidence gaps.

Operational Objective

A sensor that appears to work can have silent failures — Zeek dropping a protocol analyzer, Suricata loading with zero rules, Community ID not matching between tools, or packet loss going undetected. Validation catches these before they become evidence gaps in a real investigation.

This sub runs a structured validation test: process a known PCAP through both tools, verify all expected outputs, confirm cross-tool correlation, and establish a baseline for sensor health checks going forward.

Deliverable: A validated sensor with documented proof that Zeek produces complete logs, Suricata fires expected alerts, Community ID correlation works, and no evidence gaps exist for the test PCAP.

Estimated completion: 30 minutes

Figure NF1.7 — The four validation checks. All four must pass before the sensor is considered operational. Failing any check means an evidence gap that will affect investigations in subsequent modules.

The Validation Test

Run this complete validation script against a known-malicious PCAP. Download a PCAP from malware-traffic-analysis.net that contains identifiable C2 traffic (the site labels them by malware family — pick one that includes HTTP or TLS traffic for the fullest log coverage).

#!/bin/bash
# Sensor Validation Script — run from /opt/sensor/
PCAP="/opt/sensor/pcap/validation-test.pcap"
ZEEK_OUT="/opt/sensor/zeek-logs/validation/"
SURI_OUT="/opt/sensor/suricata-logs/"

echo "=== SENSOR VALIDATION ==="
echo "PCAP: $PCAP"
echo "Date: $(date -u)"
echo ""

# Step 1: Run Zeek
mkdir -p "$ZEEK_OUT" && cd "$ZEEK_OUT"
rm -f *.log 2>/dev/null
zeek -r "$PCAP"
echo "--- ZEEK LOG FILES ---"
ls -lh *.log 2>/dev/null
CONN_COUNT=$(grep -v '^#' conn.log 2>/dev/null | wc -l)
DNS_COUNT=$(grep -v '^#' dns.log 2>/dev/null | wc -l)
echo "Connections: $CONN_COUNT"
echo "DNS queries: $DNS_COUNT"
echo "Community ID present: $(head -20 conn.log | grep -c community_id)"
echo ""

# Step 2: Run Suricata
rm -f "$SURI_OUT/eve.json" 2>/dev/null
sudo suricata -r "$PCAP" -l "$SURI_OUT" \
  --set classification-file=/etc/suricata/classification.config \
  --set reference-config-file=/etc/suricata/reference.config 2>/dev/null
ALERT_COUNT=$(cat "$SURI_OUT/eve.json" 2>/dev/null | jq 'select(.event_type=="alert")' | grep -c '"alert"')
echo "--- SURICATA ---"
echo "Alerts: $ALERT_COUNT"
echo ""

# Step 3: Community ID correlation
echo "--- COMMUNITY ID CORRELATION ---"
CID=$(cat "$SURI_OUT/eve.json" | jq -r 'select(.event_type=="alert") | .community_id' 2>/dev/null | head -1)
if [ -n "$CID" ] && [ "$CID" != "null" ]; then
  MATCH=$(grep -c "$CID" "$ZEEK_OUT/conn.log")
  echo "Suricata CID: $CID"
  echo "Zeek conn.log match: $MATCH entries"
else
  echo "No alerts with Community ID found"
fi
echo ""

# Step 4: Packet loss
echo "--- PACKET LOSS ---"
if [ -f "$ZEEK_OUT/capture_loss.log" ]; then
  LOSS=$(grep -v '^#' "$ZEEK_OUT/capture_loss.log" | wc -l)
  echo "capture_loss entries: $LOSS"
else
  echo "No capture_loss.log (good — no loss detected)"
fi

echo ""
echo "=== VALIDATION COMPLETE ==="

Save this script as /opt/sensor/validate-sensor.sh and run it:

chmod +x /opt/sensor/validate-sensor.sh
/opt/sensor/validate-sensor.sh

Interpreting Results

Zeek logs complete: You should see conn.log with hundreds or thousands of entries, dns.log with query records, and at least one protocol-specific log (ssl.log for HTTPS traffic, http.log for HTTP). If conn.log is empty, Zeek failed to process the PCAP — check for error messages.

Suricata alerts fire: If the PCAP contains known malicious traffic and the ET Open rules are loaded, you should see alerts. If the alert count is zero, either the PCAP doesn't contain traffic matching ET rules, or the rules aren't loaded. Verify with wc -l /var/lib/suricata/rules/suricata.rules.

Community ID match: The same Community ID should appear in both a Suricata alert and a Zeek conn.log entry. If the IDs don't match, verify both tools have Community ID enabled and are using the same hash algorithm version.

Zero packet loss: For PCAP replay, there should be no packet loss (the file is read from disk, not captured live). If capture_loss.log has entries, it may indicate Zeek couldn't process packets fast enough — unlikely for offline replay, but possible with extremely large PCAPs on low-spec VMs.

After all four checks pass, take a VM snapshot: "Sensor validated — ready for NF2." This is your known-good state. If anything breaks in later modules, restore to this snapshot.

Guided Procedure — Run the Full Validation

Step 1. Download a known-malicious PCAP and save it to /opt/sensor/pcap/.

Expected output: A PCAP file from malware-traffic-analysis.net. Choose one labeled with a known malware family (Emotet, IcedID, Qbot) that includes TLS traffic.

If the download site is blocked: Use the course lab pack PCAP (NF0 lab pack) which is designed for validation.

Step 2. Run the validation script and review the output.

Expected output: All four checks pass: Zeek logs present with data, Suricata alerts > 0, Community ID correlation successful, zero packet loss.

If Zeek passes but Suricata shows zero alerts: The PCAP may not trigger ET rules. This isn't a sensor failure — it means the specific traffic doesn't match any signature. Try a PCAP known to contain C2 traffic (Cobalt Strike, Emotet).

Step 3. Take a VM snapshot labeled "Sensor validated."

Expected output: Snapshot created. You can restore to this point if configuration changes in later modules break the sensor.

If snapshot fails due to disk space: Delete previous snapshots you no longer need. The "Pre-tool-install" snapshot from NF1.2 can be deleted now that validation has passed.

Decision point

Your validation shows Zeek producing logs and Suricata firing alerts, but the Community ID from Suricata doesn't match any entry in Zeek's conn.log.

This can happen when the Community ID implementation differs between versions — Zeek and Suricata must both use Community ID v1 for the hashes to match. Alternatively, the Suricata alert may reference a flow that Zeek classified differently (e.g., Suricata sees it as a TCP flow, Zeek sees it as part of a different connection due to TCP reassembly differences).

The fix: verify Zeek has @load policy/protocols/conn/community-id-logging in local.zeek. Verify Suricata has community-id: enabled: true in suricata.yaml. Re-run both tools against the same PCAP. If the hashes still don't match, extract the 5-tuple (source IP, source port, destination IP, destination port, protocol) from the Suricata alert and search for it manually in conn.log — this confirms the same flow exists in both tools even if the hash calculation differs.

Compliance Myth: "Once the sensor is installed and validated, it's done — no ongoing maintenance needed"

A sensor that ran perfectly in April can fail silently in June. Suricata rules expire as threat intelligence evolves. Zeek protocol parsers can break after OS updates. Disk space fills. NTP synchronisation drifts. The sensor process crashes at 03:00 and nobody notices until the next investigation discovers a 12-hour evidence gap.

Sensor maintenance is ongoing — NF1.9 covers the maintenance checklist. Validation isn't a one-time event. Run the validation script monthly, after any system update, and after any Zeek or Suricata version upgrade.

NF1.8 — First Investigation Queries. Your sensor is validated. NF1.8 teaches the query patterns you'll use in every module — the foundational zeek-cut and jq commands for investigating Zeek logs.

Try it: Run the full validation and document the results

Setup. Your sensor VM with Zeek and Suricata installed, a PCAP containing identifiable malicious traffic.

Task. Run the validation script from this sub. Save the output to a file: /opt/sensor/validate-sensor.sh | tee /opt/sensor/validation-$(date +%Y%m%d).txt. Review the output and verify all four checks pass.

Expected result. A validation report saved to disk showing: Zeek log file list with row counts, Suricata alert count, Community ID correlation match, and packet loss status. All checks green.

Debugging branch. If any check fails, re-read the specific NF1 sub that covers that component: Zeek (NF1.3), Suricata (NF1.5), Community ID (NF1.3 and NF1.5 configuration sections).

Checkpoint — before moving on

1. Run the sensor validation script and confirm all four checks pass: Zeek logs, Suricata alerts, Community ID correlation, zero packet loss. (§ The Validation Test)

2. Take a VM snapshot labeled "Sensor validated" that you can restore to if later configuration changes break the sensor. (§ Guided Procedure Step 3)

3. Explain what a Community ID mismatch means and how to diagnose it. (§ Decision Point)

Operational Artifact — Sensor Validation Script

Location: Save as /opt/sensor/validate-sensor.sh, chmod +x.

Run it: After initial deployment, after any OS update, after any Zeek or Suricata upgrade, and monthly as part of sensor health checks.

The four checks: (1) Zeek produces logs with data, (2) Suricata fires alerts against known-bad traffic, (3) Community ID correlates across both tools, (4) zero packet loss.

Pass criteria: All four green. A snapshot labeled "Sensor validated" captures the known-good state.

Fail triage: Zeek no logs → reporter.log. Zero Suricata alerts → rule update + suricata -T. Community ID mismatch → version check on both tools. Packet loss > 0 in offline replay → unusual, check CPU headroom.

Extended reference — validation PCAPs, pass-criteria rationale, and proof-of-validation artefacts

Choosing a validation PCAP. The PCAP you validate against determines what you're actually proving. Three categories, each with different purpose.

Generic malicious traffic from malware-traffic-analysis.net exercises the full protocol stack — HTTP, DNS, TLS, SMB — against a variety of malware families. Good for first validation. The site publishes a new sample most weeks; the sample includes PCAP plus writeup. Use one that's at least 30 days old so ET Open rules have had time to include signatures.

A course-provided lab-pack PCAP exercises the specific scenarios the Ridgeline course threads. Use when you want validation to cover the NE-environment scenarios the course depends on. Lives in the NF0 lab pack.

A capture from your own environment (after sanitisation) validates against your actual traffic patterns. Use this after a few weeks of running the sensor — it catches environment-specific issues (unusual protocols, non-standard ports, enterprise-specific tools that Zeek misclassifies) that generic PCAPs don't expose.

Pass-criteria rationale. Why these four checks specifically.

Zeek producing logs with data. Confirms the capture pipeline works: interface up, BPF filter permissive enough, Zeek process running, disk writeable, no parser crashes. A sensor that produces empty or zero-byte logs is dead even though pgrep zeek succeeds.

Suricata firing alerts. Confirms the alert pipeline works end-to-end: rules loaded, engine processing packets, fast.log writeable. Zero alerts from a known-malicious PCAP means rules aren't loaded or Suricata isn't receiving packets from the replay — both silent failures.

Community ID correlation. Confirms the two tools agree on what a flow is. This is the single most useful cross-tool identifier — when it works, you can pivot from a Suricata alert to the Zeek connection with one field match. When it fails, pivoting requires reconstructing the 5-tuple manually for every alert, which is painful at scale.

Zero packet loss. For offline replay this should always be zero. For live capture, anything above 0.1% means evidence is missing and the investigation has gaps. Monitoring packet loss as a standing metric (not just at validation) is the way to catch capacity problems before they affect an incident.

Proof-of-validation artefacts. Save every validation run. Each successful validation produces a dated text file in /opt/sensor/validations/ showing the four checks passing. This is evidence for two situations: after a known-good-for-weeks period the sensor starts producing bad data and you need to identify when the problem started (compare recent validations to last-known-good); and after an incident where the defence might question sensor reliability (the validation files demonstrate continuous known-good operation across the incident window).

Retain these files for the same period as sensor logs — typically 90 days minimum. The files are small (a few KB each); storage isn't a concern.

Validation in continuous-deployment environments. If the sensor infrastructure is managed by config-as-code (Ansible, Terraform, Chef), every deployment should run validation automatically before declaring the deployment successful. The script's exit codes are the integration point — a non-zero exit on any check blocks the deployment from being marked complete. This pattern prevents a silently-broken deployment from sitting in production until the next manual validation cycle.

Edge cases the simple script doesn't cover. Four specific scenarios worth deeper validation when the sensor deployment is high-stakes.

One, dual-stack IPv6. Validate against a PCAP containing IPv6 traffic (many default PCAPs are IPv4-only). Zeek handles IPv6 natively; Suricata rules may not cover the IPv6 variants of IPv4-tested attacks.

Two, high-rate traffic. Replay a PCAP at sustained high packet rates using tcpreplay instead of reading from disk. This validates whether the sensor holds up under real-world throughput, not just against slow replay.

Three, fragmented traffic. Some PCAP samples contain fragmented IP packets. Zeek reassembles; Suricata should too. Misconfiguration of reassembly produces silent detection gaps for fragmentation-based evasion.

Four, TLS without SNI. Older TLS versions and some connection types lack SNI. Confirm ssl.log entries are produced even when server_name is empty; a rule that requires ssl.server_name to be set will miss these connections.

Re-validation triggers. The monthly cadence catches drift; specific events warrant out-of-cycle validation. After any OS package upgrade. After any Zeek or Suricata version change. After any kernel update (can affect AF_PACKET behaviour). After any hardware change (NIC swap, storage expansion that touches mount points). After any config change to the sensor's node.cfg, local.zeek, or suricata.yaml. After any change to BPF filters on the capture interface. Each of these has the potential to introduce silent failure; re-validation takes 5 minutes and confirms the sensor still produces correct output.

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration

Unlock the full course with Premium See Full Syllabus

Cancel anytime

← Previous Next →