NF1.11 Interactive Lab — Build and Validate Your Sensor

10 hours · Module 1 · Free
Lab Objective

This lab validates your complete sensor build. You'll process a Northgate Engineering PCAP through both Zeek and Suricata, verify the output, demonstrate Community ID correlation, and run investigation queries against the results. By the end of this lab, your sensor is confirmed operational and you're ready for the protocol analysis modules.

Deliverable: A validated sensor with documented Zeek logs, Suricata alerts, Community ID correlation, and investigation query results from an NE scenario PCAP.

Estimated completion: 45 minutes

Lab Setup

Download the NF1 lab pack from the course downloads page. The pack contains a PCAP from the INC-NE-2026-0418 ransomware scenario — the same incident used in the NF0 lab, but with a larger time window (72 hours vs the NF0 excerpt).

Save the PCAP to /opt/sensor/pcap/nf1-lab.pcap.

Exercise 1 — Process with Zeek

mkdir -p /opt/sensor/zeek-logs/nf1-lab && cd /opt/sensor/zeek-logs/nf1-lab
# community-id-logging adds the community_id column to conn.log that Exercise 3 pivots on
# (harmless if your sensor's site policy already loads it)
zeek -r /opt/sensor/pcap/nf1-lab.pcap policy/protocols/conn/community-id-logging
echo "Log files generated: $(ls *.log | wc -l)"
echo "Connections: $(grep -v '^#' conn.log | wc -l)"
echo "DNS queries: $(grep -v '^#' dns.log | wc -l)"
echo "TLS sessions: $(grep -v '^#' ssl.log 2>/dev/null | wc -l)"

Expected: At least conn.log, dns.log, ssl.log with non-zero entry counts.

Exercise 2 — Process with Suricata

# Suricata appends to eve.json rather than replacing it, so start from a clean output directory
mkdir -p /opt/sensor/suricata-logs && sudo rm -f /opt/sensor/suricata-logs/eve.json
sudo suricata -r /opt/sensor/pcap/nf1-lab.pcap \
  -l /opt/sensor/suricata-logs/ \
  --set classification-file=/etc/suricata/classification.config \
  --set reference-config-file=/etc/suricata/reference.config

# -c keeps each alert on one line; pretty-printed output would make a line count overstate the total
echo "Alerts: $(jq -c 'select(.event_type=="alert")' /opt/sensor/suricata-logs/eve.json | wc -l)"

Expected: One or more alerts. List them:

jq -r 'select(.event_type=="alert") | "\(.timestamp) | \(.alert.signature) | \(.src_ip) → \(.dest_ip)"' /opt/sensor/suricata-logs/eve.json

Exercise 3 — Community ID Correlation

Both tools must be emitting Community IDs before this works: Zeek needs policy/protocols/conn/community-id-logging loaded (it adds the community_id column to conn.log), and Suricata needs community-id: true under the eve-log output in suricata.yaml. Check the Zeek side first, then take the first Suricata alert's Community ID and find it in Zeek:

grep -q 'community_id' /opt/sensor/zeek-logs/nf1-lab/conn.log \
  || echo "conn.log has no community_id column: load policy/protocols/conn/community-id-logging and re-run Exercise 1"
CID=$(jq -r 'select(.event_type=="alert") | .community_id // empty' /opt/sensor/suricata-logs/eve.json | head -1)
[ -n "$CID" ] || echo "alerts carry no community_id: set community-id: true for eve-log in suricata.yaml and re-run Exercise 2"
echo "Alert CID: $CID"
echo "--- Zeek conn.log match ---"
grep -F -- "$CID" /opt/sensor/zeek-logs/nf1-lab/conn.log | head -3

grep -F matches the ID as a literal string: a Community ID is "1:" followed by base64, so it can contain + and / characters that a pattern grep would treat as syntax.

Expected: The Community ID appears in both tools, confirming the same flow is tracked. Both tools must also use the same seed (0 by default); a sensor with a non-default seed on one side produces IDs that never match.
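The reason the two IDs match is that both tools run the same deterministic function over the flow's 5-tuple. The script below is an added example, not course or tool code: it computes Community ID v1 for an IPv4 TCP/UDP/SCTP flow in POSIX sh, so you can reproduce an ID by hand from a conn.log row or an alert and understand why direction does not matter. It assumes awk, openssl and base64 are installed; the sample flows are constructed.

```shell
#!/bin/sh
# Added example: Community ID v1 for IPv4 TCP/UDP/SCTP flows in POSIX sh.
# Not the Zeek or Suricata implementation; follows the published v1 spec.

ip_to_int() {   # dotted quad -> integer, used only to order the two endpoints
  printf '%s\n' "$1" | awk -F. '{ printf "%.0f", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

ip_to_hex() {   # dotted quad -> 8 hex characters in network byte order
  printf '%s\n' "$1" | awk -F. '{ printf "%02x%02x%02x%02x", $1, $2, $3, $4 }'
}

hex_to_bin() {  # hex string -> raw bytes, via octal escapes that POSIX printf understands
  esc=$(printf '%s\n' "$1" | awk '
    function hv(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    { for (i = 1; i <= length($0); i += 2)
        printf "\\%03o", hv(substr($0, i, 1)) * 16 + hv(substr($0, i + 1, 1)) }')
  printf "$esc"
}

# community_id SADDR SPORT DADDR DPORT PROTO [SEED]
#   PROTO is the IP protocol number (6 = tcp, 17 = udp, 132 = sctp).
#   SEED defaults to 0, the value Zeek and Suricata use unless configured otherwise.
community_id() {
  saddr=$1 sport=$2 daddr=$3 dport=$4 proto=$5 seed=${6:-0}
  si=$(ip_to_int "$saddr"); di=$(ip_to_int "$daddr")
  # Canonical ordering: lower address first; on an address tie, lower port first.
  # This is what makes client->server and server->client hash to the same ID.
  if [ "$si" -gt "$di" ] || { [ "$si" -eq "$di" ] && [ "$sport" -gt "$dport" ]; }; then
    t=$saddr; saddr=$daddr; daddr=$t
    t=$sport;  sport=$dport;  dport=$t
  fi
  # Hash input: seed(2) | saddr(4) | daddr(4) | proto(1) | pad(1) | sport(2) | dport(2), big-endian.
  hex=$(printf '%04x%s%s%02x00%04x%04x' "$seed" "$(ip_to_hex "$saddr")" "$(ip_to_hex "$daddr")" \
        "$proto" "$sport" "$dport")
  printf '1:%s\n' "$(hex_to_bin "$hex" | openssl dgst -sha1 -binary | base64)"
}

# Usage: both directions of a constructed flow yield the same ID.
community_id 10.10.5.23 51234 203.0.113.40 443 6
community_id 203.0.113.40 443 10.10.5.23 51234 6
```

To check the function against your sensor, pick any conn.log row, feed its id.orig_h/id.orig_p/id.resp_h/id.resp_p and protocol number in, and compare with the row's community_id column; a mismatch almost always means a different seed on one side.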

Exercise 4 — Investigation Queries

Using the 10 patterns from NF1.8, answer these questions:

Q1: What are the top 5 external destination IPs by connection count? (Pattern 3)

Q2: Which internal host transferred the most data outbound? (Pattern 4)

Q3: Are there any connections lasting more than 1 hour? If so, to which destination? (Pattern 5)

Q4: Pick one suspicious connection. Use the UID pivot (Pattern 7) to find its TLS certificate details in ssl.log.

Q5: If you found a C2 IP from Q3, how many unique internal hosts communicated with it? (Pattern 9)
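The exact form of the NF1.8 patterns is not reproduced on this page, so the script below is an added example, not course code, showing one way to answer Q1 through Q5 against Zeek's TSV logs with POSIX sh and awk. It reads column positions from the #fields header instead of hard-coding them, which keeps the queries working when a sensor adds or reorders columns. It assumes "internal" means RFC 1918 address space (adjust for the NE network plan), uses Zeek's standard conn.log and ssl.log field names, and builds a small constructed conn.log/ssl.log pair so it runs without the lab PCAP; point the functions at /opt/sensor/zeek-logs/nf1-lab instead to answer the real questions.

```shell
#!/bin/sh
# Added example: header-driven conn.log / ssl.log queries for Exercise 4.
# Not course code; field names are Zeek's standard ones, sample data is constructed.

# Shared awk prologue: map Zeek field names to column numbers from the '#fields'
# header, skip the other '#' metadata lines, and define an RFC 1918 "internal" test
# (an assumption; substitute the NE address plan).
ZEEK_AWK='
BEGIN { FS = "\t" }
function internal(ip) {
  return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
}
/^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
/^#/       { next }
'

# Q1: top N external destination IPs by connection count.
top_external_dests() {   # CONN_LOG N
  awk "$ZEEK_AWK"'
  { rh = $(col["id.resp_h"]); if (!internal(rh)) n[rh]++ }
  END { for (h in n) print n[h], h }' "$1" | sort -k1,1nr -k2,2 | head -n "$2"
}

# Q2: internal host that sent the most bytes to external hosts ("-" means unknown, skipped).
top_outbound_host() {    # CONN_LOG
  awk "$ZEEK_AWK"'
  { oh = $(col["id.orig_h"]); rh = $(col["id.resp_h"]); ob = $(col["orig_bytes"])
    if (internal(oh) && !internal(rh) && ob != "-") bytes[oh] += ob }
  END { for (h in bytes) print bytes[h], h }' "$1" | sort -k1,1nr -k2,2 | head -n 1
}

# Q3: connections whose duration exceeds SECONDS.
long_connections() {     # CONN_LOG SECONDS
  awk -v limit="$2" "$ZEEK_AWK"'
  { d = $(col["duration"])
    if (d != "-" && d + 0 > limit + 0)
      print $(col["id.orig_h"]), $(col["id.resp_h"]), $(col["id.resp_p"]), d }' "$1"
}

# Q4: UID pivot into ssl.log for the SNI, certificate subject and issuer.
tls_details_for_uid() {  # SSL_LOG UID
  awk -v uid="$2" "$ZEEK_AWK"'
  $(col["uid"]) == uid { print $(col["server_name"]), $(col["subject"]), $(col["issuer"]) }' "$1"
}

# Q5: number of distinct internal hosts that connected to IP.
hosts_talking_to() {     # CONN_LOG IP
  awk -v ip="$2" "$ZEEK_AWK"'
  $(col["id.resp_h"]) == ip { seen[$(col["id.orig_h"])] = 1 }
  END { n = 0; for (h in seen) n++; print n + 0 }' "$1"
}

# Constructed sample logs (not from the lab PCAP): one long-lived TLS session from
# 10.10.5.23 to 203.0.113.40, a second host to the same IP, some ordinary traffic.
make_sample_logs() {     # DIR
  mkdir -p "$1"
  c='%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
  {
    printf '#separator \\x09\n#path\tconn\n'
    printf '#fields\t'; printf "$c" ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
    printf "$c" 1718000000.10 CjK4Ab1 10.10.5.23 51234 203.0.113.40 443 tcp ssl 3720.50 1250000 88000 SF
    printf "$c" 1718000001.20 CjK4Ab2 10.10.5.23 51235 203.0.113.40 443 tcp ssl 0.40 800 1200 SF
    printf "$c" 1718000002.30 CjK4Ab3 10.10.5.77 49000 203.0.113.40 443 tcp ssl 0.90 600 900 SF
    printf "$c" 1718000003.40 CjK4Ab4 10.10.5.77 53001 10.10.5.1 53 udp dns 0.01 60 120 SF
    printf "$c" 1718000004.50 CjK4Ab5 10.10.5.99 40000 198.51.100.8 80 tcp http 12.00 20000 500000 SF
    printf "$c" 1718000005.60 CjK4Ab6 10.10.5.23 51236 198.51.100.8 80 tcp http - - - S0
  } > "$1/conn.log"
  s='%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
  {
    printf '#separator \\x09\n#path\tssl\n'
    printf '#fields\t'; printf "$s" ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_name subject issuer
    printf "$s" 1718000000.15 CjK4Ab1 10.10.5.23 51234 203.0.113.40 443 update-cdn.example CN=update-cdn.example CN=ExampleCA
  } > "$1/ssl.log"
}

# Usage: build the sample and run the five queries against it.
dir=$(mktemp -d)
make_sample_logs "$dir"
echo "Q1:"; top_external_dests "$dir/conn.log" 5
echo "Q2:"; top_outbound_host "$dir/conn.log"
echo "Q3:"; long_connections "$dir/conn.log" 3600
echo "Q4:"; tls_details_for_uid "$dir/ssl.log" CjK4Ab1
echo "Q5:"; hosts_talking_to "$dir/conn.log" 203.0.113.40
rm -rf "$dir"
```

The Q3 result feeds Q4 and Q5 directly: the long-lived connection's uid pivots into ssl.log, and its id.resp_h is the IP to count hosts against. Keep orig_bytes rather than resp_bytes for Q2; the question is what left the network, and a "-" byte count (Zeek could not measure it, typically a one-sided capture) should be excluded rather than treated as zero.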

Lab Debrief

If you completed all four exercises, your sensor is validated and you've demonstrated the core investigation workflow: process traffic → generate metadata → fire alerts → correlate across tools → query for investigation findings.

This sensor is the tool you'll use for every remaining module. NF2 teaches PCAP acquisition and management. NF3 begins protocol-specific investigation with DNS — the protocol that sees everything.

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

  • DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
  • Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
  • Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
  • NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
  • INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration