We covered examples of analyzing cybersecurity incidents such as Anomalous DNS, phishing attacks and the Log4j vulnerability using Zeek IDS. We used Zeek IDS in offline packet analysis mode while it can still be used in a live captured mode. The examples used in the video are part of TryHackMe Zeek Exercises room which is part of the SOC Level 1 Track.

Burp Suite Practical Notes

The Complete Practical Web Application Penetration Testing Course


Zeek is a passive, open-source network traffic analyser. Many operators use Zeek as a network security monitor (NSM) to support suspicious or malicious activity investigations. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.

Run Zeek as a service to be able to perform live network packet capture or to listen to the live network traffic.
To run Zeek as a service we will need to start the “ZeekControl” module which requires superuser permissions to use. You can elevate the session privileges and switch to the superuser account to examine the generated log files with the following command: sudo su

Room Answers

Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?


Investigate the conn.log file. What is the longest connection duration?


There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?

Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.


Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.


Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?


Investigate the extracted malicious .exe file. What is the given file name in Virustotal?


Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.


Investigate the http.log file. What is the request name of the downloaded malicious .exe file?


Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?


Investigate the http.log file. Which tool is used for scanning?


Investigate the http.log file. What is the extension of the exploit file?


Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?


Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles