Interactive Lab — Build and Validate Your Sensor
This lab validates your complete sensor build. You'll process a Northgate Engineering PCAP through both Zeek and Suricata, verify the output, demonstrate Community ID correlation, and run investigation queries against the results. By the end of this lab, your sensor is confirmed operational and you're ready for the protocol analysis modules.
Deliverable: A validated sensor with documented Zeek logs, Suricata alerts, Community ID correlation, and investigation query results from an NE scenario PCAP.
Lab Setup
Download the NF1 lab pack from the course downloads page. The pack contains a PCAP from the INC-NE-2026-0418 ransomware scenario — the same incident used in the NF0 lab, but with a larger time window (72 hours vs the NF0 excerpt).
Save the PCAP to /opt/sensor/pcap/nf1-lab.pcap.
Exercise 1 — Process with Zeek
mkdir -p /opt/sensor/zeek-logs/nf1-lab && cd /opt/sensor/zeek-logs/nf1-lab
zeek -r /opt/sensor/pcap/nf1-lab.pcap
echo "Log files generated: $(ls *.log | wc -l)"
echo "Connections: $(grep -v '^#' conn.log | wc -l)"
echo "DNS queries: $(grep -v '^#' dns.log | wc -l)"
echo "TLS sessions: $(grep -v '^#' ssl.log 2>/dev/null | wc -l)"
Expected: At least conn.log, dns.log, ssl.log with non-zero entry counts.
Exercise 2 — Process with Suricata
sudo suricata -r /opt/sensor/pcap/nf1-lab.pcap \
-l /opt/sensor/suricata-logs/ \
--set classification-file=/etc/suricata/classification.config \
--set reference-config-file=/etc/suricata/reference.config
echo "Alerts: $(jq -c 'select(.event_type=="alert")' /opt/sensor/suricata-logs/eve.json | wc -l)"
Expected: One or more alerts. List them:
jq -r 'select(.event_type=="alert") | "\(.timestamp) | \(.alert.signature) | \(.src_ip) → \(.dest_ip)"' /opt/sensor/suricata-logs/eve.json
Exercise 3 — Community ID Correlation
Take the first Suricata alert's Community ID and find it in Zeek:
CID=$(cat /opt/sensor/suricata-logs/eve.json | jq -r 'select(.event_type=="alert") | .community_id' | head -1)
echo "Alert CID: $CID"
echo "--- Zeek conn.log match ---"
grep "$CID" /opt/sensor/zeek-logs/nf1-lab/conn.log | head -3
Expected: The Community ID appears in both tools, confirming the same flow is tracked. If no match appears, check that conn.log has a community_id column (Zeek adds it only when the community-id-logging policy script is loaded).
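Exercise 3 greps one Community ID by hand. The script below is an added example, not part of the course lab pack: it performs the same join over a whole EVE file and conn.log, parsing Zeek's #fields header rather than grepping, and flags joined flows longer than an hour (the Q3 pattern). All sample records, UIDs, IPs and Community ID strings are constructed placeholders.

```python
import json

# Constructed Suricata EVE lines: two alerts and one flow record (not from the lab PCAP).
EVE_JSON = """\
{"event_type":"alert","src_ip":"10.20.5.17","dest_ip":"203.0.113.45","community_id":"1:EXAMPLEabc=","alert":{"signature":"TEST C2 Beacon"}}
{"event_type":"flow","src_ip":"10.20.5.17","dest_ip":"203.0.113.45","community_id":"1:EXAMPLEabc="}
{"event_type":"alert","src_ip":"10.20.5.22","dest_ip":"198.51.100.9","community_id":"1:EXAMPLEdef=","alert":{"signature":"TEST Suspicious TLS Cert"}}
"""

# Constructed Zeek conn.log excerpt; the community_id column exists only when community-id-logging is loaded.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tcommunity_id
1776503521.0\tCabc1\t10.20.5.17\t49822\t203.0.113.45\t443\ttcp\t4102.5\t1830\t5210\t1:EXAMPLEabc=
1776505207.0\tCdef2\t10.20.5.22\t51004\t198.51.100.9\t443\ttcp\t0.8\t512\t2048\t1:EXAMPLEdef=
1776505300.0\tCghi3\t10.20.5.30\t53211\t192.0.2.77\t80\ttcp\t12.0\t300\t900\t1:EXAMPLEghi=
#close\t2026-04-18-10-00-00
"""

def parse_conn_log(text):
    """Parse Zeek TSV into dicts keyed by the #fields header; other comment lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def parse_alerts(text):
    """Return only event_type == alert records from newline-delimited EVE JSON."""
    records = (json.loads(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r.get("event_type") == "alert"]

def correlate(alerts, conns, long_flow_secs=3600):
    """Join alerts to Zeek rows on community_id and flag connections longer than long_flow_secs."""
    by_cid = {}
    for row in conns:
        by_cid.setdefault(row["community_id"], []).append(row)
    hits = []
    for alert in alerts:
        for row in by_cid.get(alert["community_id"], []):
            hits.append({"signature": alert["alert"]["signature"], "uid": row["uid"],
                         "duration": float(row["duration"]),
                         "long_flow": float(row["duration"]) > long_flow_secs})
    return hits

if __name__ == "__main__":
    for hit in correlate(parse_alerts(EVE_JSON), parse_conn_log(CONN_LOG)):
        print(hit)
```

Point the two constants at your real eve.json and conn.log contents to run it against the NF1 lab output; the uid in each hit is the pivot key for ssl.log in Exercise 4.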
Exercise 4 — Investigation Queries
Using the 10 patterns from NF1.8, answer these questions:
Q1: What are the top 5 external destination IPs by connection count? (Pattern 3)
Q2: Which internal host transferred the most data outbound? (Pattern 4)
Q3: Are there any connections lasting more than 1 hour? If so, to which destination? (Pattern 5)
Q4: Pick one suspicious connection. Use the UID pivot (Pattern 7) to find its TLS certificate details in ssl.log.
Q5: If you found a C2 IP from Q3, how many unique internal hosts communicated with it? (Pattern 9)
Lab Debrief
If you completed all five exercises, your sensor is validated and you've demonstrated the core investigation workflow: process traffic → generate metadata → fire alerts → correlate across tools → query for investigation findings.
This sensor is the tool you'll use for every remaining module. NF2 teaches PCAP acquisition and management. NF3 begins protocol-specific investigation with DNS — the protocol that sees everything.