Zeek Connection and TLS Hunting

Analyze Zeek connection metadata, TLS handshakes, and file transfers to detect threats.

Last updated: February 2026

Purpose and Scope

Beyond HTTP and DNS, Zeek generates connection logs for all TCP/UDP sessions, TLS handshake metadata, and file extraction records. These logs reveal encrypted C2 channels, unusual network behavior, and file-based attacks that application-layer logs miss.

Prerequisites

  • Zeek deployment: Sensors with conn, ssl, x509, and files logs enabled
  • Log retention: Sufficient history for baseline comparison
  • Query platform: SIEM or analysis tool with aggregation capabilities
  • Network knowledge: Understanding of expected traffic patterns

Zeek Connection Log Fields

Key fields in conn.log:

  • ts: Connection start time
  • uid: Unique connection identifier (links to other logs)
  • id.orig_h, id.orig_p: Source IP and port
  • id.resp_h, id.resp_p: Destination IP and port
  • proto: Transport protocol (tcp, udp, icmp)
  • service: Application protocol detected
  • duration: Connection length
  • orig_bytes, resp_bytes: Bytes transferred each direction
  • orig_pkts, resp_pkts: Packet counts
  • conn_state: Connection state (S0, SF, REJ, etc.)
  • history: Connection history string
  • orig_ip_bytes, resp_ip_bytes: Total IP bytes including headers

Connection State Codes

  • S0: SYN sent, no reply (scan or filtered)
  • S1: Connection established, not terminated
  • SF: Normal connection close
  • REJ: Connection rejected (RST from responder)
  • RSTO: Originator sent RST
  • RSTR: Responder sent RST
  • OTH: Midstream traffic, no handshake observed

Zeek TLS Log Fields

Key fields in ssl.log:

  • ts: Timestamp
  • uid: Links to conn.log
  • version: TLS version negotiated
  • cipher: Cipher suite used
  • server_name: SNI (Server Name Indication)
  • subject: Certificate subject DN
  • issuer: Certificate issuer DN
  • validation_status: Certificate validation result
  • ja3: Client TLS fingerprint (legacy)
  • ja3s: Server TLS fingerprint (legacy)
  • ja4: Next-generation client fingerprint (with JA4+ package)
  • ja4s: Server response fingerprint (with JA4+ package)

Zeek Files Log Fields

Key fields in files.log:

  • ts: File seen time
  • fuid: File unique identifier
  • source: Protocol that transferred file
  • mime_type: Detected MIME type
  • filename: Extracted filename if available
  • md5, sha1, sha256: File hashes
  • total_bytes: File size
  • seen_bytes: Bytes captured
  • extracted: Whether file was carved to disk

Connection Hunting Techniques

Long Duration Connections

C2 channels often maintain persistent connections:

  • Filter connections longer than expected for the service
  • Look for long-lived connections to external IPs
  • Compare against baselines for legitimate long connections

High Byte Ratios

  • Exfiltration: high orig_bytes, low resp_bytes
  • C2 download: low orig_bytes, high resp_bytes
  • Calculate ratios and identify outliers

Port and Protocol Anomalies

  • HTTP service on a non-standard port
  • SSH to external hosts from workstations
  • High-port-to-high-port connections
  • Services on ports that do not match (e.g., dns on 443)

Failed Connection Patterns

  • High rate of S0 (scan activity)
  • REJ from multiple hosts (port sweep)
  • Connection attempts to bogons or unroutable space

Beaconing in Connection Data

  • Regular interval connections to same destination
  • Consistent packet and byte counts
  • Statistical analysis of timing patterns
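The timing analysis described above, worked through on conn.log records. This is an added example, not code from the original page: it builds a few constructed Zeek JSON conn records (dotted field names as Zeek writes them, before a SIEM flattens them to id_orig_h), groups them by source, destination and port, and flags tuples whose inter-connection intervals and orig_bytes both have a low coefficient of variation. The thresholds (six connections, CV at or below 0.15) are assumptions to tune against your baseline.

```python
import json
import statistics
from collections import defaultdict

# Constructed conn.log records in Zeek's JSON output format (not captured traffic).
# Host 10.0.0.5 talks to 203.0.113.7:443 every ~60 s with near-identical request
# sizes (the beaconing pattern); host 10.0.0.9 browses 198.51.100.20 irregularly.
SAMPLE_CONN_LOG = "\n".join(
    [json.dumps({"ts": 1700000000 + 60 * i + (i % 3), "uid": f"Cbeacon{i}",
                 "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443,
                 "proto": "tcp", "service": "ssl", "duration": 0.4,
                 "orig_bytes": 512 + 8 * (i % 2), "resp_bytes": 256, "conn_state": "SF"})
     for i in range(8)]
    + [json.dumps({"ts": 1700000000 + t, "uid": f"Cweb{i}",
                   "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20", "id.resp_p": 443,
                   "proto": "tcp", "service": "ssl", "duration": 3.0,
                   "orig_bytes": b, "resp_bytes": 40000, "conn_state": "SF"})
       for i, (t, b) in enumerate([(5, 900), (70, 3000), (400, 1200), (410, 7000),
                                   (900, 500), (2000, 2500), (2100, 300), (3600, 4000)])]
)

def _cv(values):
    """Coefficient of variation (population stdev / mean); 0 for a constant series."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0

def find_beacons(conn_log, min_conns=6, max_cv=0.15):
    """Group connections by (orig_h, resp_h, resp_p) and return the tuples whose
    inter-connection intervals AND orig_bytes are both nearly constant.
    Result: {tuple: (interval_cv, bytes_cv, mean_interval_seconds)}."""
    flows = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)  # field names keep Zeek's dotted form, e.g. "id.orig_h"
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        flows[key].append((float(rec["ts"]), int(rec.get("orig_bytes") or 0)))
    hits = {}
    for key, conns in flows.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        sizes = [bytes_sent for _, bytes_sent in conns]
        icv, bcv = _cv(intervals), _cv(sizes)
        if icv <= max_cv and bcv <= max_cv:
            hits[key] = (round(icv, 3), round(bcv, 3), round(statistics.mean(intervals), 1))
    return hits
```

Jittered implants raise the interval CV, so pair this with the byte-ratio and long-duration checks rather than relying on timing alone.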

TLS Hunting Techniques

JA3 Fingerprint Analysis (Legacy)

JA3 hashes identify client software based on TLS handshake parameters:

  • Compare JA3 hashes against known malware databases
  • Identify rare JA3 values in your environment
  • Detect mismatches (JA3 does not match expected application)
  • Resources: ja3er.com, abuse.ch JA3 feeds

Note: JA3 is being superseded by JA4 for improved accuracy and resistance to evasion.

JA4+ Fingerprinting (FoxIO)

JA4+ is the next generation of TLS fingerprinting developed by FoxIO. It addresses JA3 limitations and provides more granular, human-readable fingerprints.

JA4 Fingerprint Components

  • JA4: TLS client fingerprint with protocol, version, SNI, cipher count, extension count, and ALPN
  • JA4S: TLS server response fingerprint
  • JA4H: HTTP client fingerprint based on headers
  • JA4X: X.509 certificate fingerprint
  • JA4T: TCP client fingerprint (window size, options, MSS)
  • JA4TS: TCP server fingerprint
  • JA4SSH: SSH traffic fingerprint
  • JA4L: Light distance and locality fingerprint

JA4 Format

JA4 uses a human-readable format: t13d1516h2_8daaf6152771_e5627efa2ab1

  • First section: protocol (t=TCP), TLS version (13=1.3), SNI (d=domain present), cipher count, extension count, first and last characters of the first ALPN value (h2)
  • Second section: truncated hash of sorted cipher suites
  • Third section: truncated hash of sorted extensions

The readable prefix allows quick pattern matching without hash lookups.
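To make the three sections concrete, here is the fingerprint computed from already-parsed ClientHello fields. This is an added example, not FoxIO's reference code: the constructed cipher, extension and signature_algorithms lists (with GREASE values mixed in, as real clients send them) are assumptions chosen so the readable prefix comes out as t13d1516h2, and the ALPN handling is simplified to the alphanumeric case.

```python
import hashlib

# GREASE values (RFC 8701) are excluded from every count and hash.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}
TLS_VERSION = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}
SNI_EXT, ALPN_EXT = 0x0000, 0x0010

# Constructed ClientHello field values (not a real capture): 15 ciphers and 16
# extensions after GREASE removal, SNI present, ALPN "h2", TLS 1.3.
SAMPLE_CIPHERS = [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
                  0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035]
SAMPLE_EXTENSIONS = [0x2a2a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010,
                     0x0005, 0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x4469,
                     0x0015, 0x3a3a]
SAMPLE_SIG_ALGS = [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601]

def _h12(joined: str) -> str:
    """JA4_b / JA4_c: first 12 hex chars of SHA-256, or all zeros for an empty list."""
    return hashlib.sha256(joined.encode()).hexdigest()[:12] if joined else "000000000000"

def ja4(protocol, version, ciphers, extensions, alpn=None, sig_algs=()):
    """Build the JA4 string from already-parsed ClientHello fields.
    protocol: "t" (TCP) or "q" (QUIC); version: highest value in supported_versions
    (or the ClientHello version if that extension is absent); ciphers/extensions:
    16-bit ids in wire order; alpn: first ALPN protocol string or None;
    sig_algs: signature_algorithms values in wire order (not sorted)."""
    ciphers = [c for c in ciphers if c not in GREASE]
    extensions = [e for e in extensions if e not in GREASE]
    sni = "d" if SNI_EXT in extensions else "i"          # d = domain present, i = IP/none
    alpn_tag = (alpn[0] + alpn[-1]) if alpn else "00"     # first and last character
    ja4_a = (f"{protocol}{TLS_VERSION.get(version, '00')}{sni}"
             f"{min(len(ciphers), 99):02d}{min(len(extensions), 99):02d}{alpn_tag}")
    ja4_b = _h12(",".join(f"{c:04x}" for c in sorted(ciphers)))
    # SNI and ALPN are counted in ja4_a but left out of the hashed extension list,
    # which is sorted; signature algorithms are appended after "_" in wire order.
    ext_part = ",".join(f"{e:04x}" for e in sorted(extensions) if e not in (SNI_EXT, ALPN_EXT))
    if sig_algs:
        ext_part += "_" + ",".join(f"{s:04x}" for s in sig_algs)
    return f"{ja4_a}_{ja4_b}_{_h12(ext_part)}"
```

Because the cipher and extension lists are sorted before hashing, a client that only shuffles their order keeps the same JA4_b and JA4_c; that is the evasion resistance the note above refers to.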

JA4+ Hunting Use Cases

  • Malware detection: Many malware families have unique JA4 fingerprints in threat feeds
  • Tool identification: Distinguish between browsers, curl, wget, Python requests, and custom implants
  • Cobalt Strike detection: Default Cobalt Strike configurations have known JA4 signatures
  • Sliver and other C2: Open source C2 frameworks leave distinctive fingerprints
  • Baseline deviation: Identify clients that do not match expected application fingerprints
  • JA4H for HTTP: Detect scripted requests vs browser traffic by header fingerprint
  • JA4T for network: Identify operating systems and detect tunneled traffic

JA4+ Implementation

Enable JA4+ in Zeek:

  • Install the JA4 Zeek package from FoxIO
  • JA4 fields appear in ssl.log alongside JA3
  • JA4H requires HTTP logging enabled
  • JA4T requires connection logging with TCP options

Example JA4 Hunting Query

index=zeek sourcetype=zeek_ssl
| where NOT cidrmatch("10.0.0.0/8", id_resp_h)
| stats count by ja4, server_name
| where count < 10
| sort -count

Known Malicious JA4 Signatures

  • Check FoxIO JA4 database for known malware fingerprints
  • Integrate JA4 feeds into your SIEM for automated detection
  • Monitor for C2 framework defaults (Cobalt Strike, Sliver, Mythic, Havoc)
  • Track JA4 first seen dates for new fingerprints in your environment

Certificate Anomalies

  • Self-signed certificates on external connections
  • Certificates with unusual subjects or issuers
  • Short validity periods
  • Validation failures
  • Certificates with IP addresses in CN or SAN

SNI Mismatches

  • SNI does not match certificate subject
  • Missing SNI on HTTPS connections
  • SNI to IP address or localhost

Deprecated TLS Versions

  • SSLv3 or TLS 1.0 connections to external hosts
  • May indicate legacy malware or misconfigured tools

Files Hunting Techniques

Executable Transfers

  • Filter for PE, ELF, and Mach-O MIME types
  • Check hashes against VirusTotal or threat feeds
  • Identify downloads from suspicious sources
  • Track files transferred over non-standard protocols

Archive and Script Files

  • ZIP, RAR, 7z containing executables
  • JavaScript, VBScript, PowerShell in transfers
  • Office documents with macros (by extension pattern)

Hash Hunting

  • Match extracted hashes against IOC feeds
  • Track first seen dates for new hashes
  • Identify files seen across multiple hosts

Example Queries

Long Duration External Connections (SPL)

index=zeek sourcetype=zeek_conn duration>3600
| where NOT cidrmatch("10.0.0.0/8", id_resp_h)
| table _time id_orig_h id_resp_h id_resp_p duration orig_bytes resp_bytes

Self-Signed Certificates (SPL)

index=zeek sourcetype=zeek_ssl validation_status="self signed certificate"
| where NOT cidrmatch("10.0.0.0/8", id_resp_h)
| table _time id_orig_h id_resp_h server_name subject issuer

Executable File Transfers

index=zeek sourcetype=zeek_files
mime_type IN ("application/x-dosexec", "application/x-executable")
| table _time source tx_hosts rx_hosts filename md5 sha256

Validation and False Positives

  • VPN and remote access tools create long-duration connections
  • Internal PKI may use self-signed certificates
  • Software updates transfer legitimate executables
  • Validate against asset inventory and approved applications
  • Correlate with endpoint telemetry for context

Escalation Guidance

Escalate when:

  • JA3 matches known malware fingerprint
  • File hash matches threat intelligence
  • Certificate or connection anomalies combined with other indicators
  • Beaconing pattern confirmed with TTP correlation
  • Data exfiltration volume thresholds exceeded

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.