WEEK_1 · DAY_05 · 1 HOUR

Networking for Defenders

TCP/IP, OSI, ports, protocols, DNS, TLS — and what to log

Splunk Lab

Learning Objectives

  • Speak L3-L7 fluently
  • Memorize the must-know ports and their abuse patterns
  • Read packet flows and Zeek logs
  • Understand DNS as the universal protocol (and tunneling channel)

Module 1 — OSI & TCP/IP

OSI: Physical → Data Link → Network → Transport → Session → Presentation → Application.

TCP/IP simplifies to 4 layers: Link, Internet (IP), Transport (TCP/UDP), Application.

TCP: reliable, 3-way handshake (SYN, SYN/ACK, ACK). Flags: SYN ACK FIN RST PSH URG.

UDP: unreliable, fire-and-forget. Used by DNS, NTP, DHCP, SNMP, VoIP.

Module 2 — Ports You Must Know

TCP: 22 SSH, 23 Telnet, 25 SMTP, 53 DNS, 80 HTTP, 110 POP3, 135/445 SMB, 143 IMAP, 389 LDAP, 443 HTTPS, 3389 RDP, 5985 WinRM.

UDP: 53 DNS, 67/68 DHCP, 123 NTP, 161 SNMP, 500 IPsec.

Most-abused: 53 (tunneling), 445 (lateral), 3389 (RDP brute force), 22 (SSH brute force).

Module 3 — DNS — The Universal Protocol

Every network action starts with DNS. Record types: A, AAAA, CNAME, TXT, MX, SRV, PTR.

Detection gold mine: DGA domains, fast-flux, tunneling via TXT, NXDOMAIN spikes.

Module 4 — TLS & Encryption

TLS 1.2 / 1.3 — most traffic is encrypted now. Visibility comes from JA3/JA3S fingerprinting and certificate transparency.

Self-signed or expired certs to weird domains = high signal.

Module 5 — What to Log

Firewall: src, dest, port, action, bytes.

Proxy / web gateway: full URLs, user agent, response codes.

DNS: queries + responses (including NXDOMAIN).

Zeek: conn, dns, http, ssl, files — the hunter's dataset.

SPL Queries

Top destination ports last hour
index=network sourcetype=zeek:conn | stats count by dest_port | sort - count | head 10
// Aggregates Zeek conn logs to find noisy destination ports.

Unusual outbound from a host
index=network sourcetype=zeek:conn src_ip=10.0.0.42 NOT dest_port IN (80,443,53) | table _time dest_ip dest_port bytes_out
// Surfaces non-standard egress — possible C2 or data exfil.

Lab 5 — DNS Tunneling Hunt

  1. Open the Splunk lab → Search.
  2. Run the pre-loaded Zeek DNS query to find abnormal subdomains.
  3. Flag any host with > 200 unique TXT queries in 10 minutes.
  4. Identify the offender and recommend a containment action.
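The lab's rule (more than 200 unique TXT queries from one host within 10 minutes) as a sliding-window check over Zeek dns.log lines, an added example that is not course material or Splunk code; the log excerpt, host addresses and domain names are constructed.

```python
"""Flag hosts issuing > 200 unique TXT queries in any 10-minute window of a Zeek dns.log."""
from collections import defaultdict

THRESHOLD = 200   # unique TXT names per window (lab step 3)
WINDOW_S = 600    # 10 minutes

def parse_dns_log(lines):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))

def txt_tunnel_suspects(lines, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return {src_ip: peak unique TXT names in any window} for hosts over threshold.
    A repeated name counts once: tunnels encode data in ever-changing labels,
    while a legitimate client re-resolving one TXT record stays at 1."""
    per_host = defaultdict(list)
    for rec in parse_dns_log(lines):
        if rec.get("qtype_name") == "TXT":
            per_host[rec["id.orig_h"]].append((float(rec["ts"]), rec["query"].lower()))
    suspects = {}
    for host, events in per_host.items():
        events.sort()                      # by timestamp
        in_window = defaultdict(int)       # name -> occurrences inside the window
        left, peak = 0, 0
        for ts, name in events:
            in_window[name] += 1
            while ts - events[left][0] > window_s:   # slide the window's left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            suspects[host] = peak
    return suspects

def sample_log(interval_s=2.0):
    """Constructed dns.log excerpt (not real traffic): one chatty host, one quiet host."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "query", "qtype_name", "rcode_name"]
    rows = ["#fields\t" + "\t".join(fields)]
    for i in range(250):   # 250 distinct TXT names, one every interval_s seconds
        rows.append("\t".join([f"{1700000000 + i * interval_s:.6f}", f"C{i}", "10.0.0.42", "51234", "10.0.0.2", "53", "udp", f"{i:04x}.tun.example", "TXT", "NOERROR"]))
    for i in range(5):     # a normal host re-checking a single TXT record
        rows.append("\t".join([f"{1700000000 + i * 60:.6f}", f"D{i}", "10.0.0.7", "51235", "10.0.0.2", "53", "udp", "_dmarc.example.com", "TXT", "NOERROR"]))
    return rows
```

The same 250 names spread over 40 minutes (interval_s=10) fall below the window threshold, which is why the rule is stated per 10-minute window rather than per day.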

Key Takeaways

  • L3/4 = where, L7 = what
  • DNS is the most-abused protocol — always log it
  • Outbound traffic deserves as much scrutiny as inbound