WEEK_1 · DAY_05 · LAB
Lab 5 — DNS Tunneling Hunt
TCP/IP, OSI, ports, protocols, DNS, TLS — and what to log
Lab Objectives
- Speak L3-L7 fluently
- Memorize the must-know ports and their abuse patterns
- Read packet flows and Zeek logs
- Understand DNS as the universal protocol (and tunneling channel)
Lab Instructions
1. Open the Splunk lab → Search.
2. Run the pre-loaded Zeek DNS query to find abnormal subdomains.
3. Flag any host with > 200 unique TXT queries in 10 minutes.
4. Identify the offender and recommend a containment action.
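Step 3 expressed as detection logic, as an added example that is not part of the lab's own material: it reads Zeek dns.log records in JSON form (field names `ts`, `id.orig_h`, `qtype_name`, `query` are Zeek's), keeps a sliding 10-minute window per source host, and reports hosts whose count of distinct TXT query names exceeds 200. The sample records are constructed for the example, not captured traffic.

```python
"""Flag hosts with > 200 unique TXT query names in any 10-minute window."""
import json
from collections import defaultdict


def parse_dns_log(lines):
    """Yield (ts, orig_ip, qtype_name, query) from Zeek dns.log JSON lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        yield float(rec["ts"]), rec["id.orig_h"], rec.get("qtype_name", ""), rec.get("query", "")


def find_txt_tunnelers(lines, threshold=200, window=600):
    """Return {src_ip: peak_unique_txt_names} for hosts exceeding the threshold."""
    by_host = defaultdict(list)
    for ts, src, qtype, query in parse_dns_log(lines):
        if qtype == "TXT":
            by_host[src].append((ts, query.lower()))
    flagged = {}
    for src, events in by_host.items():
        events.sort()
        seen = defaultdict(int)  # query name -> occurrences inside the window
        start, best = 0, 0
        for ts, name in events:
            seen[name] += 1
            while ts - events[start][0] > window:  # evict events older than the window
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))  # distinct names in the current window
        if best > threshold:
            flagged[src] = best
    return flagged


def build_sample():
    """Constructed dns.log lines (not real traffic): 10.0.0.42 sends 250 distinct
    TXT names in about four minutes; 10.0.0.7 repeats one TXT name 300 times."""
    def rec(ts, host, name):
        return json.dumps({"ts": ts, "id.orig_h": host, "qtype_name": "TXT", "query": name})
    tunnel = [rec(1700000000 + i, "10.0.0.42", f"c{i:04x}.t.example.net") for i in range(250)]
    benign = [rec(1700000000 + i, "10.0.0.7", "example.com") for i in range(300)]
    return tunnel + benign


if __name__ == "__main__":
    print(find_txt_tunnelers(build_sample()))  # {'10.0.0.42': 250}
```

The repeated-name host is not flagged because the rule counts distinct names, which is what separates a tunnel's ever-changing labels from a legitimate record being polled repeatedly.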
SPL for this Lab
Top destination ports, last hour
index=network sourcetype=zeek:conn | stats count by dest_port | sort - count | head 10
// Aggregates Zeek conn logs to find noisy destination ports.
Unusual outbound from a host
index=network sourcetype=zeek:conn src_ip=10.0.0.42 NOT dest_port IN (80,443,53) | table _time dest_ip dest_port bytes_out
// Surfaces non-standard egress — possible C2 or data exfil.