Built a production SOC for my home/mobile infra. Sharing it.

#AEGIS is a unified threat intelligence platform running on a single Linux server:

→ DNS sinkhole (port 53, custom blocklists)
→ Suricata IDS in AF-packet passive mode + ClamAV on filestore
→ Zeek NSM (http, ssl, dns, conn, weird, notice)
→ ModSecurity WAF — OWASP CRS 4.22, full enforcement
→ Fail2Ban + auditd
→ Rust orchestrator aggregating all event sources into one REST/WS API

Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.

One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE — passive only. No inline mode that can brick SSH access.

https://aegis.centurialabs.pl

#infosec #SOC #homelab #Suricata #Zeek #Rust #threathunting

AEGIS SOC — Universal Threat Intelligence Platform

Production-grade SOC for any connected device — phones, tablets, Android Auto, CarPlay, IoT. DNS sinkholing, IDS, WAF, NSM — unified under one orchestrator.

Centuria Labs

From this month's newsletter: A tip about pcap-minimizer, handy for debugging scripts and analyzers:

https://community.zeek.org/t/zeek-newsletter-issue-60-february-2026/7953

#Zeek #PCAP #NetworkSecurity #OpenSource

Zeek Newsletter - Issue 60 - February 2026

Welcome to the Zeek Newsletter. In this Issue: Community News Zeek Techniques Community Call Recap Development Updates Packages Get Involved TL;DR: Zeek 8.2 development is underway with strong ZeroMQ performance improvements. CERN workshop registration is full but waitlist spots are available, and the Leadership Team is drafting an AI contribution policy. Community News & Reminders Zeek Workshop at CERN (Mar. 25-26): Registration for our upcoming workshop is currently full. Sign up for...

Zeek

RE: https://infosec.exchange/@zeek/116178696196522235

We've got a free Zeek training coming up at Trusted CI's Regional Cybersecurity Summit (April 21-22). Registration is open now. Head to the newsletter for more details -->

#Zeek #NetworkSecurity #OpenSource #Training

Our latest lightning talk shows you a simple way to know if your alerting pipeline actually works.

https://www.youtube.com/watch?v=zlA-d5Bxn_c

#Zeek #NetworkSecurity #OpenSource #Alerting

Test Your Zeek Alerting Pipeline with a Simple Script

YouTube

RE: https://infosec.exchange/@zeek/116178696196522235

Zeek 8.2 development is underway and our team is actively seeking community feedback before the road to 9.0 continues.

Give us a shout! February newsletter has the details:

#Zeek #NetworkSecurity #OpenSource

New on the blog: Practical advice for customizing Zeek. A quick read on what most people actually change, what's usually not worth touching, and a decision framework for figuring out which is which.

https://zeek.org/2026/03/what-should-you-actually-customize-in-zeek/

#Zeek #NetworkSecurity #OpenSource

@da_667 you need an ssl/tls proxy to really see more of the traffic, don't categorize it as some sort of thing that is optional when all the big guys lean heavily on it to more fully inspect traffic flows #dpi #cert #zeek #suricata #framing

You're absolutely right to frame it this way. The "TLS kills IDS/IPS" argument is one of those oversimplifications that sounds clever but misses the point entirely. Encryption doesn't make threats invisible - it just changes where and how you look for them.

The Proxy Reality Check

@da_667 hits the nail on the head - SSL/TLS inspection isn't optional if you want visibility, it's foundational. The "big guys" (Cisco, Palo Alto, Zscaler) aren't running proxies because they have money to burn - they're doing it because you can't inspect what you can't see.

But here's where Chapter 10 can really shine - showing that inspection exists on a spectrum:

Invasive Approaches (The Proxy Path)

Full MITM decryption with corporate certificates

What you gain: Complete visibility into application-layer threats, data exfiltration attempts, hidden C2 channels

What you sacrifice: Performance overhead, privacy considerations, certificate management headaches

The reality check: This is how enterprises actually catch advanced threats

Non-Invasive Approaches (Metadata & Behavior)

Zeek: Still extracts certificates, SNI, JA3 fingerprints, tunnel durations - even from encrypted flows

Suricata: Can match on encrypted traffic patterns, detect known C2 fingerprints without decryption

Flow data: Connection patterns tell stories - beaconing intervals, data asymmetries, strange destination patterns

TLS handshake analysis: Cipher suite choices, certificate chains, extensions - all potential indicators

The Real Takeaway

The "TLS kills visibility" crowd forgets that threats still have to:

Establish connections (handshake analysis)

Talk to specific infrastructure (reputation/feeds)

Behave like threats (behavioral analysis)

Leave metadata trails (Zeek logs don't lie)

Your Chapter 10 should hammer home that visibility is a spectrum, not binary. Some threats require full decryption. Others get caught by the metadata they can't avoid generating. And the best detection strategies use both.

What specific angle are you taking with the invasive vs non-invasive comparison? Are you showing them as complementary layers or competing approaches?
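As an added example (not part of the thread above, and not a script from the Zeek or Suricata projects): two of the metadata-only checks the reply lists, beacon-interval detection over conn.log connection start times and a JA3 watchlist match over ssl.log, run against constructed log records. The field subset, the periodicity threshold (coefficient of variation of the gaps <= 0.10) and the watchlist hash are assumptions for illustration.

```python
"""Metadata-only checks over Zeek logs: beacon intervals in conn.log, JA3 watchlist in ssl.log."""
import statistics
from collections import defaultdict

# Constructed conn.log subset (tab-separated): ts, id.orig_h, id.resp_h, id.resp_p
CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.7\t443
1700000060.1\t10.0.0.5\t203.0.113.7\t443
1700000119.9\t10.0.0.5\t203.0.113.7\t443
1700000180.0\t10.0.0.5\t203.0.113.7\t443
1700000240.2\t10.0.0.5\t203.0.113.7\t443
1700000003.0\t10.0.0.9\t198.51.100.4\t443
1700000903.0\t10.0.0.9\t198.51.100.4\t443
"""
# Constructed ssl.log subset: ts, id.orig_h, id.resp_h, server_name, ja3
SSL_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.7\t-\t0123456789abcdef0123456789abcdef
1700000003.0\t10.0.0.9\t198.51.100.4\tupdates.example.net\tfedcba9876543210fedcba9876543210
"""
# Placeholder watchlist (constructed hash, not a real malware fingerprint)
JA3_WATCHLIST = {"0123456789abcdef0123456789abcdef": "placeholder-c2-client"}

def _records(log):
    """Yield tab-split fields, skipping blank lines and Zeek '#' header lines."""
    for line in log.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")

def find_beacons(conn_log, min_conns=4, max_cv=0.10):
    """Map (orig_h, resp_h, resp_p) -> (count, mean_gap_s) for near-periodic flows,
    i.e. where stdev(gap)/mean(gap) <= max_cv over at least min_conns connections."""
    times = defaultdict(list)
    for ts, orig, resp, port in _records(conn_log):
        times[(orig, resp, port)].append(float(ts))
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            beacons[key] = (len(ts_list), mean)
    return beacons

def match_ja3(ssl_log, watchlist):
    """Return [(orig_h, server_name, ja3, label)] for TLS clients whose JA3 is listed."""
    return [(orig, sni, ja3, watchlist[ja3])
            for _, orig, _, sni, ja3 in _records(ssl_log) if ja3 in watchlist]
```

The single large transfer from 10.0.0.9 is not flagged because two connections give only one gap; on real logs tune min_conns and max_cv against your own baseline before alerting.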

Curious about Zeek + AWS Traffic Mirroring? Check out Arne's latest walkthrough on our blog: https://zeek.org/2026/02/using-zeek-with-aws-traffic-mirroring-and-kafka/

#Zeek #AWS #NetworkSecurity #OpenSource

The latest Zeek newsletter has a neat trick for analyzing multiple PCAP files in one go

https://community.zeek.org/t/zeek-newsletter-issue-59-january-2026/7944#p-29641-zeek-techniques-3

#Zeek #NetworkSecurity #OpenSource

Zeek Newsletter - Issue 59 - January 2026

Welcome to the Zeek Newsletter In this Issue: Community News Zeek Techniques Community Call Recap Development Updates Packages Get Involved TL;DR: Zeek 8.1 is officially out and security updates 8.1.1 and 8.0.6 are available. The CERN workshop agenda is live (registration still open!), and we published a few tutorials and guides for you. Community News & Reminders Threat Intelligence Workshop - Virtual (Feb. 25): Aashish Sharma and Fatema Bannat Wala are presenting on leveraging MISP w...

Zeek