- Your opinion of me or my art is none of my business -
Built a production SOC for my home/mobile infra. Sharing it.
#AEGIS is a unified threat intelligence platform running on a single Linux server:
→ DNS sinkhole (port 53, custom blocklists)
→ Suricata IDS in AF-packet passive mode + ClamAV on filestore
→ Zeek NSM (http, ssl, dns, conn, weird, notice)
→ ModSecurity WAF — OWASP CRS 4.22, full enforcement
→ Fail2Ban + auditd
→ Rust orchestrator aggregating all event sources into one REST/WS API
Auto-heal watchdog, anti-DDoS engine with dynamic iptables injection, real-time dashboard.
One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE — passive only. No inline mode that can brick SSH access.
From this month's newsletter: A tip about pcap-minimizer, handy for debugging scripts and analyzers:
https://community.zeek.org/t/zeek-newsletter-issue-60-february-2026/7953

Welcome to the Zeek Newsletter. In this Issue: Community News, Zeek Techniques, Community Call Recap, Development Updates, Packages, Get Involved. TL;DR: Zeek 8.2 development is underway with strong ZeroMQ performance improvements. CERN workshop registration is full but waitlist spots are available, and the Leadership Team is drafting an AI contribution policy. Community News & Reminders: Zeek Workshop at CERN (Mar. 25-26): Registration for our upcoming workshop is currently full. Sign up for...
100 angry Zéèks have something to moan about, number 1.
Tribute Bands
https://zeekthefreak.substack.com/p/tribute-bands?r=2o39de
#zeekthefreak #zéèk #moan #tributebands #100angryzeeks #substack #boring
RE: https://infosec.exchange/@zeek/116178696196522235
We've got a free Zeek training coming up at Trusted CI's Regional Cybersecurity Summit (April 21-22). Registration is open now. Head to the newsletter for more details -->
Our latest lightning talk shows you a simple way to know if your alerting pipeline actually works.

RE: https://infosec.exchange/@zeek/116178696196522235
Zeek 8.2 development is underway and our team is actively seeking community feedback before the road to 9.0 continues.
Give us a shout! February newsletter has the details:
New on the blog: Practical advice for customizing Zeek. A quick read on what most people actually change, what's usually not worth touching, and a decision framework for figuring out which is which.
https://zeek.org/2026/03/what-should-you-actually-customize-in-zeek/
@da_667 you need an SSL/TLS proxy to really see more of the traffic; don't categorize it as some sort of thing that is optional when all the big guys lean heavily on it to more fully inspect traffic flows #dpi #cert #zeek #suricata #framing
You're absolutely right to frame it this way. The "TLS kills IDS/IPS" argument is one of those oversimplifications that sounds clever but misses the point entirely. Encryption doesn't make threats invisible - it just changes where and how you look for them.
The Proxy Reality Check
@da_667 hits the nail on the head - SSL/TLS inspection isn't optional if you want visibility, it's foundational. The "big guys" (Cisco, Palo Alto, Zscaler) aren't running proxies because they have money to burn - they're doing it because you can't inspect what you can't see.
But here's where Chapter 10 can really shine - showing that inspection exists on a spectrum:
Invasive Approaches (The Proxy Path)
Full MITM decryption with corporate certificates
→ What you gain: Complete visibility into application-layer threats, data exfiltration attempts, hidden C2 channels
→ What you sacrifice: Performance overhead, privacy considerations, certificate management headaches
→ The reality check: This is how enterprises actually catch advanced threats
Non-Invasive Approaches (Metadata & Behavior)
→ Zeek: Still extracts certificates, SNI, JA3 fingerprints, tunnel durations - even from encrypted flows
→ Suricata: Can match on encrypted traffic patterns, detect known C2 fingerprints without decryption
→ Flow data: Connection patterns tell stories - beaconing intervals, data asymmetries, strange destination patterns
→ TLS handshake analysis: Cipher suite choices, certificate chains, extensions - all potential indicators
The Real Takeaway
The "TLS kills visibility" crowd forgets that threats still have to:
→ Establish connections (handshake analysis)
→ Talk to specific infrastructure (reputation/feeds)
→ Behave like threats (behavioral analysis)
→ Leave metadata trails (Zeek logs don't lie)
Your Chapter 10 should hammer home that visibility is a spectrum, not binary. Some threats require full decryption. Others get caught by the metadata they can't avoid generating. And the best detection strategies use both.
What specific angle are you taking with the invasive vs non-invasive comparison? Are you showing them as complementary layers or competing approaches?
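To make the "non-invasive" side of the reply above concrete, here is an added example (written for this page, not code from the thread or from the Zeek project) that runs three of the metadata checks the reply names over Zeek-style conn.log and ssl.log lines: regular inter-connection gaps (beaconing), client-to-server byte asymmetry, and TLS handshake attributes (SNI, version, cipher, JA3). The log lines are constructed, not from a real capture; the `ja3` column assumes the community JA3 package is loaded (stock ssl.log has no such field); the thresholds (`min_conns`, `max_cv`, `ratio`) and the "weak cipher" substring test are illustrative choices, not Zeek defaults.

```python
"""Detection over Zeek metadata logs, no decryption involved:
beaconing from conn.log timing, upload asymmetry from conn.log bytes,
and handshake attributes (SNI / version / cipher / JA3) from ssl.log."""
import statistics
from collections import defaultdict

# Constructed sample logs in Zeek's TSV layout (not a real capture). Columns are
# trimmed to what the checks use. The ja3 column assumes the JA3 package is
# loaded; the JA3 values below are placeholders, not real fingerprints.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1700000000.000\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t0.9\t4200\t310
1700000060.100\tC2\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\tssl\t0.8\t4100\t300
1700000120.050\tC3\t10.0.0.5\t51002\t203.0.113.10\t443\ttcp\tssl\t1.1\t4300\t320
1700000180.020\tC4\t10.0.0.5\t51003\t203.0.113.10\t443\ttcp\tssl\t0.7\t4000\t290
1700000240.000\tC5\t10.0.0.5\t51004\t203.0.113.10\t443\ttcp\tssl\t0.9\t4250\t305
1700000010.000\tC6\t10.0.0.7\t52000\t198.51.100.20\t443\ttcp\tssl\t12.0\t900\t154000
1700000400.000\tC7\t10.0.0.7\t52001\t198.51.100.20\t443\ttcp\tssl\t30.0\t1200\t980000
1700001900.000\tC8\t10.0.0.7\t52002\t198.51.100.20\t443\ttcp\tssl\t5.0\t700\t64000
"""
SSL_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\tja3
1700000000.000\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv12\tTLS_RSA_WITH_AES_128_CBC_SHA\t-\t00000000000000000000000000000001
1700000010.000\tC6\t10.0.0.7\t52000\t198.51.100.20\t443\tTLSv13\tTLS_AES_256_GCM_SHA384\tupdates.example.net\t00000000000000000000000000000002
"""


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields header; '-' is unset."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        else:
            values = line.split("\t")
            records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def beacon_candidates(conn, min_conns=4, max_cv=0.1):
    """Group connections by (src, dst, dport) and flag pairs whose gaps between
    connections are numerous and regular: coefficient of variation <= max_cv."""
    by_pair = defaultdict(list)
    for r in conn:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append((float(r["ts"]), r["uid"]))
    hits = []
    for pair, events in by_pair.items():
        if len(events) < min_conns:
            continue
        events.sort()
        stamps = [ts for ts, _ in events]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"pair": pair, "count": len(events), "mean_gap": round(mean, 1),
                         "cv": round(cv, 4), "uids": [uid for _, uid in events]})
    return hits


def upload_heavy(conn, ratio=5.0, min_bytes=1000):
    """Return uids where the client sent at least `ratio` times what it received."""
    return [r["uid"] for r in conn
            if int(r["orig_bytes"] or 0) >= min_bytes
            and int(r["orig_bytes"] or 0) >= ratio * max(int(r["resp_bytes"] or 0), 1)]


def tls_observations(ssl):
    """Per handshake: SNI, JA3, version, plus reasons it merits an analyst's look."""
    out = {}
    for r in ssl:
        cipher = r["cipher"] or ""
        reasons = []
        if r["server_name"] is None:
            reasons.append("no SNI")
        if r["version"] in ("SSLv3", "TLSv10", "TLSv11"):
            reasons.append("legacy protocol")
        if "_RSA_WITH_" in cipher or "_CBC_" in cipher:  # no forward secrecy / CBC mode
            reasons.append("weak cipher suite")
        out[r["uid"]] = {"sni": r["server_name"], "ja3": r["ja3"],
                         "version": r["version"], "reasons": reasons}
    return out


def triage(conn_text, ssl_text):
    """Run all three checks and join TLS observations onto each beacon candidate."""
    conn, ssl = parse_zeek_log(conn_text), parse_zeek_log(ssl_text)
    tls = tls_observations(ssl)
    beacons = beacon_candidates(conn)
    for b in beacons:
        b["tls"] = [tls[u] for u in b["uids"] if u in tls]
    return {"beacons": beacons, "upload_heavy": upload_heavy(conn), "tls": tls}


if __name__ == "__main__":
    for key, value in triage(CONN_LOG, SSL_LOG).items():
        print(key, value)
```

On the constructed data, 10.0.0.5 connects to 203.0.113.10:443 every ~60 s with a near-zero coefficient of variation, sends far more than it receives, and its one recorded handshake has no SNI and an RSA key exchange with a CBC suite, so the three checks converge without anyone decrypting a byte. The 10.0.0.7 traffic (irregular timing, download-heavy, TLS 1.3 with an SNI) triggers nothing. Real deployments tune `max_cv` and `ratio` against baseline traffic, since CDNs and update services also produce regular, asymmetric flows.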
Curious about Zeek + AWS Traffic Mirroring? Check out Arne's latest walkthrough on our blog: https://zeek.org/2026/02/using-zeek-with-aws-traffic-mirroring-and-kafka/