Zeek HTTP and DNS Hunting

Hunt for malicious activity using Zeek network monitoring HTTP and DNS telemetry.

Last updated: February 2026

Purpose and Scope

Zeek (formerly Bro) generates detailed network metadata logs that are invaluable for threat hunting. Its HTTP and DNS logs capture application-layer activity that reveals C2 communication, data exfiltration, phishing callbacks, and other malicious behavior that is invisible in flow data alone.

Prerequisites

  • Zeek deployment: Zeek sensors monitoring relevant network segments
  • Log aggregation: HTTP and DNS logs ingested into SIEM or analysis platform
  • Query access: Ability to search and aggregate log data
  • Baseline knowledge: Understanding of normal HTTP and DNS patterns in your environment

Zeek HTTP Log Fields

Key fields in http.log:

  • ts: Timestamp of the request
  • uid: Unique connection identifier
  • id.orig_h, id.orig_p: Source IP and port
  • id.resp_h, id.resp_p: Destination IP and port
  • method: HTTP method (GET, POST, etc.)
  • host: Host header value
  • uri: Request URI path
  • referrer: Referer header value (Zeek spells the field referrer)
  • user_agent: User agent string
  • request_body_len: Size of request body
  • response_body_len: Size of response body
  • status_code: HTTP response code
  • resp_mime_types: MIME types Zeek identified for the response body by content inspection (not the Content-Type header)
  • orig_filenames, resp_filenames: Extracted filenames

Zeek DNS Log Fields

Key fields in dns.log:

  • ts: Timestamp
  • uid: Unique connection identifier
  • id.orig_h: Client making the query
  • id.resp_h: DNS server
  • query: Queried domain name
  • qtype_name: Query type (A, AAAA, TXT, MX, etc.)
  • rcode_name: Response code (NOERROR, NXDOMAIN, etc.)
  • answers: DNS response records
  • TTLs: Time-to-live values of the answers
  • rejected: Whether query was rejected

HTTP Hunting Techniques

Rare User Agents

Malware often uses unique or malformed user agent strings:

  • Stack user agents by frequency, investigate the rare ones
  • Look for user agents missing expected components
  • Search for known malicious user agent patterns
  • Identify user agents that do not match the host OS

Suspicious URI Patterns

  • Long, random-looking URI paths
  • Base64-encoded data in URIs
  • Numeric-only paths that may be encoded commands
  • URIs ending in unusual extensions (.php on static hosting)
  • Repeated patterns suggesting automated traffic

POST Requests to Uncommon Destinations

  • POST requests to IP addresses instead of domains
  • POST to newly registered or low reputation domains
  • Large POST body sizes to external hosts
  • POST requests without referrer from internal hosts

Beaconing Patterns

  • Regular interval connections to same host
  • Similar request sizes with periodic timing
  • Low jitter in connection timing
  • Small response bodies with regular polling
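A small analyzer for the beaconing indicators above, written as an added example for this page (it is not Zeek's own code or tooling). It reads Zeek http.log records in JSON output form, groups requests by source host and Host header, and scores how regular the gaps between requests are. The sample records, the field subset used, and the thresholds are constructed assumptions.

```python
import json
import statistics
from collections import defaultdict

# Constructed Zeek http.log records (JSON output form, keys as Zeek writes them);
# not real captures. 10.1.2.3 polls 203.0.113.7 every 60 s with near-constant
# body sizes, while 10.1.2.9 browses www.example.com at irregular times.
SAMPLE_HTTP_LOG = "\n".join(json.dumps(r) for r in
    [{"ts": 1700000000 + 60 * i, "id.orig_h": "10.1.2.3", "host": "203.0.113.7",
      "method": "POST", "request_body_len": 142 + i % 2} for i in range(8)]
    + [{"ts": 1700000000 + t, "id.orig_h": "10.1.2.9", "host": "www.example.com",
        "method": "GET", "request_body_len": s}
       for t, s in [(5, 80), (40, 900), (41, 30), (300, 1500), (310, 55),
                    (2000, 70), (2050, 300), (2100, 10)]])

def parse_http_log(text):
    """Parse JSON-formatted http.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def beacon_candidates(records, min_hits=6, max_cv=0.2):
    """Group requests by (source host, Host header) and score timing regularity.

    jitter_cv is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive requests; near 0 means a fixed period with little
    jitter. min_hits and max_cv are assumed thresholds, tune them per environment.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["host"])].append(
            (float(r["ts"]), int(r.get("request_body_len", 0))))
    findings = []
    for (src, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        sizes = [size for _, size in hits]
        findings.append({
            "src": src, "host": host, "hits": len(hits),
            "period_s": round(mean_gap, 1), "jitter_cv": round(cv, 3),
            "body_len_spread": max(sizes) - min(sizes),
            "beacon_like": cv <= max_cv,
        })
    return findings
```

Pairs flagged beacon_like still need the validation step below: update agents and monitoring probes poll on fixed timers too, so check the destination against known software before escalating.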

Executable Downloads

  • Responses with executable MIME types
  • PE headers in response content (Zeek reports such bodies as application/x-dosexec in resp_mime_types)
  • Downloads from unusual ports or paths
  • Executable downloads initiated by scripts

DNS Hunting Techniques

High Entropy Domain Names

Domain generation algorithms (DGAs) create random-looking names:

  • Calculate entropy of queried domain names
  • Flag domains with high character randomness
  • Look for patterns in the randomness (length, character set)
  • Compare against known DGA families

DNS Tunneling Indicators

  • Very long subdomain strings (encoded data)
  • High volume of queries to same parent domain
  • TXT record queries with encoded responses
  • Unusual query types (NULL, PRIVATE) from workstations
  • Large response sizes for DNS
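An added example (not part of the page's or Zeek's tooling) that covers both the high-entropy domain check above and the tunneling indicators in this list: it computes Shannon entropy per registrable label and tracks long subdomains and TXT queries per client and parent domain from JSON-format dns.log records. The sample log, the two-label domain split, and the thresholds are constructed assumptions.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed Zeek dns.log records in JSON output form (not real captures):
# 10.1.2.3 resolves two DGA-looking names, 10.1.2.5 sends repeated long TXT
# subdomains to one parent domain, the rest is ordinary traffic.
SAMPLE_DNS_LOG = "\n".join(
    json.dumps({"id.orig_h": src, "query": q, "qtype_name": qt}) for src, q, qt in
    [("10.1.2.3", "www.example.com", "A"), ("10.1.2.3", "xk3jf9q2zv7ywb1n.net", "A"),
     ("10.1.2.3", "q8m1pzr4vtd0sxa7.net", "A"), ("10.1.2.4", "mail.example.com", "MX")]
    + [("10.1.2.5", ("a1b2c3d4e5f6" * 5)[:52] + ".tunnel.example.org", "TXT")] * 3)

def parse_dns_log(text):
    """Parse JSON-formatted dns.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(query):
    """Return (subdomain, registrable label, parent domain) for a query name.
    Assumes a two-label registrable domain (example.com); real deployments should
    use a public-suffix list so that names like example.co.uk split correctly."""
    labels = query.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    return ".".join(labels[:-2]), label, ".".join(labels[-2:])

def dns_findings(records, min_entropy=3.5, min_label_len=10, max_sub_len=40, min_queries=3):
    """Flag DGA-like registrable labels (long and high-entropy) and (client, parent
    domain) pairs that look like tunneling: repeated queries carrying long subdomains.
    The thresholds are assumed starting points, not established cut-offs."""
    dga = []
    groups = defaultdict(lambda: {"queries": 0, "long_subdomains": 0, "txt": 0})
    for r in records:
        sub, label, parent = split_name(r["query"])
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= min_entropy:
            dga.append((r["id.orig_h"], r["query"], round(ent, 2)))
        g = groups[(r["id.orig_h"], parent)]
        g["queries"] += 1
        g["long_subdomains"] += int(len(sub) > max_sub_len)
        g["txt"] += int(r.get("qtype_name") == "TXT")
    tunnel = [(key, stats) for key, stats in groups.items()
              if stats["queries"] >= min_queries and stats["long_subdomains"] > 0]
    return dga, tunnel
```

CDN and cloud hostnames also produce long, hash-like labels, so feed the flagged names through the newly-observed-domain and allowlist checks below before treating them as DGA or tunneling hits.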

Newly Observed Domains

  • Compare queries against historical baseline
  • Flag domains never queried before in environment
  • Correlate with threat intel for new IOCs
  • Check registration date for recently created domains

NXDOMAIN Patterns

  • High rate of failed queries from single host may indicate DGA malware
  • Clusters of NXDOMAIN to similar domains suggest domain enumeration
  • Sinkholed domains returning NXDOMAIN after takedown

Query Type Anomalies

  • TXT queries from hosts that should not make them
  • MX queries from non-mail servers
  • ANY queries often used in amplification or recon
  • Queries to known malicious DNS servers

Example Queries

Rare User Agents (Splunk SPL)

index=zeek sourcetype=zeek_http
| stats count by user_agent
| where count < 10
| sort count

High Entropy DNS Queries (Elastic)

Entropy is not a built-in query function, so compute it with a script (for example a runtime field or an ingest pipeline script) and filter on the result. Alternatively, look for very long query names. KQL cannot compare string lengths, so the filter below is written in ES|QL (the index pattern is an assumption; adjust it to your deployment):

FROM logs-zeek.dns*
| WHERE LENGTH(dns.question.name) > 50 AND NOT ENDS_WITH(dns.question.name, ".local")

Large POST Requests to External (SPL)

index=zeek sourcetype=zeek_http method=POST
| where NOT cidrmatch("10.0.0.0/8", id_resp_h)
| where request_body_len > 10000
| table _time id_orig_h host uri request_body_len

Validation and False Positives

  • Software update services generate legitimate beacon-like traffic
  • CDNs and cloud services create high volume DNS queries
  • Security tools may have unusual user agents
  • Validate findings against asset inventory and authorized software
  • Check with application owners before escalating

Escalation Guidance

Escalate when you observe:

  • Confirmed C2 beaconing patterns with threat intel correlation
  • DNS queries to known malicious domains
  • Large data uploads to unexpected destinations
  • Executable downloads followed by suspicious process execution
  • DNS tunneling with data exfiltration indicators

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.