Lesson 3 of 7·13 min read·Includes quiz

Protocol Analysis: HTTP, TLS & SMB

Normal vs suspicious traffic patterns, User-Agents, JA3 fingerprints, SMB lateral movement indicators

What You'll Learn

  • Distinguish normal from suspicious HTTP traffic by analyzing User-Agents, URIs, and response codes
  • Understand TLS/SSL handshakes and what metadata remains visible to NIDS (SNI, JA3/JA3S fingerprints, certificates)
  • Identify SMB lateral movement indicators in network traffic
  • Read Suricata's protocol logs (http, tls, smb event types in eve.json)
  • Apply protocol analysis to classify alerts as true or false positives

Why Protocol Analysis Matters

Signature-based rules catch known-bad patterns — a specific exploit payload, a blacklisted IP, a malicious file hash. But what about threats that don't match any signature? What about the attacker who uses a legitimate tool with default settings, or the malware that communicates over standard HTTPS?

This is where protocol analysis becomes essential. Instead of asking "does this match a known-bad pattern?", you're asking "does this behavior look normal for this protocol?"

In Lessons 3.1 and 3.2, you learned how Suricata monitors traffic and fires alerts when rules match. Now we go deeper. Rules tell you something happened. Protocol analysis tells you what it means. A rule fires on a suspicious User-Agent — but is it really suspicious? A TLS connection goes to an unusual domain — but is the certificate legitimate? An SMB session opens between two workstations — but should those machines be talking?

A skilled analyst reads protocol headers the way a detective reads body language. The words might say one thing, but the posture, timing, and context reveal the truth.

HTTP Protocol Analysis — Normal vs Suspicious indicators

HTTP — The Most Analyzed Protocol

HTTP is the most common protocol on any network and the most frequently abused. Web applications, APIs, file downloads, C2 communications, data exfiltration — all of it can ride on HTTP. Because HTTP headers are transmitted in cleartext (or visible before TLS encryption in the case of HTTPS), they provide a wealth of metadata for analysis.

User-Agent Analysis

The User-Agent header identifies the client software making the request. Legitimate browsers announce themselves with long, specific strings. Attack tools often use distinctive or lazy User-Agents.

User-AgentVerdictWhy
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36NormalStandard Chrome browser string
python-requests/2.28.1SuspiciousPython scripting library — not a human browsing
sqlmap/1.5#stableMaliciousSQL injection tool self-identifies
Mozilla/4.0 (compatible; MSIE 6.0)SuspiciousIE6 hasn't been common since 2010 — often used by malware for compatibility
curl/7.88.1Context-dependentLegitimate for APIs, suspicious hitting login pages
(empty)SuspiciousMost legitimate clients send a User-Agent

Attackers Can Fake User-Agents. A sophisticated attacker will spoof a legitimate Chrome User-Agent to blend in. But many tools use their default User-Agent, and even spoofed agents often have subtle inconsistencies — a Chrome User-Agent from a Linux server that never runs browsers, or a mobile Safari agent connecting to an admin API endpoint. Context is what makes User-Agent analysis powerful.

URI Analysis

The URI (path and query string) reveals what the client is requesting. Normal URIs follow predictable patterns. Attack URIs contain payloads, probing patterns, or access to files that shouldn't exist.

URI PatternVerdictWhat It Indicates
/index.html, /api/users, /images/logo.pngNormalStandard web resources
/login?id=1' OR '1'='1MaliciousSQL injection attempt in query parameter
/uploads/cmd.php?cmd=whoamiMaliciousWeb shell command execution
/../../etc/passwdMaliciousPath traversal — attempting to read system files
/wp-admin/, /phpmyadmin/SuspiciousProbing for admin panels (common in automated scans)
/api/v2/internal/configSuspiciousAccessing internal endpoints — may indicate insider or compromised creds

HTTP Methods

Standard web traffic is overwhelmingly GET and POST. Unusual methods to unexpected paths warrant investigation.

MethodNormal UseSuspicious When
GETRetrieving pages, images, API dataRarely suspicious on its own
POSTForm submissions, API writesTo unexpected paths (e.g., /uploads/shell.php)
PUTRESTful API updatesTo web roots or upload directories — possible file upload attack
DELETERESTful API deletesTo critical paths — data destruction attempt
OPTIONSCORS preflightExcessive OPTIONS to many paths — recon

Response Code Analysis

The response code tells you whether the server fulfilled the request. A 200 OK to a web shell path is far more alarming than a 404.

ScenarioResponseSeverity
SQL injection attempt → 404Not FoundLow — attack failed, path doesn't exist
SQL injection attempt → 500Server ErrorMedium — server choked on the payload, suggesting the parameter is processed
SQL injection attempt → 200OKHigh — server returned content, injection may have succeeded
Web shell access → 200OKCritical — the shell exists and is responding
Admin panel → 401/403Unauthorized/ForbiddenLow-Medium — access denied, but the path exists

In the Operation Wire Tap lab scenario, you will see HTTP alerts triggered by sqlmap User-Agent scans against the web server and web shell command execution at /uploads/cmd.php. Pay attention to the response codes — the 200 responses to the web shell confirm it was successfully deployed and actively used by the attacker.

TLS — What You Can Still See Through Encryption

A common misconception is that HTTPS makes traffic invisible to network monitoring. Encryption protects the payload — the actual data being exchanged. But the TLS handshake that establishes encryption happens in cleartext, leaking valuable metadata.

The TLS Handshake (Simplified)

  1. Client Hello — Client announces supported cipher suites, extensions, and the target domain (SNI)
  2. Server Hello — Server selects cipher suite and sends its certificate
  3. Key Exchange — Both sides agree on encryption keys
  4. Encrypted Session — All subsequent data is encrypted

Steps 1 and 2 happen in cleartext. This is where NIDS extracts metadata.

TLS Handshake — What NIDS can and cannot see

SNI — Server Name Indication

SNI is part of the Client Hello message. It tells the server which domain the client wants to connect to (necessary because multiple domains can share one IP via virtual hosting). NIDS sees this and logs it.

Why it matters: Even though the payload is encrypted, you can see that a workstation connected to update.malware-c2.com. The domain name alone can be an IOC.

JA3 / JA3S Fingerprints

JA3 is a method of fingerprinting TLS clients by hashing specific parameters from the Client Hello message: TLS version, cipher suites, extensions, elliptic curves, and EC point formats. JA3S does the same for the Server Hello.

The result is an MD5 hash that is unique to the application, not the network or user. The same application produces the same JA3 hash regardless of what domain it connects to or what IP it uses.

Why it matters for detection:

ToolJA3 HashNote
Chrome 120cd08e31494f9531f560d64c695473da9Consistent across all Chrome 120 users
Cobalt Strike Beacon72a589da586844d7f0818ce684948eeaKnown C2 framework fingerprint
Metasploit Meterpreter5d65ea3fb1d4aa7d826733d2f2cbf7dfKnown pentest framework fingerprint
Python requestsb32309a26951912be7dba376398abc3bScripting library — not a browser
💡

JA3 fingerprints are becoming a critical detection method. A C2 tool might change its domain daily, rotate IP addresses hourly, and use encrypted payloads — but its JA3 hash stays the same because the TLS implementation doesn't change. It's like a fingerprint for the software itself. Threat intelligence feeds now include JA3 hashes alongside traditional IOCs.

Certificate Analysis

Suricata logs certificate details from the Server Hello: issuer, subject, validity period, and whether the certificate is self-signed. Suspicious indicators include:

  • Self-signed certificates on public-facing connections (legitimate for internal services, suspicious for external)
  • Recently issued certificates (< 7 days) on newly registered domains — common with phishing and C2
  • Mismatched subject/SNI — certificate says *.legit-company.com but SNI is malware-c2.evil
  • Unusual issuers — free CAs like Let's Encrypt are legitimate but also heavily used by attackers for short-lived C2 domains

What NIDS Cannot See

After the handshake completes and the session is encrypted:

  • HTTP request/response bodies (form data, file uploads, API payloads)
  • Specific URLs and paths (only the domain from SNI is visible)
  • Cookies and authentication tokens
  • Any application-layer data

This is why endpoint monitoring (Wazuh agent, EDR) complements network monitoring — the endpoint sees the decrypted data that the network sensor cannot.

SMB — Lateral Movement on the Wire

SMB (Server Message Block) is the Windows file sharing protocol. It's used for file access, printer sharing, remote administration, and Group Policy delivery. Because SMB is fundamental to Windows networks, it's always present — which makes it perfect cover for lateral movement.

Normal vs Suspicious SMB Traffic

PatternNormalSuspicious
Source → DestinationWorkstation → File serverWorkstation → Workstation
Shares accessedNamed shares (\server\share)Admin shares (C$, ADMIN$, IPC$)
TimingBusiness hours, consistent patternsOff-hours, first-time connections
CommandsFile read/write, directory listingService creation, named pipe access
VolumeSteady, predictableSudden spike from a single source

Attack Patterns Over SMB

PsExec-style execution: Creates a service on the target via the ADMIN$ or C$ share, uploads an executable, starts the service remotely. Suricata sees: SMB TREE_CONNECT to ADMIN$ or C$, followed by CREATE (file upload), followed by IOCTL (service start).

Pass-the-Hash / Pass-the-Ticket: Attacker uses stolen credentials to authenticate to SMB without knowing the plaintext password. The SMB session looks legitimate from a protocol perspective — detection relies on behavioral analysis (unusual source, unusual time, unusual share access pattern).

Lateral file copy: Attacker copies tools or exfiltrates data through SMB file shares. Large file transfers between workstations that don't normally communicate are a strong indicator.

SMB lateral movement is one of the hardest things to detect because it uses legitimate Windows protocols. The same SMB connection that's normal when IT admin connects to a server becomes malicious when it originates from a compromised workstation at 3 AM targeting the domain controller's C$ share. Context is everything — source, destination, share name, timing, and whether the connection pattern has ever been seen before.

Reading Suricata Protocol Logs

Suricata's eve.json output contains far more than just alerts. It logs protocol-level metadata for every connection it processes, creating a rich dataset for investigation.

Event Types Beyond Alerts

Event TypeWhat It ContainsInvestigation Value
alertRule matches with signature, severity, categoryPrimary detection — what rules flagged
httpFull HTTP request/response metadata: method, URI, User-Agent, status code, content-typeReconstruct web activity, identify web shells, analyze attack payloads
tlsSNI, JA3/JA3S hashes, certificate details (issuer, subject, validity)Identify C2 by fingerprint, detect self-signed certs, find suspicious domains
dnsQuery name, type (A, AAAA, TXT, MX), response code, answerDetect tunneling, DGA, suspicious domains (covered in Lesson 3.4)
smbCommands, share names, filenames, user accountsTrack lateral movement, file access, remote execution
flowConnection metadata: src/dst IP, ports, duration, bytes transferred, packet countIdentify long-duration C2 beacons, large data transfers, port scanning

How Protocol Logs Support Alert Investigation

When a Suricata alert fires, the alert record alone tells you what rule matched. The protocol logs tell you everything else about that connection:

  1. Alert: "ET TROJAN Possible Metasploit Payload" on 10.0.1.50 → 203.0.113.66
  2. TLS log: SNI = update.legit-looking.com, JA3 = 5d65ea3fb1d4aa7d826733d2f2cbf7df (known Metasploit hash)
  3. DNS log: update.legit-looking.com resolved to 203.0.113.66, queried 30 seconds before the connection
  4. Flow log: Connection duration 3600 seconds (1 hour), 50KB transferred — consistent with a C2 beacon

Each protocol log adds a layer of evidence. Together, they build a complete picture of the activity surrounding the alert.

💡

In EveBox, you can filter by event type (event_type:http, event_type:tls, event_type:dns) to see protocol logs alongside alerts. When investigating an alert, search for the same source/destination IP pair across all event types to reconstruct the full connection timeline. This cross-protocol correlation is one of the most powerful investigation techniques available to a network analyst.

Key Takeaways

  • HTTP analysis examines User-Agents, URIs, methods, and response codes — a 200 response to a web shell path is critical, while a 404 to the same path means the attack failed
  • TLS encryption protects payload data but the handshake leaks metadata: SNI reveals the target domain, JA3 fingerprints identify the client application, and certificate details reveal the server's identity
  • JA3 fingerprints hash TLS Client Hello parameters into a unique application identifier — C2 tools have known JA3 hashes that persist even when domains and IPs rotate
  • SMB lateral movement uses legitimate Windows protocols (file shares, admin shares, service creation), making behavioral context (source, destination, timing, share name) essential for detection
  • Suricata logs protocol-level metadata (http, tls, dns, smb, flow event types) beyond just alerts — these logs provide the context needed to investigate and classify alerts
  • Protocol analysis transforms alert triage from "rule matched" to "here's what the connection was actually doing" — this is the difference between an L1 analyst and an L2 investigator
  • Cross-protocol correlation (combining alert + TLS + DNS + flow data for the same connection) builds the most complete picture of suspicious activity

What's Next

You've learned how Suricata monitors traffic (Lesson 3.1), how rules detect specific threats (Lesson 3.2), and now how to analyze the protocols themselves to understand what's really happening on the wire. But there's one protocol we haven't covered in depth — the one that nearly every attack touches at some point.

In Lesson 3.4 — DNS as a Weapon, you'll learn why DNS is a goldmine for both attackers and defenders. DNS tunneling, Domain Generation Algorithms, suspicious TLDs, and the visibility challenge posed by DNS over HTTPS. If network traffic is the circulatory system, DNS is the nervous system — and reading it reveals the attacker's intent.

Knowledge Check: Protocol Analysis

10 questions · 70% to pass

1

A Suricata alert fires on a request to /uploads/cmd.php?cmd=whoami with a 200 OK response. What does the 200 status code tell you about the severity of this event?

2

What is SNI (Server Name Indication) and why is it valuable for NIDS monitoring?

3

A C2 tool changes its domain to a new address every day and rotates IP addresses hourly. What detection method remains effective despite these evasion techniques?

4

An analyst sees SMB connections from a workstation (10.0.1.50) to another workstation (10.0.1.55) accessing the C$ admin share at 2:30 AM. Why is this suspicious?

5

What information does Suricata's 'flow' event type provide, and how does it help with C2 detection?

6

Why is a User-Agent string of 'sqlmap/1.5#stable' considered strong evidence of malicious activity rather than just suspicious?

7

After a TLS handshake completes, which of the following is still visible to NIDS?

8

In the Operation Wire Tap scenario, you observe HTTP alerts with a 'sqlmap/1.5#stable' User-Agent targeting the web server followed by requests to /uploads/cmd.php with 200 responses. What attack sequence does this indicate?

9

In the Operation Wire Tap lab, a TLS connection from the compromised web server (10.0.1.50) to the C2 IP (203.0.113.66) shows a known Cobalt Strike JA3 hash. Why is the JA3 evidence significant even though the connection payload is encrypted?

10

In the Operation Wire Tap lab, you see SMB connections from the compromised web server (10.0.1.50) to an internal Windows server (WIN-SERVER-01) accessing the ADMIN$ share. Given what you know about the attack timeline — SQL injection, web shell, C2 beacon — what does this SMB activity most likely represent?

0/10 answered

PreviousNext