Network Security: Packet-Level Lockdown
Network ops wield Zeek (formerly Bro) scripts: a dns_request event handler (event dns_request(c: connection, ...)) can flag DNS tunneling (T1071). Snort triggers on malformed IP fragments with a rule such as alert ip any any -> $HOME_NET any (msg:"Frag Attack"; fragbits:M; sid:1000001; rev:1;). eBPF programs attached to kernel hooks (using helpers such as bpf_probe_write_user) police mmap calls, blunting T1562 (Impair Defenses) evasion. nftables enforces L3/L4 policy, for example table inet filter { chain input { type filter hook input priority 0; tcp flags syn,rst / syn,rst drop } }, which drops packets carrying the invalid SYN+RST combination. Consult identifies open sockets; paid builds add DPI-driven kill zones, thwarting pivots such as PsExec (T1021).
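As an added example (not code from this page, nor from Zeek, Snort or any other tool it names), here is a Python detector for the DNS-tunneling pattern (T1071) that the Zeek dns_request handler above is meant to flag. It reads constructed dns.log-style records and scores each client/domain pair on the number of unique subdomains, the longest label and the character entropy of the subdomain part; the sample log, the three-field layout and all thresholds are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed, illustrative dns.log-style records (ts, id.orig_h, query),
# tab-separated like Zeek's dns.log but reduced to the three fields used here.
# These are made-up samples, not captured traffic.
SAMPLE_DNS_LOG = """\
1700000000.101\t10.0.0.5\twww.example.com
1700000000.202\t10.0.0.5\tmail.example.com
1700000001.010\t10.0.0.9\t4a6f686e20446f65.c2-example.net
1700000001.120\t10.0.0.9\t53656e64207468652066696c65.c2-example.net
1700000001.230\t10.0.0.9\t2a1f9c0d3e8b7a6f5e4d3c2b1a0f9e8d.c2-example.net
1700000001.340\t10.0.0.9\t7f6e5d4c3b2a19080716253443526170.c2-example.net
1700000001.450\t10.0.0.9\t9e8d7c6b5a4f3e2d1c0b0a9f8e7d6c5b.c2-example.net
1700000002.000\t10.0.0.5\tcdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in freq.values())


def registered_domain(qname, depth=2):
    """Crude registrable-domain cut: keep the last `depth` labels (assumption;
    a real deployment would use the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def parse_dns_log(text):
    """Parse the reduced dns.log format into (ts, client, query) tuples."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, query = line.split("\t")
        records.append((float(ts), orig_h, query.lower()))
    return records


def detect_dns_tunneling(records, min_subdomains=4, entropy_threshold=3.5,
                         max_label_len=30):
    """Flag client/domain pairs whose subdomain traffic looks like a data channel.

    Thresholds are illustrative assumptions: tune them against your own baseline.
    """
    groups = defaultdict(list)
    for _ts, orig_h, q in records:
        groups[(orig_h, registered_domain(q))].append(q)

    alerts = []
    for (orig_h, domain), queries in groups.items():
        subdomains = set()
        for q in queries:
            if q.endswith("." + domain):
                subdomains.add(q[: -(len(domain) + 1)])
        # A tunnel needs many distinct subdomains to carry data; a few is normal.
        if len(subdomains) < min_subdomains:
            continue
        avg_entropy = sum(shannon_entropy(s.replace(".", ""))
                          for s in subdomains) / len(subdomains)
        longest_label = max(len(label) for s in subdomains
                            for label in s.split("."))
        reasons = []
        if avg_entropy >= entropy_threshold:
            reasons.append("high_entropy")
        if longest_label > max_label_len:
            reasons.append("long_label")
        if reasons:
            alerts.append({
                "client": orig_h,
                "domain": domain,
                "unique_subdomains": len(subdomains),
                "avg_entropy": round(avg_entropy, 2),
                "longest_label": longest_label,
                "reasons": reasons,
                "technique": "T1071",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_tunneling(parse_dns_log(SAMPLE_DNS_LOG)):
        print(alert)
```

On the constructed log the benign client 10.0.0.5 never reaches the minimum subdomain count, while 10.0.0.9 is flagged for its 32-character hex labels under c2-example.net; the entropy score is reported alongside so an analyst can see which heuristic fired.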

