Now that the MVP is set up I'm trying to get in my "analyst reps". I've been out of the IT game a few years and I need to knock the rust off and learn the basics of what I think a SOC Analyst 1 would do.
Had to work from a cafe today and I thought this is a perfect moment to make sure my traffic is encrypted. I ran a tcpdump on the cafe's WiFi while generating live SSH traffic to the lab.
What an eavesdropper on the same network would see:
- All UDP - no TCP, no port 22
- Port pair 41641 ↔ 33170 - WireGuard on both ends
- No readable content in any packet
One finding worth noting: mid-capture the lab server sent from port 1028 alongside 33170. Same endpoints, same encrypted UDP - Tailscale path discovery probing for a lower-latency route. Expected behavior, but the kind of thing you want to recognize rather than flag as an anomaly.
Tunnel verified. Analyst rep 1 cleared for today.
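To turn the checks above into something repeatable, here is an added example (not part of the original post) that parses tcpdump one-line summaries and reports what an eavesdropper could infer: whether any TCP or port 22 showed up, how many packets match WireGuard's fixed message sizes (148-byte handshake initiation, 92-byte response, 16-byte-aligned transport data), and which host is sending from more than one port to the same peer, the pattern behind the port 1028 observation. The sample lines, the 10.0.0.5 laptop / 203.0.113.10 lab server roles and the timestamps are constructed assumptions, not the author's capture.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output (assumed: 10.0.0.5 = laptop, 203.0.113.10 = lab).
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.41641 > 203.0.113.10.33170: UDP, length 148
12:00:01.050000 IP 203.0.113.10.33170 > 10.0.0.5.41641: UDP, length 92
12:00:01.100000 IP 10.0.0.5.41641 > 203.0.113.10.33170: UDP, length 96
12:00:01.150000 IP 203.0.113.10.33170 > 10.0.0.5.41641: UDP, length 112
12:00:05.000000 IP 203.0.113.10.1028 > 10.0.0.5.41641: UDP, length 48
12:00:05.020000 IP 10.0.0.5.41641 > 203.0.113.10.1028: UDP, length 48
"""

# Matches "ts IP a.b.c.d.port > e.f.g.h.port: UDP, length N" or a TCP "Flags [...]" line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>UDP|Flags)(?:, length (?P<length>\d+))?"
)

def wireguard_hint(udp_len):
    """Classify a UDP payload length against WireGuard's fixed message sizes."""
    if udp_len == 148:
        return "handshake-init"
    if udp_len == 92:
        return "handshake-resp"
    if udp_len >= 32 and udp_len % 16 == 0:
        return "transport"  # 16-byte header + payload padded to 16 + 16-byte auth tag
    return "not-wireguard-sized"

def analyze(capture_text):
    """Summarise what the tcpdump lines reveal without any payload decryption."""
    ports_by_host, peers_by_host = defaultdict(set), defaultdict(set)
    r = {"packets": 0, "tcp_seen": False, "ssh_port_seen": False, "wg_like": 0, "other": 0}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r["packets"] += 1
        sport, dport = int(m["sport"]), int(m["dport"])
        r["tcp_seen"] |= m["proto"] == "Flags"
        r["ssh_port_seen"] |= 22 in (sport, dport)
        if m["length"] and wireguard_hint(int(m["length"])) != "not-wireguard-sized":
            r["wg_like"] += 1
        else:
            r["other"] += 1
        ports_by_host[m["src"]].add(sport)
        peers_by_host[m["src"]].add(m["dst"])
    # One host, several source ports, still a single peer: looks like Tailscale
    # path discovery rather than a new conversation partner.
    r["multi_port_hosts"] = {h: sorted(p) for h, p in ports_by_host.items()
                             if len(p) > 1 and len(peers_by_host[h]) == 1}
    return r
```

Feed it `sudo tcpdump -nn -l udp or tcp` output piped through a file and the multi-port entry is the same-endpoint probe the post describes, while any `tcp_seen` or `ssh_port_seen` hit means the tunnel is not carrying the session.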