How To Analyze Network Traffic For Suspicious Activities – ITU Online IT Training

How To Analyze Network Traffic For Suspicious Activities

Ready to start learning? Individual Plans →Team Plans →

When a workstation suddenly starts calling the same outside host every 60 seconds, or a server begins talking to systems it has never touched before, you need more than a firewall log to make sense of it. Network traffic analysis is the process of inspecting communication patterns to spot anomalies, suspicious connections, and signs of compromise before the damage spreads. It sits at the center of cybersecurity monitoring, intrusion detection, and threat hunting, and it is one of the fastest ways to turn raw network data into a defensible investigation.

Featured Product

CompTIA Security+ Certification Course (SY0-701)

Discover essential cybersecurity skills and prepare confidently for the Security+ exam by mastering key concepts and practical applications.

Get this course on Udemy at the lowest price →

Quick Answer

Network traffic analysis is the practice of reviewing network communications to identify suspicious activity, unusual patterns, and indicators of compromise. The best results come from baselining normal behavior, checking packet captures and flow records, and correlating DNS, HTTP, TLS, and endpoint data. Used well, it supports early detection, incident response, and faster containment.

Quick Procedure

  1. Identify the alert source, affected host, and timestamp.
  2. Compare the traffic to a known-good baseline.
  3. Review DNS, flow, packet, and proxy evidence.
  4. Check whether the destination, port, and protocol are expected.
  5. Look for beaconing, exfiltration, lateral movement, or scans.
  6. Correlate with endpoint, identity, and change-management records.
  7. Document findings and escalate if confidence is high.
Primary GoalDetect suspicious network behavior before it becomes a larger incident
Core Data SourcesPacket captures, NetFlow/IPFIX/sFlow, DNS logs, proxy logs, and endpoint telemetry
Common ThreatsBeaconing, exfiltration, reconnaissance, lateral movement, and command-and-control traffic
Key ToolsWireshark, tcpdump, Zeek, Suricata, Snort, and SIEM platforms
Best Use CaseFinding anomalies in traffic that are normal for the network but abnormal for the environment
Security+ AlignmentDirectly supports the CompTIA® Security+™ SY0-701 course focus on monitoring and analysis

For readers preparing for the CompTIA® Security+™ Certification Course (SY0-701), this topic maps directly to the kind of practical analysis the exam expects: reading logs, spotting patterns, and understanding what evidence matters. It is also where many candidates get stuck, because suspicious traffic rarely looks dramatic at first. Most of the time, it looks slightly off.

What Is Network Traffic Analysis and Why Does It Matter?

Network traffic analysis is the inspection of traffic metadata and content to identify patterns that indicate normal operations, misuse, or active compromise. It matters because attackers rarely announce themselves; they blend into routine communication, then use that access to move laterally, steal data, or maintain command-and-control channels. The U.S. Bureau of Labor Statistics tracks strong demand for information security work, and that demand reflects how central monitoring has become to day-to-day defense; see the BLS Information Security Analysts profile.

There is an important distinction between network visibility, threat detection, and incident response. Visibility tells you what is moving across the wire. Detection tells you which patterns deserve attention. Incident response uses that evidence to contain and recover after a confirmed event. If those roles get mixed together, teams either overreact to every odd packet or miss the attack because nobody owned the analysis.

Good traffic analysis does not start with malware signatures. It starts with knowing what your environment looks like when nothing is wrong.

That is why network traffic analysis is a core skill in modern computing security and one of the practical topics covered in the CompTIA Security+ course path. You need the workflow, the vocabulary, and the discipline to ask the right questions fast. This is not about staring at packets until something “looks bad.” It is about comparing evidence to a baseline and following the trail where it leads.

For technical grounding, the NIST SP 800-61 incident handling guide is a useful reference for how monitoring feeds into triage and response. NIST’s framework is a reminder that analysis is only valuable when it supports action.

Understanding What “Normal” Network Traffic Looks Like

Baseline is the established pattern of normal traffic for a host, user group, application, or network segment. Without a baseline, every anomaly looks suspicious and every attack can hide in plain sight. A laptop that pulls updates from Microsoft at 2 a.m. may be normal for a maintenance window but highly unusual for a finance user on a weekday morning.

Good baselines break behavior down by time of day, device type, department, and application. Engineering systems often generate stable client-server chatter to Git, CI/CD, or monitoring platforms. Workstations usually make routine DNS lookups, visit a predictable set of SaaS endpoints, and maintain fairly stable bandwidth usage. When a help desk laptop begins talking to a database subnet, that is worth attention.

  • Regular DNS queries for internal services, vendor domains, and common SaaS platforms.
  • Predictable client-server sessions such as browser-to-web, workstation-to-authentication, or app-to-database flows.
  • Stable bandwidth patterns except during backups, software updates, or patch windows.
  • Role-based communication that fits the user’s job function and device purpose.

Seasonality matters. Software rollouts, cloud migrations, remote work shifts, and backup jobs can make a healthy network look noisy. That is why suspicious traffic is usually abnormal relative to the environment, not inherently “bad” on its own. A burst of traffic after a patch cycle may be expected; the same pattern from a user workstation at midnight, talking to an unapproved cloud host, is a different story.

Note

A baseline is only useful if it is updated. Old baselines become useless after new apps, new subnets, remote access changes, or business process shifts.

The CIS Controls emphasize continuous asset and data monitoring for a reason: defenders need current context before they can tell noise from threat. That same principle applies whether you are doing network traffic analysis, intrusion detection, or hands-on threat hunting.

What Suspicious Network Traffic Should You Watch For?

Suspicious traffic is communication that does not fit normal business behavior and may indicate malware, abuse, or unauthorized activity. The warning signs differ by attack type, but the logic stays the same: ask whether the traffic is expected, whether it is repeated, and whether it matches the asset’s role. This is where networking a top down approach helps, because you can start with business context and drill into the packet level only when needed.

Malware Communication and Beaconing

Malware often phones home in short, repetitive intervals. That pattern is called beaconing, and it may look like a host making small outbound connections every 30, 60, or 120 seconds to the same destination. The traffic volume is tiny, but the regularity is the clue. Repeated short connections to unusual external IPs, especially after login or at system startup, deserve a closer look.

Exfiltration and Unusual Outbound Transfers

Exfiltration is unauthorized data leaving the environment. Large outbound transfers, off-hours spikes, and traffic to cloud storage or unknown hosts are common indicators. A finance machine suddenly pushing gigabytes to an unrecognized cloud endpoint is not a “performance issue.” It may be compressed archives, stolen files, or staged content moving out in chunks.

Lateral Movement and Internal Scanning

Lateral movement happens when an attacker pivots from one compromised system to another. Signs include unusual internal scanning, connections between systems that never normally interact, and repeated authentication attempts across multiple internal hosts. If a printer starts probing workstation ports or a user laptop starts talking to administrative services, that is a strong signal that something is off.

Reconnaissance and Probing

Reconnaissance traffic often shows up as port scans, DNS probing, or repeated failed connection attempts. These activities may come from outside the perimeter, but they can also come from inside the network after an initial foothold. The point is not to panic over every failed connection. The point is to notice when failures are broad, automated, and aligned with discovery behavior.

For attacker technique mapping, the MITRE ATT&CK knowledge base is a solid reference for beaconing, scanning, credential access, and lateral movement patterns. That context helps separate generic network noise from behaviors that fit known adversary tradecraft.

What Are the Key Indicators of Compromise in Network Logs?

Indicators of compromise are observable signs that a system or network may have been breached. In network logs, they often show up before endpoint tools fire an obvious alert. The challenge is that each indicator is weak on its own. The value comes from clustering them into a consistent story.

Start with destination intelligence. Unusual destination IPs, geolocations, or autonomous systems that do not match business operations are important clues. If your organization has no reason to communicate with a hosting provider in a region where you have no staff, vendors, or customers, that destination deserves scrutiny. The same is true when traffic starts moving through infrastructure that has no business relationship to your environment.

  • Newly registered or rarely seen domains used by a host that normally visits only established services.
  • Random-looking subdomains that may indicate DNS tunneling or generated traffic.
  • Typosquatting domains that resemble legitimate brands but differ by one character or extra word.
  • Uncommon ports and protocols that do not fit the application or business function.
  • Repeating intervals that suggest scheduled beaconing or automated scripts.

Cloud security and domain reputation data can help here, but context still matters. A suspicious-looking domain from a contractor laptop may be a legitimate SaaS endpoint if it was just added through change management. The same domain from a domain controller is a very different problem. A careful analyst does not ask only “Is it bad?” The better question is “Does this make sense for this host, at this time, in this environment?”

For DNS reputation, active threats, and internet-scale abuse patterns, the Cloudflare DNS learning resources and vendor documentation can help explain how domain resolution and naming patterns work. Pair that with your internal logs, because outside intelligence is never a substitute for local evidence.

How Do Packet Captures Help Investigate Suspicious Traffic?

Packet capture is the recording of network packets so they can be examined in detail later. It shows more than logs because it preserves headers, payload clues, session timing, retransmissions, and protocol behavior. If a flow record tells you a conversation happened, a packet capture shows how it happened.

Tools like Wireshark and tcpdump are still the fastest way to inspect suspicious traffic at the packet level. In Wireshark, you can filter by IP address, port, protocol, or conversation. In tcpdump, a simple filter like tcpdump -i eth0 host 10.10.10.25 and port 443 narrows the capture quickly. If you need DNS-only evidence, udp port 53 is a common start. If you need to isolate one server, filtering by IP is often the cleanest move.

Packet inspection helps you review handshakes, DNS queries, TLS certificates, and HTTP headers for anomalies. A TLS session that presents a certificate chain that does not match the claimed service, or an HTTP request with a strange user agent and odd URI paths, is useful evidence. When content is encrypted, metadata becomes even more important. Timing, session length, SNI values, and destination consistency often reveal what the payload hides.

  • Check SYN/SYN-ACK patterns for abnormal retries or connection failures.
  • Review DNS question names for randomness, excessive length, or encoded data.
  • Inspect TLS certificates for issuer mismatch, validity problems, or unusual SAN entries.
  • Look at HTTP headers for impossible user agents or automated request patterns.

Evidence handling matters. Preserve original packet files when possible, document acquisition time, and minimize packet loss during collection. The Wireshark documentation and tcpdump project are the best starting points for tool-specific capture and decode behavior. If the evidence could support an incident response case, treat it that way from the first capture.

How Do Flow Data and NetFlow Records Help?

Flow data summarizes network conversations rather than storing full packets. It tells you who talked to whom, when the conversation started, how long it lasted, and how much data moved. That makes it efficient for large environments where full packet capture on every link would be too expensive or too noisy.

NetFlow, IPFIX, and sFlow support scalable monitoring across enterprise networks, data centers, and cloud-connected environments. These records are ideal for spotting bandwidth spikes, internal scanning, rare communication pairs, and unusual talkers. If a single workstation suddenly becomes one of the top outbound data senders in the company, flow data usually flags it quickly.

Flow Data Benefit Shows communication patterns at scale without storing every packet
Flow Data Limitation Does not show payload content or deep protocol detail

That limitation matters. Flow records can tell you that traffic occurred, but not always what was inside it. You may know a host sent 900 MB to a cloud provider at 1:14 a.m., but not whether that data was a backup, a file sync, or exfiltration. Analysts should use flow records as the first lens, then move to packets, DNS, proxy, or endpoint data when needed.

For standards and export formats, the IETF RFC 7011 for IPFIX is a useful technical reference. It explains the structure behind flow export and why consistent metadata matters for detection at scale.

Why Is DNS Analysis So Good for Hidden Threats?

DNS analysis is one of the best ways to detect suspicious behavior because nearly every networked device needs name resolution. Malware also relies on DNS to find command-and-control infrastructure, rotate destinations, and hide in normal-looking queries. If you ignore DNS, you miss one of the quietest and most useful channels on the network.

Look for excessive NXDOMAIN responses, algorithmically generated domains, and high query volumes from a single host. A legitimate client usually resolves stable hostnames. A compromised host may hammer random subdomains, query non-existent names repeatedly, or generate long, encoded-looking requests that do not match any ordinary application.

  • Long subdomains that appear encoded or patterned rather than human-readable.
  • Unusual query types such as TXT abuse or odd record types that do not fit the application.
  • DNS tunneling indicators like high entropy names and repetitive request structures.
  • Mismatch between DNS and endpoint behavior when the host resolves a domain but never uses the resulting connection normally.

Correlate DNS logs with endpoint and proxy data. If a host resolves a domain, then immediately opens a remote TLS session to the resulting IP, that is expected. If it resolves dozens of suspicious domains but never shows normal application behavior, that is much more concerning. This kind of analysis is basic but powerful, and it is one reason threat hunters lean so heavily on name-resolution telemetry.

The Google Public DNS documentation and CIS Benchmarks guidance are useful references when you need to understand DNS behavior and hardening practices. For defenders, the question is not “Did DNS work?” but “Did DNS work in a way that makes sense?”

What HTTP, HTTPS, and TLS Red Flags Matter Most?

HTTP and HTTPS traffic often reveal suspicious behavior even when the payload is hidden or partially encrypted. Unusual user agents, odd request paths, rare POST activity, and repeated hits to a narrow set of URLs can all point to automation or malware. A browser normally looks human. Malware usually does not.

HTTPS adds an extra layer, but it does not make detection impossible. TLS analysis can expose mismatched certificates, uncommon cipher suites, strange session reuse, and suspicious SNI values. If the certificate claims to belong to one service but the destination, hostname, and proxy reputation do not line up, you have a real lead. Encrypted malware traffic often stays hidden in content, but the metadata still leaks pattern and intent.

Web proxy logs are valuable here because they pair URL, user, host, and certificate information in one place. If a host that never normally uses a cloud storage service suddenly starts POSTing large objects to an obscure domain, that is a red flag. If the same host uses a known browser profile, a normal user agent, and a business-approved SaaS endpoint, the evidence may point the other way.

Encryption hides content, not behavior. Analysts who understand timing, destinations, and certificate details can still identify suspicious web traffic.

For protocol behavior, the IETF RFC repository is the authoritative reference for HTTP and TLS standards, while the OWASP guidance helps explain how web abuse and application-layer threats surface in logs. That combination is useful when you need to separate a normal browser session from something much more dangerous.

Which Tools and Platforms Should You Use for Network Traffic Analysis?

The best tool is the one that fits the question you are trying to answer. Wireshark and tcpdump are best for deep inspection and troubleshooting. Zeek, Suricata, and Snort are better for protocol logging, detection logic, and alerting at scale. A SIEM is where the network evidence becomes operationally useful because it can correlate traffic with identity, endpoint, and asset data.

Packet Analyzers

Wireshark is the first stop when you need to inspect sessions visually. tcpdump is lightweight and ideal for acquisition, especially on Linux systems and remote hosts where you want to save a capture file quickly. Use them when you need the raw truth of the conversation.

Detection Engines and Monitoring Sensors

Zeek is excellent for protocol-level metadata and scripting detections based on behavior. Suricata and Snort are stronger when you need signature-based alerting and IDS-style controls. They are especially useful when you want a network detection and response layer that can tell you not only that traffic exists, but whether it matches known malicious patterns.

Enterprise Correlation and Visualization

SIEM and log platforms are where anomalies become investigations. They make it easier to line up a suspicious DNS query, a proxy request, an authentication log, and a suspicious endpoint event in one timeline. Traffic visualization tools and packet broker solutions help in larger networks where visibility gaps are the enemy.

  • Wireshark for interactive packet analysis.
  • tcpdump for fast command-line capture.
  • Zeek for rich protocol logs and scriptable analysis.
  • Suricata and Snort for detection and alerting.
  • SIEM for correlation across the security stack.

Official documentation matters here. Start with the Zeek project, Suricata, and Snort. For network engineering context, Cisco® documentation on monitoring and SPAN-style visibility can help explain how the traffic gets to the tool in the first place. If the sensor cannot see the right segment, the rest of the workflow falls apart.

How Do You Investigate Suspicious Traffic Step by Step?

The best investigations follow the same sequence every time. A repeatable workflow reduces guesswork, shortens triage time, and makes the result easier to defend. The first step is to identify the source host, destination, timestamp, and the rule or anomaly that triggered the alert. Without those four pieces, you do not have an investigation yet. You have a vague worry.

  1. Start with alert triage. Capture the source, destination, time window, and trigger details. If the alert came from a SIEM or IDS, note the exact rule name and the associated event ID. This tells you whether you are looking at signature-based detection, anomaly-based detection, or a human-reported concern.
  2. Collect supporting evidence. Pull DNS logs, proxy logs, flow records, packet captures, endpoint telemetry, and authentication records. A connection to a suspicious host is more actionable if the same host also triggered a login failure, a privilege escalation event, or an unusual file write.
  3. Test whether the traffic makes sense. Ask whether the destination is expected, whether the timing matches normal business activity, and whether the protocol fits the application. A backup server moving data overnight may be fine. A finance laptop sending large encrypted payloads to a rare foreign host probably is not.
  4. Compare against context. Review asset inventory, change-management records, user role, and known service dependencies. Many benign anomalies are explainable only when you know what changed recently. Software deployment, cloud onboarding, and remote access changes can all reshape traffic patterns overnight.
  5. Escalate, document, and contain if needed. If the evidence points to malware, exfiltration, or lateral movement, preserve the findings and initiate the appropriate response. Documentation should include what was observed, what was ruled out, and why the final decision was made.

Warning

Do not let one data source overrule the rest. A single clean endpoint log does not clear suspicious network behavior, and a single bad DNS lookup does not prove compromise.

The CISA incident response guidance is useful for aligning triage with containment and recovery steps. Good traffic analysis produces decisions, not just observations.

How Do You Separate Benign Anomalies From Real Threats?

False positives are normal-looking alerts that are not actually malicious. They are part of every mature monitoring program. Software updates, backup systems, vulnerability scanners, and cloud services often create the same kinds of spikes or odd destinations that attackers do. The difference is context, repetition, and correlation.

Asset criticality matters. A weird connection from a lab workstation is not the same as the same connection from a domain controller or payment server. User role matters too. A developer may routinely hit package repositories and container registries that would be strange for an HR user. Location and working hours matter as well. An endpoint that normally sleeps all night should not suddenly start talking to multiple external systems during the first hour of the morning.

  • Check change-management records before labeling traffic malicious.
  • Review asset inventory to confirm what the host is supposed to do.
  • Look for persistence over time rather than one-off spikes.
  • Correlate across sources such as endpoint, identity, and proxy logs.

Repeated anomalies are more concerning than one-off events. A scheduled scanner may explain a port sweep once, but not every night from the same host to the same segment. An approved cloud backup may explain outbound transfer volume, but not a hidden encrypted tunnel to a new domain. Analysts should trust patterns more than isolated data points.

For formal risk and control context, the ISACA COBIT framework is a strong reference for governance, control objectives, and decision-making around monitoring. It reinforces a simple point: context turns telemetry into evidence.

What Are the Best Practices for Ongoing Detection and Prevention?

Ongoing detection works when it is treated like a process, not a one-time project. Start by tuning baselines continuously. If the network changes and the alert logic does not, analysts will drown in noise. Network monitoring should evolve with cloud services, remote access patterns, mergers, and new application rollouts.

Network segmentation also matters. Limiting unnecessary east-west traffic reduces the blast radius of compromise and makes abnormal movement easier to spot. If systems do not need to talk to each other, do not let them. Tight outbound controls help too, because exfiltration becomes much harder when endpoints can only reach approved destinations.

Logging is the other half of the equation. Enable DNS logging, collect flow data centrally, and capture full packets where feasible and practical. Not every environment can store everything forever, but every environment can do better than blind spots. Pair telemetry with response playbooks so analysts know what to do when they find beaconing, scans, or exfiltration indicators.

  1. Review alerts weekly or monthly and retire rules that create constant false positives.
  2. Run threat hunting exercises focused on unusual DNS, TLS, and east-west movement.
  3. Train analysts on common protocols so they can spot bad patterns quickly.
  4. Test incident response playbooks using realistic traffic-based scenarios.
  5. Document known-good services so baseline comparisons stay useful.

The NIST Cybersecurity Framework is a useful reference for aligning monitoring, detection, and response activities. If you want better outcomes, make traffic analysis part of routine operations, not just post-incident cleanup.

Key Takeaway

  • Suspicious traffic is usually abnormal for the environment, not just obviously malicious.
  • Baselines, DNS logs, flow records, and packet captures work best when they are correlated together.
  • Beaconing, exfiltration, lateral movement, and reconnaissance leave distinct network patterns.
  • Context from asset inventories and change management is essential for separating false positives from real threats.
  • Repeatable workflows make network traffic analysis faster, more accurate, and easier to defend.
Featured Product

CompTIA Security+ Certification Course (SY0-701)

Discover essential cybersecurity skills and prepare confidently for the Security+ exam by mastering key concepts and practical applications.

Get this course on Udemy at the lowest price →

Conclusion

Network traffic analysis is one of the most practical ways to catch malware, exfiltration, reconnaissance, and lateral movement before they become full-blown incidents. The method works because it focuses on behavior, not just signatures. If you know what normal looks like, suspicious activity stands out faster.

The real strength of the process is correlation. DNS, flow data, packet captures, proxy logs, endpoint telemetry, and authentication records each tell part of the story. Used together, they show whether an event is a harmless anomaly or a real compromise. That is the difference between guessing and investigating.

If you are building your skills for the CompTIA Security+ Certification Course (SY0-701), make this workflow routine: triage, collect, compare, correlate, and document. Then keep tuning your baselines and improving your monitoring coverage. The teams that win here are the ones that practice before the incident starts.

CompTIA® and Security+™ are trademarks of CompTIA, Inc.

[ FAQ ]

Frequently Asked Questions.

What is network traffic analysis and why is it important in cybersecurity?

Network traffic analysis involves monitoring and inspecting data packets transmitted across a network to identify unusual or malicious activity. This process helps security teams understand normal communication patterns and detect deviations that could indicate threats.

By analyzing network traffic, organizations can identify signs of intrusion, data exfiltration, or malware communication early. This proactive approach is essential because it allows for swift response before attackers cause significant harm or data loss. Overall, network traffic analysis is a cornerstone of effective cybersecurity defense and threat detection.

What are common signs of suspicious network activity?

Signs of suspicious activity include unusual outbound connections, repeated communication with unknown external hosts, or unexpected data transfers. For example, a workstation calling the same outside host every 60 seconds may indicate command-and-control activity or data exfiltration attempts.

Other indicators include unexpected port scans, traffic to regions not typical for your organization, or increased bandwidth usage without apparent reason. Recognizing these patterns requires continuous monitoring and understanding of normal network behavior, enabling security teams to act quickly when anomalies are detected.

What tools or techniques are used for effective network traffic analysis?

Effective network traffic analysis employs tools like intrusion detection systems (IDS), network analyzers, and flow-based monitoring solutions. These tools capture, inspect, and analyze traffic patterns to identify anomalies and potential threats.

Techniques include deep packet inspection (DPI), which examines the contents of data packets, and flow analysis, which looks at metadata such as source/destination IPs and ports. Combining these methods with threat intelligence feeds enhances the ability to detect sophisticated attacks and suspicious activities in real time.

How can organizations differentiate between normal and malicious network traffic?

Organizations differentiate traffic by establishing baseline behaviors for their network, including typical communication patterns and volume. Continuous monitoring helps identify deviations from these baselines that may indicate malicious activity.

Additionally, correlating network data with other security alerts and employing signature-based detection methods can improve accuracy. Advanced analytics and machine learning models are increasingly used to identify subtle anomalies, reducing false positives and ensuring security teams focus on genuine threats.

What are common misconceptions about network traffic analysis?

One common misconception is that network traffic analysis can only detect known threats using signature-based methods. In reality, it also involves anomaly detection techniques capable of identifying unknown or zero-day attacks.

Another misconception is that network analysis is only useful for large organizations. However, even small to medium-sized businesses benefit from basic traffic monitoring to identify suspicious activity and improve overall security posture. Proper implementation of network traffic analysis tools enhances proactive threat detection across all organizational sizes.

Related Articles

Ready to start learning? Individual Plans →Team Plans →
Discover More, Learn More
Analyzing Network Traffic With Suricata: Tips for Security Analysts Learn how to analyze network traffic effectively with Suricata to enhance security… Deep Dive Into AI-Enhanced Network Traffic Analysis: Detecting Hidden Threats Discover how AI-enhanced network traffic analysis helps identify hidden threats within normal… How To Use Wireshark To Capture And Analyze Network Traffic Effectively Learn how to use Wireshark to capture and analyze network traffic effectively,… Understanding Ingress in Blockchain Network Traffic Learn how ingress impacts blockchain network traffic and why managing inbound data… How To Analyze A Network With Free Packet Sniffing Tools Discover how to analyze network traffic using free packet sniffing tools to… Planning For Network Capacity: Traffic Analysis And Forecasting Learn how to analyze network traffic and forecast capacity needs to optimize…
FREE COURSE OFFERS