====== Articles ======

Articles about network security monitoring, traffic analytics, setting up measurement, techniques for scaling, threat hunting tips, etc.

===== Hardware and Data Acquisition =====

[[articles:proxmox_span|Configuring Port Mirror on Proxmox VE 5.1 for Network Security Monitoring applications]]

[[hardware:erspan|Configuring ERSPAN for packet capture into Network Security Monitoring tools]]

==== Netflow tunneling ====

Tunneling Netflow to a remote Trisul requires preserving the original IP address of the exporting switch/router. We describe three methods to achieve this: NAT, GRE, and Shim tunnels.

[[hardware:gatewaynetflow|Using NAT on the gateway to send Netflow to a remote Trisul]]

[[hardware:gretunnel|Using a GRE Tunnel to send Netflow to a remote Trisul]]

[[hardware:shimtunnel|Using a Shim Tunnel to send Netflow to a remote Trisul]]

[[hardware:shimtunnelintro|Use a Shim Tunnel when you can't use GRE or NAT]]

==== High availability and Disaster Recovery ====

Trisul can be set up in a High Availability (HA) or a Disaster Recovery (D-R) configuration. This section contains articles related to that.

[[ha:keepalived|Configure HA using keepalived]]

===== Docker =====

[[docker:intro|Using the new TrisulNSM Docker all-in-one NSM image]]

[[docker:rhel74|Installing Docker and TrisulNSM on RHEL 7.4 - step by step instructions]]

[[docker:ubuntu16|Installing Docker and TrisulNSM on Ubuntu 16.04 - step by step instructions]]

[[docker:ubuntumalware|Malware PCAP analysis using TrisulNSM Docker on an Ubuntu 16.04 host]]

[[docker:pcap_analysis|How to analyze large pcaps for free using the TrisulNSM Docker image]]

===== NSM and Packet Analytics Concepts =====

[[articles:livevspcap|Difference between live capture and reading PCAP dumps in NSM tooling]]

[[articles:memcached|Memcached attack on UDP port]]

[[articles:segmentsmack|Proof of concept script to detect SegmentSmack]]

===== Scripting =====

[[scripting:introbro|Introduction to Trisul Scripting for Bro IDS users]]

===== TLS Fingerprinting =====

[[app:tlsfingerprint|TLS Fingerprinting to identify encrypted clients]]

[[app:auto_fingerprint|Automatically resolve unknown TLS Fingerprints using Graph Analytics]]

[[script:x509_ext_c2|Trisul LUA script techniques to detect and dump C2 in X.509 extensions]]

===== Intrusion Detection =====

[[ids:snort|Connecting Trisul to Snort with Emerging Threats rules]]

[[ids:snort3|Connecting Trisul to Snort3]]

===== Offline analysis with the WRCCDC PCAP dump =====

In this three part series, we explain techniques and show how to analyze the [[https://archive.wrccdc.org/|2018 WRCCDC PCAP]] dump using TrisulNSM. We appreciate the kind folks at WRCCDC for making this publicly accessible.

[[offline:wrccdc_pcaps|Part 1: Strategy to analyze large PCAP dumps without getting overwhelmed]]

[[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker image to process the PCAPs]]

[[offline:wrccdc_pcaps_results|Part 3: Screenshots and videos showing some of the results and techniques]]

===== Netflow analytics =====

[[netflow:silk|Using the SiLK importer Trisul APP to analyze Netflow]]

===== Netflow Configuration =====

[[netflow:junipermx|Sample Netflow configuration for Juniper MX series routers]]

[[netflow:asr|Sample Netflow configuration for Cisco ASR]]

[[netflow:junipersrx|Sample Netflow configuration for Juniper SRX]]

===== Syslog Configuration =====

[[netflow:natsyslog|Sample NAT syslog for Mikrotik]]

===== Administration Tips =====

[[admin:debuggingcrash|Debugging crashes and other problems on the probe]]

[[monit:monitoring_and_maintain_trisul_process|How to use Monit to keep an eye on Trisul processes and restart them if necessary]]

[[admin:ha|Primary and backup configuration]]

[[admin:udpserver|Check if UDP packets are received]]

[[admin:vlantags|VLAN tags not visible in RXRING and AF_PACKET mode]]

[[admin:Keepalived|Trisul HA using keepalived]]

===== SNMP =====

[[articles:portvlanid|Mapping port names to VLAN ID]]

===== External links =====

[[Get google api key: Get Google API Key]]

[[Other links: external_links]]

[[https://docs.tenable.com/nnm/deployment/Content/VM/Hyper-VInternal.htm|How to mirror traffic from an external port to a VM in Hyper-V (Tenable)]]

===== Application =====

[[admin:restart_webtrisul_cron|How to restart webtrisuld via cron]]

===== Security and Hardening =====

[[admin:disableweaksshkeyexchange|How to disable weak Key Exchange algorithms for ssh]]

===== Mount CIFS and NFS with uid, gid option only =====

A common technique is to mount the archive area onto an NFS or a CIFS share. One gotcha is that you need to pass the uid and gid of the trisul.trisul user while mounting the CIFS share. Otherwise the archiver will not be able to access the share.

First, look up the numeric user and group IDs of the trisul user on the probe:

<code bash>
# get the user and group ID of trisul.trisul
id -u trisul
id -g trisul
</code>

Then use the uid= and gid= options in the /etc/fstab entry so that files on the share are owned by that user and group (the IDs 995 and 997 below are the values returned by the id commands above; substitute your own):

<code>
# /etc/fstab entry: uid= and gid= must match the output of "id -u trisul" and "id -g trisul"
# note: a password in /etc/fstab is world-readable; mount.cifs also accepts credentials=/path/to/file (mode 0600) instead
//192.168.1.181/windowsShare1TrisulData /home/TrisDataArchive/ cifs username=Bob,password=mypassword,uid=995,gid=997,file_mode=0770,dir_mode=0770,noperm 0 0
</code>

===== LDAP =====

[[admin:ldapserach|LDAP Search]]

===== Tuning Flow Indexes =====

How to tune flow indexes to optimize disk size based on requirements.

[[tips:flowindextuning|Tuning Flow Database]]