Differences

This shows you the differences between two versions of the page.

--- docker:pcap_analysis [2018/02/26 17:57] – [Instructions : How to run the Docker image over PCAPs] veera
+++ docker:pcap_analysis [2018/03/02 17:27] (current) – [Instructions : How to run the Docker image over PCAPs] veera
@@ Line 1: / Line 1: @@
-====== How to analyze large PCAP dumps using the free TrisulNSM Docker ======
+====== How to analyze large PCAP files using TrisulNSM Docker ======
-Quite a few of us have large packet capture dumps, but we dont quite know what do to with them. Some of the things we do are
+While live traffic capture is the predominant mode of Network Security Monitoring, it is also crucial to be able to load packet capture (PCAP) dumps.  A couple of key requirements for the **PCAP import process**
-  * Wireshark : Just keep the PCAP dumps around, in case you need to you can carve small pieces of them and load them into Wireshark
+  - The results should be **as if** the analysis was done as a live traffic capture
-  * Argus or SiLK : Try to index them from a flow perspective. Argus or SiLK can do this.
+  - **Timestamps** must reflect the PCAP time and not the import time
-  * Bro : turn the PCAPs into bro logs, which record  flows, dns, files, http request, and a number of other things
+  - **Clock** - The import process should be clocked off the packet timestamps. This means that if a PCAP file contained 10 hours of traffic, the import process should not require 10 hours. This means a tcpreplay based rig , even if the timestamp issues are solved, will not be optimal for large timeframes.
-  * Suricata / Snort : Run an IDS ruleset over the PCAPs.
+  - **Encrichment and intel** feeds such as Geo-IP, Blacklists, Domain Databases, may  reflect current time, rather than PCAP time. This is for practical reasons.
-  * Security Onion : Play the PCAPs using TCP Replay and get all of the above.
+  - **Search vs Streaming** import PCAP is a bit harder for streaming pipelines like Trisul compared to Elastic Search backends. This is due to the possibility of the streaming window closing before all the events come in.
-  * Moloch : Index the packets for fast recall
-  * TrisulNSM : Traffic metrics tool at its core, but does flows, index packets, extracts metadata, and other NSM tasks
+===== Tools =====
-We just released a free [[https://github.com/trisulnsm/docker|Trisul Docker Image]] that lets you do these easily in both online and pcap-file modes. Here is the blog post [[https://www.trisul.org/blog/docker/post.html|"Announcing TrisulNSM Docker"]]
-===== How it works : Two pass analysis =====
-When you specify ''--pcap'' the Docker Image automatically runs  two passes over the PCAP file.
-  - **Pass 1 : Using Trisul**, we collect deep traffic metrics, reconstruct and analyze flows, extract metadata, index and store packets.  This goes to Layer 0 on the Trisul backend database.
-  - **Pass 2 : Using Suricata + Trisul**, we generate IDS alerts and convert those into metrics and graphs. Examples are vertices from a specific SIGID or Host.  Top-k for hosts that are in attacker role, etc. This goes to Layer 1
-The final result is a merger of Layer 0 + Layer 1.  You can pivot from alerts to flows to TLS certificates down to packets.
-The following picture is what it looks like.
-{{ :docker:2passdocker.png?direct |}}
+Here are some of the tools in the NSM ecosystem that generate various types of data that need to be orchestrated.
+  * **Argus or SiLK** : Try to index them from a flow perspective. Argus or SiLK can do this.
+  * **Bro** : turn the PCAPs into bro logs, which record  flows, dns, files, http request, and a number of other things
+  * **Suricata / Snort** : Run an IDS ruleset over the PCAPs.
+  * **Security Onion** : The NSM distro that packages everything you need. The latest version of Security Onion includes a script to automate this process.The backend storage and reporting is now Elastic Search.
+  * **Moloch** : Index raw packets for fast recall. Also stores into Elastic Search.
+  * **NTOP** : Traffic monitoring
+  * **Wireshark/NetworkMiner** : The ultimate destination for bit level protocol analysis.
+  * **TrisulNSM** : Traffic metrics at its core, but also  does flows, packet indexiing, metadata extraction, and other NSM functions. Trisul uses Stream Processing instead of Search as its backend. The free license allows you to import any number of PCAPs as long each PCAP isnt longer than 3 days.
+This article explains how the new [[https://github.com/trisulnsm/docker|Trisul Docker Image]] can help you analyze PCAPs offline.
 ===== Instructions : How to run the Docker image over PCAPs =====
-<note>
+Put the PCAP dump into the shared docker volume so that the container can read the PCAP.
-We are assuming here that you have a Linux system with Docker installed.
-</note>
-First you need to create a //root volume//, say ''/opt/trisul6_root'' that will map into the Docker instance. Then put the PCAP dump into the trisul root volume so that the docker image can read it.
 <code>
-mkdir /opt/trisul6_root
+mkdir /opt/trisulroot
-cp myhugeCapture.pcap /opt/trisul6_root
+cp myhugeCapture.pcap /opt/trisulroot
 </code>
+Run the trisul6 docker image on the PCAP
-Run the free trisul6 docker image on the PCAP like so
 <code bash>
 docker run --privileged=true \
    --name trisul1a \
-     --net=host  \
+    --net=host  \
-       -v /trisulroot:/trisulroot \
+      -v /opt/trisulroot:/trisulroot \
-         -d trisulnsm/trisul6 \
+       -d trisulnsm/trisul6 \
-           --pcap botnet-capture-20110810-neris.pcap \
+        --fine-resolution \
-              --fine-resolution
+         --pcap myhugeCapture.pcap
 </code>
-Now wait for the import to complete. Trisul is a streaming analytics platform, the time taken to complete the import is not proportional to the size of the PCAP, but to the duration of the PCAP. If your PCAP has two days traffic, then expect the import process to take up to 10-20 minutes.  This also depends on the speed of the hard drive.
+Now wait for the import to complete. The time taken to complete the import is not proportional to the size of the PCAP, but to the duration of the PCAP. If your PCAP has two days traffic, then expect the import process to take up to 10-20 minutes.
-To check on progress you can do, when the import completes you will get a message asking you to login !
+To check on progress , tail the log and wait for confirmation message!
 <code>
@@ Line 75: / Line 68: @@
 <code bash>
 docker run  --name trisul1a --net=host \
-   -v /opt/trisul6_root:/trisulroot \
+   -v /opt/trisulroot:/trisulroot \
      -d trisulnsm/trisul6 \
         --pcap BSidesDE2017_PvJCTF.pcap \
           --no-ids
 </code>
+==== Analysis ====
+Once loaded you need to point your browser to ip:3000 and select the newly created context for the run.
+{{:docker:contextselect.png?600|}}
+After you login here are some suggested steps
+  - Go to Retro Counters to get details metrics and toppers across 40+ counter groups
+  - Use the "PCAP Totals"  Trisul APP to get the drilldown dashboard shown below
+  - Tools > Explore to query flows.
+{{:docker:pcaptotals.png?600|}}
@@ Line 108: / Line 116: @@
 The docker image includes a [[https://trisul.org/free|Free License of Trisul]] that allows PCAPs of a maximum of 3 days. This should suffice for most people.
+===== How it works : Two pass analysis =====
+When you specify ''--pcap'' the Docker Image automatically runs  two passes over the PCAP file.
+  - **Pass 1 : Using Trisul**, we collect deep traffic metrics, reconstruct and analyze flows, extract metadata, index and store packets.  This goes to Layer 0 on the Trisul backend database.
+  - **Pass 2 : Using Suricata + Trisul**, we generate IDS alerts and convert those into metrics and graphs. Examples are vertices from a specific SIGID or Host.  Top-k for hosts that are in attacker role, etc. This goes to Layer 1
+The final result is a merger of Layer 0 + Layer 1.  You can pivot from alerts to flows to TLS certificates down to packets.
+The following picture is what it looks like.
+{{ :docker:2passdocker.png?direct |}}