====== Malware PCAP analysis using TrisulNSM docker on Ubuntu 16.04 Host ======

You have all heard of the great malware PCAPs made public by [[http://malware-traffic-analysis.net/index.html|Malware Traffic Analysis.NET]]. Here is a short recipe that explains how you can use the TrisulNSM Docker image to set up an analysis platform.

**Host : Ubuntu 16.04 LTS on Amazon**

===== Start : Install Docker CE =====

First install Docker and start it. The ''docker.io'' package from the Ubuntu repository is used below; Docker CE installed from Docker's own repository works the same way.

  sudo apt update
  sudo apt install docker.io
  sudo systemctl start docker

===== Run the TrisulNSM Docker Image =====

Next run the **trisulnsm/trisul6** image available on [[https://hub.docker.com/r/trisulnsm/trisul6/|DockerHub]]. Notice that we are not starting a live capture, because we intend to read the PCAPs. The host directory ''/opt/trisul6_root'' is bind-mounted into the container as ''/trisulroot'', so files you place there are visible inside the container.

  sudo docker run --name=trisul1a --net=host \
      -v /opt/trisul6_root:/trisulroot \
      -d trisulnsm/trisul6

===== Login and install a few apps =====

Point your browser to port '':3000'' on the host, log in as admin/admin and select Manage -> Apps. Because the container runs with ''--net=host'', the web UI listens on the host's own interfaces: restrict port 3000 in the instance's security group and change the default admin password before loading any traffic.

Install the following apps:

  - TLS Fingerprinter
  - Save Binaries
  - SNI TLS Metrics

Now you have the platform ready to process the PCAPs.

===== Processing PCAPS =====
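The three setup steps above (install Docker, start the container, wait for the UI) and the hand-off to PCAP processing, collected into one script. This is an added example, not part of the original recipe or of the TrisulNSM project: it reuses the image name, container name and bind-mount path from the page, assumes ''curl'' and ''od'' are available on the host, and adds a magic-number check so that only real pcap/pcapng files (not a still-zipped Malware Traffic Analysis download) are copied into the mounted directory. The ''pcaps'' subdirectory under the bind mount is an assumption of this script, not a location TrisulNSM requires.

```shell
#!/bin/sh
# Added example (not from the page or the TrisulNSM project): bring up the
# analysis container from this recipe and stage PCAPs into its bind mount.
# Assumes an Ubuntu host with sudo, curl and od, and the names used on the page.
set -eu

TRISUL_ROOT=/opt/trisul6_root     # host dir, bind-mounted as /trisulroot
CONTAINER=trisul1a
IMAGE=trisulnsm/trisul6

# Step 1 of the recipe: docker.io from the Ubuntu repository, started at boot.
install_docker() {
    sudo apt update
    sudo apt install -y docker.io
    sudo systemctl enable --now docker
}

# Step 2: start the container exactly as on the page (no live capture).
start_trisul() {
    sudo mkdir -p "$TRISUL_ROOT"
    sudo docker run --name="$CONTAINER" --net=host \
        -v "$TRISUL_ROOT":/trisulroot \
        -d "$IMAGE"
}

# Step 3: block until the web UI answers on port 3000 (login is admin/admin).
wait_for_ui() {
    i=0
    while [ "$i" -lt 60 ]; do
        if curl -fsS -o /dev/null http://127.0.0.1:3000/; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "web UI did not come up on :3000" >&2
    return 1
}

# Classify a file by its first four bytes: classic pcap (either byte order,
# microsecond or nanosecond timestamps) or pcapng. Anything else is rejected,
# which catches the common mistake of staging the MTA zip instead of its contents.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo unknown; return 1 ;;
    esac
}

# Copy validated captures into the bind mount; inside the container they show
# up under /trisulroot/pcaps (the subdirectory name is this script's choice).
stage_pcaps() {
    dest="$TRISUL_ROOT/pcaps"
    sudo mkdir -p "$dest"
    for f in "$@"; do
        kind=$(pcap_kind "$f") || { echo "skip $f: not a pcap" >&2; continue; }
        echo "staging $f ($kind)"
        sudo cp "$f" "$dest/"
    done
}

# Usage: TRISUL_SETUP=1 ./setup.sh /path/to/extracted/*.pcap
if [ "${TRISUL_SETUP:-}" = 1 ]; then
    install_docker
    start_trisul
    wait_for_ui
    stage_pcaps "$@"
fi
```

The ''Save Binaries'' app writes files carved out of the traffic back into the container's data directory, so after running this against malware captures treat ''/opt/trisul6_root'' on the host as containing live samples.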