Table of Contents

Malware PCAP analysis using TrisulNSM docker on Ubuntu 16.04 Host

You've all heard of the great Malware PCAPs made public by Malware Traffic Analysis.NET Here is a short recipe that explains how you can use the TrisulNSM Docker Image to setup an analysis platform.

Host : Ubuntu 16.04 LTS on Amazon

Start : Install Docker CE

First install docker and start it

sudo apt update sudo apt install docker.io sudo systemctl start docker

Run the TrisulNSM Docker Image

Next Run the trisulnsm/trisul6 image available on DockerHub - Notice that we are not starting a live capture, because we intend to read the PCAPs

sudo docker run –name=trisul1a –net=host \

  1. v /opt/trisul6_root:/trisulroot \
    1. d trisulnsm/trisul6

Login and install a few apps

Point your browser to <ip>:3000 then login as admin/admin and select Manage → Apps

Install the following Apps:

- TLS Fingerprinter - Save Binaries - SNI TLS Metrics

Now you have the platform ready to process the PCAPs.

Processing PCAPS