offline:wrccdc_pcaps_results
Revisions compared: 2018/05/12 23:48 (section: Retro Analysis - view advanced counters) and 2018/05/13 00:08, current (section: Conclusion); both edits by veera.
===== Drilldown techniques =====

Once you have a fairly solid baseline, you can go back and decide which paths to follow for a deeper drilldown. You might start with the critical IDS alerts, or track down individual flows. This section introduces the tools you will use for those drilldowns.
==== Explore flows ====

Most of the time you will want to drop down to the flow level first. This can be accessed by "
[{{ :
==== Trisul EDGE: Graph analytics discover relationships ====

We recently added Graph Analytics to Trisul. It answers a common question that analysts ask of any "
[{{ :
==== File Extraction ====

Trisul can extract files from traffic using the "Save Binaries"
[{{ :
The extracted files are stored by the app in ''/
<
</
==== Drilldown to Packets ====

This is the end zone of most drilldowns and hunts: the packets are the ground truth. TrisulNSM can jump to packets from a number of places. We suggest you use the "Quick Packet Headers"

  - Quickly fetches only the first 100K of the PCAP
  - Shows the printable strings found in the PCAP in the first pane. This is a very useful trick; it sped up our triage roughly 10x in many cases.
  - Shows a hexdump in canonical format in the second pane
  - Shows each packet in TSHARK format in the third pane
  - You then decide whether to download the PCAP into Wireshark.

[{{ :
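The three-pane triage described above, as an added example that is not TrisulNSM's code: it reads only the first 100K of a classic libpcap file, pulls out the printable strings, renders a canonical hexdump, and produces a one-line per-packet summary in place of the TSHARK pane. The parser handles Ethernet/IPv4 with TCP or UDP only and rejects pcap-ng and nanosecond-timestamp captures; the sample capture (10.0.2.15 talking to 10.0.2.20, followed by a deliberately cut-off second record) is constructed inline. All of these are assumptions of the example, not details taken from the page.

```python
"""Quick PCAP triage over the first 100K only: strings, hexdump, packet summary.
Added example, not TrisulNSM code. Assumes classic libpcap (magic 0xa1b2c3d4,
either byte order), Ethernet/IPv4; the sample capture below is constructed."""
import string
import struct
import time

PREFIX_BYTES = 100 * 1024                      # "first 100K" as in the text
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    out, run = [], bytearray()
    for b in data + b"\x00":                   # sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Canonical hexdump lines: offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{ascii_part}|")
    return lines


def summarize_frame(frame: bytes, linktype: int) -> str:
    """tshark-style one-liner for Ethernet/IPv4 + TCP/UDP; other frames are
    reported by their raw type rather than silently dropped."""
    if linktype != 1 or len(frame) < 14:
        return f"linktype={linktype} len={len(frame)}"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return f"ethertype={ethertype:#06x} len={len(frame)}"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return f"{src}:{sport} -> {dst}:{dport} {'TCP' if proto == 6 else 'UDP'}"
    return f"{src} -> {dst} proto={proto}"


def parse_pcap(data: bytes) -> list[dict]:
    """Walk classic libpcap records; a record cut off by the end of the data is
    skipped, which is exactly what a 100K prefix fetch produces."""
    if len(data) < 24:
        raise ValueError("short pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError(f"not a classic pcap (magic {magic:#010x})")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            break                              # truncated record: stop here
        frame = data[off + 16:off + 16 + caplen]
        pkts.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "len": origlen,
                     "summary": summarize_frame(frame, linktype)})
        off += 16 + caplen
    return pkts


def triage(pcap_bytes: bytes, prefix: int = PREFIX_BYTES) -> dict:
    """The three panes, computed over the first `prefix` bytes only."""
    head = pcap_bytes[:prefix]
    return {"strings": extract_strings(head), "hexdump": hexdump(head),
            "packets": parse_pcap(head)}


def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP frame with an HTTP request,
    then a second record whose 60-byte body is cut short at 30 bytes."""
    eth = bytes.fromhex("000c29aabbcc 0050569900dd 0800")   # dst MAC, src MAC, IPv4
    payload = b"GET /index.html HTTP/1.1\r\nHost: 10.0.2.20\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                     0x4000, 64, 6, 0, bytes([10, 0, 2, 15]), bytes([10, 0, 2, 20]))
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec1 = struct.pack("<IIII", 1526166483, 250000, len(frame), len(frame)) + frame
    rec2 = struct.pack("<IIII", 1526166484, 0, 60, 60) + b"\x00" * 30
    return ghdr + rec1 + rec2


if __name__ == "__main__":
    result = triage(build_sample_pcap())
    print("strings:", result["strings"])
    print("\n".join(result["hexdump"][:3]))
    for p in result["packets"]:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(p["ts"])), p["summary"])
```

The cut-off trailing record is the case a 100K prefix creates in practice: the parser stops at the first record whose body runs past the bytes it has instead of reading garbage, so the summary pane stays trustworthy when you decide whether the full PCAP is worth pulling into Wireshark.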
+ | |||
+ | |||
===== Conclusion =====

Thank you so much for reading all the way to the end. We hope you find this free TrisulNSM Docker tool useful for monitoring PCAPs as well as live networks. The default [[https://

We also want to thank the great team at WRCCDC for releasing these PCAPs. We work with PCAP all the time and know what a tremendous effort it is to assemble them.

<
Thanks again to the folks in this tweet from @netresec.

Over 1 TB of #PCAP files from the @wrccdc #CDX have been released online thanks to @spiceywasabi and @disturbedmime. The WRCCDC dataset is now linked from our PCAP repository list.
</
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera