offline:wrccdc_pcaps_results

offline:wrccdc_pcaps_results [2018/05/12 23:50] – [Drilldown techniques] veeraoffline:wrccdc_pcaps_results [2018/05/12 23:58] – [File Extraction] veera
Line 73: Line 73:
 Once you have a fairly solid baseline you can go back and decide which paths you want to follow to drilldown further. You might be interested in first checking out the critical IDS alerts, or tracking down flows. This section introduces you to the tools you will use for the drilldowns.  Once you have a fairly solid baseline you can go back and decide which paths you want to follow to drilldown further. You might be interested in first checking out the critical IDS alerts, or tracking down flows. This section introduces you to the tools you will use for the drilldowns. 
 ==== Explore flows ==== ==== Explore flows ====
 +
 +Most of the times you want to first drop down to the flow level. This can be accessed by "Explore Flows" or by clicking on the menu items within the context of whatever you are doing. Most of the screens such as alerts, metrics, etc  have a "Explore Flows" option.  TrisulNSM stores all flows and reports with blazing speed, even when there are hundreds of millions of them.  
  
 [{{ :offline:w23-scan.png?400 |Jump to flows , query flows}}] [{{ :offline:w23-scan.png?400 |Jump to flows , query flows}}]
  
 ==== Trisul EDGE: Graph analytics discover relationships ==== ==== Trisul EDGE: Graph analytics discover relationships ====
 +
 +We recently added Graph Analytics to Trisul. This solves a common question that analysts ask from any "key" - "what is related to this". For example you can be looking at the country metrics for Kenya and ask "What are the hosts, apps, external hosts, TLS" connected to this country.  In search based solutions, this is typically by enriching the logs (an expensive operation).  ALL metrics in Trisul are enabled with this feature.  This is right now our preferred place to start drilldowns. 
  
 [{{ :offline:w20.png?400 |Click on any key to reveal neighbors, then finally jump to flows }}] [{{ :offline:w20.png?400 |Click on any key to reveal neighbors, then finally jump to flows }}]
  
 ==== File Extraction ==== ==== File Extraction ====
-  
  
-[{{ :offline:w14.png?direct&400 | Check if any EXE/ZIP etc were downloaded}}]+Trisul has the ability using the "Save Binaries" LUA Plugin to extract potentially malicious binaries of any sizeThis is also a good place to look and see if it is worth drilling down. Here we found 47 such files. Many of them were *.CAB from windows update, but we found 10 EXE files as well. 
  
 +[{{ :offline:w14.png?direct&400 | Check if any EXE/ZIP etc were downloaded}}]
  
-==== Drilldown to Packets ====+The extracted files are stored by the app in ''/tmp/savedfiles'' We use the actual filename as part of the extracted content, so you can track it easily.  If you want to explore further, you can submit it to VirusTotal or YARA. 
    
- 
-[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}] 
- 
- 
-==== File extraction ==== 
  
 <code> <code>
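Review bot: the added File Extraction paragraph has a missing sentence break at "binaries of any sizeThis is also a good place"; make it "binaries of any size. This is also a good place", and "windows update" should read "Windows Update". The following added line also needs a full stop after the path: "stored by the app in ''/tmp/savedfiles''. We use the actual filename". Since that line says the filename seen in the capture is reused for the file written under /tmp/savedfiles, the page should state how that name is sanitised before it becomes part of an on-disk path, and should remind readers that everything saved there is untrusted content to be hashed, scanned with YARA or submitted to VirusTotal (as the text already suggests), not opened or executed on the analysis host.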
Line 105: Line 104:
 </code> </code>
  
 +
 +
 +
 +==== Drilldown to Packets ====
 + 
 +
 +[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}]
  
  
  
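Review bot: the moved "Drilldown to Packets" section is preceded by three added empty lines (the three bare "+" lines between the closing </code> and the heading); one blank line after </code> is enough in DokuWiki and keeps the spacing consistent with the other sections above. The heading, image and caption are otherwise carried over unchanged, so the relocation itself is fine.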
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera