offline:wrccdc_pcaps_results – revision 2018/05/12 23:58 by veera (section edited: File Extraction), compared with revision 2018/05/12 23:55 by veera (section edited: Trisul EDGE: Graph analytics discover relationships)

==== File Extraction ====

Trisul can extract potentially malicious binaries of any size using the "Save Binaries" LUA plugin. The list of extracted files is also a good place to check whether a deeper drilldown is worthwhile. Here we found 47 such files. Many of them were *.CAB files from Windows Update, but we found 10 EXE files as well.

[{{ :offline:w14.png?direct&400 | Check if any EXE/ZIP etc were downloaded}}]

The extracted files are stored by the app in ''/tmp/savedfiles''. The original filename is kept as part of the saved file, so you can track it easily. If you want to explore further, you can submit a file to VirusTotal or scan it with YARA.

<code>
</code>
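
Triage of the extracted files, as an added example in Python (not part of Trisul or of the original page): it walks the extraction directory, labels each file by its leading magic bytes, hashes it with SHA-256 so the hash can be looked up on VirusTotal without uploading the file, and lists everything that is not a Windows Update CAB as a candidate for closer inspection. The magic-byte table, the assumption that ''/tmp/savedfiles'' is a flat directory of files, and the sample files produced by ''build_demo_dir()'' are assumptions and constructed demo input, not real extractions.

```python
"""Triage binaries extracted by Trisul's "Save Binaries" plugin.

Added example, not Trisul's own code. Assumes a flat directory of
extracted files (default /tmp/savedfiles, as stated on the page) and
uses an assumed magic-byte table for the types seen in the exercise.
"""
import hashlib
import os
import tempfile
from collections import Counter

SAVED_DIR = "/tmp/savedfiles"   # default location stated on the page

# Leading magic bytes for the file types seen in the exercise (assumed table).
MAGIC = [
    (b"MZ", "exe"),          # PE executable (EXE/DLL)
    (b"MSCF", "cab"),        # Microsoft Cabinet, typical of Windows Update
    (b"PK\x03\x04", "zip"),  # ZIP archive
]


def classify(data: bytes) -> str:
    """Return a short type label based on the file's leading bytes."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "other"


def triage_file(path: str) -> dict:
    """Hash (SHA-256) and classify one extracted file, streaming large files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        head = f.read(8)
        h.update(head)
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"name": os.path.basename(path), "type": classify(head),
            "size": os.path.getsize(path), "sha256": h.hexdigest()}


def triage_dir(directory: str = SAVED_DIR) -> list:
    """Triage every regular file in the extraction directory, sorted by name."""
    records = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.isfile(p):
            records.append(triage_file(p))
    return records


def summarize(records: list) -> dict:
    """Count files per type: the quick 'any EXE/ZIP among the CABs?' check."""
    return dict(Counter(r["type"] for r in records))


def interesting(records: list) -> list:
    """Files worth a closer look: everything that is not a CAB."""
    return [r for r in records if r["type"] != "cab"]


def write_hash_list(records: list, out_path: str) -> int:
    """Write 'sha256  name' lines; hashes can be looked up on VirusTotal without uploading."""
    with open(out_path, "w") as f:
        for r in records:
            f.write(f"{r['sha256']}  {r['name']}\n")
    return len(records)


def build_demo_dir() -> str:
    """Create a temp directory of constructed sample files (demo input, not real extractions)."""
    d = tempfile.mkdtemp(prefix="savedfiles_demo_")
    samples = {
        "windows-update-1.cab": b"MSCF" + b"\x00" * 60,
        "windows-update-2.cab": b"MSCF" + b"\x00" * 60,
        "installer.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "tools.zip": b"PK\x03\x04" + b"\x00" * 60,
        "notes.txt": b"plain text, no magic",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()          # replace with SAVED_DIR on a real box
    recs = triage_dir(demo)
    print(summarize(recs))
    for r in interesting(recs):
        print(f"{r['type']:5} {r['size']:6} {r['sha256'][:16]}... {r['name']}")
    print("hashes written:", write_hash_list(recs, os.path.join(demo, "hashes.txt")))
```

Run it against the real directory by calling ''triage_dir()'' with no argument. The hash list is what you would check against VirusTotal first; only files whose hash is unknown there need to be uploaded or scanned locally with YARA, which keeps unreleased internal binaries from leaving the network.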
  

==== Drilldown to Packets ====

[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}]
  
  
  
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera