Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 2 How to run TrisulNSM over the PCAP dump

In this article, we show you step by step instructions to run the free TrisulNSM Docker image over the PCAP dumps.

This is Part-2 of a 3 Part series

Instructions to run TrisulNSM over the PCAPs

Install Docker

First install Docker on your host platform. We recommend Ubuntu 16.04 or CentOS 7.4. Installation instructions are in the Docker section of the Articles page.

Download the PCAPs

First choose a root directory to be used as the shared Docker "root" volume. Let us say we select /opt/trisulroot5 as the base directory. You need to create a subdirectory inside it and put the PCAPs there.

Here we have downloaded the first 8 files into the directory /opt/trisulroot5/wrccdc. You can download as many as you want; just make sure you have enough disk space for the results.

root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/
total 3.8G
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap
-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap
-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap

Run the Docker image over the pcaps

The next step is to run the trisulnsm/trisul6 Docker image over the PCAPs that you have placed in the subdirectory. The first time you run this, Docker will download the image over the network, so make sure the machine has internet access.

sudo docker run --name=trisul1n \
  --privileged=true --net=host -v /opt/trisulroot5:/trisulroot \
  -d trisulnsm/trisul6 --enable-file-extraction \
  --webserver-port 4000 --websockets-port 4003 \
  --fine-resolution \
  --pcap wrccdc

A quick note on the command line options we're using. For a complete list of options see github/trisulnsm.

--name  We give the instance the name trisul1n, which makes it easier to manage the container later (for example with docker logs).
--privileged  Goes along with the --enable-file-extraction option, which is used to dump suspected malicious files transferred over the network.
--webserver-port 4000 / --websockets-port 4003  We are using these two ports for web access rather than the defaults (3000, 3003). Skip these flags if you're okay with 3000 and 3003. Also ensure the firewall allows these ports.
--fine-resolution  Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic, hence high-resolution timeseries is better for metrics.
--pcap  We use the name of the subdirectory, wrccdc. Recall that we put the PCAPs in the shared volume at /opt/trisulroot5/wrccdc; this name is relative to the base path, which is mounted as /trisulroot inside the container. Trisul will run over the PCAPs in this directory, then use Suricata to do a second pass over it and re-index the data in Trisul.

Wait for completion

Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command.

docker logs -f trisul1n

The rough time taken on our very modest system was around 40 seconds per file. When the processing finishes you will see something like this:

Finished elapsed : 328 seconds

==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc =====
==== 1. login to the Web Trisul interface =====
==== 2. select wrccdc1 on the Login Screen =====

Started TrisulNSM docker image. Sleeping.
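
The steps above (check the shared volume and PCAP subdirectory, run the image, then watch the log for the success banner) can be wrapped in a small script so the run is repeatable. The script below is an added example written for this article; it is not part of the original page or the TrisulNSM project. It assumes the same layout as above: a base volume (here /opt/trisulroot5) mounted as /trisulroot in the container, a subdirectory name passed to --pcap, and the ports 4000/4003. The function names, the free-space helper and the sample log text are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article or the TrisulNSM project.
# Wraps the procedure above: check the shared volume and PCAP subdirectory,
# report free space, build the same docker run line, and poll the container
# log for the success banner. All function names are this example's own.
set -u

# check_pcap_dir BASE SUBDIR
# BASE is mounted as /trisulroot in the container and SUBDIR is the value
# passed to --pcap. Prints the number of .pcap files; returns 1 on any problem.
check_pcap_dir() {
    base="$1"; sub="$2"; dir="$base/$sub"
    [ -d "$base" ] || { echo "base volume $base does not exist" >&2; return 1; }
    [ -d "$dir" ]  || { echo "pcap directory $dir does not exist" >&2; return 1; }
    n=$(find "$dir" -maxdepth 1 -type f -name '*.pcap' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no .pcap files in $dir" >&2; return 1; }
    echo "$n"
}

# free_gb PATH: free space on the filesystem holding PATH, in whole GiB.
# Trisul writes its results into the shared volume, so check it before starting.
free_gb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1048576) }'
}

# build_run_cmd NAME BASE SUBDIR WEBPORT WSPORT
# Prints the docker run line from the article with the variable parts filled in.
# --privileged is kept because --enable-file-extraction needs it.
build_run_cmd() {
    printf 'docker run --name=%s --privileged=true --net=host -v %s:/trisulroot -d trisulnsm/trisul6 --enable-file-extraction --webserver-port %s --websockets-port %s --fine-resolution --pcap %s' \
        "$1" "$2" "$4" "$5" "$3"
}

# import_status: reads container log text on stdin and prints "done" once the
# "SUCCESSFULLY IMPORTED FROM PCAP REPO" banner has appeared, else "running".
import_status() {
    if grep -q 'SUCCESSFULLY IMPORTED FROM PCAP REPO'; then
        echo done
    else
        echo running
    fi
}

# wait_for_import NAME [INTERVAL] [MAX_TRIES]: poll 'docker logs NAME' until
# the banner shows up (the 'docker logs -f' step, without a terminal).
wait_for_import() {
    name="$1"; interval="${2:-10}"; max="${3:-360}"; tries=0
    while [ "$(docker logs "$name" 2>&1 | import_status)" != done ]; do
        tries=$((tries + 1))
        [ "$tries" -lt "$max" ] || { echo "gave up waiting for $name" >&2; return 1; }
        sleep "$interval"
    done
    echo "import into $name finished"
}

# Constructed sample of the tail of the container log, modelled on the output
# shown in the article (used only to demonstrate import_status).
SAMPLE_LOG='Finished elapsed : 328 seconds
==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc =====
==== 1. login to the Web Trisul interface =====
Started TrisulNSM docker image. Sleeping.'

# Usage: sh run_trisul_pcaps.sh run /opt/trisulroot5 wrccdc [trisul1n]
# (prefix with sudo if your user is not in the docker group)
if [ "${1:-}" = "run" ]; then
    base="${2:?usage: run BASE SUBDIR [NAME]}"; sub="${3:?usage: run BASE SUBDIR [NAME]}"
    name="${4:-trisul1n}"
    count=$(check_pcap_dir "$base" "$sub") || exit 1
    echo "found $count pcap files in $base/$sub, $(free_gb "$base") GiB free on the volume"
    cmd=$(build_run_cmd "$name" "$base" "$sub" 4000 4003)
    echo "running: $cmd"
    eval "$cmd" || exit 1     # arguments are the operator's own paths and names
    wait_for_import "$name"
fi
```

The script refuses to start the container when the subdirectory is missing or holds no .pcap files, which is the most common reason the import banner never appears, and it prints the exact docker run line before executing it so the mount path and --pcap name can be checked against each other.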


That's it! Now you are ready to analyze the network data using Trisul. That is Part 3 of this series.

offline/wrccdc_pcaps_trisulnsm.txt · Last modified: 2018/05/13 00:12 by veera