offline:wrccdc_pcaps_trisulnsm

Differences

offline:wrccdc_pcaps_trisulnsm [2018/05/12 16:58] veeraoffline:wrccdc_pcaps_trisulnsm [2018/05/13 00:11] – [Install Docker] veera
Line 9: Line 9:
   * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]]    * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]] 
   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump
-  * Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)+  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]]
  
  
Line 18: Line 18:
  
  
-Firstly install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Articles Page"]] +First install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Docker section on the articles Page"]] 
  
  
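Review bot: the typo "Ubuntu 16.04 of CentOS 7.4" survives on both sides of this hunk and should read "Ubuntu 16.04 or CentOS 7.4". The new link text "Docker section on the articles Page" also has inconsistent capitalisation; suggest "Docker section of the Articles page".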
Line 62: Line 62:
  
  
-A quick note on the command line options we're using+A quick note on the command line options we're using. For a complete list of options see [[https://github.com/trisulnsm/docker#options|github/trisulnsm]]
  
-|--name | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| +|''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| 
-|--privileged | This is needed for the ''--enable-file-extraction'' flagOur file extraction feature  +|''--privileged''Goes along with the ''--enable-file-extraction'' optionUsed to dump suspected malicious files transferred over the network 
- extracts and dumps malicious files. This needs to create a RAMFS partition. Hence this needs a privileged permission +|''--webserver-port 4000'' | We are using these two ports for web access rather than the default (3000,3003). Skip these flags if you're okay with 3000,3003. Also ensure the firewalls allow these ports| 
-|--webserver-port 4000 --websockets-port 4003 | We are using these two ports for web access rather than the default (3000,3003). Skip these flags if you're okay with 3000,3003. Also ensure the firewalls allow these ports| +|''--fine-resolution''|Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic hence high-resolution timeseries is better for metrics| 
-|--fine-resolution|Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic hence high-resolution timeseries is better for metrics| +|''--pcap''|We use the name of the subdirectory ''wrccdc''. Recall that we put the PCAPs in the shared volume /opt/trisulroot5/wrccrc. This name is relative to the base  path.  Trisul will run over the PCAPs in this directory, then use Suricata to do a 2nd pass over it and re-index the data in Trisul|
-|--pcap|We use the name of the subdirectory ''wrccdc''. Recall that we put the PCAPs in the shared volume /opt/trisulroot5/wrccrc. This name is relative to the base  path.  Trisul will run over the PCAPs in this directory, then use Suricata to do a 2nd pass over it and re-index the data in Trisul|+
  
  
-Upon completion your ''docker logs -f trisul1n'' should show something like below.+=== Wait for completion === 
 + 
 +Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command
  
 +
 +<code>
 +docker logs -f trisul1n
 +</code>
 +
 +The rough time taken in our very modest system was around 40 seconds per file.   When the processing finishes you will see something like this. 
  
 <code> <code>
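Review bot: the rewritten ''--privileged'' row drops the one sentence that justified the flag (file extraction "needs to create a RAMFS partition. Hence this needs a privileged permission"); since a privileged container gets broad access to the host, keep that rationale so a reader who does not need file extraction knows both ''--privileged'' and ''--enable-file-extraction'' can be left out together. Two smaller points in the same table: the first column of the port row now reads only ''--webserver-port 4000'' while the text still says "these two ports", so ''--websockets-port 4003'' should be restored to that cell; and the ''--pcap'' row (on both sides) names the subdirectory ''wrccdc'' but the shared volume path ''/opt/trisulroot5/wrccrc'', one of which is a typo.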
Line 90: Line 97:
  
  
 +==== Next ====
  
-Using Trisul to analyze the PCAPs  
  
- +Thats it ! Now you are ready to analyze the network data using TrisulThat is [[offline:wrccdc_pcaps_results|Part 3 of this series]]
-File extraction +
- +
-<code> +
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l +
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe +
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe +
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe +
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe +
-DOCKER:unpl:root savedfiles$  +
- +
- +
-</code>+
  
  
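Review bot: the closing line "Thats it ! Now you are ready to analyze the network data using TrisulThat is [[...]]" is missing punctuation and a sentence break; suggest "That's it! Now you are ready to analyze the network data using Trisul. That is [[offline:wrccdc_pcaps_results|Part 3 of this series]]." Moving the file-extraction listing out to Part 3 is consistent with the new link, but the removed block was the only place that told the reader where extracted files land (''/tmp/savedfiles''), so a one-line pointer to that location would be worth keeping here next to the ''--enable-file-extraction'' discussion.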
offline/wrccdc_pcaps_trisulnsm.txt · Last modified: 2018/05/13 00:12 by veera