Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » offline » Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 2 How to run TrisulNSM over the PCAP dump
Trace:
offline:wrccdc_pcaps_trisulnsm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
offline:wrccdc_pcaps_trisulnsm [2018/05/12 16:58] veeraoffline:wrccdc_pcaps_trisulnsm [2018/05/13 00:12] (current) – [Download the PCAPs] veera
Line 9: Line 9:
   * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]]    * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]] 
   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump
-  * Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)+  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]]
  
  
Line 18: Line 18:
  
  
-Firstly install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Articles Page"]] +First install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Docker section on the articles Page"]] 
  
  
Line 27: Line 27:
  
  
-Here have downloaded the first 8 files into the directory  ''/opt/trisulroot5/wrccdc''+Here have downloaded the first 8 files into the directory  ''/opt/trisulroot5/wrccdc'' You can download as many as you want. Just make sure you have enough disk space for the results.
  
  
Line 62: Line 62:
  
  
-A quick note on the command line options we're using+A quick note on the command line options we're using. For a complete list of options see [[https://github.com/trisulnsm/docker#options|github/trisulnsm]]
  
-|--name | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| +|''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| 
-|--privileged | This is needed for the ''--enable-file-extraction'' flagOur file extraction feature  +|''--privileged''Goes along with the ''--enable-file-extraction'' optionUsed to dump suspected malicious files transferred over the network 
- extracts and dumps malicious files. This needs to create a RAMFS partition. Hence this needs a privileged permission +|''--webserver-port 4000'' | We are using these two ports for web access rather than the default (3000,3003). Skip these flags if you're okay with 3000,3003. Also ensure the firewalls allow these ports| 
-|--webserver-port 4000 --websockets-port 4003 | We are using these two ports for web access rather than the default (3000,3003). Skip these flags if you're okay with 3000,3003. Also ensure the firewalls allow these ports| +|''--fine-resolution''|Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic hence high-resolution timeseries is better for metrics| 
-|--fine-resolution|Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic hence high-resolution timeseries is better for metrics| +|''--pcap''|We use the name of the subdirectory ''wrccdc''. Recall that we put the PCAPs in the shared volume /opt/trisulroot5/wrccrc. This name is relative to the base  path.  Trisul will run over the PCAPs in this directory, then use Suricata to do a 2nd pass over it and re-index the data in Trisul|
-|--pcap|We use the name of the subdirectory ''wrccdc''. Recall that we put the PCAPs in the shared volume /opt/trisulroot5/wrccrc. This name is relative to the base  path.  Trisul will run over the PCAPs in this directory, then use Suricata to do a 2nd pass over it and re-index the data in Trisul|+
  
  
-Upon completion your ''docker logs -f trisul1n'' should show something like below.+=== Wait for completion === 
 + 
 +Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command
  
 +
 +<code>
 +docker logs -f trisul1n
 +</code>
 +
 +The rough time taken in our very modest system was around 40 seconds per file.   When the processing finishes you will see something like this. 
  
 <code> <code>
Line 90: Line 97:
  
  
 +==== Next ====
  
-Using Trisul to analyze the PCAPs  
  
- +Thats it ! Now you are ready to analyze the network data using TrisulThat is [[offline:wrccdc_pcaps_results|Part 3 of this series]]
-File extraction +
- +
-<code> +
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l +
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe +
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe +
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe +
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe +
-DOCKER:unpl:root savedfiles$  +
- +
- +
-</code>+
  
  
offline/wrccdc_pcaps_trisulnsm.1526124504.txt.gz · Last modified: 2018/05/12 16:58 by veera