Offline processing of packet captures

You can use the offline run mode of trisul to read in capture dumps. This is very useful for analyzing existing packet traces with all the tools available in Trisul.

Using the ‘offline’ run mode

You can process a single capture file

trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode offline -in /mnt/disk1/onehugefile.pcap

Or an entire directory

trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode offline -in /mnt/disk1/allmyfiles

If you specify a directory, trisul will recursively process capture files in all subdirectories.

Processing order of capture files in directory

Trisul will process each file in order of the first packet timestamp. This means that it does not matter how the files are named or directories are laid out. Trisul will process the files earliest to latest.

If you would rather process the files and directories in alphabetical order instead, set the AutoSortByCapTime configuration parameter to False.

Compressed files

Trisul can read BZIP2 and GZIP files directly.

  1. Ending with .bz2 or .bzip2 – Uses BZIP2 decompression
  2. Ending with .gz – Uses GZIP decompression

You can intersperse uncompressed and compressed files of any type in your directories. Trisul will handle them correctly. Files that are not in TCPDUMP/LIBPCAP format will be ignored.
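As an added illustration of the ordering and compression rules above (my own Python, not Trisul's code), the following walks a capture tree the way the text describes: it opens each file by suffix (.bz2/.bzip2 via bzip2, .gz via gzip, anything else as-is), keeps only files that begin with a libpcap global header, reads the first record's timestamp, and orders the files earliest to latest, or alphabetically by path when sort_by_captime is False, mirroring AutoSortByCapTime. The run_demo helper writes a small constructed tree into a temporary directory whose file names deliberately disagree with the capture order; the file names and timestamps are invented test data.

```python
import bz2
import gzip
import os
import struct
import tempfile

# libpcap global-header magic (first four bytes) mapped to the struct byte-order prefix
# needed to decode the rest of the file; microsecond and nanosecond variants.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}
NANOSECOND_MAGICS = (b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d")

def open_capture(path):
    """Open a capture, picking the decompressor by suffix (.bz2/.bzip2, .gz, else plain)."""
    lower = path.lower()
    if lower.endswith((".bz2", ".bzip2")):
        return bz2.open(path, "rb")
    if lower.endswith(".gz"):
        return gzip.open(path, "rb")
    return open(path, "rb")

def first_packet_time(path):
    """First packet timestamp as float seconds, or None if the file is not libpcap
    (wrong magic, too short, or not the compressed format its suffix claims)."""
    try:
        with open_capture(path) as fh:
            header = fh.read(24)      # magic, version, tz, sigfigs, snaplen, linktype
            if len(header) < 24:
                return None
            endian = PCAP_MAGICS.get(header[:4])
            if endian is None:
                return None
            record = fh.read(16)      # ts_sec, ts_frac, incl_len, orig_len
            if len(record) < 16:
                return None
            ts_sec, ts_frac = struct.unpack(endian + "II", record[:8])
            divisor = 1e9 if header[:4] in NANOSECOND_MAGICS else 1e6
            return ts_sec + ts_frac / divisor
    except (OSError, EOFError):       # bad gzip/bzip2 stream or truncated file
        return None

def capture_processing_order(root, sort_by_captime=True):
    """Recursively collect libpcap files under root; order by first packet time
    (AutoSortByCapTime=True) or by path name (False). Non-pcap files are ignored."""
    found = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ts = first_packet_time(path)
            if ts is not None:
                found.append((ts, path))
    if sort_by_captime:
        found.sort()
    else:
        found.sort(key=lambda item: item[1])
    return [path for _ts, path in found]

def make_pcap_bytes(ts_sec, ts_usec=0, payload=b"\x00" * 14):
    """Constructed test data: a minimal little-endian libpcap file holding one frame."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_header = struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
    return global_header + record_header + payload

def build_demo_tree(root):
    """Constructed tree: names and directory layout disagree with capture order."""
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    with gzip.open(os.path.join(root, "c_latest.pcap.gz"), "wb") as fh:
        fh.write(make_pcap_bytes(1_700_000_300))
    with bz2.open(os.path.join(root, "sub", "a_middle.pcap.bz2"), "wb") as fh:
        fh.write(make_pcap_bytes(1_700_000_200))
    with open(os.path.join(root, "b_earliest.pcap"), "wb") as fh:
        fh.write(make_pcap_bytes(1_700_000_100))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"not a capture\n")

def run_demo():
    """Build the tree in a temporary directory and return both orderings as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)

        def relative(paths):
            return [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]

        return {
            "by_captime": relative(capture_processing_order(root)),
            "alphabetical": relative(capture_processing_order(root, sort_by_captime=False)),
            "txt_ignored": first_packet_time(os.path.join(root, "notes.txt")) is None,
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Point capture_processing_order at a real directory to preview the order Trisul will use before starting a long offline run; a file that comes back missing from the list is one whose header is not libpcap (or whose suffix does not match its contents) and would be skipped.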

How to run against a pcap dump

Let's say you have a bunch of capture files containing 500GB of data in /home/demo/capture_files/mycaps.

A sample run might look like this.

Clean up existing data using cleanenv

 cd /usr/local/share/trisul
 ./cleanenv -init

Make any changes if required

  1. You may wish to log in and change parameters like Home Networks

Run Trisul in offline mode

trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml  -mode offline -in ~demo/capture_files/mycaps

How to add in alerts from Snort in pcap dumps

The basic run described above will give you all the information except security alerts. This is because Trisul relies on Snort or Suricata for this.

If you want security alert information, you have to use a two step process.

  1. First, run Trisul on the packet dumps (described above)
  2. Second, run Snort (or Suricata plus Barnyard2) over the dumps and send the output to Trisul via a Unix socket

Snort has native Unix socket support. Suricata needs Barnyard2 to feed Trisul.

Change OverlaySlices in trisulConfig.xml

Set the OverlaySlices parameter in trisulConfig.xml to TRUE.

Run trisul in idsalert mode

Run trisul and specify the idsalert mode. In this mode, trisul listens to a unix socket for events in Unified format.

trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode idsalert

Run Snort in unsock mode

At this point Trisul is listening on the Unix socket (/tmp/snort_alert). Snort's unsock output creates its socket as snort_alert under the log directory, which is why the commands below pass -l /tmp. All we have to do is run Snort over each file in the directory.

A single file.

snort -A unsock -c /etc/snort.conf -l /tmp -r /mnt/disk1/onehugefile.pcap

A directory.

snort -A unsock -c /etc/snort.conf -l /tmp --pcap-dir /mnt/disk1/allmyfiles

After snort has processed all the files, you can stop trisul.

How to add in IDS alerts from Suricata

Processing alerts from Suricata requires Barnyard2 because Suricata does not (yet) natively support output to unix sockets. The procedure is similar to Snort but requires an additional step.

Change OverlaySlices in trisulConfig.xml

Set the OverlaySlices parameter in trisulConfig.xml to TRUE.

Change SnortUnixSocket in trisulConfig.xml

Change the SnortUnixSocket parameter in trisulConfig.xml to /tmp/barnyard2

Run trisul in idsalertu2 mode

Run trisul and specify the idsalertu2 (alerts in Unified2 format) mode.

trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode idsalertu2

Run Suricata

The purpose is to run suricata over all the capture files and output unified2 alerts in the /tmp/byin directory.

Some things to check in suricata.yaml

  • Is the unified2 output plugin enabled? This is the default.
  • Is the alert limit high enough, say 1G?

Save the following loop as dosur.sh. It runs Suricata over every file in the capture directory and writes the Unified2 alerts to /tmp/byin.

#!/bin/bash
# dosur.sh: run Suricata over each capture file in the given directory
if [ $# -ne 1 ]
then
  echo "Usage : $0 <capture-directory>"
  exit 1
fi
mkdir -p /tmp/byin              # Suricata expects its log directory (-l) to exist
for f in "$1"/*                 # the files inside the directory, quoted against spaces
do
  suricata -c suricata.yaml -l /tmp/byin -r "$f"
done

Now run the shell script in the background (using nohup so you can log off):

nohup ./dosur.sh /home/demo/capture_file/dc17 &

Once Suricata finishes you will have a whole set of files in /tmp/byin like unified2.log.xxxx. The next step is to use Barnyard2 to send these files in Unified2 format to a unix socket on which Trisul is waiting.
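Before handing the spool files to Barnyard2 it is worth checking what they contain. The following is an added Python reader for the Unified2 record format (my own code, not Suricata's or Barnyard2's): every record is an 8-byte big-endian header (type, length) followed by the body; it decodes the IPv4 IDS event body shared by record types 7 and 104 (the 52-byte legacy layout, which type 104 extends with MPLS and VLAN fields), skips packet and other record types by their length, drops a truncated trailing record, and reports alerts stamped outside the capture's time range, which is worth knowing since the alerts are about to be overlaid onto the time slices the offline run already wrote. The SAMPLE bytes, the addresses and the sid 1000001 are constructed test data.

```python
import socket
import struct

UNIFIED2_PACKET = 2              # Unified2Packet: the packet that triggered an event
UNIFIED2_IDS_EVENT = 7           # Unified2IDSEvent_legacy: 52-byte IPv4 event
UNIFIED2_IDS_EVENT_VLAN = 104    # same fields followed by mpls_label, vlan_id, pad
LEGACY_EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")   # all fields in network byte order

def parse_unified2(data):
    """Yield (record_type, body) per record: 8-byte big-endian header (type, length)
    then `length` body bytes. A truncated trailing record (interrupted writer) is dropped."""
    offset = 0
    while offset + 8 <= len(data):
        rtype, length = struct.unpack(">II", data[offset:offset + 8])
        body = data[offset + 8:offset + 8 + length]
        if len(body) < length:
            break
        yield rtype, body
        offset += 8 + length

def decode_event(body):
    """Decode the IPv4 event fields shared by record types 7 and 104."""
    f = LEGACY_EVENT.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2], "event_microsecond": f[3],
        "sid": f[4], "gid": f[5], "rev": f[6], "classification": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack(">I", f[9])),
        "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }

def events_in(data):
    """All IPv4 IDS events in a Unified2 byte string; packet and other records are skipped."""
    return [decode_event(body) for rtype, body in parse_unified2(data)
            if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN)
            and len(body) >= LEGACY_EVENT.size]

def events_outside_window(events, start_second, end_second):
    """Events whose timestamp falls outside the capture's first/last packet time."""
    return [e for e in events if not start_second <= e["event_second"] <= end_second]

def build_legacy_event(event_id, event_second, sid, src, dst, sport, dport, proto=6):
    """Pack a constructed type-7 record (header plus 52-byte body) for testing."""
    def to_u32(ip):
        return struct.unpack(">I", socket.inet_aton(ip))[0]
    body = LEGACY_EVENT.pack(1, event_id, event_second, 0, sid, 1, 1, 0, 2,
                             to_u32(src), to_u32(dst), sport, dport, proto, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def build_packet_record(event_id, event_second, payload=b"\x00" * 4):
    """Pack a constructed type-2 record: 28-byte Unified2Packet header plus packet bytes."""
    head = struct.pack(">IIIIIII", 1, event_id, event_second, event_second, 0, 1, len(payload))
    return struct.pack(">II", UNIFIED2_PACKET, len(head) + len(payload)) + head + payload

# Constructed spool content: two alerts (sid 1000001 is a local-rule number), one packet
# record, and a deliberately truncated final record of the kind a killed writer leaves.
SAMPLE = (
    build_legacy_event(1, 1_700_000_150, 1000001, "10.0.0.5", "192.168.1.10", 40000, 80)
    + build_packet_record(1, 1_700_000_150)
    + build_legacy_event(2, 1_700_009_999, 1000001, "10.0.0.7", "192.168.1.10", 40001, 443)
    + struct.pack(">II", UNIFIED2_IDS_EVENT, LEGACY_EVENT.size) + b"\x00" * 20
)

if __name__ == "__main__":
    events = events_in(SAMPLE)
    late = events_outside_window(events, 1_700_000_100, 1_700_000_300)
    print(len(events), "events; outside capture window:", [e["event_id"] for e in late])
```

To run it over real spool output, read each /tmp/byin file in binary mode and pass the bytes to events_in; the window bounds come from the first and last packet timestamps of the capture set. IPv6 events (type 72 and 105) are skipped by this reader, so a zero count on an IPv6-heavy capture is a limitation of the example, not an empty spool.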

Run Barnyard2

Things to check in barnyard2.conf

  • The output alert_unixsock option is enabled

Save the following loop as dobarn.sh. It runs Barnyard2 in batch mode over every Unified2 file whose name starts with the given prefix.

#!/bin/bash
# dobarn.sh: feed each unified2 file matching the prefix to Trisul through barnyard2
if [ $# -ne 1 ]
then
  echo "Usage : $0 <unified2-file-prefix>"
  exit 1
fi
for f in "$1"*                  # e.g. /tmp/byin/unified2.alert* matches every spool file
do
  barnyard2 -c barnyard2.conf -o "$f"   # -o: batch mode, process the named file and exit
done

Run barnyard2 over each of the Unified2 alert log files that Suricata wrote to /tmp/byin:

./dobarn.sh /tmp/byin/unified2.alert

You are done once barnyard2 finishes.