Table of Contents
Articles
Articles about network security monitoring, traffic analytics, setting up measurement, techniques for scaling, threat hunting tips, etc.
Hardware and Data Acquisition
Configuring Port Mirror on Proxmox VE 5.1 for Network Security Monitoring applications
Configuring ERSPAN for packet capture into Network Security Monitoring tools
Netflow tunneling
Tunneling Netflow to a remote Trisul involves preserving the original IP address of the switch/router. We describe three methods to achieve it, NAT, GRE, and Shim Tunnels.
Using NAT on gateway to send Netflow to remote Trisul
Using GRE Tunnel to send Netflow to a remote Trisul
High availability and Disaster Recovery
Trisul can be set up in a High Availability (HA) or Disaster Recovery (DR) configuration. This section contains articles related to that.
Docker
Using the new TrisulNSM Docker all-in-one NSM image
Installing Docker and TrisulNSM on RHEL7.4 - step by step instructions
Installing Docker and TrisulNSM on Ubuntu 16.04 - step by step instructions
Malware PCAP analysis using TrisulNSM docker on Ubuntu 16.04 Host
How to analyze large pcaps for free using the TrisulNSM Docker image
NSM and Packet Analytics Concepts
Scripting
TLS Fingerprinting
TLS Fingerprinting to identify encrypted clients
Automatically resolve unknown TLS Fingerprints using Graph Analytics
Trisul LUA script techniques to detect and dump C2 in X.509 extensions
Intrusion Detection
Offline analysis with the WRCCDC PCAP dump
In this three-part series, we explain techniques and show how to analyze the 2018 WRCCDC PCAP dump using TrisulNSM. We appreciate the kind folks at WRCCDC for making this publicly accessible.
Part 1: Strategy to analyze large PCAP dumps without getting overwhelmed
Part 2: How to use the free TrisulNSM Docker image to process the PCAPs
Part 3: Screenshots and vids showing some of the results and techniques
Netflow analytics
Netflow Configuration
Sample Netflow Configuration for Juniper MX series routers
Sample Netflow Configuration for Cisco ASR
Sample Netflow Configuration for Juniper SRX
Syslog Configuration
Administration Tips
Debugging crashes and other problems on the probe
How to use Monit to keep an eye on Trisul processes and restart them if necessary
Primary and backup configuration
Check if UDP packets are received
SNMP
External links
Application
How to restart webtrisuld via cron
How to push an alert from Bash shell
Security and Hardening
Mount CIFS and NFS with uid, gid option only
A common technique is to mount the archive area onto an NFS or a CIFS share.
One gotcha is that you need to pass the uid and gid of the trisul user and group while mounting the CIFS share. Otherwise the archiver process, which runs as trisul, will not be able to access the share.
# get the user and group ID of the trisul account
id -u trisul
id -g trisul
# /etc/fstab entry: use the uid= and gid= options with the values printed above
# (995 and 997 here are sample values; substitute your own)
//192.168.1.181/windowsShare1TrisulData /home/TrisDataArchive/ cifs username=Bob,password=mypassword,uid=995,gid=997,file_mode=0770,dir_mode=0770,noperm 0 0
LDAP
Tuning Flow Indexes
How to tune flow indexes to optimize disk size based on requirements.
Useful Scripts and Tools
Script to watch the IPDR system for continuous running and send an email or syslog alert if it stops.
Scans a directory of slices and checks the status of the directories against METASLICE
Distributed Domain
Install Trisul Apps offline
Install Trisul Apps using the load-from-cache feature