Table of Contents
Articles about network security monitoring, traffic analytics, setting up measurement, techniques for scaling, threat hunting tips, etc.
Hardware and Data Acquisition
Configuring Port Mirror on Proxmox VE 5.1 for Network Security Monitoring applications
Configuring ERSPAN for packet capture into Network Security Monitoring tools
Tunneling Netflow to a remote Trisul involves preserving the original IP address of the switch/router. We describe three methods to achieve it, NAT, GRE, and Shim Tunnels.
Using NAT on gateway to send Netflow to remote Trisul
Using GRE Tunnel to send Netflow to a remote Trisul
Using a Shim Tunnel to send Netflow to a remote Trisul
Using the new TrisulNSM Docker all-in-one NSM image
Installing Docker and TrisulNSM on RHEL7.4 - step by step instructions
Installing Docker and TrisulNSM on Ubuntu 16.04 - step by step instructions
Malware PCAP analysis using TrisulNSM docker on Ubuntu 16.04 Host
How to analyze large pcaps for free using the TrisulNSM Docker image
NSM and Packet Analytics Concepts
Difference between Live capture and Reading PCAP dumps in NSM tooling
TLS Fingerprinting to identify encrypted clients
Automatically resolve unknown TLS Fingerprints using Graph Analytics
Trisul LUA script techniques to detect and dump C2 in X.509 extensions
Offline analysis with the WRCCDC PCAP dump
In this three-part series, we explain techniques and show how to analyze the 2018 WRCCDC PCAP dump using TrisulNSM. We appreciate the kind folks at WRCCDC for making this publicly accessible.
Part 1: Strategy to analyze large PCAP dumps without getting overwhelmed
Part 2: How to use the free TrisulNSM Docker image to process the PCAPs
Part 3: Screenshots and vids showing some of the results and techniques
Debugging crashes and other problems on the probe
How to use Monit to keep an eye on Trisul processes and restart them if necessary
Primary and backup configuration
Check if UDP packets are received
How to mirror traffic from external port to a VM in Hyper-V (Tenable)
Security and Hardening
Mount CIFS and NFS with uid, gid option only
A common technique is to mount the archive area onto an NFS or a CIFS share.
One gotcha is that you need to pass the trisul user and group IDs (trisul.trisul) as mount options when mounting the CIFS share. Otherwise the archiver will not be able to access the share.
# get the user and group ID of trisul.trisul
id -u trisul
id -g trisul

# use the uid= and gid= options (fstab-style entry; substitute the IDs printed above)
//192.168.1.181/windowsShare1TrisulData /home/TrisDataArchive/ cifs username=Bob,password=mypassword,uid=995,gid=997,file_mode=0770,dir_mode=0770,noperm 0 0