====== Articles ====== Articles about network security monitoring, traffic analytics, setting up measurement, techniques for scaling, threat hunting tips, etc. ===== Hardware and Data Acquisition ===== [[articles:proxmox_span|Configuring Port Mirror on Proxmox VE 5.1 for Network Security Monitoring applications]] [[hardware:erspan|Configuring ERSPAN for packet capture into Network Security Monitoring tools]] ==== Netflow tunneling ==== Tunneling Netflow to a remote Trisul involves preserving the original IP address of the switch/router. We describe three methods to achieve it, NAT, GRE, and Shim Tunnels. [[hardware:gatewaynetflow|Using NAT on gateway to send Netflow to remote Trisul]] [[hardware:gretunnel|Using GRE Tunnel to send Netflow to a remote Trisul]] [[hardware:shimtunnel|Using a Shim Tunnel to send Netflow to a remote Trisul]] [[hardware:shimtunnelintro|Use a Shim Tunnel when you cant use GRE or NAT ]] ==== High availability and Disaster Recovery ==== Trisul can be setup as High Availability or a D-R Disaster recovery configuration. This section contains articles related to that. [[ha:keepalived|Configure HA using keepalived]] ===== Docker ===== [[docker:intro|Using the new TrisulNSM Docker all-in-one NSM image]] [[docker:rhel74|Installing Docker and TrisulNSM on RHEL7.4 - step by step instructions]] [[docker:ubuntu16|Installing Docker and TrisulNSM on Ubuntu 16.04 - step by step instructions]] [[docker:ubuntumalware|Malware PCAP analysis using TrisulNSM docker on Ubuntu 16.04 Host ]] [[docker:pcap_analysis|How to analyze large pcaps for free using the TrisulNSM Docker image]] ===== NSM and Packet Analytics Concepts ===== [[articles:livevspcap|Difference between Live capture and Reading PCAP dumps in NSM tooling]] [[articles:memcached|Memcached attack on UDP port]] [[articles:segmentsmack|Proof of concept script to detect SegmentSmack]] ===== Scripting ===== [[scripting:introbro|Introduction to Trisul Scripting for Bro IDS users]] ===== TLS Fingerprinting ===== [[app:tlsfingerprint|TLS Fingerprinting to identify encrypted clients]] [[app:auto_fingerprint|Automatically resolve unknown TLS Fingerprints using Graph Analytics]] [[script:x509_ext_c2|Trisul LUA script techniques to detect and dump C2 in X.509 extensions]] ===== Intrusion Detection ===== [[ids:snort|Connecting Trisul to Snort with Emerging Threats Rules ]] [[ids:snort3|Connecting Trisul to Snort3]] ===== Offline analysis with the WRCCDC PCAP dump ===== In this three part series, we explain techniques and show how to analyze the [[https://archive.wrccdc.org/|2018 WRCCDC PCAP]] dump using TrisulNSM. We appreciate the kind folks at WRCCDC for making this publicly accessible. [[offline:wrccdc_pcaps|Part 1: Strategy to analyze large PCAP dumps without getting overwhelmed]] [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker image to process the PCAPs]] [[offline:wrccdc_pcaps_results|Part 3: Screenshots and vids showing some of the results and techniques]] ===== Netflow analytics ===== [[netflow:silk|Using the SiLK importer Trisul APP to analyze Netflow]] ===== Netflow Configuration ===== [[netflow:junipermx|Sample Netflow Configuration for Juniper MX series routers ]] [[netflow:asr|Sample Netflow Configuration for Cisco ASR]] [[netflow:junipersrx|Sample Netflow Configuration for Juniper SRX]] [[netflow:asr|Sample Netflow Configuration for Cisco Nexus ]] [[Cisco Nexus|]] ===== Syslog Configuration ===== [[netflow:natsyslog|Sample NAT syslog for Mikrotik]] ===== Administration Tips ===== [[admin:debuggingcrash|Debugging crashes and other problems on the probe]] [[monit:monitoring_and_maintain_trisul_process|How to use Monit to keep an eye on Trisul processes and restart them if necessary]] [[admin:ha|Primary and backup configuration]] [[admin:udpserver|Check if UDP packets are received]] [[admin:vlantags|VLAN tags only not visible in RXRING and AF_PACKET mode]] [[admin:Keepalived|Trisul HA using keepalived]] ===== SNMP ===== [[articles:portvlanid|Mapping Port names to VLAN ID]] ===== External links ===== [[Get google api key: Get Google API Key]] [[Other links: external_links]] [[https://docs.tenable.com/nnm/deployment/Content/VM/Hyper-VInternal.htm|How to mirror traffic from external port to a VM in Hyper-V (Tenable)]] ===== Application ===== [[admin:restart_webtrisul_cron|How to restart webtrisuld via cron]] [[admin:add_alert_bash|How to push an alert from Bash shell]] [[admin:change_super_admin|How to change the default superadmin name]] [[admin:domainsandip|Search for URL or domain traffic in Netflow]] ===== Security and Hardening ===== [[admin:disableweaksshkeyexchange|How to disable weak Key Exchange algorithms for ssh]] ===== Mount CIFS and NFS with uid, gid option only ===== A common technique is to mount the archive area onto a NFS or a CIFS share. One gotcha is you need to add the trisul.trisul user id while mounting the CIFS share. Otherwise the archiver will not be able to access the share. # get the user and group ID of trisul.trisul id -u trisul id -g trisul # use the uid= and guid= options //192.168.1.181/windowsShare1TrisulData /home/TrisDataArchive/ cifs username=Bob,password=mypassword,uid=995,gid=997,file_mode=0770,dir_mode=0770,noperm 0 0 ===== LDAP ===== [[admin:ldapserach|LDAP Search]] ===== Tuning Flow Indexes ===== How to tune flow indexes to optimize disk size based on requirements. [[tips:flowindextuning|Tuning Flow Database]] ===== Useful Scripts and Tools ===== [[tools:ipdr_watchdog|IPDR Watchdog]] Script to watch IPDR system for continuous running and send a email , syslog alert if it stops. [[tools:scan_slices|Scan Slices]] Scans a directory of slices and checks the status of the directories against METASLICE ===== Distributed Domain ===== scripts to connect the hub and probes from different machines [[==== hub distributor ==== |hub distributor ]] [[==== add probe ==== |add probe]] ===== Install Trisul Apps in offline ===== install trisul apps using load from cache feature [[install_apps_in_offline|]] ===== Audit Logger ===== [[trisul_audit_logger|]]