Malware PCAP analysis using TrisulNSM docker on Ubuntu 16.04 Host
You've all heard of the great malware PCAPs made public by Malware Traffic Analysis.NET. Here is a short recipe that explains how you can use the TrisulNSM Docker image to set up an analysis platform for them.
Host: Ubuntu 16.04 LTS on Amazon
Start: Install Docker CE
First install Docker and start it:
sudo apt update
sudo apt install docker.io
sudo systemctl start docker
Run the TrisulNSM Docker Image
Next, run the trisulnsm/trisul6 image available on Docker Hub. Notice that we are not starting a live capture, because we intend to read the PCAPs. The host directory /opt/trisul6_root is mounted into the container as /trisulroot so that Trisul's data survives container restarts.
sudo docker run --name=trisul1a --net=host \
  -v /opt/trisul6_root:/trisulroot \
  -d trisulnsm/trisul6
Login and install a few apps
Point your browser to http://<ip>:3000
Then log in as admin/admin and select Manage → Apps. Because the container uses --net=host, the web UI is bound directly on the host's port 3000, so restrict who can reach it (for example via the instance's security group) and change the default admin password before leaving it running.
Install the following Apps:
- TLS Fingerprinter
- Save Binaries
- SNI TLS Metrics
Now you have the platform ready to process the PCAPs.