You've all heard of the excellent malware PCAPs made public by Malware-Traffic-Analysis.net. Here is a short recipe that explains how to use the TrisulNSM Docker image to set up a platform for analysing them.
Host : Ubuntu 16.04 LTS on Amazon
First install Docker and start it:
sudo apt update
sudo apt install docker.io
sudo systemctl start docker
Next, run the trisulnsm/trisul6 image available on Docker Hub. Notice that we are not starting a live capture, because we intend to read the PCAPs:
sudo docker run --name=trisul1a --net=host \
Point your browser to http://<ip>:3000
then log in as admin/admin (the default credentials; change them, and keep port 3000 restricted to your own address in the instance's security group, since --net=host exposes it directly on the Amazon host) and select Manage → Apps
Install the following Apps:
- TLS Fingerprinter
- Save Binaries
- SNI TLS Metrics
Now you have the platform ready to process the PCAPs.
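The steps above as one script, added here as an example; it is not part of the original post or of the TrisulNSM project. It assumes the PCAPs have already been downloaded to a host directory given by PCAP_DIR and that they are shared into the container with a bind mount at /pcaps; the post's own docker run line is cut off, so the mount point and any further flags the image expects are assumptions, not something the post confirms. The helper functions are separated from the part that actually touches the host so the generated command can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the TrisulNSM container
# for offline PCAP analysis, with a few pre-flight checks.
# Assumed: PCAPs live in $PCAP_DIR on the host and are bind-mounted at /pcaps
# inside the container. The mount point and the -v/-d flags are assumptions;
# the post's docker run line is truncated and does not confirm them.
set -eu

CONTAINER_NAME="trisul1a"
IMAGE="trisulnsm/trisul6"
PCAP_DIR="${PCAP_DIR:-$HOME/pcaps}"   # host directory holding the PCAPs (assumed)
CONTAINER_PCAP_DIR="/pcaps"           # mount point inside the container (assumed)
UI_PORT=3000

# Build the docker run command as a single string so it can be reviewed or
# logged before it is executed. --net=host mirrors the post; -d detaches.
build_run_cmd() {
  name="$1"; image="$2"; host_dir="$3"; ctr_dir="$4"
  printf 'docker run --name=%s --net=host -d -v %s:%s %s' \
    "$name" "$host_dir" "$ctr_dir" "$image"
}

# Count capture files directly inside a directory; prints 0 if it does not exist.
pcap_count() {
  dir="$1"
  [ -d "$dir" ] || { echo 0; return 0; }
  find "$dir" -maxdepth 1 -type f \
    \( -name '*.pcap' -o -name '*.pcapng' -o -name '*.cap' \) | wc -l | tr -d ' '
}

# docker treats a relative -v source as a named volume, not a host path,
# so the bind-mount source must be absolute.
is_abs_path() {
  case "$1" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# The install commands from the post, run only if docker is missing.
install_docker() {
  sudo apt update
  sudo apt install -y docker.io
  sudo systemctl start docker
}

up() {
  command -v docker >/dev/null 2>&1 || install_docker
  is_abs_path "$PCAP_DIR" || { echo "PCAP_DIR must be absolute: $PCAP_DIR" >&2; exit 1; }
  n=$(pcap_count "$PCAP_DIR")
  [ "$n" -gt 0 ] || { echo "no capture files found in $PCAP_DIR" >&2; exit 1; }
  echo "found $n capture file(s) in $PCAP_DIR"
  cmd=$(build_run_cmd "$CONTAINER_NAME" "$IMAGE" "$PCAP_DIR" "$CONTAINER_PCAP_DIR")
  echo "+ sudo $cmd"
  sudo $cmd
  echo "web UI: http://<ip>:$UI_PORT (default login admin/admin; change it and"
  echo "restrict the instance's security group before exposing the port)"
}

# Only touch the host when invoked as: sh trisul-up.sh up
if [ "${1:-}" = "up" ]; then
  up
fi
```

Run it as `PCAP_DIR=/home/ubuntu/pcaps sh trisul-up.sh up`; without the `up` argument it only defines the functions, which is what lets the command builder and the directory check be exercised on a machine without Docker.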