offline:defcon26ctf
offline:defcon26ctf [2018/11/12 22:32] – [Processing the DEFCON 26 CTF PCAPS using Trisul NSM] veera | offline:defcon26ctf [2018/11/12 22:58] – [Top flows] veera | ||
Line 22: | Line 22: | ||
So,lets get started. We assume you have a fairly decent Linux machine ready with Docker installed. | So,lets get started. We assume you have a fairly decent Linux machine ready with Docker installed. | ||
- | Steps | + | |
- | + | ||
- | | + | |
- Unrar the file and extract the inside PCAP into a filename without spaces such as '' | - Unrar the file and extract the inside PCAP into a filename without spaces such as '' | ||
- Create a directory on your system where the results will be stored. Move the PCAP to that directory so the docker container can see the PCAP file. | - Create a directory on your system where the results will be stored. Move the PCAP to that directory so the docker container can see the PCAP file. | ||
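Review bot: dropping the "Steps" line on the new side leaves the two numbered items ("Unrar the file ...", "Create a directory ...") with nothing introducing them, so the list now runs straight on from the intro sentence; either keep a short heading or end the intro with a colon ("So, let's get started:"). The intro itself also needs a space and an apostrophe: "So,lets" should read "So, let's".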
Line 33: | Line 31: | ||
- | Run the trisulnsm/ | + | Run the trisulnsm/ |
<code bash> | <code bash> | ||
Line 45: | Line 43: | ||
</ | </ | ||
- | To check the logs whether | + | You can check the docker |
<code bash> | <code bash> | ||
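Review bot: the reworded lead-in "You can check the docker ..." should still tell the reader what a healthy log looks like, since the next paragraph's "If there are no errors here, it means the process has been kicked off" depends on the reader recognising what counts as an error; one sentence naming the expected log line (or the kind of message that signals failure) after the code block would close that gap.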
Line 51: | Line 49: | ||
</ | </ | ||
- | If there are no errors here, it means the process has been kicked off. This can take a while to complete. Expect anywhere from 20 minutes to an hour depending on your computer' | + | If there are no errors here, it means the process has been kicked off. Expect anywhere from 20 minutes to an hour depending on your computer' |
+ | |||
+ | To monitor the progress login to the container and do the following. | ||
<code bash> | <code bash> | ||
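Review bot: "To monitor the progress login to the container" uses the noun form where the verb is meant; read "To monitor the progress, log in to the container and do the following." It would also help to say which container (the one started by the run command above), since the commands that follow assume the reader is already inside it.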
Line 72: | Line 72: | ||
===== Screenshots ===== | ===== Screenshots ===== | ||
- | Timeline showing volume of traffic between 10 and 100Mbps over the period of the competition. You can select any timewindow and drill down | + | After the processing is complete. You can view the results from the web interface. Here are some sample leads. |
+ | ==== Retro Counters ==== | ||
- | {{: | + | Click on //Retro > Retro Counters// to view a Timeline showing traffic bandwidth. Here we see between 10 and 100Mbps spanning a 3-day period of the competition. From here you can select any timewindow and drill down into Counters. |
+ | {{: | ||
- | Trend | ||
- | {{: | + | ==== Trend ==== |
+ | Clicking the //Topper Trends// tab in Retro counters gives you a timeseries view of top activity of hosts, apps, VLANs. | ||
- | Top flows | ||
- | {{: | + | {{: |
- | PCAP totals dashboard | + | ==== Top flows ==== |
- | {{: | + | Click on // |
+ | {{: | ||
+ | |||
+ | |||
+ | ==== PCAP totals dashboard ==== | ||
+ | |||
+ | Open // | ||
+ | |||
+ | The PCAP Totals dashboard is an excellent place to start off your analysis. On a single dashboard you can see the traffic details, number of unique host, apps, VLANS, TLS Certificates, | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ==== Edge Graph Analytics ==== | ||
+ | |||
+ | You can click on the small blue button next to any table item and open "Edge Graph" to reveal neighboring items. Here we went from PCAP Totals > Click on HTTP Status > Then on the weird looking " | ||
Exploring HTTP Status 123 | Exploring HTTP Status 123 | ||
- | {{: | + | {{: |
+ | |||
+ | |||
+ | ==== IDS Alerts, attacks on Drupal ==== | ||
+ | |||
+ | Select //Alerts > Show All > IDS// to show the IDS alert categories seen. You can then click on an alert to drill down further or pull up PCAPs. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ==== Pivot to packets from anywhere ==== | ||
+ | |||
+ | Trisul lets you seamlessly pivot from any analysis point to PCAPs. You can pull down entire PCAP or use the super nifty "PCAP Headers" | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ==== Conversations of a particular hosts ==== | ||
+ | Click on Dashboards > Hosts > Then on any host and " | ||
- | Alerts, attacks on Drupal | ||
- | {{: | + | {{: |
- | Pivot to packets from anywhere | + | ==== Port connections over time ==== |
- | {{: | + | The last one here is quite interesting. Go to Retro Counters > Select the entire Time interval and then select " |
+ | {{: | ||
- | Conversations of a particular hosts | ||
- | {{:offline: | + | Hope network analysis enthusiasts find this useful. |
+ | You can also install TrisulNSM natively on your Ubuntu or CentOS and then import the PCAPs there. The Docker image however makes it really easy. | ||
- | Port connections over time | ||
- | {{: |
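Review bot: "After the processing is complete. You can view the results from the web interface." is broken at a full stop where a comma belongs: "After the processing is complete, you can view the results from the web interface." The new heading "Conversations of a particular hosts" mixes singular and plural and should be "Conversations of a particular host". In the Edge Graph paragraph, "Here we went from PCAP Totals > Click on HTTP Status > Then on the weird looking ..." switches between noun and imperative forms mid-chain; keep one form throughout the click path (for example "PCAP Totals > HTTP Status > ..."), as the other sections already do. "timewindow" in the Retro Counters paragraph should be two words.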
offline/defcon26ctf.txt · Last modified: 2018/11/12 23:00 by veera