offline:defcon26ctf
Differences
offline:defcon26ctf [2018/11/12 22:37] – [Get started] veera | offline:defcon26ctf [2018/11/12 22:58] – [Top flows] veera | ||
Line 72: | Line 72: | ||
===== Screenshots ===== | ===== Screenshots ===== | ||
- | Timeline showing volume of traffic between 10 and 100Mbps over the period of the competition. You can select any timewindow and drill down | + | After the processing is complete. You can view the results from the web interface. Here are some sample leads. |
+ | ==== Retro Counters ==== | ||
- | {{: | + | Click on //Retro > Retro Counters// to view a Timeline showing traffic bandwidth. Here we see between 10 and 100Mbps spanning a 3-day period of the competition. From here you can select any timewindow and drill down into Counters. |
+ | {{: | ||
- | Trend | ||
- | {{: | + | ==== Trend ==== |
+ | Clicking the //Topper Trends// tab in Retro counters gives you a timeseries view of top activity of hosts, apps, VLANs. | ||
- | Top flows | ||
- | {{: | + | {{: |
- | PCAP totals dashboard | + | ==== Top flows ==== |
- | {{: | + | Click on // |
+ | {{: | ||
+ | |||
+ | |||
+ | ==== PCAP totals dashboard ==== | ||
+ | |||
+ | Open // | ||
+ | |||
+ | The PCAP Totals dashboard is an excellent place to start off your analysis. On a single dashboard you can see the traffic details, number of unique host, apps, VLANS, TLS Certificates, | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ==== Edge Graph Analytics ==== | ||
+ | |||
+ | You can click on the small blue button next to any table item and open "Edge Graph" to reveal neighboring items. Here we went from PCAP Totals > Click on HTTP Status > Then on the weird looking " | ||
Exploring HTTP Status 123 | Exploring HTTP Status 123 | ||
- | {{: | + | {{: |
+ | |||
+ | |||
+ | ==== IDS Alerts, attacks on Drupal ==== | ||
+ | |||
+ | Select //Alerts > Show All > IDS// to show the IDS alert categories seen. You can then click on an alert to drill down further or pull up PCAPs. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ==== Pivot to packets from anywhere ==== | ||
+ | |||
+ | Trisul lets you seamlessly pivot from any analysis point to PCAPs. You can pull down entire PCAP or use the super nifty "PCAP Headers" | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | ==== Conversations of a particular hosts ==== | ||
+ | Click on Dashboards > Hosts > Then on any host and " | ||
- | Alerts, attacks on Drupal | ||
- | {{: | + | {{: |
- | Pivot to packets from anywhere | + | ==== Port connections over time ==== |
- | {{: | + | The last one here is quite interesting. Go to Retro Counters > Select the entire Time interval and then select " |
+ | {{: | ||
- | Conversations of a particular hosts | ||
- | {{:offline: | + | Hope network analysis enthusiasts find this useful. |
+ | You can also install TrisulNSM natively on your Ubuntu or CentOS and then import the PCAPs there. The Docker image however makes it really easy. | ||
- | Port connections over time | ||
- | {{: |
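Review bot: the new opening sentence in the Screenshots section, "After the processing is complete. You can view the results from the web interface.", is split into a fragment; join it as "After the processing is complete, you can view the results from the web interface." Two agreement and consistency slips on the added side should be fixed in the same pass: the PCAP Totals paragraph reads "number of unique host, apps, VLANS, TLS Certificates," (use "hosts", spell it "VLANs" as the Trend paragraph does, and either finish the list or drop the trailing comma), and the new heading "==== Conversations of a particular hosts ====" should read "a particular host". Note also that in this rendered diff several image embeds and italic references survive only as "{{:" and "//" (for example in the Top flows and PCAP totals dashboard sections), so the targets of those links cannot be checked from the diff alone; verify them in the revision itself. Finally, "Hope network analysis enthusiasts find this useful." reads as a dropped subject; "I hope" or "Hopefully" would be cleaner.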
offline/defcon26ctf.txt · Last modified: 2018/11/12 23:00 by veera