offline:wrccdc_pcaps
Differences
This shows you the differences between two versions of the page.
offline:wrccdc_pcaps [2018/05/12 16:04] – [Drilling down techniques] veera | offline:wrccdc_pcaps [2018/05/13 00:10] (current) – [Drilling down] veera | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM |
The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | ||
+ | This is Part-1 of a 3 Part series | ||
+ | |||
+ | * Part 1: Approach how to avoid getting overwhelmed by large PCAPS | ||
+ | * [[offline: | ||
+ | * [[offline: | ||
- | In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump. | ||
===== Where to start with giant PCAP dumps ===== | ===== Where to start with giant PCAP dumps ===== | ||
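Review bot: the two new series bullets under "This is Part-1 of a 3 Part series" render as bare `[[offline:` links with no visible title (the lines ending `* [[offline:`), so a reader cannot tell what Parts 2 and 3 cover; give each link a display text in the same form as the Part 1 bullet ("Part 2: ...", "Part 3: ...") and make the hyphenation consistent ("Part 1 of a 3-part series"). The removed sentence "In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump" was the only place the page said the analysis is run from the Docker image; keep that fact in the intro or in the Part 1 bullet so the page still states what tool the series uses.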
Line 30: | Line 34: | ||
First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | ||
- | * How many packets in the PCAP dump? Bytes? How many Flows ? | + | * What is the duration of the PCAPs? |
* What does the overall bandwidth usage chart look like ? | * What does the overall bandwidth usage chart look like ? | ||
* How much of that bandwidth went to external world, how much stayed inside? | * How much of that bandwidth went to external world, how much stayed inside? | ||
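Review bot: the bullet "How many packets in the PCAP dump? Bytes? How many Flows ?" is replaced by "What is the duration of the PCAPs?" instead of being kept alongside it; packet, byte and flow totals are the scale figures the next two bullets (the bandwidth chart and the internal versus external split) are read against, and duration alone does not supply them. Suggest keeping both, e.g. "* What is the duration of the PCAPs? How many packets, bytes and flows?". The third bullet, "how much stayed inside", should also say what counts as inside (the address ranges the analyst treats as internal), since that definition decides the internal/external split that the rest of the section builds on.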
Line 65: | Line 69: | ||
Steps 1-3, will give you a rather solid foundation. By this time, you should have atleast a dozen potential starting points to dig deeper. For example : //" | Steps 1-3, will give you a rather solid foundation. By this time, you should have atleast a dozen potential starting points to dig deeper. For example : //" | ||
- | * SSL/ | + | |
- | * SNI : Which are the top-K and bottom-K SNI (Server Name Indication) in TLS traffic you're seeing. | + | |
- | * JA3 Hash : The JA3 is a TLS client hello finger print. It is a very good soft indicator that can spot common client applications like Browsers. There are some good malware prints too. | + | |
- | * Geo counters : Traffic and Hits by country. You can open up the Bottom-K lists and explore deeper. | + | |
- | * HTTP counters : HTTP Error codes by time. | + | |
Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points. | Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points. | ||
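Review bot: the unchanged closing sentence "Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points" still refers to five counter groups, but in this hunk the five bullets (SSL/..., SNI, JA3 Hash, Geo counters, HTTP counters) appear only on the removed side and the new side is empty; if they were merely re-indented the rendered page should be checked, otherwise restore them or reword the sentence. On the JA3 bullet, "The JA3 is a TLS client hello finger print" does not say which parts of the ClientHello go into the hash, nor that different applications built on the same TLS stack produce the same JA3; adding that is what justifies calling it a "soft indicator" and tells the reader to pair it with the SNI or destination before treating a match as an identification.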
Line 79: | Line 83: | ||
The relevant factor in Drilldown is whether the analyst is looking for something specific. A security oriented analyst may only want to follow certain drilldown paths from certain starting points. A more general threat-hunting analyst might want to drilldown on all possible leads. These techniques are useful | The relevant factor in Drilldown is whether the analyst is looking for something specific. A security oriented analyst may only want to follow certain drilldown paths from certain starting points. A more general threat-hunting analyst might want to drilldown on all possible leads. These techniques are useful | ||
- | - Top-K/ | + | - **Top-K/ |
- | - Graph Analytics : Expand a particular item to reveal connected items. | + | - **Graph Analytics** : Expand a particular item to reveal connected items. |
- | - Resources : View meta data like TLS Certificates, | + | - **Resources** : View meta data like TLS Certificates, |
- | - Full Text Search : For tools based on Log analysis such as Splunk or ELK you can query for logs and aggregations. TrisulNSM is based on streaming analytics but has limited FTS (Full Text Search) capability for HTTP Headers and TLS Certificates. | + | - **Full Text Search** : For tools based on Log analysis such as Splunk or ELK you can query for logs and aggregations. TrisulNSM is based on streaming analytics but has limited FTS (Full Text Search) capability for HTTP Headers and TLS Certificates. |
- | - Files : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | + | - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. |
- | - Flows : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | + | - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. |
- | - Packets : The final level of drill down. | + | - **Packets** : The final level of drill down. |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | ===== Instructions | + | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | Download the first 8 PCAP files. Roughly 4GB into ''/ | + | |
- | + | ||
- | < | + | |
- | root@unpl: | + | |
- | total 3.8G | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | + | |
- | root@unpl: | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Run the Docker image over the pcaps | + | |
- | + | ||
- | < | + | |
- | + | ||
- | sudo docker run --name=trisul1n \ | + | |
- | --privileged=true --net=host -v / | + | |
- | -d trisulnsm/ | + | |
- | --webserver-port 4000 --websockets-port 4003 \ | + | |
- | --fine-resolution | + | |
- | --pcap | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Upon completion your '' | + | |
- | + | ||
- | + | ||
- | < | + | |
- | + | ||
- | Finished elapsed : 328 seconds | + | |
- | + | ||
- | + | ||
- | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO / | + | |
- | ==== TO VIEW DASHBOARDS ===== | + | |
- | ==== 1. login to the Web Trisul interface ===== | + | |
- | ==== 2. select wrccdc1 on the Login Screen ===== | + | |
- | + | ||
- | Started TrisulNSM docker image. Sleeping. | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Using Trisul to analyze the PCAPs | + | |
- | + | ||
- | + | ||
- | File extraction | + | |
- | < | ||
- | DOCKER: | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 / | ||
- | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 / | ||
- | DOCKER: | ||
- | </ | + | ==== Next ==== |
+ | Enough of theory. [[offline: | ||
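Review bot: the run command being removed in this hunk starts the image with `--privileged=true --net=host` plus a bind mount of the PCAP directory; for offline analysis of a static capture set neither privileged mode nor the host network namespace is needed, and a privileged container gets full device access on the analysis box. When this block reappears in the linked Part 2, run it unprivileged, publish only the two ports the command itself names (`-p 4000:4000 -p 4003:4003` in place of `--net=host`) and mount the capture directory read-only (`:ro` on the `-v` flag, unless the image must write there) so the tool cannot alter the evidence it is reading. Two smaller points: the new "Next" line ends at `[[offline:` with no visible link text, and the sentence "These techniques are useful" above the bolded list is cut off on both sides of the diff; finish it or drop it.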
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera