offline:wrccdc_pcaps
offline:wrccdc_pcaps [2018/05/12 15:25] – [2: Flow Analytics] veera | offline:wrccdc_pcaps [2018/05/12 17:10] – [Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach] veera | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM |
The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | ||
+ | This is Part-1 of a 3 Part series | ||
- | In this article, we show you how you can use the TrisulNSM Docker | + | * Part 1: Approach |
+ | * [[offline: | ||
+ | * [[offline: | ||
- | ===== Where to start with giant PCAP dumps ===== | ||
- | The strategy for dealing | + | ===== Where to start with giant PCAP dumps ===== |
+ | The strategy to avoid getting overwhelmed by giant PCAPs is similar to capturing live traffic for the very first time from big networks. You start from knowledge about the organization and then build a baseline analysis. Then you can spread out into different analysis paths depending on what you are looking for. The tooling you have must support this process end to end. | ||
In this particular case, here is What we know for sure : | In this particular case, here is What we know for sure : | ||
- the PCAPs are published by WRCCDC | - the PCAPs are published by WRCCDC | ||
- these are from a cyber defense competition | - these are from a cyber defense competition | ||
- | - they are big. Big enough to make packet level tools like Wireshark , NetworkMiner etc impractical as first line tool | + | - they are big. Big enough to make packet level tools like Wireshark , NetworkMiner etc impractical as first-line tool |
- | We like to explore | + | We like to divvy up the work into two distinct tasksets |
+ | |||
+ | - **Monitoring Tasks** : Look around at higher level trying to spot patterns, gain understanding, | ||
+ | - **Drilldown Tasks** : You've already identified something that needs further investigation. You now need tooling to increase resolution on that path alone and complete the investigation. The ideal end point for this in NSM would be to drilldown to the packet level. | ||
+ | |||
+ | |||
+ | ===== Monitoring ===== | ||
+ | |||
+ | We like to build a baseline understanding of the network from the PCAPs from the following | ||
==== 1: Traffic Analytics ==== | ==== 1: Traffic Analytics ==== | ||
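Review bot: dropping the sentence "In this article, we show you how you can use the TrisulNSM Docker ..." in favour of the Part 1/2/3 list leaves the new introduction without any statement of what tooling the series actually runs; the lines that follow ("We created TrisulNSM to excel in this area") assume the reader already knows TrisulNSM is used as a Docker image. Suggest keeping one sentence such as "This series uses the TrisulNSM Docker image to analyze the dump" above the part list, and giving the "* [[offline:" items for Part 2 and Part 3 visible link text, since the list currently shows only the link prefix. Minor style points carried unchanged on both sides: "here is What we know for sure :" (lower-case "what", no space before the colon) and "impractical as first-line tool" should read "as a first-line tool".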
Line 23: | Line 34: | ||
First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | ||
- | * How many packets in the PCAP dump? Bytes? How many Flows ? | + | * What is the duration of the PCAPs? |
* What does the overall bandwidth usage chart look like ? | * What does the overall bandwidth usage chart look like ? | ||
* How much of that bandwidth went to external world, how much stayed inside? | * How much of that bandwidth went to external world, how much stayed inside? | ||
Line 54: | Line 65: | ||
We generally enable all rules while looking at PCAPs because we have luxury of time and CPU. A large rule load can result in packet drops on live networks but doable in offline mode. | We generally enable all rules while looking at PCAPs because we have luxury of time and CPU. A large rule load can result in packet drops on live networks but doable in offline mode. | ||
+ | ==== 4: More advanced Traffic Analytics ==== | ||
+ | Steps 1-3, will give you a rather solid foundation. By this time, you should have atleast a dozen potential starting points to dig deeper. For example : //" | ||
+ | * **SSL/ | ||
+ | * **SNI** : Which are the top-K and bottom-K SNI (Server Name Indication) in TLS traffic you're seeing. | ||
+ | * **JA3 Hash** : The JA3 is a TLS client hello finger print. It is a very good soft indicator that can spot common client applications like Browsers. There are some good malware prints too. | ||
+ | * **Geo counters** : Traffic and Hits by country. You can open up the Bottom-K lists and explore deeper. | ||
+ | * **HTTP | ||
+ | Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points. | ||
+ | ===== Drilling down ===== | ||
- | ===== Instructions to run TrisulNSM over the PCAPs ===== | + | The relevant factor in Drilldown is whether |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | Download the first 8 PCAP files. Roughly 4GB into ''/ | + | |
- | + | ||
- | < | + | |
- | root@unpl: | + | |
- | total 3.8G | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | + | |
- | root@unpl: | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Run the Docker image over the pcaps | + | |
- | + | ||
- | < | + | |
- | + | ||
- | sudo docker run --name=trisul1n \ | + | |
- | --privileged=true --net=host -v / | + | |
- | -d trisulnsm/ | + | |
- | --webserver-port 4000 --websockets-port 4003 \ | + | |
- | --fine-resolution | + | |
- | --pcap | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Upon completion your '' | + | |
- | + | ||
- | + | ||
- | < | + | |
- | + | ||
- | Finished elapsed : 328 seconds | + | |
- | + | ||
- | + | ||
- | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO / | + | |
- | ==== TO VIEW DASHBOARDS ===== | + | |
- | ==== 1. login to the Web Trisul interface ===== | + | |
- | ==== 2. select wrccdc1 | + | |
- | + | ||
- | Started TrisulNSM docker image. Sleeping. | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Using Trisul to analyze the PCAPs | + | |
- | File extraction | + | - **Top-K/ |
+ | - **Graph Analytics** : Expand a particular item to reveal connected items. | ||
+ | - **Resources** : View meta data like TLS Certificates, | ||
+ | - **Full Text Search** : For tools based on Log analysis such as Splunk or ELK you can query for logs and aggregations. TrisulNSM is based on streaming analytics but has limited FTS (Full Text Search) capability for HTTP Headers and TLS Certificates. | ||
+ | - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | ||
+ | - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | ||
+ | - **Packets** : The final level of drill down. After this you should have all the information to decide if any escalation is required for action outside the NSM toolset. | ||
- | < | ||
- | DOCKER: | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 / | ||
- | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 / | ||
- | DOCKER: | ||
- | </ | ||
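Review bot: the whole "Instructions to run TrisulNSM over the PCAPs" section (the ''ls -lh'' listing, the ''sudo docker run --name=trisul1n ...'' command and the "SUCCESSFULLY IMPORTED FROM PCAP REPO" completion banner) is removed from Part 1, but nothing in the new text says where those steps now live, so a reader of Part 1 cannot reproduce the dashboards that "==== 1: Traffic Analytics ====" and "==== 4: More advanced Traffic Analytics ====" refer to. Suggest adding a pointer ("see Part 2 for running the image over the PCAPs") next to the new "===== Drilling down =====" heading. Wherever the command ends up, it is worth one line noting that ''--privileged=true --net=host'' gives the container unrestricted access to the host's devices and network stack, which matters when the analysis box is shared. In the new drilldown list: "From a IP or App" should read "From an IP or App", and "potential troublesome downloads" should read "potentially troublesome downloads".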
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera