offline:wrccdc_pcaps
Differences
This shows you the differences between two versions of the page.
offline:wrccdc_pcaps [2018/05/12 15:45] – [Monitoring] veera | offline:wrccdc_pcaps [2018/05/12 17:10] – [Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach] veera | ||
Line 1: | Line 1: | ||
- | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM |
The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | ||
+ | This is Part-1 of a 3 Part series | ||
- | In this article, we show you how you can use the TrisulNSM Docker | + | * Part 1: Approach |
+ | * [[offline: | ||
+ | * [[offline: | ||
- | ===== Where to start with giant PCAP dumps ===== | ||
- | The strategy for dealing | + | ===== Where to start with giant PCAP dumps ===== |
+ | The strategy to avoid getting overwhelmed by giant PCAPs is similar to capturing live traffic for the very first time from big networks. You start from knowledge about the organization and then build a baseline analysis. Then you can spread out into different analysis paths depending on what you are looking for. The tooling you have must support this process end to end. | ||
In this particular case, here is What we know for sure : | In this particular case, here is What we know for sure : | ||
- the PCAPs are published by WRCCDC | - the PCAPs are published by WRCCDC | ||
- these are from a cyber defense competition | - these are from a cyber defense competition | ||
- | - they are big. Big enough to make packet level tools like Wireshark , NetworkMiner etc impractical as first line tool | + | - they are big. Big enough to make packet level tools like Wireshark , NetworkMiner etc impractical as first-line tool |
- | So when given a large PCAP dump, we like to divvy up the work into two distinct | + | We like to divvy up the work into two distinct |
- **Monitoring Tasks** : Look around at higher level trying to spot patterns, gain understanding, | - **Monitoring Tasks** : Look around at higher level trying to spot patterns, gain understanding, | ||
- **Drilldown Tasks** : You've already identified something that needs further investigation. You now need tooling to increase resolution on that path alone and complete the investigation. The ideal end point for this in NSM would be to drilldown to the packet level. | - **Drilldown Tasks** : You've already identified something that needs further investigation. You now need tooling to increase resolution on that path alone and complete the investigation. The ideal end point for this in NSM would be to drilldown to the packet level. | ||
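Review bot: the lead-in "here is What we know for sure :" is unchanged on both sides but still carries a stray capital W and a space before the colon; while this hunk is being edited, make it "here is what we know for sure:". In the rewritten third bullet, "impractical as first-line tool" needs an article ("as a first-line tool"), and in the Monitoring Tasks bullet "Look around at higher level" should read "at a higher level".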
Line 24: | Line 28: | ||
===== Monitoring ===== | ===== Monitoring ===== | ||
- | We like to build a baseline understanding of the network from the PCAPs using these four angles. In that order. | + | We like to build a baseline understanding of the network from the PCAPs from the following |
==== 1: Traffic Analytics ==== | ==== 1: Traffic Analytics ==== | ||
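Review bot: the old sentence ended with "In that order", which made explicit that the four angles are worked through sequentially; the replacement wording "from the following" drops that, yet the page later refers to "Steps 1-3" as giving a solid foundation, so keep an explicit statement that the angles are applied in order.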
Line 30: | Line 34: | ||
First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | ||
- | * How many packets in the PCAP dump? Bytes? How many Flows ? | + | * What is the duration of the PCAPs? |
* What does the overall bandwidth usage chart look like ? | * What does the overall bandwidth usage chart look like ? | ||
* How much of that bandwidth went to external world, how much stayed inside? | * How much of that bandwidth went to external world, how much stayed inside? | ||
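Review bot: the first bullet replaces "How many packets in the PCAP dump? Bytes? How many Flows ?" with "What is the duration of the PCAPs?". Duration is a good opening question, but total packets, bytes and flows are the volume baseline that the two bullets below it depend on (the bandwidth chart and the internal/external split are both fractions of that total); consider keeping both questions instead of swapping one for the other.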
Line 65: | Line 69: | ||
Steps 1-3, will give you a rather solid foundation. By this time, you should have atleast a dozen potential starting points to dig deeper. For example : //" | Steps 1-3, will give you a rather solid foundation. By this time, you should have atleast a dozen potential starting points to dig deeper. For example : //" | ||
- | * SSL/ | + | |
- | * SNI : Which are the top-K and bottom-K SNI (Server Name Indication) in TLS traffic you're seeing. | + | |
- | * JA3 Hash : The JA3 is a TLS client hello finger print. It is a very good soft indicator that can spot common client applications like Browsers. There are some good malware prints too. | + | |
- | * Geo counters : Traffic and Hits by country. You can open up the Bottom-K lists and explore deeper. | + | |
- | * HTTP counters : HTTP Error codes by time. | + | |
Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points. | Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points. | ||
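Review bot: "atleast" in the unchanged lead sentence should be "at least". The closing sentence "the above five are good medium resolution starting points" only works if the five counter-group bullets (SSL, SNI, JA3 Hash, Geo counters, HTTP counters) stay directly above it; the diff marks all five bullets as changed, so confirm the list survives intact in the new revision, otherwise "the above five" has nothing to refer to.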
Line 75: | Line 79: | ||
+ | ===== Drilling down ===== | ||
+ | The relevant factor in Drilldown is whether the analyst is looking for something specific. A security oriented analyst may only want to follow certain drilldown paths from certain starting points. A more general threat-hunting analyst might want to drilldown on all possible leads. These techniques are useful | ||
+ | - **Top-K/ | ||
+ | - **Graph Analytics** : Expand a particular item to reveal connected items. | ||
+ | - **Resources** : View meta data like TLS Certificates, | ||
+ | - **Full Text Search** : For tools based on Log analysis such as Splunk or ELK you can query for logs and aggregations. TrisulNSM is based on streaming analytics but has limited FTS (Full Text Search) capability for HTTP Headers and TLS Certificates. | ||
+ | - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | ||
+ | - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | ||
+ | - **Packets** : The final level of drill down. After this you should have all the information to decide if any escalation is required for action outside the NSM toolset. | ||
- | |||
- | ===== Instructions to run TrisulNSM over the PCAPs ===== | ||
- | |||
- | |||
- | |||
- | |||
- | Download the first 8 PCAP files. Roughly 4GB into ''/ | ||
- | |||
- | < | ||
- | root@unpl: | ||
- | total 3.8G | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | ||
- | root@unpl: | ||
- | </ | ||
- | |||
- | |||
- | |||
- | Run the Docker image over the pcaps | ||
- | |||
- | < | ||
- | |||
- | sudo docker run --name=trisul1n \ | ||
- | --privileged=true --net=host -v / | ||
- | -d trisulnsm/ | ||
- | --webserver-port 4000 --websockets-port 4003 \ | ||
- | --fine-resolution | ||
- | --pcap | ||
- | </ | ||
- | |||
- | |||
- | |||
- | Upon completion your '' | ||
- | |||
- | |||
- | < | ||
- | |||
- | Finished elapsed : 328 seconds | ||
- | |||
- | |||
- | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO / | ||
- | ==== TO VIEW DASHBOARDS ===== | ||
- | ==== 1. login to the Web Trisul interface ===== | ||
- | ==== 2. select wrccdc1 on the Login Screen ===== | ||
- | |||
- | Started TrisulNSM docker image. Sleeping. | ||
- | |||
- | </ | ||
- | |||
- | |||
- | |||
- | Using Trisul to analyze the PCAPs | ||
- | |||
- | |||
- | File extraction | ||
- | |||
- | < | ||
- | DOCKER: | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 / | ||
- | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 / | ||
- | DOCKER: | ||
- | |||
- | |||
- | </ | ||
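Review bot: this hunk drops the entire "Instructions to run TrisulNSM over the PCAPs" section (the PCAP directory listing, the docker run command and the "SUCCESSFULLY IMPORTED" completion output) while adding the Drilling down section, but nothing left in Part 1 tells the reader where those instructions went; since the page now announces a 3-part series, add one sentence pointing to the part that carries them. Wherever they land, note that the removed command starts the container with --privileged=true --net=host, which gives it unrestricted access to host devices and the host network namespace; state why the PCAP import needs that and recommend running it on a dedicated analysis host rather than a shared one. Minor wording in the new section: "From a IP" should be "From an IP", "meta data" should be "metadata", and "potential troublesome downloads" should be "potentially troublesome downloads".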
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera