offline:wrccdc_pcaps_results
Revisions compared: offline:wrccdc_pcaps_results [2018/05/12 21:55] (section "Get an overview of flow activity", by veera) | offline:wrccdc_pcaps_results [2018/05/13 00:08] (section "Drilldown to Packets", by veera)
* Part 3: Screenshots & video of analysis paths (using TrisulNSM) | * Part 3: Screenshots & video of analysis paths (using TrisulNSM) | ||
- | Now let's see some screenshots that will give you an idea of where to start. | + | Time to show and tell. |
+ | ===== Video showing UI navigations ===== | ||
+ | |||
+ | Trisul has a ton of features, and at first it can be a bit daunting to know where to start and where to go next. A sample video made by one of our engineers shows the various places you can start from and gives you a feel for the capabilities. // |
+ | |||
+ | {{youtube> | ||
===== Monitoring Techniques ===== | ===== Monitoring Techniques ===== | ||
==== Start from PCAP Summary Dashboard==== | ==== Start from PCAP Summary Dashboard==== | ||
+ | |||
+ | //Open with Dashboards > Show All > scroll down to the bottom and locate PCAP Summary// | ||
+ | |||
+ | The best place to start is the PCAP summary. Wireshark users can think of it as a supercharged '' | ||
+ | |||
[{{ : | [{{ : | ||
==== Hosts Dashboard ==== | ==== Hosts Dashboard ==== | ||
+ | |||
+ | //Open with Dashboards > Hosts// | ||
+ | |||
+ | The Hosts dashboard is a good top-level dashboard that gives you a baseline view of host activity: see which internal and external hosts are most active, by volume, by connections, |
{{ : | {{ : | ||
==== Get an overview of flow activity ==== | ==== Get an overview of flow activity ==== | ||
+ | //Open with Dashboards > Sessions// | ||
+ | |||
+ | This is a favorite starting point. You can see the PCAP dump from a flow perspective, | ||
[{{ : | [{{ : | ||
==== Viewing IDS Alerts | ==== Viewing IDS Alerts | ||
+ | Another good baseline place to start. Recall from Part 1 that, in addition to Trisul, we also run Suricata with ALL rules from the ET-Open ruleset. The alerts it generates give a fairly good idea of the hygiene of the network. In this case, as you would expect, there are a ton of NMAP scans, a few ETERNALBLUE alerts, and others. You can use the " |
{{ : | {{ : | ||
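The same baseline the IDS Alerts view gives can be produced by hand from Suricata's eve.json output when you want to script it: count alerts by signature, source and severity, then pull out the most severe signatures together with the distinct sources behind them. The block below is an added example, not TrisulNSM or Suricata code. The field names follow the layout of a Suricata EVE `alert` record; the log lines in `SAMPLE_EVE`, the signature names and the addresses are constructed for the example and are not WRCCDC data.

```python
"""Summarise Suricata eve.json alerts into a signature / source / severity baseline.

Added example; not TrisulNSM or Suricata code. Record fields follow the Suricata
EVE 'alert' event layout. SAMPLE_EVE is constructed here for illustration; the
signature names are deliberately synthetic.
"""
import json
from collections import Counter, defaultdict


def _rec(ts, src, dst, dport, sid, sig, sev, event_type="alert", proto="TCP"):
    # Build one constructed EVE record in the shape Suricata emits (one JSON object per line).
    r = {"timestamp": ts, "event_type": event_type, "src_ip": src, "src_port": 40000,
         "dest_ip": dst, "dest_port": dport, "proto": proto}
    if event_type == "alert":
        r["alert"] = {"signature_id": sid, "rev": 1, "signature": sig,
                      "category": "Sample", "severity": sev}
    return json.dumps(r)


SAMPLE_EVE = "\n".join([  # constructed sample log, not real output
    _rec("2018-05-12T10:00:01", "10.0.0.7", "10.0.1.20", 22, 9000001, "SAMPLE SCAN port sweep", 2),
    _rec("2018-05-12T10:00:02", "10.0.0.7", "10.0.1.20", 445, 9000001, "SAMPLE SCAN port sweep", 2),
    _rec("2018-05-12T10:00:03", "10.0.0.7", "10.0.1.21", 22, 9000001, "SAMPLE SCAN port sweep", 2),
    _rec("2018-05-12T10:01:00", "10.0.0.7", "10.0.1.20", 445, 9000002, "SAMPLE EXPLOIT SMB transaction overflow", 1),
    _rec("2018-05-12T10:05:00", "10.0.0.9", "10.0.1.20", 445, 9000002, "SAMPLE EXPLOIT SMB transaction overflow", 1),
    _rec("2018-05-12T10:07:00", "10.0.1.20", "10.0.0.50", 21, 9000003, "SAMPLE POLICY cleartext credentials", 3),
    _rec("2018-05-12T10:07:05", "10.0.1.20", "10.0.0.50", 21, 0, "", 0, event_type="flow"),
    "this line is not JSON and must be skipped",
])


def parse_eve(text):
    """Return only the alert records; skip other event types and unparseable lines."""
    alerts = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Counts by signature, by source host and by severity (1 is the most severe)."""
    by_sig, by_src, by_sev = Counter(), Counter(), Counter()
    for a in alerts:
        by_sig[a["alert"]["signature"]] += 1
        by_src[a["src_ip"]] += 1
        by_sev[a["alert"]["severity"]] += 1
    return {"by_signature": by_sig, "by_source": by_src, "by_severity": by_sev}


def triage(alerts, max_severity=1):
    """Signatures at or above the severity cut-off with the distinct sources behind them.

    This is the 'check the critical alerts first' path: one signature from many
    distinct sources looks like a campaign, one source hitting many targets like a scanner.
    """
    sources, counts = defaultdict(set), Counter()
    for a in alerts:
        if a["alert"]["severity"] <= max_severity:
            sig = a["alert"]["signature"]
            sources[sig].add(a["src_ip"])
            counts[sig] += 1
    return [(sig, sorted(sources[sig]), counts[sig]) for sig, _ in counts.most_common()]


if __name__ == "__main__":
    al = parse_eve(SAMPLE_EVE)
    s = summarize(al)
    print("top signatures:", s["by_signature"].most_common(3))
    print("top sources:", s["by_source"].most_common(3))
    for sig, srcs, n in triage(al):
        print(f"{n:3d}  {sig}  from {', '.join(srcs)}")
```

Point `parse_eve` at the real eve.json from the Suricata container and the same three functions give the counts the dashboard shows; the non-alert events (flows, DNS, HTTP records) that Suricata writes to the same file are dropped by the `event_type` check.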
+ | ==== Retro Analysis - view advanced counters ==== | ||
+ | |||
+ | //To open : Retro > Retro Counters // | ||
+ | |||
+ | The retro analysis tools let you select an arbitrary timeframe in the past and then drill down into it. Since TrisulNSM is a streaming analytics tool, it handles very large timeframes easily compared to search-based tools. |
+ | |||
+ | [{{ : | ||
+ | |||
+ | First select a time frame on the bandwidth chart, then select one of the 40+ " |
+ | |||
+ | |||
+ | [{{ : | ||
===== Drilldown techniques ===== | ===== Drilldown techniques ===== | ||
+ | Once you have a fairly solid baseline you can go back and decide which paths you want to follow to drill down further. You might be interested in first checking out the critical IDS alerts, or in tracking down flows. This section introduces the tools you will use for those drilldowns. |
+ | ==== Explore flows ==== | ||
- | Explore flows | + | Most of the time you want to drop down to the flow level first. This is accessed via "Explore |
- | {{ : | + | [{{ : |
- | Trisul EDGE: Graph analytics discover relationships | + | ==== Trisul EDGE: Graph analytics discover relationships |
- | [{{ : | + | We recently added Graph Analytics to Trisul. It answers a common question that analysts ask of any " |
+ | |||
+ | [{{ : | ||
==== File Extraction ==== | ==== File Extraction ==== | ||
- | |||
- | {{ : | + | Trisul has the ability using the "Save Binaries" |
- | ==== File extraction ==== | + | |
+ | [{{ : | ||
+ | |||
+ | The extracted files are stored by the app in ''/ | ||
+ | |||
< | < | ||
- | ===== Video showing UI navigations ===== | ||
- | A sample video made by one of our engineers showing | + | ==== Drilldown to Packets ==== |
+ | |||
+ | This is the endzone | ||
+ | |||
+ | - Quickly fetches the first 100K of the PCAP |
+ | - Shows the strings in the PCAP in the first pane. This is a very useful trick; it has made our analysis 10x faster in many cases. |
+ | - In the second pane, shows the hexdump in canonical format |
+ | - In the third pane, shows each packet in TSHARK format |
+ | - You then decide whether to download the PCAP and open it in Wireshark. |
+ | |||
+ | [{{ : | ||
+ | |||
+ | |||
+ | ===== Conclusion ===== | ||
+ | |||
+ | Thank you so much for reading all the way to the end. We hope you find this free TrisulNSM Docker tool useful for monitoring PCAPs as well as live networks. The default [[https:// |
+ | |||
+ | |||
+ | We also want to thank the great team at WRCCDC for releasing the PCAPs. We work with PCAP all the time and know what a tremendous effort it is to assemble them. |
+ | |||
+ | < | ||
+ | Thanks again to the folks in this tweet. | ||
+ | |||
+ | Over 1 TB of #PCAP files from the @wrccdc #CDX have been released online thanks to @spiceywasabi and @disturbedmime. The WRCCDC dataset is now linked from our PCAP repository list. | ||
+ | |||
+ | </ | ||
- | Follow this link : https:// | ||
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera