offline:wrccdc_pcaps_results
offline:wrccdc_pcaps_results [2018/05/12 23:41] – [Viewing IDS Alerts] veeraoffline:wrccdc_pcaps_results [2018/05/12 23:52] – [Explore flows] veera
Line 58: Line 58:
  
 ==== Retro Analysis - view advanced counters ==== ==== Retro Analysis - view advanced counters ====
 +
 +//To open : Retro > Retro Counters //
 +
 +The retro analysis tools let you select arbitrary timeframe in the past and then drilldown into that. Since TrisulNSM is a streaming analytics tool, it can handle very large timeframes easily compared to search based tools.  Here we want to use **Retro Counters** to view whats in the PCAP dump from a metrics perspective. It only takes seconds per counter and in less than a minute you can get a fantastic baseline from many angles.
  
 [{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}] [{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}]
  
-Here we are seeing the JA3 TLS Fingerprints+You have to select a time frame from the bandwidth chart and then select one of the 40+ "counter groups" we have built into Trisul.  There are groups for TLS counts (Cert authorities, Orgs, ciphers used), SNI, HTTP Hosts, Error codes, Countries, ASN, and several advanced ones like [[https://github.com/salesforce/ja3|JA3 Hashes]]. To get the JA3 Hash metrics we have selected a timeframe and the //JA3 Print// from the drop down list. 
  
 [{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}] [{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}]
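Review bot: "whats" in the Retro Counters paragraph should be "what's", and the same region switches between "timeframe" and "time frame"; settle on one spelling. The steps "select one of the 40+ counter groups" and "the JA3 Print from the drop down list" never say where that drop-down sits on the Retro Counters screen, so a reader has only the screenshot caption to locate it; one clause naming the control's position would close the gap. The link text says "JA3 Hashes" while the menu item is "JA3 Print"; state explicitly that they are the same counter group so nobody looks for a second entry.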
 ===== Drilldown techniques ===== ===== Drilldown techniques =====
  
 +Once you have a fairly solid baseline you can go back and decide which paths you want to follow to drilldown further. You might be interested in first checking out the critical IDS alerts, or tracking down flows. This section introduces you to the tools you will use for the drilldowns. 
 ==== Explore flows ==== ==== Explore flows ====
 +
 +Most of the times you want to first drop down to the flow level. This can be accessed by "Explore Flows" or by clicking on the menu items within the context of whatever you are doing. Most of the screens such as alerts, metrics, etc  have a "Explore Flows" option.  TrisulNSM stores all flows and reports with blazing speed, even when there are hundreds of millions of them.  
  
 [{{ :offline:w23-scan.png?400 |Jump to flows , query flows}}] [{{ :offline:w23-scan.png?400 |Jump to flows , query flows}}]
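Review bot: "Most of the times you want to first drop down" should read "Most of the time you want to drop down first", and "a "Explore Flows" option" needs "an". The caption "Jump to flows , query flows" has a stray space before the comma and promises a query capability the paragraph never describes; either document how flows are queried in this section or drop "query flows" from the caption. The "blazing speed, even when there are hundreds of millions" claim carries no figure, whereas the retro section gives "seconds per counter"; a comparable bound for flow queries would make the statement checkable.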
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera