offline:wrccdc_pcaps_results [2018/05/12 23:39] – [Get an overview of flow activity] veeraoffline:wrccdc_pcaps_results [2018/05/13 00:08] (current) – [Conclusion] veera
Line 51: Line 51:
 ==== Viewing IDS Alerts  ==== ==== Viewing IDS Alerts  ====
    
 +Another great baseline place to start. Remember from Part-1 in addition to Trisul , we also run Suricata with ALL rules from ET-Open ruleset. The alerts generated by this give us a fairly good idea of the hygiene of the network. In this case, as you would expect there are a ton of NMAP scans, a few ETERNALBLUE and other alerts. You can use the "Search" form on the top to filter further. But right now, we have a fairly good baseline from this angle. 
  
 {{ :offline:wrccdc1.png?direct&400 |}} {{ :offline:wrccdc1.png?direct&400 |}}
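Review bot: the new paragraph sends the reader back to "Part-1" for the Suricata and ET-Open setup but gives no link to it; add the link so a reader landing on this page can check which ruleset and alert categories the baseline is built from. Also, since the paragraph names ETERNALBLUE alerts as part of the baseline, it would help to say which alert categories the screenshot is filtered on, so the "Search" form step is reproducible.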
Line 57: Line 58:
  
 ==== Retro Analysis - view advanced counters ==== ==== Retro Analysis - view advanced counters ====
 +
 +//To open : Retro > Retro Counters //
 +
 +The retro analysis tools let you select arbitrary timeframe in the past and then drilldown into that. Since TrisulNSM is a streaming analytics tool, it can handle very large timeframes easily compared to search based tools.  Here we want to use **Retro Counters** to view whats in the PCAP dump from a metrics perspective. It only takes seconds per counter and in less than a minute you can get a fantastic baseline from many angles.
  
 [{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}] [{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}]
  
-Here we are seeing the JA3 TLS Fingerprints+You have to select a time frame from the bandwidth chart and then select one of the 40+ "counter groups" we have built into Trisul.  There are groups for TLS counts (Cert authorities, Orgs, ciphers used), SNI, HTTP Hosts, Error codes, Countries, ASN, and several advanced ones like [[https://github.com/salesforce/ja3|JA3 Hashes]]. To get the JA3 Hash metrics we have selected a timeframe and the //JA3 Print// from the drop down list. 
  
 [{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}] [{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}]
 ===== Drilldown techniques ===== ===== Drilldown techniques =====
  
 +Once you have a fairly solid baseline you can go back and decide which paths you want to follow to drilldown further. You might be interested in first checking out the critical IDS alerts, or tracking down flows. This section introduces you to the tools you will use for the drilldowns. 
 ==== Explore flows ==== ==== Explore flows ====
 +
 +Most of the times you want to first drop down to the flow level. This can be accessed by "Explore Flows" or by clicking on the menu items within the context of whatever you are doing. Most of the screens such as alerts, metrics, etc  have a "Explore Flows" option.  TrisulNSM stores all flows and reports with blazing speed, even when there are hundreds of millions of them.  
  
 [{{ :offline:w23-scan.png?400 |Jump to flows , query flows}}] [{{ :offline:w23-scan.png?400 |Jump to flows , query flows}}]
  
 ==== Trisul EDGE: Graph analytics discover relationships ==== ==== Trisul EDGE: Graph analytics discover relationships ====
 +
 +We recently added Graph Analytics to Trisul. This solves a common question that analysts ask from any "key" - "what is related to this". For example you can be looking at the country metrics for Kenya and ask "What are the hosts, apps, external hosts, TLS" connected to this country.  In search based solutions, this is typically by enriching the logs (an expensive operation).  ALL metrics in Trisul are enabled with this feature.  This is right now our preferred place to start drilldowns. 
  
 [{{ :offline:w20.png?400 |Click on any key to reveal neighbors, then finally jump to flows }}] [{{ :offline:w20.png?400 |Click on any key to reveal neighbors, then finally jump to flows }}]
  
 ==== File Extraction ==== ==== File Extraction ====
- + 
 +Trisul has the ability using the "Save Binaries" LUA Plugin to extract potentially malicious binaries of any size. This is also a good place to look and see if it is worth drilling down. Here we found 47 such files. Many of them were *.CAB from windows update, but we found 10 EXE files as well. 
  
 [{{ :offline:w14.png?direct&400 | Check if any EXE/ZIP etc were downloaded}}] [{{ :offline:w14.png?direct&400 | Check if any EXE/ZIP etc were downloaded}}]
  
- +The extracted files are stored by the app in ''/tmp/savedfiles'' We use the actual filename as part of the extracted content, so you can track it easily.  If you want to explore further, you can submit it to VirusTotal or YARA. 
-==== Drilldown to Packets ====+
    
- 
-[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}] 
- 
- 
-==== File extraction ==== 
  
 <code> <code>
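Review bot: the File Extraction paragraph says the extracted content is written to ''/tmp/savedfiles'' using the actual filename from the traffic, but does not say how that name is sanitized; a name taken from captured traffic can collide with or overwrite another extracted file and may contain path separators, so state what the plugin does about this. The same paragraph should also tell readers that the directory holds live, potentially malicious binaries and should be kept restricted and non-executable, and that submitting a sample to VirusTotal shares it with other users, so a hash lookup first is preferable for sensitive captures. Minor: in the Trisul EDGE paragraph, "this is typically by enriching the logs" is missing "done".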
Line 99: Line 104:
 </code> </code>
  
 +
 +
 +
 +==== Drilldown to Packets ====
 +
 +This is the endzone of most drilldowns and hunts. The absolute truth! TrisulNSM can jump to packets from a number of places. We suggest you use the "Quick Packet Headers" option to eyeball the PCAP before bringing it into Wireshark.  The Packet Headers has
 +
 +  - Quickly gets the first 100K of the PCAP
 +  - Shows the strings in the PCAP in the 1st pane. This is a very very useful trick, helped us improve speed 10x in many cases.
 +  - In second pane, shows the hexdump in a canonical format
 +  - In the third pane, shows each packet in TSHARK format
 +  - You then decide if you want to download the PCAP into wireshark. 
 +
 +[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}]
 +
 +
 +===== Conclusion =====
 +
 +Thank you so much for reading all the way to the end.  We hope you find this free TrisulNSM Docker tool useful for monitoring PCAPs as well as for Live networks. The default [[https://trisul.org/free|Free Community License]] allows you to do a lot on frugal hardware. Check out our site [[https://trisul.org|Trisul Network Analytics]] for more options
 +
 +
 +We also want to thank the great team at WRCCDC for releasing them. We work with PCAP all the time and know what a tremendous effort it is to assemble them. 
 +
 +<note>
 +Thanks again to the folks in this tweet from @netresec. 
 +
 +Over 1 TB of #PCAP files from the @wrccdc #CDX have been released online thanks to @spiceywasabi and @disturbedmime. The WRCCDC dataset is now linked from our PCAP repository list.
 +
 +</note>
  
  
  
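Review bot: in the "Drilldown to Packets" list, "Quickly gets the first 100K of the PCAP" is ambiguous (100 KB, 100K packets?); state the unit. The lead sentence "The Packet Headers has" runs straight into the list, but the last item ("You then decide if you want to download the PCAP into wireshark") is a user step rather than a feature of the view, so move it after the list as a sentence. In the Conclusion, the tweet quoted inside <note> would benefit from a link and date so the provenance of the dataset is verifiable, and "for more options" is missing its closing period.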
offline/wrccdc_pcaps_results.1526148546.txt.gz · Last modified: 2018/05/12 23:39 by veera