In this article we show, step by step, how to run the free TrisulNSM Docker image over PCAP dumps.
This is Part 2 of a 3-part series.
First install Docker on your host platform. We recommend Ubuntu 16.04 or CentOS 7.4. Installation instructions are in the Docker section on the Articles page.
Next choose a directory on the host to be used as the shared Docker "root" volume. In this article we use /opt/trisulroot5 as the base directory. Create a subdirectory inside it and put the PCAPs there.
Here we have downloaded the first 8 files of the WRCCDC capture set into the directory /opt/trisulroot5/wrccdc.
You can download as many as you want; just make sure you have enough disk space for both the PCAPs and the results.
```text
root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/
total 3.8G
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap
-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap
-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap
root@unpl:~#
```
The next step is to run the trisulnsm/trisul6 Docker image over the PCAPs you placed in that subdirectory. The first time you run this, Docker will pull the image over the network, so make sure the machine has internet access.
```bash
sudo docker run --name=trisul1n \
    --privileged=true --net=host -v /opt/trisulroot5:/trisulroot \
    -d trisulnsm/trisul6 --enable-file-extraction \
    --webserver-port 4000 --websockets-port 4003 \
    --fine-resolution \
    --pcap wrccdc
```
A quick note on the command line options we are using. For the complete list of options see github/trisulnsm.

| Option | Description |
|---|---|
| `--name` | We give the instance the name trisul1n, which makes it easier to manage the container later (`docker logs`, `docker stop`, and so on). |
| `--privileged`, `--net=host` | Go along with the `--enable-file-extraction` option, which is used to dump suspected malicious files transferred over the network. Note that these two flags give the container near-host-level access and put its listeners directly on the host's interfaces, so run it only on a dedicated analysis machine. |
| `-v /opt/trisulroot5:/trisulroot` | Mounts the base directory chosen above into the container as /trisulroot. Everything Trisul reads and writes goes through this volume. |
| `--webserver-port 4000`, `--websockets-port 4003` | We use these two ports for web access instead of the defaults (3000 and 3003). Skip both flags if the defaults are fine. Also ensure the firewall allows whichever ports you use. |
| `--fine-resolution` | Use 1-second timeseries data instead of the default 1-minute. WRCCDC traffic is very high, so high-resolution timeseries gives better metrics. |
| `--pcap` | The name of the subdirectory, wrccdc, relative to the base volume. Recall that we put the PCAPs in /opt/trisulroot5/wrccdc, which the container sees as /trisulroot/wrccdc. Trisul runs over the PCAPs in this directory, then runs Suricata as a second pass over them and indexes the Suricata output in Trisul. |
TrisulNSM is now crunching the PCAPs. You can follow its progress with:

```bash
docker logs -f trisul1n
```
On our very modest system it took roughly 40 seconds per file. When processing finishes you will see something like this:
```text
Finished elapsed : 328 seconds
==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc =====
==== TO VIEW DASHBOARDS =====
====   1. login to the Web Trisul interface =====
====   2. select wrccdc1 on the Login Screen =====
Started TrisulNSM docker image. Sleeping.
```
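The whole procedure above wrapped in a checked script, as an added example that is not part of the Trisul documentation or the trisulnsm/trisul6 image. It verifies that the `--pcap` value is a bare subdirectory name under the shared volume (the most common mistake), counts the PCAPs, checks free disk space, builds the exact `docker run` line from this article, and then polls `docker logs` for the "SUCCESSFULLY IMPORTED" banner instead of watching the log by hand. The root path, subdirectory, container name and ports are the article's values; the 2x disk-space margin, the 160-second-per-file timeout and the `run` argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the Trisul docs: the steps above as a checked script.
# Paths, container name and ports follow the article; the disk margin and the
# per-file timeout are assumptions.
set -eu

TRISUL_ROOT="${TRISUL_ROOT:-/opt/trisulroot5}"  # host dir mounted at /trisulroot
PCAP_SUBDIR="${PCAP_SUBDIR:-wrccdc}"            # value for --pcap, relative to root
CONTAINER="${CONTAINER:-trisul1n}"
WEB_PORT="${WEB_PORT:-4000}"
WS_PORT="${WS_PORT:-4003}"
IMAGE="trisulnsm/trisul6"

# count_pcaps DIR: number of *.pcap files directly under DIR
count_pcaps() {
  n=0
  for f in "$1"/*.pcap; do
    [ -f "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# check_pcap_dir ROOT SUBDIR: SUBDIR must be a bare name (Trisul resolves the
# --pcap value relative to /trisulroot inside the container) and must hold at
# least one .pcap. Prints the file count on success.
check_pcap_dir() {
  case "$2" in
    ""|*/*) echo "--pcap wants a bare subdirectory name, got '$2'" >&2; return 1 ;;
  esac
  [ -d "$1/$2" ] || { echo "missing directory $1/$2" >&2; return 1; }
  n=$(count_pcaps "$1/$2")
  [ "$n" -gt 0 ] || { echo "no .pcap files in $1/$2" >&2; return 1; }
  echo "$n"
}

# pcap_kbytes DIR: total size of the *.pcap files in DIR, in KiB (0 if none)
pcap_kbytes() {
  du -ck "$1"/*.pcap 2>/dev/null | awk 'END { print $1 + 0 }'
}

# enough_space ROOT DIR FACTOR: free space on ROOT's filesystem must exceed
# FACTOR times the PCAP size, leaving room for the indexed results
enough_space() {
  kb=$(pcap_kbytes "$2")
  need=$((kb * $3))
  free=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
  [ "$free" -gt "$need" ]
}

# run_cmd ROOT SUBDIR NAME WEBPORT WSPORT: the docker run line from the article.
# --privileged and --net=host give the container near-host access; use a
# dedicated analysis box.
run_cmd() {
  printf 'docker run --name=%s --privileged=true --net=host -v %s:/trisulroot -d %s --enable-file-extraction --webserver-port %s --websockets-port %s --fine-resolution --pcap %s\n' \
    "$3" "$1" "$IMAGE" "$4" "$5" "$2"
}

# import_done LOGFILE: true once TrisulNSM has printed its completion banner
import_done() {
  grep -q 'SUCCESSFULLY IMPORTED FROM PCAP REPO' "$1"
}

# wait_for_import NAME SECS: poll `docker logs` until the banner appears or SECS elapse
wait_for_import() {
  waited=0
  while [ "$waited" -lt "$2" ]; do
    docker logs "$1" 2>&1 | grep -q 'SUCCESSFULLY IMPORTED FROM PCAP REPO' && return 0
    sleep 10
    waited=$((waited + 10))
  done
  echo "timed out after $2 s; check: docker logs -f $1" >&2
  return 1
}

run_trisul() {
  n=$(check_pcap_dir "$TRISUL_ROOT" "$PCAP_SUBDIR")
  enough_space "$TRISUL_ROOT" "$TRISUL_ROOT/$PCAP_SUBDIR" 2 ||
    { echo "less than 2x the PCAP size is free under $TRISUL_ROOT" >&2; return 1; }
  cmd=$(run_cmd "$TRISUL_ROOT" "$PCAP_SUBDIR" "$CONTAINER" "$WEB_PORT" "$WS_PORT")
  echo "+ $cmd"
  sudo $cmd   # unquoted on purpose: split into arguments; none contain spaces
  # the article saw ~40 s per file; allow four times that before giving up
  wait_for_import "$CONTAINER" $((n * 160))
  echo "Import finished. Open the web UI on port $WEB_PORT and pick the dataset at login."
}

if [ "${1:-}" = "run" ]; then run_trisul; fi
```

Invoke it as `./trisul-pcap.sh run` (an assumed file name) after placing the PCAPs; without the `run` argument it only defines the functions, so it can be sourced and the checks reused for other capture sets by exporting `TRISUL_ROOT` and `PCAP_SUBDIR`.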
That's it! You are now ready to analyze the network data using Trisul, which is the subject of Part 3 of this series.