====== Articles ======

Articles about network security monitoring, traffic analytics, setting up measurement, techniques for scaling, threat hunting tips, etc.

===== Hardware and Data Acquisition =====

[[articles:proxmox_span|Configuring Port Mirror on Proxmox VE 5.1 for Network Security Monitoring applications]]

[[hardware:erspan|Configuring ERSPAN for packet capture into Network Security Monitoring tools]]

==== Netflow tunneling ====

Tunneling Netflow to a remote Trisul requires preserving the original source IP address of the exporting switch/router, because the collector identifies each exporter by that address; a forwarder that rewrites it makes every device behind the gateway look like the gateway itself. We describe three methods to achieve this: NAT, GRE tunnels, and Shim Tunnels.

[[hardware:gatewaynetflow|Using NAT on gateway to send Netflow to remote Trisul]]

[[hardware:gretunnel|Using GRE Tunnel to send Netflow to a remote Trisul]]

[[hardware:shimtunnel|Using a Shim Tunnel to send Netflow to a remote Trisul]]

[[hardware:shimtunnelintro|Use a Shim Tunnel when you can't use GRE or NAT]]

===== Docker =====

[[docker:intro|Using the new TrisulNSM Docker all-in-one NSM image]]

[[docker:rhel74|Installing Docker and TrisulNSM on RHEL 7.4 - step by step instructions]]

[[docker:ubuntu16|Installing Docker and TrisulNSM on Ubuntu 16.04 - step by step instructions]]

[[docker:ubuntumalware|Malware PCAP analysis using TrisulNSM Docker on an Ubuntu 16.04 host]]

[[docker:pcap_analysis|How to analyze large PCAPs for free using the TrisulNSM Docker image]]

===== NSM and Packet Analytics Concepts =====

[[articles:livevspcap|Difference between live capture and reading PCAP dumps in NSM tooling]]

[[articles:memcached|Memcached attack on UDP port]]

[[articles:segmentsmack|Proof of concept script to detect SegmentSmack]]

===== Scripting =====

[[scripting:introbro|Introduction to Trisul Scripting for Bro IDS users]]

===== TLS Fingerprinting =====

[[app:tlsfingerprint|TLS Fingerprinting to identify encrypted clients]]

[[app:auto_fingerprint|Automatically resolve unknown TLS Fingerprints using Graph Analytics]]

[[script:x509_ext_c2|Trisul LUA script techniques to detect and dump C2 in X.509 extensions]]

===== Intrusion Detection =====

[[ids:snort|Connecting Trisul to Snort with Emerging Threats rules]]

[[ids:snort3|Connecting Trisul to Snort3]]

===== Offline analysis with the WRCCDC PCAP dump =====

In this three part series, we explain techniques and show how to analyze the [[https://archive.wrccdc.org/|2018 WRCCDC PCAP]] dump using TrisulNSM. We appreciate the kind folks at WRCCDC for making this publicly accessible.

[[offline:wrccdc_pcaps|Part 1: Strategy to analyze large PCAP dumps without getting overwhelmed]]

[[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker image to process the PCAPs]]

[[offline:wrccdc_pcaps_results|Part 3: Screenshots and videos showing some of the results and techniques]]

===== Netflow analytics =====

[[netflow:silk|Using the SiLK importer Trisul APP to analyze Netflow]]

===== Administration Tips =====

[[admin:debuggingcrash|Debugging crashes and other problems on the probe]]

[[monit:monitoring_and_maintain_trisul_process|How to use Monit to keep an eye on Trisul processes and restart them if necessary]]

[[admin:ha|Primary and backup configuration]]

[[admin:udpserver|Check if UDP packets are received]]

===== External links =====

[[Get google api key: Get Google API Key]]

[[Other links: external_links]]
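The Netflow tunneling section above says the remote Trisul must still see the exporter's original source address. The script below is an added example, not Trisul code and not the procedure from any of the linked articles. It builds constructed NetFlow v5 datagrams from two routers behind a gateway and shows what a collector attributes them to when the gateway (a) re-sends them from its own address, as a userspace UDP relay or source NAT would, (b) rewrites only the destination address, which is the idea behind the NAT method, and (c) wraps the whole original IP packet in GRE (RFC 2784), which is what the GRE tunnel method relies on. The addresses, the collector port 2055 and the relay functions are assumptions for illustration; the Shim Tunnel method is Trisul-specific and is not modelled here.

```python
"""Constructed example: why NetFlow forwarding must keep the exporter's source IP.

A collector keys flows on the IP source address of the packet that delivers
the UDP/NetFlow datagram (the v5 header carries no exporter address at all).
Rewrite that address and every exporter behind the gateway collapses into one.
"""
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
NETFLOW_PORT = 2055  # assumed collector port for this example


def _packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def netflow_v5_header(count: int, engine_id: int, seq: int) -> bytes:
    """24-byte NetFlow v5 header: version, count, sys_uptime, unix_secs,
    unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval."""
    return struct.pack("!HHIIIIBBH", 5, count, 0, 0, 0, seq, 0, engine_id, 0)


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; not verified here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _packed(src), _packed(dst))
    return hdr + payload


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def gre_encapsulate(inner_ip_packet: bytes) -> bytes:
    """RFC 2784 base header: no checksum/key/sequence, protocol type IPv4."""
    return struct.pack("!HH", 0, GRE_PROTO_IPV4) + inner_ip_packet


def gre_decapsulate(gre: bytes) -> bytes:
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_IPV4:
        raise ValueError(f"unexpected GRE payload type {proto:#06x}")
    offset = 4 + (4 if flags & 0x8000 else 0)  # C bit set: checksum + reserved1
    return gre[offset:]


def collector_exporter_key(arriving_pkt: bytes):
    """What the collector identifies the exporter by: delivering source IP
    (inner IP after GRE decapsulation) plus the v5 engine_id."""
    src, _dst, proto, payload = parse_ipv4(arriving_pkt)
    if proto == IPPROTO_GRE:
        src, _dst, proto, payload = parse_ipv4(gre_decapsulate(payload))
    if proto != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    _sport, dport, _ln, _ck = struct.unpack("!HHHH", payload[:8])
    nf = payload[8:]
    version = struct.unpack("!H", nf[:2])[0]
    if version != 5 or dport != NETFLOW_PORT:
        raise ValueError("not NetFlow v5 to the collector port")
    return src, nf[21]  # engine_id is byte 21 of the v5 header


def exporter_sends(exporter_ip: str, gateway_ip: str, engine_id: int) -> bytes:
    """IP packet as it leaves the router, addressed to the local gateway."""
    nf = netflow_v5_header(count=0, engine_id=engine_id, seq=1)
    return ipv4_packet(exporter_ip, gateway_ip, IPPROTO_UDP,
                       udp_datagram(40000, NETFLOW_PORT, nf))


def gateway_relay_plain(pkt: bytes, gateway_ip: str, collector_ip: str) -> bytes:
    """Userspace relay or source NAT: re-sends the UDP payload from its own IP."""
    _src, _dst, _proto, udp = parse_ipv4(pkt)
    return ipv4_packet(gateway_ip, collector_ip, IPPROTO_UDP, udp)


def gateway_relay_dnat(pkt: bytes, collector_ip: str) -> bytes:
    """Destination-only NAT: rewrites dst to the remote collector, keeps src."""
    src, _dst, _proto, udp = parse_ipv4(pkt)
    return ipv4_packet(src, collector_ip, IPPROTO_UDP, udp)


def gateway_relay_gre(pkt: bytes, gateway_ip: str, collector_ip: str) -> bytes:
    """GRE tunnel: wraps the whole original IP packet; inner header untouched."""
    return ipv4_packet(gateway_ip, collector_ip, IPPROTO_GRE, gre_encapsulate(pkt))


def demo():
    gw, coll = "192.0.2.1", "198.51.100.10"
    exporters = ["10.1.0.1", "10.2.0.1"]  # two routers behind the gateway
    plain = {collector_exporter_key(gateway_relay_plain(exporter_sends(e, gw, 0), gw, coll))
             for e in exporters}
    gre = {collector_exporter_key(gateway_relay_gre(exporter_sends(e, gw, 0), gw, coll))
           for e in exporters}
    return plain, gre


if __name__ == "__main__":
    plain, gre = demo()
    print("plain relay attributes flows to:", sorted(plain))  # both collapse onto the gateway
    print("GRE tunnel attributes flows to: ", sorted(gre))
```

The destination-only NAT variant keeps the exporter address because NetFlow is one-way UDP and needs no reply path, but the packets then cross the WAN with a private source address, which upstream anti-spoofing filters may drop; GRE avoids that by putting the gateway's routable address on the outer header, at the cost of needing protocol 47 allowed end to end.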