This shows you the differences between two versions of the page.
offline:wrccdc_pcaps [2018/05/12 10:36] veera [4: More advanced Traffic Analytics] |
offline:wrccdc_pcaps [2018/05/12 18:40] (current) veera [Drilling down] |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach ====== |
| The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) were kind enough to release [[https://archive.wrccdc.org/|packet captures]] (PCAPS) of the recently concluded event. The entire corpus is roughly 1TB. Now the question is : **What are the tools that can help you unravel the information in the PCAPs?** | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) were kind enough to release [[https://archive.wrccdc.org/|packet captures]] (PCAPS) of the recently concluded event. The entire corpus is roughly 1TB. Now the question is : **What are the tools that can help you unravel the information in the PCAPs?** | ||
| + | This is Part-1 of a 3 Part series | ||
| + | |||
| + | * Part 1: Approach how to avoid getting overwhelmed by large PCAPS | ||
| + | * [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump]] | ||
| + | * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]] | ||
| - | In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump. | ||
| ===== Where to start with giant PCAP dumps ===== | ===== Where to start with giant PCAP dumps ===== | ||
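Review bot: in the series list added at the top of this hunk, the Part 1 entry is plain text while Parts 2 and 3 are wiki links; since this page is Part 1 a self-link is unnecessary, but marking it (for example in bold) would show the reader where they are in the series. Also, "This is Part-1 of a 3 Part series" has no terminating period and hyphenates "Part-1" inconsistently with "Part 1" in the bullet directly below it.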
| Line 30: | Line 34: | ||
| First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | ||
| - | * How many packets in the PCAP dump? Bytes? How many Flows ? | + | * What is the duration of the PCAPs? How many packets in the PCAP dump? Bytes? How many Flows ? |
| * What does the overall bandwidth usage chart look like ? | * What does the overall bandwidth usage chart look like ? | ||
| * How much of that bandwidth went to external world, how much stayed inside? | * How much of that bandwidth went to external world, how much stayed inside? | ||
| Line 85: | Line 89: | ||
| - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | ||
| - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | ||
| - | - **Packets** : The final level of drill down. | + | - **Packets** : The final level of drill down. After this you should have all the information to decide if any escalation is required for action outside the NSM toolset. |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== Instructions to run TrisulNSM over the PCAPs ===== | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | Download the first 8 PCAP files. Roughly 4GB into ''/opt/trisulroot5/wrccdc'' | + | |
| - | + | ||
| - | <code> | + | |
| - | root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/ | + | |
| - | total 3.8G | + | |
| - | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | + | |
| - | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | + | |
| - | root@unpl:~# | + | |
| - | </code> | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | Run the Docker image over the pcaps | + | |
| - | + | ||
| - | <code> | + | |
| - | + | ||
| - | sudo docker run --name=trisul1n \ | + | |
| - | --privileged=true --net=host -v /opt/trisulroot5:/trisulroot \ | + | |
| - | -d trisulnsm/trisul6 --enable-file-extraction \ | + | |
| - | --webserver-port 4000 --websockets-port 4003 \ | + | |
| - | --fine-resolution \ | + | |
| - | --pcap wrccdc | + | |
| - | </code> | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | Upon completion your ''docker logs -f trisul1n'' should show something like below. | + | |
| - | + | ||
| - | + | ||
| - | <code> | + | |
| - | + | ||
| - | Finished elapsed : 328 seconds | + | |
| - | + | ||
| - | + | ||
| - | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc ===== | + | |
| - | ==== TO VIEW DASHBOARDS ===== | + | |
| - | ==== 1. login to the Web Trisul interface ===== | + | |
| - | ==== 2. select wrccdc1 on the Login Screen ===== | + | |
| - | + | ||
| - | Started TrisulNSM docker image. Sleeping. | + | |
| - | + | ||
| - | </code> | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | Using Trisul to analyze the PCAPs | + | |
| - | + | ||
| - | + | ||
| - | File extraction | + | |
| - | <code> | ||
| - | DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l | ||
| - | -rw-r--r-- 1 trisul trisul 287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe | ||
| - | -rw-r--r-- 1 trisul trisul 287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe | ||
| - | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe | ||
| - | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe | ||
| - | DOCKER:unpl:root savedfiles$ | ||
| - | </code> | + | ==== Next ==== |
| + | Enough of theory. [[offline:wrccdc_pcaps_trisulnsm|Part-2 of this series]] explains how you can get the TrisulNSM Docker image to run over the PCAP dump | ||
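Review bot: the run command removed in this hunk starts the container with `--privileged=true --net=host`, which gives it full host privileges and the host's network namespace, and `--enable-file-extraction`, which writes carved files such as the `.exe` samples shown under `/tmp/savedfiles` to disk; when this block is relocated to Part 2, state why privileged mode and host networking are needed for an offline PCAP import (the web interface on ports 4000/4003 will bind directly on the host) and note that the extracted executables are live artifacts from the capture and should be examined on an isolated host. The bind mount `-v /opt/trisulroot5:/trisulroot` together with `--pcap wrccdc` is what makes the import log report `/trisulroot/wrccdc`; spelling that mapping out in Part 2 will save readers from path errors. Minor: the new closing sentence "explains how you can get the TrisulNSM Docker image to run over the PCAP dump" is missing its period.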