Overview
PCAP Mode Only

Resources are objects linked to intrusion or forensic indicators that are transferred over the network. Trisul pulls them out of the traffic, then stores and indexes them separately from the packets.
Normal vs Full Text Search (FTS)
In theory, every resource could be reconstructed from the PCAPs at the time it is needed, but that can be a slow process. Trisul therefore extracts at run time the resources that are cheap to pull out and most often needed.
Resources are split into two categories based on how they are indexed.
Normal
As a single string with support for regex and bulk searching. You can search by IP, ports, or by regexes on the resource string.
Full Text Search
As a document with each token in a reverse index. Advanced faceted searching allows you to group and drill down on selected attributes.
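To make the difference between the two index types concrete, the following added example (not Trisul code; the resource records, field names and tokenizer are constructed for illustration) builds a small reverse index over a few resource documents, answers a token query with it, and then computes facet counts over an attribute of the hits, which is what a faceted drill-down does:

```python
import re
from collections import Counter, defaultdict

# Constructed resource documents (hypothetical shape, not Trisul's storage format).
RESOURCES = [
    {"id": 1, "type": "ssl_cert", "subject": "CN=login.example.com",
     "issuer": "CN=Example CA"},
    {"id": 2, "type": "ssl_cert", "subject": "CN=mail.example.com",
     "issuer": "CN=Example CA"},
    {"id": 3, "type": "ssl_cert", "subject": "CN=cdn.example.net",
     "issuer": "CN=Other Root CA"},
    {"id": 4, "type": "url", "host": "www.example.com", "path": "/login"},
    {"id": 5, "type": "domain", "name": "example.com"},
]

# Tokenizer: lowercase runs of letters and digits, so "CN=login.example.com"
# becomes ["cn", "login", "example", "com"].
TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(value):
    return TOKEN_RE.findall(str(value).lower())


def build_index(resources):
    """Reverse (inverted) index: token -> set of resource ids containing it."""
    index = defaultdict(set)
    for rec in resources:
        for field, value in rec.items():
            if field == "id":
                continue
            for tok in tokenize(value):
                index[tok].add(rec["id"])
    return index


def search(index, query):
    """Return ids of resources containing every token of the query (AND semantics)."""
    toks = tokenize(query)
    if not toks:
        return set()
    hits = set(index.get(toks[0], set()))
    for tok in toks[1:]:
        hits &= index.get(tok, set())
    return hits


def facet(resources, ids, attribute):
    """Group the hit set by one attribute and count, as a faceted drill-down does."""
    return Counter(rec.get(attribute, "<none>")
                   for rec in resources if rec["id"] in ids)


INDEX = build_index(RESOURCES)

if __name__ == "__main__":
    hits = search(INDEX, "example ca")
    print("hits:", sorted(hits))
    print("by issuer:", dict(facet(RESOURCES, hits, "issuer")))
    print("login hits by type:", dict(facet(RESOURCES, search(INDEX, "login"), "type")))
```

With the normal index the same records would be one flat string each and a query would be a regex over that string; here each token is looked up directly and the facet step groups the hits without rescanning the text.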
Resources - Normal Index
- Domains - pulled out by observing DNS protocol messages
- URLs - GET and POST URLs
- SSL Certificates - Hashes and Subjects
Searching
Search by Endpoints
You can search by
- IP
- Exclude these IPs
- Pair of IPs
- Port
- Timeframe
- Regex Pattern
- Invert Regex Pattern
Search by Regex
You can search by
- A single regex pattern on one line
- A list of substrings, each on a separate line
The main use of this tool in the context of SSL Certs is to allow you to search for hundreds of matching hashes at once.
Multiple Substring Matches
Use the Search by regex tab to compare your traffic against an intel feed of bad cert SHA-1 hashes.
Enter a list of patterns one per line.
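The following added example (not Trisul code; the certificate resource strings, the intel feed and the resource string layout are constructed for illustration) shows the two search modes described above over normal-index style strings: a single regex on one line, and a bulk substring list built from a raw intel feed of bad-certificate SHA-1 hashes. The normalisation step matters in practice because feeds mix upper case, colon-separated and plain hex, and a hash that does not match the form stored in the resource string will silently miss.

```python
import re

# Constructed SHA-1 values used both in the resource strings and in the feed.
BAD_A = "0123456789abcdef0123456789abcdef01234567"
OK_B = "89abcdef0123456789abcdef0123456789abcdef"
BAD_C = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

# Constructed SSL certificate resource strings, one per certificate
# (hypothetical layout, not Trisul's actual resource string format).
CERT_RESOURCES = [
    f"sha1={BAD_A} subject=CN=login.example.com issuer=CN=Example CA",
    f"sha1={OK_B} subject=CN=updates.example.net issuer=CN=Example CA",
    f"sha1={BAD_C} subject=CN=cdn.example.org issuer=CN=Other Root CA",
]

# Constructed intel feed: comments, blank lines, colon-separated upper-case hex,
# a malformed entry (48 hex chars) and a duplicate.
INTEL_FEED = """\
# constructed bad-cert feed, one fingerprint per line
01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF   # wrong length, skipped
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef           # duplicate, skipped
not-a-hash
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_feed(text):
    """Turn a raw feed into the one-pattern-per-line list the search form expects:
    strip comments and blanks, drop colons, lowercase, keep only well-formed
    40-hex-digit SHA-1 values, and remove duplicates while preserving order."""
    patterns, seen = [], set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        digest = line.replace(":", "").lower()
        if HEX40.match(digest) and digest not in seen:
            seen.add(digest)
            patterns.append(digest)
    return patterns


def substring_search(resources, patterns):
    """Bulk substring mode: a resource matches if any listed pattern occurs in it."""
    return [r for r in resources if any(p in r for p in patterns)]


def regex_search(resources, pattern):
    """Single-regex mode: one pattern applied to each resource string."""
    rx = re.compile(pattern)
    return [r for r in resources if rx.search(r)]


def matched_hashes(resources, patterns):
    """For triage: which feed entries actually hit, so analysts can see the IoC."""
    return sorted(p for p in patterns if any(p in r for r in resources))


if __name__ == "__main__":
    pats = normalize_feed(INTEL_FEED)
    print("patterns to paste into the form:\n" + "\n".join(pats))
    for hit in substring_search(CERT_RESOURCES, pats):
        print("bulk hit:", hit)
    for hit in regex_search(CERT_RESOURCES, r"issuer=CN=Example CA$"):
        print("regex hit:", hit)
    print("feed entries seen:", matched_hashes(CERT_RESOURCES, pats))
```

The printed pattern list is what you would paste into the Search by regex tab; the bulk search compares each line against every resource string, which is why one form submission can check hundreds of fingerprints at once.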
Download
Clicking the download button on the search criteria form downloads only the contents of the search result, in text format.