Good day,
I've come across Trisul, installed it on an appropriate machine and now I am giving it hell, in order to assess whether or not to upgrade to the paid version.
First and foremost, I'd like to say that I am really impressed with the way Trisul handles and displays the data, making it one of the best traffic analyzers on the market today.
Second, I have to say that the pricing I've seen on the website is extremely attractive for the paid version.
However, from the very beginning, I've come across several issues, for which I'd really appreciate being directed towards a solution or some documentation.
1) I have tried to add a WiFi interface in monitoring mode (mon0 for example, set via airmon-ng) to the list of the monitored interfaces, with no luck towards producing results, even though I have checked the Promiscuous option in the Trisul configuration and the adapter is running in the background capturing data. Are there any tips for doing this, or is it not doable?
2) The way I have tried to load a capture file is the following:
a) sudo service trisul start
b) sudo /usr/local/share/webtrisul/build/webtrisuld start
c) sudo trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode offline -in ./user/trisul/test_offline.pcap
So far, I have not managed to load any capture file (created with tcpdump -i <interface> -vvv -w test_offline.pcap) within trisul. Is there anything wrong with this approach?
What happens if (after I have managed to load these capture files) I load two capture files from two different interfaces / machines that cover the same period of time? What are the means to differentiate them?
I really think that a simplified capture loading mechanism (even from the web interface) or a more detailed tutorial on this procedure (whether the daemon needs to be loaded, how I can process the data in the web interface IF the daemon is not loaded, and so on) should be in place as soon as possible.
3) I have not found any tutorial for collecting data from multiple probes / sensors. I may have overlooked it, and if that is the case, I apologize. Does anyone have a detailed tutorial on how to collect data from multiple sensors? What are the prerequisites for both the sensors and the master system, and, given enough bandwidth, can Trisul receive full data (including the actual captured packets) from remote sensors?
Do the sensors need to have Trisul installed, or can they just be wireless / wired routers?
I hope I haven't caused too much trouble with the questions, and I hope the people who are more experienced with Trisul than me (99.9% of the IT people) will at least direct me towards the right path / user manual.
Best regards
Later edit:
I've noticed a curious behavior with Trisul. Every 15 minutes, it uploads some 13 MB to what initially seems to be malwaredomainlist.com, which is hosted by Georgia Tech. DPI on the traffic yields an undecoded text stream which, when viewed in Xplico, is in fact a long list of blacklisted (I think) domains, IPs, apps and so on.
My (legit) question is: why is this traffic OUTBOUND from my machine to malwaredomainlist.com and not the other way around?
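A quick check a practitioner would run before deciding which way the bulk of a periodic transfer like the one above actually flows: sum the TCP payload bytes in each direction for the connection to that host, since a flow can be initiated from the local machine while nearly all of its bytes travel inbound. The Python below is an added example, not code from the original post or from Trisul; it parses the text output of tcpdump (a constructed sample is embedded, using assumed private/documentation addresses in place of the real hosts) and reports per-remote-host byte counts plus an upload/download verdict.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -tt host <remote>` text output, not a real
# capture. 192.168.1.10 stands in for the Trisul host and 203.0.113.5 for the
# remote server; both addresses are assumptions made for this example.
SAMPLE_TCPDUMP = """\
1700000000.000100 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [P.], seq 1:121, ack 1, win 502, length 120
1700000000.050200 IP 203.0.113.5.80 > 192.168.1.10.51234: Flags [.], seq 1:1449, ack 121, win 235, length 1448
1700000000.050300 IP 203.0.113.5.80 > 192.168.1.10.51234: Flags [.], seq 1449:2897, ack 121, win 235, length 1448
1700000000.050400 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [.], ack 2897, win 501, length 0
1700000000.050500 IP 203.0.113.5.80 > 192.168.1.10.51234: Flags [P.], seq 2897:4345, ack 121, win 235, length 1448
1700000000.050600 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [.], ack 4345, win 501, length 0
"""

# One TCP line as tcpdump prints it: timestamp, "IP", src.port > dst.port: ... length N
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:.*\blength\s+(?P<len>\d+)\s*$"
)


def bytes_by_direction(tcpdump_text, local_ip):
    """Sum TCP payload bytes ("length N") leaving and entering local_ip, per remote host.

    Returns {remote_ip: {"out": bytes, "in": bytes}}. Lines that do not match the
    expected TCP format (ARP, ICMP, truncated output) are skipped rather than guessed at.
    """
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, length = m["src"], m["dst"], int(m["len"])
        if src == local_ip:
            totals[dst]["out"] += length
        elif dst == local_ip:
            totals[src]["in"] += length
    return dict(totals)


def classify_transfer(tcpdump_text, local_ip, remote_ip):
    """Label the flow with remote_ip as 'upload' or 'download' by payload volume.

    Who opened the connection is irrelevant here; only where the bytes went counts.
    """
    counts = bytes_by_direction(tcpdump_text, local_ip).get(remote_ip, {"out": 0, "in": 0})
    if counts["out"] == counts["in"]:
        return "balanced"
    return "upload" if counts["out"] > counts["in"] else "download"


if __name__ == "__main__":
    local = "192.168.1.10"
    for remote, counts in bytes_by_direction(SAMPLE_TCPDUMP, local).items():
        verdict = classify_transfer(SAMPLE_TCPDUMP, local, remote)
        print(f"{remote}: out={counts['out']} B, in={counts['in']} B -> {verdict}")
```

To run it against real traffic, capture the text with `sudo tcpdump -nn -tt host <remote> > dump.txt` during one of the 15-minute cycles and pass the file contents to `bytes_by_direction` with the Trisul host's own IP as `local_ip`; in the constructed sample the local side sends 120 bytes and receives 4344, so the verdict is "download" even though the local host sent the first packet.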