Trufflehog Manual

How to use TruffleHog: a network analysis tool that works together with Snort to visually represent a PROFINET network graph.

View the Project on GitHub TruffleHog/TruffleHog

TruffleHog Manual

The manual is loosely separated into three sections. Setup describes the initial process of starting the program. Basics covers basic usage such as navigating the network graph and understanding the different statistic overlays. Filters explains in more depth how the filter menu works, what kinds of filters you can apply to the graph, and how.

Setup

  1. Start Snort with the plugin you can obtain here. It contains a PROFINET preprocessor as well as the classes needed for IPC with TruffleHog. The plugin's README explains how to integrate it into Snort.
  2. Start TruffleHog as you would start any other Java program: run ./bin/TruffleHog if you downloaded the release, or java Main if you cloned the source code. Note that you may need Oracle's Java rather than OpenJDK. It should work out of the box on Linux.
  3. Click Connect in the lower left corner of the main TruffleHog window. If no IPC server is found, the program shows artificial demo traffic instead of live data.
  4. You are good to go. As soon as Snort intercepts packets, TruffleHog starts building a graph of the PROFINET devices and their connections.

Basics

Things you see

Navigation

Very easy! Just drag and drop nodes, and use your mouse wheel to move around the whole graph. Alternatively, hold the right mouse button to move the view around.

Key combinations

Filters

Filters define a set of nodes either by MAC address, IP address or a regex applied to node names. The selected nodes can then be colored and/or marked as "authorized". Each filter is also assigned a priority. The filter with the highest priority is executed last and therefore masks filters of lower priority that match the same nodes.

The list of filters is fairly self-explanatory: + creates a new filter, - deletes the highlighted filter, and the pen icon edits it. The button on the very left adds a new filter matching only the currently selected nodes.

The easiest way to create a filter for a visible set of nodes is to select them in the graph, open the filters menu and click the button with the little nodes on the very left. This opens a new filter in the filter creation window, with the selected nodes defined by MAC address. Assign a priority and a color, decide whether the nodes should be marked as authorized, and you are good to go.

To create more complex filters you can also define nodes by regex (e.g. station-.* to match all clients whose name starts with "station-"; note that the pattern is a regular expression, not a shell glob, so station-* would only match "station" followed by any number of hyphens) or by a fixed IP address or subnet (192.168.1.0/24).

Marking nodes as authorized with filters serves mainly organisational purposes. It helps to also color them green, or any other color that means "ok" to you. Conversely, clients from foreign subnets could be colored red. Keep in mind that the authorized flag is a label you assign, not something TruffleHog verifies about the device, so treat it as documentation of your expected inventory rather than as a security control.
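As an added example (not TruffleHog's own code), the following Python script models the filter semantics described in this section: filters select nodes by MAC address, by subnet or by a regex on the node name, carry a priority, and are applied in ascending priority so that the highest-priority filter runs last and masks the color and authorized flag set by lower ones. The node inventory, the filter names, the color values and the use of whole-name regex matching are assumptions for illustration, not taken from the project.

```python
"""Added example modelling TruffleHog-style node filters (not project code).

Assumptions: a node has a name, MAC and IP; a regex filter must match the
whole node name; filters run in ascending priority, so the highest priority
is applied last and overrides colour/authorized values set before it.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Node:
    name: str
    mac: str
    ip: str
    color: Optional[str] = None
    authorized: bool = False
    matched_by: List[str] = field(default_factory=list)  # filters that hit, in order


@dataclass
class Filter:
    name: str
    match: Callable[[Node], bool]
    priority: int
    color: Optional[str] = None
    authorized: Optional[bool] = None  # None leaves the flag as lower-priority filters set it


def by_mac(*macs: str) -> Callable[[Node], bool]:
    """Match a fixed set of MAC addresses (what the 'selected nodes' button produces)."""
    wanted = {m.lower() for m in macs}
    return lambda n: n.mac.lower() in wanted


def by_subnet(cidr: str) -> Callable[[Node], bool]:
    """Match any node whose IP lies inside the subnet; strict=False tolerates host bits."""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda n: ipaddress.ip_address(n.ip) in net


def by_name_regex(pattern: str) -> Callable[[Node], bool]:
    """Match the whole node name against a regular expression (assumed semantics)."""
    rx = re.compile(pattern)
    return lambda n: rx.fullmatch(n.name) is not None


def apply_filters(nodes: List[Node], filters: List[Filter]) -> List[Node]:
    """Run filters lowest priority first so the highest priority wins on overlap."""
    for f in sorted(filters, key=lambda f: f.priority):
        for n in nodes:
            if f.match(n):
                n.matched_by.append(f.name)
                if f.color is not None:
                    n.color = f.color
                if f.authorized is not None:
                    n.authorized = f.authorized
    return nodes


def unauthorized(nodes: List[Node]) -> List[str]:
    """Names of nodes no filter marked as authorized: the ones worth a second look."""
    return [n.name for n in nodes if not n.authorized]


def regex_pitfall() -> tuple:
    """Shows why 'station-*' is not a prefix match: '*' is a quantifier on '-'."""
    node = Node("station-01", "00:0e:8c:00:00:01", "192.168.1.10")
    glob_like = by_name_regex("station-*")  # "station" followed by zero or more "-"
    correct = by_name_regex("station-.*")   # "station-" followed by anything
    return glob_like(node), correct(node)


# Constructed sample inventory; not captured PROFINET traffic.
SAMPLE_NODES = [
    Node("station-01", "00:0e:8c:00:00:01", "192.168.1.10"),
    Node("station-02", "00:0e:8c:00:00:02", "192.168.1.11"),
    Node("plc-main", "00:0e:8c:00:00:03", "192.168.1.1"),
    Node("laptop", "b8:27:eb:12:34:56", "10.0.0.5"),
]

# Filters deliberately overlap to show masking by priority (names and colors are made up).
SAMPLE_FILTERS = [
    Filter("everything", by_name_regex(".*"), priority=0, color="red"),
    Filter("plant subnet", by_subnet("192.168.1.0/24"), priority=1, color="blue"),
    Filter("known stations", by_name_regex(r"station-.*"), priority=2, color="green", authorized=True),
    Filter("plc by MAC", by_mac("00:0E:8C:00:00:03"), priority=3, color="yellow", authorized=True),
]


def run_example() -> Dict[str, Node]:
    """Apply the sample filters to fresh copies of the sample nodes, keyed by name."""
    nodes = [Node(n.name, n.mac, n.ip) for n in SAMPLE_NODES]
    apply_filters(nodes, SAMPLE_FILTERS)
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    for name, node in run_example().items():
        print(f"{name:<12} {node.ip:<14} color={node.color:<7} "
              f"authorized={node.authorized} via {node.matched_by}")
    print("station-* vs station-.* on 'station-01':", regex_pitfall())
```

Running the script shows the masking rule at work: plc-main is hit by the catch-all, the subnet filter and the MAC filter, and ends up yellow and authorized because the MAC filter has the highest priority and runs last; the stations end up green and authorized; the laptop on the foreign subnet only matches the catch-all and stays red and unauthorized, which is exactly the node an operator would want to investigate. The regex_pitfall call returns (False, True), illustrating why a glob-style station-* does not do what a prefix filter needs.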