How to use TruffleHog: a network analysis tool that works together with Snort to visually represent a PROFINET network graph.

The manual is loosely separated into three sections. Setup describes the initial process of starting the program. Basics covers basic usage such as navigating the network graph and understanding the different statistic overlays. Filters explains in more depth how the filter menu works, what kinds of filters you can apply to the graph, and how.
Setup

Run ./bin/TruffleHog if you downloaded the release, or java Main if you cloned the source code. Note that you might need Java by Oracle rather than OpenJDK installed. It should work out of the box on Linux.

Basics

Very easy! Just drag and drop nodes and use your mouse wheel to move around the whole graph. Alternatively, use the right mouse button to move the view around.

CTRL+X algorithmically positions the nodes of the graph according to the current zoom level so that they look nice. If it does not, try zooming out a bit; there might not be enough space at your current zoom level to work with.

CTRL+A selects all nodes (see the Filters section below).

CTRL+Q closes the program properly, just like clicking the X on the window decoration would.

Filters

Filters define a set of nodes either by MAC address, IP address or regex (applied to the names of nodes). Selected nodes can then be colored and/or marked as "authorized". Filters are also assigned a priority. The filter with the highest priority is executed last and therefore masks those with lower priority.
The list of filters is pretty self-explanatory: + creates a new filter, - deletes the highlighted filter, and the pen edits it. The button on the very left adds a new filter matching only the currently selected nodes.
The easiest way to create a filter for a visible set of nodes is to select them in the graph, open the filters menu and click the button showing little nodes on the very left. A new filter then opens in the filter creation window, with the selected nodes defined by MAC address. Assign a priority and a color, decide whether they should be marked as authorized, and you are good to go.

To create more complex filters you can also define nodes by regex (e.g. station-* to match all clients whose name starts with "station-") or by a fixed IP address or subnet (192.168.1.1/24).

Marking nodes as authorized with filters serves mainly organizational purposes. It helps to also color them green or any other color that means "ok" to you. Conversely, clients from foreign subnets could be colored red.
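The following is an added example, not part of this manual or of TruffleHog's own code, showing how the filter rules described above combine: each filter selects nodes by MAC address, IP address or subnet, or a regex on the node name, and filters are applied in ascending priority so the one with the highest priority runs last and masks the others. It assumes Python re syntax (where the manual's station-* pattern is written station-.*) and a constructed node list standing in for a captured PROFINET graph.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    name: str
    mac: str
    ip: str
    color: str = "grey"        # state before any filter is applied
    authorized: bool = False

@dataclass
class Filter:
    priority: int              # higher priority is executed last and masks lower ones
    kind: str                  # "mac", "ip" (address or subnet) or "regex" (on the node name)
    value: str
    color: Optional[str] = None
    authorized: Optional[bool] = None

    def matches(self, node: Node) -> bool:
        if self.kind == "mac":
            return node.mac.lower() == self.value.lower()
        if self.kind == "ip":  # strict=False lets 192.168.1.1/24 denote 192.168.1.0/24
            return ipaddress.ip_address(node.ip) in ipaddress.ip_network(self.value, strict=False)
        return re.match(self.value, node.name) is not None  # kind == "regex"

def apply_filters(nodes, filters):
    """Apply filters in ascending priority so the highest priority runs last and wins."""
    for f in sorted(filters, key=lambda f: f.priority):
        for n in nodes:
            if f.matches(n):
                if f.color is not None:
                    n.color = f.color
                if f.authorized is not None:
                    n.authorized = f.authorized
    return {n.name: (n.color, n.authorized) for n in nodes}

# Constructed sample graph and filters (hypothetical values, not a captured network).
NODES = [
    Node("station-01", "aa:bb:cc:00:00:01", "192.168.1.10"),
    Node("station-02", "aa:bb:cc:00:00:02", "192.168.1.11"),
    Node("plc-01", "aa:bb:cc:00:00:03", "192.168.1.2"),
    Node("unknown-dev", "aa:bb:cc:00:00:04", "10.0.0.5"),
]
FILTERS = [
    Filter(0, "mac", "aa:bb:cc:00:00:03", color="yellow"),                 # masked by priority 1
    Filter(1, "ip", "192.168.1.1/24", color="green", authorized=True),     # own subnet is "ok"
    Filter(2, "regex", "station-.*", color="blue"),                        # recolors the stations
    Filter(3, "mac", "aa:bb:cc:00:00:04", color="red", authorized=False),  # foreign-subnet client
]
```

Running apply_filters(NODES, FILTERS) leaves plc-01 green rather than yellow and the stations blue, because the higher-priority filters execute last.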