Trisul getting ready

We have been working hard for the past few months in getting Trisul Network Metering and Forensics ready.

I would like to explain the reason why Trisul exists and how to use it in the next few posts.

So what is Trisul?

Trisul is a powerful network traffic metering application.

  • Counts over 16 categories of traffic, from simple ones like hosts and applications to advanced ones like URL filter categories, HTTP content types, and country.
  • Reconstructs flows and extracts resources requested of the network.
  • Indexes and stores the raw packets in a highly configurable layout. This allows optimal usage of disk space.

These features enable retro analysis while investigating traffic anomalies or security incidents. When in doubt you can always drop down to the flow or the raw pcaps.

The ideas in the book “Tao of Network Security Monitoring” provided the initial inspiration for Trisul. It has been reinforced by experiences in the field where security folks today run into too many blind alleys while investigating the past.

Is this the same open-source Trisul?

We are the original and sole authors of the open-source Trisul Network Metering and Forensics found on Google Code. Unfortunately, we are unable to continue that effort. This version is not open source, but it can be made available to customers under a source code license.

Platform

Trisul is available on the following platforms:

  • CentOS 5.3 and above 64-bit (recommended)
  • CentOS 5.3 and above 32-bit

Trisul can accept

  • packets via libpcap (default)
  • packets via Linux RX Ring
  • NetFlow

How to get it?

Send an email to info at unleashnetworks requesting a copy of Trisul.

Visit the product page.

Getting alerts from Snort/Suricata into Trisul

Trisul meters network traffic, extracts flows and resources, and maintains a powerful raw packet index. While this is a very powerful feature set for monitoring and retro analysis, it would be great to correlate all of this with security alerts. You can arrange for Trisul to pick up security alerts generated by Snort or Suricata from a Unix socket.

The guide below explains how to set it up:

How to configure Snort and Suricata to send IDS alerts to Trisul

What it gives you

Here are some screenshots from processing about 40 million packets from the Defcon 17 trace set.

Dashboard view:

  • add alert widgets to any traffic or flow dashboard
  • click on Packets to get relevant packets that caused the alert in tcpdump format
  • click on Flows to get the flow that caused the alert and also “nearby related” flows
Dashboard view of alert activity

Resource view

This feature is available even without Snort/Suricata but is worth mentioning in this context.

  • Trisul reassembles TCP flows (even those hopelessly fragmented) and pulls out the resources requested. These correspond to services. The only resource type supported now is HTTP URLs.
Resource on network

Aggregated alerts

You can view aggregated alerts for any period of time.

Aggregated alerts

Performance Tip

The approach here does have a drawback in that both Suricata/Snort and Trisul look at the same packet data. This is not optimal from a performance viewpoint, as the same data takes on two lives in the cache. Due to GPL licensing issues, Trisul cannot simply “call out” to these two products while the cache is still hot. On fast networks (above 500Mbps) you may want to add a couple of extra cores and pin Suricata/Snort to those cores.

If you have CentOS 5.3 or above 64-bit you can download Trisul today. The trial is full featured but only retains a 3-day window of data.