Lose the UI: Trisul Remote Protocol introduction

Suppose you wanted to do something like this:

Get a PCAP file containing full flow data of all Priority 1 alerts in the past 24 hours.

From the Trisul GUI, you can pull up all Priority 1 alerts in the past 24 hours, then click Alert -> Flows and save each pcap. Works! This is, however, a highly objectionable use of a human mind and body. Even if you did it once, how could you get yourself to do this on 10 Trisul sensor machines. Daily.

This and similar tasks are the raison d'être for the Trisul Remote Protocol (TRP).

What is remote scripting?

The scripts you write execute on your local machine and request remote data from Trisul as and when they need it. This lets you connect to multiple Trisul instances and use the language of your choice.

Much attention has been paid to the security aspects of TRP:

  • Access Control List
  • Client certificate based TLS
  • Messages are encoded with Google Protocol Buffers

You can learn more about the Trisul Remote Protocol from the documentation.

Let's have some fun

I have just enabled TRP on our public demo server at trisul.org. Try out the code samples by connecting to trisul.org.

Trisul is a new system for fine-grained network metering with powerful retrospective analysis capabilities. You may download it by visiting the home page.

Monitoring traffic upstream of a proxy

A natural place to put a packet sensor is around the corporate firewall / IPS device. You may want to tap the inside packets or the outside packets, depending on whether or not you want to see the effects of the firewall. With this setup you are on your way to becoming an NSM legend, because you now have a record of everything, with multiple ways of analyzing the past.

There is, however, a twist in the tale: the humble web proxy. The traffic that hits the firewall segment is usually upstream of a proxy server such as Squid (or Cisco, F5, Bluecoat, etc.). These proxies generate traffic that carries the IP address of the proxy and not of the end point. A naive NSM solution has no way of metering the end station or associating it with the traffic it generates. Everything belongs to the proxy.

Fortunately, it is possible to leverage the X-Forwarded-For HTTP header to de-proxy traffic on a flow-by-flow basis. This is what Trisul Network Metering and Forensics does. Once you enable this feature, Trisul will even substitute the original end point's IP address in its packet store.

The beauty of packet based metering systems like Trisul is that they let you do sophisticated things like this. You would not be able to get this information with simple flow based techniques like NetFlow.

Here is further documentation on how to enable this feature, called XFFDeProxy.
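To show the attribution step that a feature like XFFDeProxy has to perform, here is an added example in Python. It is not Trisul's code; the trusted proxy range (10.1.2.0/24), the flow records and the HTTP request text are all constructed for illustration. It goes slightly beyond the paragraph above in two ways a sensor operator cares about: it walks a multi-hop X-Forwarded-For chain from the right, skipping known proxies, and it ignores the header entirely when the packet's source is not a trusted proxy, since any host can put an X-Forwarded-For header in a request and a metering system that believed it blindly could be made to charge traffic to the wrong end station.

```python
"""Attribute proxied HTTP flows to the real end station via X-Forwarded-For.

Added example, not Trisul's implementation. All addresses, ranges and
request text below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Assumption: only proxies inside these ranges may assert X-Forwarded-For.
# A header from any other source is ignored rather than trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.2.0/24")]


def is_trusted_proxy(addr):
    """True if addr falls inside one of the configured proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_http_headers(request_text):
    """Return a lower-cased {name: value} dict from one HTTP request's header block."""
    head = request_text.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_xff(value):
    """Split 'client, proxy1, proxy2' into a list of valid IP strings, left = origin."""
    hops = []
    for token in value.split(","):
        token = token.strip()
        try:
            ipaddress.ip_address(token)
            hops.append(token)
        except ValueError:
            continue  # 'unknown' and malformed entries are dropped
    return hops


def attribute_flow(flow_src, headers):
    """Pick the IP address the flow should be metered against.

    Only flows sourced from a trusted proxy are re-attributed. The XFF chain is
    walked from the right (nearest proxy first); the first address that is not
    itself a trusted proxy is taken as the end station. If nothing usable is
    left, the packet's own source address is kept.
    """
    if not is_trusted_proxy(flow_src):
        return flow_src
    xff = headers.get("x-forwarded-for")
    if not xff:
        return flow_src
    for hop in reversed(parse_xff(xff)):
        if not is_trusted_proxy(hop):
            return hop
    return flow_src


def meter_by_client(flows):
    """Sum bytes per attributed client over (src_ip, byte_count, request_text) records."""
    totals = defaultdict(int)
    for src, nbytes, request in flows:
        totals[attribute_flow(src, parse_http_headers(request))] += nbytes
    return dict(totals)


# Constructed flows as a sensor upstream of the proxy would see them:
# two proxied requests, one non-proxy host sending a forged XFF header,
# and one proxied request with no XFF header at all.
SAMPLE_FLOWS = [
    ("10.1.2.5", 4000, "GET / HTTP/1.1\r\nHost: example.test\r\n"
                       "X-Forwarded-For: 192.168.7.20, 10.1.2.5\r\n\r\n"),
    ("10.1.2.5", 1500, "GET /a HTTP/1.1\r\nHost: example.test\r\n"
                       "X-Forwarded-For: 192.168.7.31\r\n\r\n"),
    ("192.168.9.9", 700, "GET /b HTTP/1.1\r\nHost: example.test\r\n"
                         "X-Forwarded-For: 192.168.7.20\r\n\r\n"),
    ("10.1.2.5", 300, "GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for client, total in sorted(meter_by_client(SAMPLE_FLOWS).items()):
        print(f"{client:16} {total} bytes")
```

Run as a script, it prints the per-client byte totals for the constructed flows: the two proxied requests land on 192.168.7.20 and 192.168.7.31, the forged header from 192.168.9.9 is ignored and that flow stays attributed to 192.168.9.9, and the header-less proxied request remains on the proxy itself.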


Download Trisul

Just sign up and download Trisul today. It is completely free if you are monitoring a rolling 3-day window.

New Cisco MIB package available

A new Cisco MIB package ZIP file for Unbrowse SNMP is now available for download. It contains ALL of Cisco's publicly available MIB files.

  • Please download it from here (42.1 MB).
  • Instructions to install it are here.

MIB Package
The new package adds hundreds of new MIB modules and diffs to hundreds more.

Importing this MIB package into Unbrowse SNMP will make it instantly recognize all of Cisco’s MIBs.

New Unbrowse SNMP Build #1304 available

This build fixes an obscure bug that prevented some of the Cisco Server Load Balancer (SLB) MIBs from compiling. Get the new build from the downloads page.