New Trisul release supports Netflow v9 and SFlow

I am happy to announce that a new release of Trisul Network Metering and Forensics is available for download.  The key features in this new release are:

  1. Support for Netflow v9
  2. Support for SFlow v2 and v5
  3. New hwthreads runtime option to control threading
  4. Enhanced support for viewing traffic by router interface
  5. New Routers and Interfaces tool allows easy drilldown into interface level views
  6. Many tweaks and bug fixes

Much of the effort in this release has gone into the Netflow v9 support. We tried to push Netflow v9 out as far as possible, but a customer engagement forced us to do it now. The reason: if you want to see both ingress and egress traffic for a router interface, but are unwilling to turn on Netflow v5 on all interfaces, then Netflow v9 is the only option. Why? Because Netflow v5 is ingress only, so in order to capture both directions you need to turn on Netflow on all interfaces. Netflow v9, however, can export both ingress and egress. Win.

Download Trisul for free and start sending Netflow to it now

There are no gimmicks. You can simply start using Trisul in your network for monitoring a rolling 3-day window. Just sign up and download. There are no nags or call homes.

Lose the UI: Trisul Remote Protocol introduction

Suppose you wanted to do something like this:

Get a PCAP file containing full flow data of all Priority 1 alerts in the past 24 hours.

From the Trisul GUI, you can pull up all Priority 1 alerts in the past 24 hours. Then click on Alert -> Flows and save each pcap. Works! This is, however, a highly objectionable use of a human mind and body. Even if you did it once, how could you get yourself to do this on 10 Trisul sensor machines? Daily?

This and similar tasks are the raison d'être for the Trisul Remote Protocol.

What is remote scripting?

The scripts you write execute on your local machine and request remote data from Trisul as and when they need it. This allows you to connect to multiple Trisul instances and to use the language of your choice.

Much attention has been paid to the security aspects of TRP:

  • Access Control List
  • Client-certificate-based TLS
  • Messages are encoded with Google Protocol Buffers

You can learn more about the Trisul Remote Protocol from the documentation.

Let's have some fun

I just enabled TRP on our public demo server at trisul.org. Try out the code samples by connecting to trisul.org.

Trisul is a new system for fine-grained network metering with powerful retro-analysis capabilities. You may download it by visiting the home page.

Monitoring traffic upstream of a proxy

A natural place to put a packet sensor is around the corporate firewall / IPS device. You may want to tap the inside packets or the outside packets, depending on whether or not you want to see the effects of the firewall. With this setup you are on your way to becoming an NSM legend, because you now have a record of everything with multiple ways of analyzing the past.

There is, however, a twist in the tale: the humble web proxy. The traffic that hits the firewall segment is usually upstream of a proxy server such as Squid (or Cisco, F5, Bluecoat, etc.). These proxies generate traffic that contains the IP address of the proxy and not of the end point. A naive NSM solution will have no way of metering or associating the end station with the traffic it generates. Everything belongs to the proxy.

Fortunately it is possible to leverage the X-Forwarded-For HTTP header to deconstruct traffic on a flow-by-flow basis. This is what Trisul Network Metering and Forensics does. Once you enable this feature, Trisul will even substitute the original end point's IP address in its packet store.

The beauty of packet-based metering systems like Trisul is that they allow you to do sophisticated things like this. You would not be able to get this information with simple flow-based techniques like Netflow.

Here is further documentation on how you can enable this feature, called XFFDeProxy.
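As an added illustration (this is not Trisul's own XFFDeProxy code), here is the re-attribution idea worked through on constructed flows, with the check a defender wants: the header is honoured only when the packet really came from a known proxy, because any client can write its own X-Forwarded-For header. The proxy address 10.0.0.5, the flow tuples and the HTTP request heads are all assumptions.

```python
# Added example (not Trisul's own code): attribute the bytes of proxied HTTP
# requests to the real client named in X-Forwarded-For, but only when the
# packet's source is a known proxy, so a client-supplied header cannot be
# used to mis-attribute traffic.
from collections import defaultdict
import ipaddress

# Constructed assumption: proxy 10.0.0.5 sits in front of the 192.168.1.0/24 users.
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.5/32")}

# (src_ip, dst_ip, bytes_in_flow, HTTP request head) - constructed sample flows
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 1500,
     "GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 192.168.1.20\r\n\r\n"),
    ("10.0.0.5", "203.0.113.11", 800,   # chained proxies: leftmost entry is the client
     "GET /a HTTP/1.1\r\nHost: example.org\r\nX-Forwarded-For: 192.168.1.21, 10.0.0.5\r\n\r\n"),
    ("10.0.0.5", "203.0.113.12", 400,   # no XFF header: stays attributed to the proxy
     "GET /b HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("192.168.1.99", "203.0.113.13", 300,  # not from a trusted proxy: XFF is ignored
     "GET /c HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 1.2.3.4\r\n\r\n"),
]

def xff_client(http_head):
    """Return the leftmost syntactically valid IP from X-Forwarded-For, else None."""
    for line in http_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            first = value.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                return None  # garbage in the header: do not re-attribute
    return None

def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def deproxy_attribution(flows):
    """Bytes per originating host, with XFF substituted only behind trusted proxies."""
    totals = defaultdict(int)
    for src, dst, nbytes, head in flows:
        client = xff_client(head) if is_trusted_proxy(src) else None
        totals[client or src] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for host, nbytes in sorted(deproxy_attribution(SAMPLE_FLOWS).items()):
        print(f"{host:15} {nbytes}")
```

The untrusted fourth flow shows why the proxy allow-list matters: without it, a host could claim any address it liked and hide its traffic under someone else's name in the meter.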

---

Download Trisul

Just sign up and download Trisul today. It is completely free if you are monitoring a rolling 3-day window.