TOPIC: Newcomer to Trisul

Newcomer to Trisul 12 years 2 months ago #627

Good day,

I've come across Trisul, installed it on an appropriate machine and now I am giving it hell, in order to assess whether I am upgrading to the paid version or not.
First and foremost, I'd like to say that I am really impressed with the way Trisul handles and displays the data, making it one of the best traffic analyzers on the market today.
Second, I have to say that the pricing I've seen on the website is extremely attractive for the paid version.
However, from the very beginning, I've come across several issues, for which I'd really appreciate if I could be directed towards a solution, or a documentation.

1) I have tried to add a WiFi interface in monitoring mode (mon0 for example, set via airmon-ng) to the list of the monitored interfaces, with no luck towards producing results, even if I have checked the Promiscuous option in the Trisul configuration and the adapter is running in the background capturing data. Are there any tips to do this, or is it not doable?

2) The way I have tried to load a capture file is the following:

a) sudo service trisul start
b) sudo /usr/local/share/webtrisul/build/webtrisuld start
c) sudo trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode offline -in ./user/trisul/test_offline.pcap

So far, I have not managed to load any capture file (created with tcpdump -i <interface> -vvv -w test_offline.pcap) within trisul. Is there anything wrong with this approach?
What happens if (after I have managed to load these capture files) I load two capture files from two different interfaces / machines that cover the same amount of time? What are the means to differentiate?
I really think that a simplified capture loading mechanism (even from the web interface) or a more detailed tutorial on this procedure (whether the daemon needs to be loaded, how can I process the data in the web interface IF the daemon is not loaded, a.s.o.) should be in place as soon as possible.

3) I have not found any tutorial for collecting data from multiple probes / sensors. I may have overlooked it, and if that be the case, I apologize. Does anyone have a detailed tutorial on how to collect data from multiple sensors, what are the prerequisites for both the sensors and the master system and, given enough bandwidth, can Trisul receive full data (including the actual captured packets) from remote sensors?
Do the sensors need to have Trisul installed, or can they just be wireless / wired routers?

I hope I haven't caused too much trouble with the questions, and I hope the people who are more experienced with Trisul than me (99.9% of the IT people) will at least direct me towards the right path / user manual.

Best regards

Later edit:
I've noticed a curious behavior with Trisul. Every 15 minutes, it uploads some 13 MB to what initially seems to be malwaredomainlist.com, which is hosted by Georgia Tech. DPI on the traffic yields an undecoded text stream which, when viewed in Xplico is in fact a long list of blacklisted (I think) domains, IPs, apps and so on.
My (legit) question is: why is this traffic OUTBOUND from my machine to malwaredomainlist.com and not the other way around?
Last Edit: 12 years 2 months ago by witty.wendetta.

Re:Newcomer to Trisul 12 years 2 months ago #628

Hi,

Thanks for checking out Trisul and the encouraging words.

1. airmon-ng might be inserting something special at the link layer that prevents Trisul from analyzing the higher layers. Can you send me a capture file (with only a few packets) to info @unleashnetworks.com ? We will update the software fairly quickly in a day or two.

2. There is an easy way to import capture dumps via the user interface. Have you tried this: trisul.org/docs/ug/caps/pcap_import.html

2. If you do want to run pcaps from the command line - you need to do this.

b) sudo /usr/local/share/webtrisul/build/webtrisuld start
c) sudo trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode offline -in ./user/trisul/test_offline.pcap

There is no need to run the daemon (step a) in your post. Also make sure the pcap has at least 10 mins of data. The tcpdump command you cite is correct; we test with gigs of pcaps generated this way.


2. You can load many capture dumps, or capture from multiple interfaces; Trisul uses "contexts" to keep them separate. While logging in you need to select which context you are interested in. You can see that in action on our demo site trisul.org:3000. You may read more about contexts here: trisul.org/docs/ug/webadmin/contexts.html


3. Trisul is at the moment a point solution. The primary reason for that is the sheer volume of data tracked and stored by Trisul. Unlike other analyzers, Trisul tracks detailed stats at 30s resolution for over 120 data points, toppers for about 80 of those, every TCP/UDP flow, DNS, URL resource, alerts, and even raw packets. This does not lend itself to a centralized approach, as the time and bandwidth needed to schlep this data (even an index) is considerable. The best option for a distributed deployment of Trisul is to use the Netflow/SFlow mode: you can have your routers export Netflow/SFlow to a central Trisul box and monitor everything from there. The only things you would miss are the packet based features and the real time monitoring. We do have a plan for a distributed solution in 3.0, but that would be more of a peer-to-peer model than a centralized one.

Hope that helped, and send the airmon-ng pcap across for a fix.


Thanks,
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums

Re:Newcomer to Trisul 12 years 2 months ago #629

Response to the edit:

It appears you have installed the Badfellas plugin trisul.org/docs/install/badfellas.html

This plugin analyzes your traffic and matches it against millions of blacklisted IPs, malicious domains, phishing sites, botnet C&C and so forth.

In order to do that it downloads (not uploads) these blacklists once a day. I am guessing (apologies if I guess wrong) that you are looking at the flows table while concluding that it is an upload. The table actually lists the IPs as A-End and Z-End instead of source and destination. If you click the icon at the last column, it will tell you how much data went from A->Z and Z->A.

Uninstalling plugins will disable all lists from being downloaded.
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
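The A-End / Z-End mix-up described above is easy to reproduce. The following is an added example (not Trisul's code or schema): given flow rows laid out as A-End, Z-End, bytes A->Z and bytes Z->A, it decides the direction from the local network's point of view, so that the row order never suggests an "upload". Addresses, prefixes and byte counts are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the prefixes that count as "my network".
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Flow:
    a_end: str      # first endpoint as listed in the table (NOT the source)
    z_end: str      # second endpoint as listed (NOT the destination)
    bytes_az: int   # bytes that travelled from A-End to Z-End
    bytes_za: int   # bytes that travelled from Z-End to A-End


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify(flow: Flow) -> tuple[str, int, int]:
    """Return (direction, bytes_out, bytes_in) relative to LOCAL_NETS.

    direction is 'mostly-download', 'mostly-upload', 'balanced',
    or 'internal'/'external' when both ends are on the same side.
    """
    a_local, z_local = is_local(flow.a_end), is_local(flow.z_end)
    if a_local and not z_local:
        out_b, in_b = flow.bytes_az, flow.bytes_za
    elif z_local and not a_local:
        out_b, in_b = flow.bytes_za, flow.bytes_az
    else:
        return ("internal" if a_local else "external", 0, 0)
    if in_b > 4 * out_b:
        return ("mostly-download", out_b, in_b)
    if out_b > 4 * in_b:
        return ("mostly-upload", out_b, in_b)
    return ("balanced", out_b, in_b)


# Constructed rows: the same blacklist fetch, listed with either end as A-End.
# A few KB of request go out, about 13 MB of list data comes back.
FLOWS = [
    Flow("192.168.1.10", "203.0.113.5", bytes_az=4_200, bytes_za=13_000_000),
    Flow("203.0.113.5", "192.168.1.10", bytes_az=13_000_000, bytes_za=4_200),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.a_end, "->", f.z_end, classify(f))
```

Both rows classify as a download of about 13 MB; only the column order differs.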

Re:Newcomer to Trisul 12 years 2 months ago #630

Hi there and thank you for taking your time (on a Sunday) to reply to my questions.
First and foremost, it's official! I'm stupid. Trisul can't display data captured from a wireless interface in monitoring mode, because the only data it has access to is the raw (encrypted) wireless frames. I'm going to perform two other tests: one capturing from an open wireless access point and the other one from a protected access point, but with the adapter authenticated. I'll let you know the results as soon as I have them.
As to importing pcaps via the web interface, I think the problem was generated by the trisul version (2.0.934), rather than by anything else. On a 32-bit machine with a fresh 2.3.1006 trisul, I have the option of importing the pcap files, both in the Tools sub-menu, as per the link you gave me, as well as in the Admin menu, under Start/stop tasks.
Thus, I'm thinking an upgrade will solve the problem in its entirety.

One last thing I wanted to ask you, with regard to the license.
You wrote that at this time trisul is a point solution. At this time, I am "testing / managing" multiple machines, in different locations, on completely different networks, by installing trisul on each of the target machines, a thing I'm perfectly OK with, and accessing them via the Web server (my focus is on Forensics, so DPI is a must). In view of this approach, which does not include the idea of a "Home Network" with a number of IPs fitting into a license, and considering the multiple instances of trisul, running on each and every machine (managed from a single location via the Web Interface), what would be my licensing options?

P.S. The number of machines in question would be well below 200.

P.P.S. As to the weird traffic, of course you were right. I was considering (obviously being wrong) outbound traffic from the external host to be outbound from my network. Not one of my better days I'm afraid. Apologies for the confusion.

Hope to hear from you soon, and keep up the good work.

Re:Newcomer to Trisul 12 years 2 months ago #631

Hi,

I think the wireless test may not work, because in monitor mode the link layer may insert some protocol items that Trisul is not handling. Give it a try; if it works, fine; if not, get back to us and we can provide a fix. It should work with unencrypted APs in the general case, however.

If the total number of machines online at any instant is below 255, then we can certainly discuss some other licensing options. Can you shoot an email to info [at] unleashnetworks com with some information about the number of sites/machines?

Did you get the pcap imports to work fine via the GUI?

Thanks,
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums

Re:Newcomer to Trisul 12 years 1 month ago #641

Hey, and sorry for the delay. I've been away for a while.

The best way to import an airodump cap file in Trisul is this:

1) Generate cap file (I have a 2 GB capture that I'm playing with right now)
2) remove the wireless (L2) headers with airdecap-ng <file_name> (airdecap-ng is part of the aircrack suite)
3) import the cap file via the Trisul web interface
4) Enjoy the speed of trisul's processing algorithms while browsing through the 2 GB of captured data.

So, as far as I'm concerned, there is actually no need for modifications in Trisul.

As to the licensing, I am composing the email right now.

Have a good day
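A quick check that fits the procedure above, added here as an example (not part of the original post or of Trisul or aircrack-ng): before importing, read the 24-byte classic pcap global header and confirm the link-layer type is Ethernet (DLT 1) rather than the 802.11 or radiotap types a monitor-mode capture carries. The sample headers are constructed in the code; the DLT values are the standard libpcap ones.

```python
import struct

# Standard libpcap link-layer type values.
DLT_EN10MB = 1               # Ethernet: what the decapsulated file should carry
DLT_IEEE802_11 = 105         # raw 802.11 frames
DLT_IEEE802_11_RADIO = 127   # 802.11 with radiotap header (typical monitor-mode capture)

# Classic pcap magic numbers -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type field of a classic pcap global header."""
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    endian = PCAP_MAGICS.get(header[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    # Fields: magic, version major/minor, thiszone, sigfigs, snaplen, network.
    _, _major, _minor, _tz, _sig, _snap, network = struct.unpack(endian + "IHHiIII", header[:24])
    return network


def ready_for_import(path: str) -> bool:
    """True when the file's link type is Ethernet, i.e. the 802.11 layer is gone."""
    with open(path, "rb") as f:
        return pcap_linktype(f.read(24)) == DLT_EN10MB


def make_header(linktype: int, endian: str = "<") -> bytes:
    """Constructed sample global header (version 2.4, snaplen 65535) for testing."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    return magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    for lt in (DLT_IEEE802_11_RADIO, DLT_EN10MB):
        print(lt, "import-ready:", pcap_linktype(make_header(lt)) == DLT_EN10MB)
```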