Monitor information flows using the new Cross Keys feature

We are excited to introduce a powerful new feature called Cross Keys. This feature allows you to meter and visualize arbitrary information flows, which is not feasible with any other method without throwing heavy hardware resources at it.

How Cross Keys counter groups work

Trisul is a real-time streaming analytics platform. This means all metrics, flow-based analytics, and detections are computed in real time within a time budget, unlike search, database, or log analytics platforms. By default, 200+ traffic metrics provide the baseline visibility into your network. These are grouped together as Counter Groups.

Shown below is the Internal Hosts counter group. This group meters about 18 metrics for all hosts that fall within the Home Networks.


Detecting ICMP Covert Channels through payload analysis

We’re kicking off the New Year 2019 with a couple of Trisul scripts to detect covert channels that use PING. These scripts were inspired by the blog post [How To: C2 over ICMP].

Many firewalls statefully allow outbound ICMP ECHO (aka PING) requests and pass along the corresponding responses. Blocking PING altogether is rare because of its extensive use by IT teams for troubleshooting. Signature-based detections, such as those found in the default Snort icmp.rules, are not very effective in the absence of a particular pattern in each packet.

Here we introduce the new Ping Tunnel Detector scripts we released on GitHub, which use stateful payload analysis to spot this bad news.

Tracking the payload contents to detect C&C or unidirectional exfiltration


Working with network flows gets easier with the new Trisul update

Network flows, or conversations, are a very important part of network security and traffic analytics. Trisul has always had excellent support for reconstructing, storing, and querying very large-scale flow databases. However, we watched customer workflows and found that we could make their lives dramatically easier by adding a couple of nifty new features. We just pushed out a new release that puts these two new tools in your hands.

Aggregate Flows: Run a query and aggregate all parameters that make up a flow.
Export to Excel: All flow-related tools get an “Export to XLSX” button that exports results into an MS Excel document.

Aggregate Flows

You used the “Explore Flows” tool in previous versions of Trisul to query flows using any combination of IPs, ports, protocols, NetFlow interfaces, etc. This works great when your primary use case is security, where you expect a few thousand hits. The Explore Flows tool used only the first MaxCount (by default 10K) flows to perform the analysis in the browser.


Trisul packages now available for Ubuntu 18.04 Bionic Beaver

We are pleased to make the following announcements.

New Ubuntu 18.04 repository ready to install packages

We just released packages of Trisul Network Analytics for Ubuntu 18.04 LTS 64-bit (Bionic Beaver). For most new users of Trisul, we recommend the Ubuntu 18.04 64-bit Server Install as the first-choice installation platform.
