Detecting ICMP Covert Channels through payload analysis

We’re kicking off the New Year 2019 with a couple of Trisul scripts to detect Covert Channels that use PING. This script was inspired by the blog post [How To: C2 over ICMP]

Many firewalls statefully allow outbound ICMP ECHO (aka PING) requests and pass along the corresponding responses. Blocking PING altogether is rare because of its extensive use by IT teams for troubleshooting. Signature based detection such as those found in the default Snort icmp.rules are not be very effective in the absence of a particular pattern in each packet.

Here we introduce the new Ping Tunnel Detector scripts we released on Github which use stateful payload analysis to spot this bad news.


Use track the payload contents to detect C&C or unidiretional Exfil

Read More


Working with network flows gets easier with the new Trisul update

Network flows or conversations are a very important part of network security and traffic analytics. Trisul has always had excellent support for reconstructing, storage, and querying of very large scale flow databases. However, we watched customer workflows and found that we could dramatically make their lives easier by adding a couple of nifty new features. We just pushed out a new release that puts these two new tools in your hands.

Aggregate Flows
Run a query and aggregate all parameters that make up a flow
Export to Excel
On all flow related tools add a “Export to XLSX” button that exports results into a MS Excel document

Aggregate Flows

You used the “Explore Flows” tool in previous versions of Trisul to query flows using any combination of ips, ports, protocols, netflow interfaces, etc. This works great when your primary use case is security where you expected a few thousand hits. The Explore Flows tool used only the first MaxCount (by default 10K) flows to perform the analysis on the browser.

Read More


Trisul packages now available for Ubuntu 18.04 Bionic Beaver

We are pleased to make the following announcements.

New Ubuntu 18.04 repository ready to install packages

We just released packages of Trisul Network Analytics for Ubuntu 18.04 LTS 64-bits (Bionic Beaver). For most new users of Trisul we recommend the Ubuntu 18.04 64-bits Server Install as the first choice installation platform.

Read More


Announcing Trisul-Probe docker image and new distributed monitor features

We just released new builds of Trisul Network Analytics 6.5 with some exciting updates.

Trisul Network Analytics is a distributed monitoring platform. In the distributed setup, a network of “Probe nodes” can report to one or more “Hub nodes”. We provide Ubuntu/CentOS/RHEL packages for the probe and hub nodes. But we really like Docker for its sheer ease of deployment and upgrades. We already have a popular Docker Image with over 10K pulls for our single-node solution called trisulnsm/trisul6

Today we are excited to release a new Docker image of Trisul-Probe that lets you roll out a new probe in under 3 minutes.

This blog post is a quick tour of the distributed management features you can find in this release.

Read More