Geo location updates to Trisul

This post describes updated Geo location features in Trisul Network Analytics.

Maxmind is a leading provider of IP based Geo location intelligence. Trisul has always supported plugging in a Maxmind feed – either the free GeoLite or the more accurate commercial version. On Jan 2 2019, Maxmind discontinued their legacy GeoLite databases we were using earlier. With this release, we are announcing integration with the new Maxmind GeoLite2/GeoIP2 databases. As a bonus we also added new Geo metering you will love.

Performance impact of new format – CSV or MMDB

One of our requirements for streaming network analytics is very low latency lookups, often at a per-packet or per-flow level. We were disappointed by the performance of the new libmaxminddb API compared to the older legacy API. This was a show stopper for us. We believe in extracting maximum value out of hardware resources in order to keep Network Security Monitoring viable.

Read More

Monitor information flows using the new Cross Keys feature

We are excited to introduce a powerful new feature called Cross Keys. This feature allow you to meter and visualize arbitrary information flows which is not feasible with any other method without throwing heavy hardware resources at it.

How Cross Keys counter groups work

Trisul is a real time streaming analytics platform. This means all metrics, flow based analytics, detection, are computed in real time within a time budget unlike search, database, or log analytics platforms. By default, 200+ traffic metrics provide the baseline visibility into your network. These are grouped together as Counter groups.

Shown below is the Internal Hosts counter group. This group meters about 18 metrics for all hosts that fall within the Home Networks

Read More

Detecting ICMP Covert Channels through payload analysis

We’re kicking off the New Year 2019 with a couple of Trisul scripts to detect Covert Channels that use PING. This script was inspired by the blog post [How To: C2 over ICMP]

Many firewalls statefully allow outbound ICMP ECHO (aka PING) requests and pass along the corresponding responses. Blocking PING altogether is rare because of its extensive use by IT teams for troubleshooting. Signature based detection such as those found in the default Snort icmp.rules are not be very effective in the absence of a particular pattern in each packet.

Here we introduce the new Ping Tunnel Detector scripts we released on Github which use stateful payload analysis to spot this bad news.

Use track the payload contents to detect C&C or unidiretional Exfil

Read More

Working with network flows gets easier with the new Trisul update

Network flows or conversations are a very important part of network security and traffic analytics. Trisul has always had excellent support for reconstructing, storage, and querying of very large scale flow databases. However, we watched customer workflows and found that we could dramatically make their lives easier by adding a couple of nifty new features. We just pushed out a new release that puts these two new tools in your hands.

Aggregate Flows
Run a query and aggregate all parameters that make up a flow
Export to Excel
On all flow related tools add a “Export to XLSX” button that exports results into a MS Excel document

Aggregate Flows

You used the “Explore Flows” tool in previous versions of Trisul to query flows using any combination of ips, ports, protocols, netflow interfaces, etc. This works great when your primary use case is security where you expected a few thousand hits. The Explore Flows tool used only the first MaxCount (by default 10K) flows to perform the analysis on the browser.

Read More