Trisul EDGE – streaming graph analytics for Network Security Monitoring

Trisul EDGE is the graph analysis feature in the latest version of Trisul Network Analytics. We believe it will take your deep network-based security monitoring to the next level. Here is a technical feature brief.

One of the first questions analysts tend to ask when confronted with an event or an unexpected entity is “what else is related to this?”

This type of query is astonishingly hard to answer in near real time if you haven't already enriched your data to prepare for it. The data enrichment phase can be seen in typical Logstash configs in ELK pipelines. They work well for a small number of extra attributes or tags. Anything beyond that needs a large cluster rollout that isn't practical for our target users – security-conscious organisations with limited budgets.

Typical use case

Read More

Announcing Trisul Apps

Hey, Trisul users! We're excited to announce Trisul Apps.

It's a collection of plugin extensions you can install, upgrade, and remove with a single click to enhance the capabilities of Trisul.

We’re launching with 8 apps. You can hope to see dozens more in the coming weeks. All apps are open source and use the Lua or the JavaScript-TRP API. You can write your own apps or customize these.

App types

Trisul Apps fall into three categories

Read More

Traffic analysis of Secure Shell (SSH)

Secure Shell (SSH) is a ubiquitous protocol used everywhere for logins, file transfers, and executing remote commands. In this article, we use passive traffic analysis to detect various SSH events such as login, keypresses, and the presence of SSH tunnels. Let's start with a question.

What do you see on the wire when you press a key in an SSH terminal?

You could observe anywhere between 28 and 96 bytes of SSH payload, depending on the type of secure channel negotiated. Let's dive a little deeper to see if we can get an accurate answer.

TL;DR: Use traffic analysis to detect successful logins, keystrokes, and tunnels – reverse and forward. The approach is to use knowledge of the ciphers and MAC negotiated in SSH to calculate the SSH message lengths on the wire. For login detection, we use the Terminal Capabilities Exchange; there are only a handful of terminal types, so the message is predictable.

The basics: MACs and Ciphers

The SSH protocol offers both encryption and message integrity. Each packet is encrypted using a cipher and authenticated using a MAC. If you capture packets using a tool like Wireshark, this is what an SSH record looks like (without the TCP/IP headers).
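To make the "calculate the message length on the wire" idea concrete, here is an added example (not code from the Trisul post) that applies the RFC 4253 binary packet layout: 4-byte packet_length, 1-byte padding_length, payload, at least 4 bytes of padding so the encrypted part is a multiple of the cipher block size (minimum 8), then the MAC. It assumes the classic encrypt-and-MAC layout; OpenSSH's `-etm` MACs and AEAD ciphers pad differently and are deliberately not modelled.

```python
# Added example: on-wire size of one SSH binary packet in the RFC 4253
# encrypt-and-MAC layout:
#   packet_length(4) | padding_length(1) | payload | padding | MAC
# (4 + 1 + len(payload) + len(padding)) must be a multiple of
# max(cipher block size, 8) and padding must be at least 4 bytes.
# Assumption: OpenSSH *-etm MACs and AEAD ciphers (gcm, chacha20-poly1305)
# lay the packet out differently and are out of scope here.

# Block sizes (bytes) of common SSH ciphers.
CIPHER_BLOCK = {
    "3des-cbc": 8,
    "aes128-cbc": 16,
    "aes128-ctr": 16,
    "aes256-ctr": 16,
}

# Tag lengths (bytes) of common SSH MACs.
MAC_LEN = {
    "hmac-md5-96": 12,
    "hmac-sha1": 20,
    "hmac-sha2-256": 32,
    "hmac-sha2-512": 64,
}


def padding_len(payload_len: int, block: int) -> int:
    """Minimum RFC 4253 padding: >= 4 bytes, total a multiple of max(block, 8)."""
    bs = max(block, 8)
    pad = bs - (4 + 1 + payload_len) % bs
    if pad < 4:
        pad += bs
    return pad


def wire_len(payload_len: int, cipher: str, mac: str) -> int:
    """Bytes of SSH record seen on the wire (TCP/IP headers excluded)."""
    block = CIPHER_BLOCK[cipher]
    return 4 + 1 + payload_len + padding_len(payload_len, block) + MAC_LEN[mac]


def keystroke_wire_len(cipher: str, mac: str) -> int:
    """One keystroke is an SSH_MSG_CHANNEL_DATA carrying a single byte:
    1 (msg type) + 4 (recipient channel) + 4 (string length) + 1 (data)."""
    return wire_len(1 + 4 + 4 + 1, cipher, mac)


if __name__ == "__main__":
    for c, m in [("3des-cbc", "hmac-md5-96"), ("aes128-ctr", "hmac-sha1"),
                 ("aes256-ctr", "hmac-sha2-512")]:
        print(f"{c:12s} {m:14s} keystroke -> {keystroke_wire_len(c, m)} bytes")
```

A single keystroke with aes256-ctr and hmac-sha2-512 comes to 96 bytes, the top of the range quoted above; a detector matching keystroke traffic therefore needs the negotiated cipher and MAC names from the cleartext KEXINIT exchange to pick the right size.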

Read More

Detecting SSH tunnels

SSH is an incredibly powerful protocol whose footprint needs to be monitored closely in enterprises. The most common uses of SSH are totally legitimate: terminal sessions (ssh) or file transfer (scp, sftp). Many users also use the less well known port forwarding feature of SSH to create 'tunnels'. SSH tunnels bore through firewalls and NATs, and are almost totally opaque to Network Security Monitoring tools like Trisul, Bro, Suricata, Snort, and others. SSHv2 even has SOCKS5 support – this allows anyone to set up a full SOCKS5 proxy outside your network and hide all HTTP activity from the prying eyes of NSM tools. With HTTPS/SSL, security tools can at least get a look at the unencrypted certificates and perform checks; with SSH, everything goes dark right after the initial capabilities exchange.

There are two types of SSH tunnels. The forward tunnel allows an insider to get to the outside, bypassing the NSM and Firewall/NAT sentries. The reverse tunnel allows an outsider to get to the inside. The reverse tunnel is also called an autossh tunnel, after the popular tool used to set up and maintain this connection.

Here is what a forward SSH tunnel looks like:


Forward SSH tunnel hides activity. SSHv2 -D allows a full SOCKS5 proxy outside your visibility zone.

and a reverse SSH, or autossh, tunnel:


Reverse SSH tunnel allows someone to log on to an outside machine and pop up on the inside!

Read More