How to search history for indicators of compromise

We released a new Trisul app called “Search Keys”. It lets you search your entire history for hits against a list of IOCs.
Read More


Geo location updates to Trisul

This post describes updated Geo location features in Trisul Network Analytics.

Maxmind is a leading provider of IP-based Geo location intelligence. Trisul has always supported plugging in a Maxmind feed – either the free GeoLite or the more accurate commercial version. On Jan 2 2019, Maxmind discontinued the legacy GeoLite databases we were using earlier. With this release, we are announcing integration with the new Maxmind GeoLite2/GeoIP2 databases. As a bonus we also added new Geo metering you will love.

Performance impact of new format – CSV or MMDB

One of our requirements for streaming network analytics is very low-latency lookups, often at a per-packet or per-flow level. We were disappointed by the performance of the new libmaxminddb API compared to the older legacy API. This was a show stopper for us. We believe in extracting maximum value out of hardware resources in order to keep Network Security Monitoring viable.

Read More


Monitor information flows using the new Cross Keys feature

We are excited to introduce a powerful new feature called Cross Keys. This feature allows you to meter and visualize arbitrary information flows, which is not feasible with any other method without throwing heavy hardware resources at the problem.

How Cross Keys counter groups work

Trisul is a real-time streaming analytics platform. This means that all metrics, flow-based analytics and detection are computed in real time within a time budget, unlike search, database, or log analytics platforms. By default, 200+ traffic metrics provide the baseline visibility into your network. These are grouped together as Counter groups.

Shown below is the Internal Hosts counter group. This group meters about 18 metrics for all hosts that fall within the Home Networks.

Read More


Detecting ICMP Covert Channels through payload analysis

We’re kicking off the New Year 2019 with a couple of Trisul scripts to detect Covert Channels that use PING. These scripts were inspired by the blog post [How To: C2 over ICMP].

Many firewalls statefully allow outbound ICMP ECHO (aka PING) requests and pass along the corresponding responses. Blocking PING altogether is rare because of its extensive use by IT teams for troubleshooting. Signature-based detection, such as the default Snort icmp.rules, is not very effective in the absence of a particular pattern in each packet.

Here we introduce the new Ping Tunnel Detector scripts we released on GitHub, which use stateful payload analysis to spot this bad news.

Track the payload contents to detect C&C or unidirectional exfil

Read More