Using plain Lua you can write powerful network analytics scripts on the Trisul platform. We have packaged some of our frequently used scripts into production ready Trisul Apps. Take a look at our Lua API for more on that.
The FireHOL Cybercrime IP List is a very well maintained blocklist. We use a lot of different lists but what sets FireHOL apart is the very low false postive rate and the amount of work the maintainer puts into keeping the list from turning stale. We found that if a FireHOL IP alerts you better take a closer look at it.
We are excited to announce a FireHOL Scanner App that checks your network traffic for hits and provides further analysis paths.
How the app works
The FireHOL Trisul APP can be really used to process any list in the form of a list of IP Subnets. The way this app works is
- Plugs into the Counter Group Monitor / External Hosts stream [ see Counter Group Monitor ]
- When each new host is seen we check against the blacklist
- Alert on each hit with a MINOR (Level 3) alert
- Elevate the priority to MAJOR (Level 1) when sufficient data exchanged with a blacklisted IP
We also released a reusable LuaJIT script called rangemap.lua this can be used to check individual IPs against entire IP ranges. Feel free to use it.
Github source code
The app source code and instructions are available on the Trisul Apps repository on Github
Trisul Apps are available even to those using the Free License. Do try them out.