
MaxMind is a leading provider of IP-based geolocation intelligence. Trisul has always supported plugging in a MaxMind feed, either the free GeoLite or the more accurate commercial version. On Jan 2 2019, MaxMind discontinued the legacy GeoLite databases we were using earlier. With this release, we are announcing integration with the new MaxMind GeoLite2/GeoIP2 databases. As a bonus we also added new Geo metering you will love.

Performance impact of the new format: CSV or MMDB

One of our requirements for streaming network analytics is very low-latency lookups, often at a per-packet or per-flow level. We were disappointed by the performance of the new libmaxminddb API compared to the older legacy API. This was a showstopper for us. We believe in extracting maximum value out of hardware resources in order to keep Network Security Monitoring viable.

To sort out the performance issues with the MMDB format, we created a new open source high-speed IP prefix matching library called FTRIE. It loads the CSV files directly into a special in-memory trie format, so each lookup is a longest-prefix match over the address bits rather than a call into libmaxminddb. Do check it out.

New Counter Groups for City and Prefix metering

Previously Trisul Network Analytics supported two counter groups:

  • Country – with metrics Total, Upload to, Download from
  • ASN – with metrics Total, Upload to, Download from

With this new release we are adding two more counter groups:

  • City – with metrics Total, To, From
  • Prefix – with metrics Total, To, From

The new Prefix counter group is based on the GeoLite2 ASN feed. This is useful for our ISP customers who keep track of Routing Prefixes as well.
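The following is an added example, not FTRIE's or Trisul's own code, that shows the two ideas above end to end: a GeoLite2-ASN-style CSV loaded into an in-memory binary trie for longest-prefix matching, and that trie used to meter flows into a Prefix counter group with the Total, To and From metrics. The CSV sample, the flow records and the 172.16.0.0/12 "home network" are constructed for the example; the column names are assumed to follow the GeoLite2 ASN blocks CSV layout.

```python
"""Longest-prefix-match trie over an ASN-prefix CSV, used to meter flows into a
Prefix counter group (Total / To / From).  Added example, not FTRIE/Trisul code."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample; columns assumed to follow the GeoLite2-ASN-Blocks-IPv4.csv layout.
SAMPLE_ASN_CSV = """network,autonomous_system_number,autonomous_system_organization
10.0.0.0/8,64500,EXAMPLE-NET-A
10.1.0.0/16,64501,EXAMPLE-NET-B
192.0.2.0/24,64502,EXAMPLE-NET-C
"""

# Constructed flows: (src_ip, dst_ip, bytes).  172.16.0.0/12 plays the monitored network.
SAMPLE_FLOWS = [
    ("172.16.5.9", "10.1.2.3", 1500),    # to 10.1.0.0/16 (more specific than the /8)
    ("10.0.9.9", "172.16.5.9", 4000),    # from 10.0.0.0/8
    ("172.16.5.9", "192.0.2.44", 700),   # to 192.0.2.0/24
    ("172.16.5.9", "203.0.113.1", 100),  # no prefix in the feed
]
HOME_NETS = [ipaddress.IPv4Network("172.16.0.0/12")]  # assumed internal range


class PrefixTrie:
    """Binary trie keyed on IPv4 address bits; a node carries a payload only if a
    prefix ends exactly there, so lookup is a walk that remembers the deepest hit."""
    __slots__ = ("children", "value")

    def __init__(self):
        self.children = [None, None]
        self.value = None  # (prefix string, payload) for a prefix ending at this node

    def insert(self, network, payload):
        net = ipaddress.IPv4Network(network, strict=False)
        addr = int(net.network_address)
        node = self
        for i in range(net.prefixlen):
            bit = (addr >> (31 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = PrefixTrie()
            node = node.children[bit]
        node.value = (str(net), payload)

    def lookup(self, ip):
        """Return the longest matching (prefix, payload), or None if no prefix covers ip."""
        addr = int(ipaddress.IPv4Address(ip))
        node, best = self, self.value
        for i in range(32):
            node = node.children[(addr >> (31 - i)) & 1]
            if node is None:
                break
            if node.value is not None:
                best = node.value
        return best


def load_asn_csv(text):
    """Build the trie straight from CSV text, the way a CSV-backed feed would be loaded."""
    trie = PrefixTrie()
    for row in csv.DictReader(io.StringIO(text)):
        payload = (int(row["autonomous_system_number"]), row["autonomous_system_organization"])
        trie.insert(row["network"], payload)
    return trie


def is_internal(ip):
    a = ipaddress.IPv4Address(ip)
    return any(a in n for n in HOME_NETS)


def meter_prefix_counters(trie, flows):
    """Prefix counter group: Total = all bytes touching the prefix, To = bytes sent to
    an external host in it, From = bytes received from an external host in it."""
    counters = defaultdict(lambda: {"Total": 0, "To": 0, "From": 0})
    for src, dst, nbytes in flows:
        for ip, direction in ((dst, "To"), (src, "From")):
            if is_internal(ip):
                continue  # only the external end is metered by prefix
            hit = trie.lookup(ip)
            key = hit[0] if hit else "unknown"
            counters[key]["Total"] += nbytes
            counters[key][direction] += nbytes
    return dict(counters)


if __name__ == "__main__":
    trie = load_asn_csv(SAMPLE_ASN_CSV)
    for prefix, metrics in sorted(meter_prefix_counters(trie, SAMPLE_FLOWS).items()):
        print(prefix, metrics)
```

The flow to 10.1.2.3 is credited to 10.1.0.0/16 rather than 10.0.0.0/8 because the walk keeps the deepest node that carries a prefix, which is the longest-prefix-match rule a routing-prefix counter group needs.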

Tour of new features

A quick tour of the new features. These screenshots were taken from our Retro Analysis tools, via the menu Retro → Retro Counter → Select Counter Group.

New CITY based counter group

Meters traffic from and to cities. We recommend the commercial version of GeoIP2 to improve the resolution of this counter group.


New CITY counter group

New PREFIX counter group

Here you can see the IP prefixes announced by the various Autonomous Systems. This feature can be useful for ISPs with peering relationships.


Cross product of InternalHosts-x-Applications-x-ExternalHosts

Updates to existing Country and ASN

The old counters work as usual after updating to the new database feed.


Country based metrics


ASN based metrics

Graph analytics and Cross keys

You automatically get Graph Analytics and other features, such as Flow Tagger and Cross Keys, that tie these new counter groups into your monitoring workflow.

The following screenshot shows a drill-down into hosts in the City NL/Amsterdam.


Graph Analytics for all counter items

Installing

Just update the trisul-geo package and you are all set.

Happy monitoring!
Get started with Trisul NSM 6.5 now. The easiest way to high performance network security monitoring and deep traffic analytics.