We released a new Trisul APP called “Search Keys”. This allows you to search your entire history for hits against a list of IOCs.
Maxmind is a leading provider of IP based Geo location intelligence. Trisul has always supported plugging in a Maxmind feed – either the free GeoLite or the more accurate commercial version. On Jan 2 2019, Maxmind discontinued their legacy GeoLite databases we were using earlier. With this release, we are announcing integration with the new Maxmind GeoLite2/GeoIP2 databases. As a bonus we also added new Geo metering you will love.
Performance impact of new format – CSV or MMDB
One of our requirements for streaming network analytics is very low latency lookups, often at a per-packet or per-flow level. We were disappointed by the performance of the new
libmaxminddb API compared to the older legacy API. This was a show stopper for us. We believe in extracting maximum value out of hardware resources in order to keep Network Security Monitoring viable.
To sort out the performance issues with the MMDB format, we created a new open source high speed IP Prefix matching library called FTRIE This loads the CSV files directly into a special in memory Trie format. Do check it out.
New Counter Groups for City and Prefix metering
Previously Trisul Network Analytics supported two counter groups
- Country – with metrics Total, Upload to, Download from
- ASN – with metrics Total, Upload to , Download from
With this new release we are adding two more counter group
- City – with metrics Total, To, From
- Prefix – with metric Total, To, From
The new Prefix counter group is based on the GeoLite2 ASN feed. This is useful for our ISP customers who keep track of Routing Prefixes as well.
Tour of new features
A quick tour of new features. These screenshots were taken from our Retro Analysis tools.
Menu Retro→ Retro Counter → Select Counter Group
New CITY based counter group.
Meters traffic from and to Cities. We recommend the commercial version of GeoIP to improve the resolution of this counter group.
New CITY counter group
New PREFIX counter group,
Here you can see the IP Prefixes used by the various Autonomous Systems. This feature can be useful for ISPs with peering relationships.
Cross product of InternalHosts-x-Applications-x-ExternalHosts
Updates to existing Country and ASN
The old counters work as usual after updating to the new database feed.
Country based metrics
ASN based metrics
Graph analytics and Cross keys
You automatically get Graph Analytics and other features like Flow Tagger, Cross Keys that tie these into your monitoring workflow.
The following screenshot shows you drilling down into City NL/Amsterdam hosts
Graph Analytics for all counter items
Just update the trisul-geo package You are all set.