Introducing proctrisulids – run security and traffic analytics over PCAP dumps
We just uploaded an exciting new release of Trisul Network Analytics. It contains a whole lot of new features, enhancements, and bug fixes. We are most excited to introduce a new tool called proctrisulids.
A very common use case in network security and forensics is the ability to handle extremely large offline PCAP dumps. How do you get a number of disparate tools to crunch this data and offer a coherent view as if the traffic were captured live? One way is to play back the traffic using a tool like tcpreplay. That technique is very cumbersome for the following reasons:
- The timestamps shown aren't the actual capture timestamps but the replay time
- The playback must run at the same speed as the original capture, otherwise the traffic statistics get skewed
- You may need a separate playback interface
Wouldn't it be great if you could have a tool that just sucks these PCAPs in and be done with it? This is what proctrisulids provides.
How it works
Trisul 5.5 introduces a new feature in the streaming analytics backend called overlay mode. In overlay mode, you can run Trisul over an already completed analytics run covering the same time interval. Instead of overwriting the old data, the second run overlays the new data on top. There are many applications for this technique. For example, you can take two PCAPs captured from different locations over the same time interval and run them one after the other; the final metrics shown are a merged result, as if you had a single merged PCAP. This advanced multi-pass analytics capability is what enables proctrisulids.
If you download and install Trisul you will automatically get a tool called proctrisulids. The tool first runs a single pass of Trisul Network Analytics over a PCAP dump, then switches to overlay mode and runs a second pass of Trisul along with Snort over the same PCAP dump. The diagram shown below describes how this is set up.
The alerts then generate further metrics that are merged with the traffic statistics from the first run. The end result is a seamless view of alerts, traffic, flow and packet data.
We've documented the extremely simple-to-use tool here. Please give it a spin.
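To make the two ideas above concrete, here is an added example (not Trisul's own code or its storage format) that buckets packets by their original PCAP timestamps rather than by replay time, and then overlays a second capture's metrics onto the first run instead of overwriting it. The pcap bytes and the two "sites" are constructed inline for illustration.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps

def build_pcap(records):
    """Construct a minimal pcap file in memory from (ts_sec, ts_usec, payload)
    tuples. Constructed sample data for this example, not a real capture."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(p), len(p)) + p for sec, usec, p in records
    )
    return hdr + body

def interval_metrics(pcap_bytes, interval=2):
    """Bucket packets and bytes into fixed intervals keyed by the ORIGINAL capture
    timestamp, so results do not depend on when or how fast the file is processed."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap variant")
    metrics = defaultdict(lambda: {"packets": 0, "bytes": 0})
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16 + incl_len
        bucket = sec - (sec % interval)
        metrics[bucket]["packets"] += 1
        metrics[bucket]["bytes"] += incl_len
    return dict(metrics)

def overlay(base, second):
    """Overlay mode: merge a second run's metrics on top of an existing run
    over the same time interval instead of overwriting it."""
    merged = {k: dict(v) for k, v in base.items()}
    for bucket, m in second.items():
        slot = merged.setdefault(bucket, {"packets": 0, "bytes": 0})
        slot["packets"] += m["packets"]
        slot["bytes"] += m["bytes"]
    return merged

# Constructed captures from two vantage points over the same 4-second window.
SITE_A = build_pcap([(1000, 0, b"A" * 60), (1001, 500000, b"A" * 1400), (1003, 0, b"A" * 60)])
SITE_B = build_pcap([(1000, 250000, b"B" * 1400), (1002, 0, b"B" * 60)])

def merged_view():
    """First pass over SITE_A, then SITE_B overlaid on the same intervals."""
    return overlay(interval_metrics(SITE_A), interval_metrics(SITE_B))

if __name__ == "__main__":
    for bucket, m in sorted(merged_view().items()):
        print(bucket, m)
```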
In addition to the proctrisulids tool, the new builds of Trisul feature:
- Restored support for Ubuntu 12.04 LTS 64-bit. This will help users running Trisul Network Analytics alongside other tools in the Security Onion distro.
- You can now add your own intel feeds into the Trisul Badfellas database. We've defined a dead simple tab-separated file format.
- A new experimental Live Dashboard. Track traffic use in near real time at 2-second intervals. We leverage the latest WebSockets and ZeroMQ backend messaging to build a real-time analytics layer.
- Better DEB and RPM install and uninstall experience
- New tools rmcontext and cfgedit to help manage your Trisul sensors
- New metrics for services that use CDNs help you track Facebook, Google, Twitter and WhatsApp traffic
- Some slow memory leaks fixed