Bottom-K, Cardinality Counting, and other new features in the latest TrisulNSM

We just released a new version of Trisul Network Analytics 6.5. This release features a lot of stability and performance improvements that make it even more attractive to deploy Trisul Network Analytics as your frontline NSM platform (Network Security Monitoring and Traffic Analytics).

This short post will share four nifty things you can use to supercharge your network security monitoring and traffic analytics.

Bottom-K lists

A most common operation that security engineers rely on it to take a particular parameter and see for Bottom-K or “rare keys”. Trisul’s streaming analytics make it trivial to run these types of queries over very long timeframes. The new release allows you to track Bottom-K items for any of the 100s of metrics available in Trisul.

Image shows rare TLS fingerprints

Cardinality Metrics – lets look at Unique-Hosts per Host

Imagine you want to track the hosts traffic for the number of Unique-Hosts that each Host communicates with. The idea here is that you want to bring out the hosts that talk to a lot of different hosts even though the actual data volumes may be low. The Cardinality metrics is the solution for you. YOu can create a “Cardinality Counter Group” and select the Parent and the Cardinatiliy to be Hosts. Once again, Trisul’s streaming analytics algorightms allow you to report on these counters for long time frames almost instantly.

Host trend by number of unique-hosts they talk to, the Y-Axis is the number of unique hosts in 1 min window


Better DNS analytics

This new release supercharges the DNS Resources extraction. The requests and responses are correlated and IPv6 and mDNS records are now supported. You can write LUA scripts to plugin to the DNS stream and create your own metrics off that.

DNS records are now much better than earlier

New Apps available – TCP analysis, UA-Parser, updated TLS Fingerprint

We’ve updated the Trisul LUA API with some nifty features. This API allows you to extend Trisul to solve your particular problems using plain LUA. The TCP Analyzer APP is a LUA app that monitors each TCP connection round trip time, retransmissions, and closure states to derive a list of IP that show problematic TCP performance characteristics. All Trisul APPs build upon our powerful LUA API and are open sourced. See our trisul-apps github page.

The UA-Parser app is a LUA Script that uses the UA-Parser library to extract user agent , device, and OS info from user-agent strings.

Existing users , upgrade immediately. Migration is automatic. If you are not yet on Trisul, this is the perfect time to get started. Happy monitoring! Team Trisul.

Free Download Trisul 6.5 ! Get started now.