We are delighted to announce our latest release, “Trisul 6.5”. We think this is our best yet. We have rolled into it lessons learnt from watching users of our previous releases and of other tools. Our goal is to make Trisul the go-to tool for full-blown NSM and deep network traffic analysis. At the same time, we did not want to cut corners in extensibility or performance. Towards that end, this release includes an even better Lua API and across-the-board improvements in performance.
Best of all, we’ve retained the 3-day sliding window license that lets you get started without any friction in sales calls or canned demos. Just get the bits and go live.
What’s in this release
You can access the complete list of features on our Releases page. The key areas of change in this release are in the following broad categories:
- Stream Analytics — We’ve added a new Bottom-K sketch you can attach to any metric on any counter group. This is analogous to the “Stacking” technique used by batch processing or log management tools. With this new sketch, you can go to the Bottom-K for outlier hunting analysis or the Top-K for network monitoring.
Here we’re showing the least frequently seen values of the metric “hits” in the counter group “TLS Fingerprints”.
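To make the Bottom-K / Top-K “stacking” idea concrete, here is an added example (not Trisul’s code and not its Lua API) that keeps per-key counts for one metric of one counter group and answers both queries over a constructed stream of TLS fingerprint hits. The fingerprint ids are hypothetical placeholders, and the counting is exact rather than a sketch, which is an assumption made for clarity.

```python
"""Bottom-K / Top-K stacking over a counter-group metric (added example)."""
from collections import Counter
import heapq
from typing import Iterable, List, Tuple


class StackingSketch:
    """Per-key counts for one metric of one counter group.

    bottom_k() returns the rarest keys (outlier hunting), top_k() the most
    frequent ones (monitoring). Assumption: exact counting is used here for
    clarity; a production sketch would normally be approximate and bounded.
    """

    def __init__(self, counter_group: str, metric: str) -> None:
        self.counter_group = counter_group
        self.metric = metric
        self._counts: Counter = Counter()

    def add(self, key: str, value: int = 1) -> None:
        """Record `value` hits for `key` as the stream arrives."""
        self._counts[key] += value

    def bottom_k(self, k: int) -> List[Tuple[str, int]]:
        # Ties are broken by key name so results are deterministic.
        return heapq.nsmallest(k, self._counts.items(), key=lambda kv: (kv[1], kv[0]))

    def top_k(self, k: int) -> List[Tuple[str, int]]:
        return heapq.nlargest(k, self._counts.items(), key=lambda kv: (kv[1], kv[0]))


# Constructed sample stream: one entry per "hit" of a TLS fingerprint, as the
# "hits" metric of a "TLS Fingerprints" counter group might emit them.
# The fingerprint ids are hypothetical placeholders, not real JA3 hashes.
SAMPLE_STREAM = (
    ["fp-common-browser"] * 50
    + ["fp-corp-proxy"] * 30
    + ["fp-mobile-app"] * 12
    + ["fp-unusual-client"] * 2
    + ["fp-seen-once"]
)


def build_sketch(stream: Iterable[str] = SAMPLE_STREAM) -> StackingSketch:
    """Feed the stream into a sketch attached to the constructed counter group."""
    sketch = StackingSketch("TLS Fingerprints", "hits")
    for fingerprint in stream:
        sketch.add(fingerprint)
    return sketch


if __name__ == "__main__":
    sk = build_sketch()
    print("Bottom-3 (outlier hunting):", sk.bottom_k(3))
    print("Top-3 (monitoring):", sk.top_k(3))
```

The same structure works for any metric on any counter group: the Bottom-K view surfaces fingerprints seen once or twice, which is where unusual clients tend to sit, while the Top-K view is the familiar “heavy hitters” list.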
- Resources — Trisul continuously extracts metadata in a canonical format and stores it as Resources. DNS resources now include A, AAAA, CNAME, TXT, NS and MX values. URL Resources now log the request URL, Response-Code and Content-Type as a single resource. FTS (Full Text Search) documents also get better in this release. You can even build on these raw resources by plugging a Lua script into these streams. For instance, you can use the Lua API to build your own Passive DNS database or URL analysis.
Better DNS resources now include CNAME, TXT, MX and AAAA.
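The Passive DNS use case mentioned above, as an added example that is not Trisul’s code and does not use its Lua API: it consumes DNS resource records of the kinds listed (A, AAAA, CNAME, TXT, NS, MX), keeps first-seen, last-seen and hit counts per (name, type, data) triple, and supports forward and reverse lookups plus a “names first seen after T” query. The record tuples and the `observe`/`records_for`/`names_for` method names are constructed for this example; the addresses are from documentation ranges.

```python
"""Minimal passive DNS store fed from DNS resource records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class PdnsEntry:
    first_seen: int   # epoch seconds of the first observation
    last_seen: int    # epoch seconds of the latest observation
    count: int = 1    # number of times this (name, type, data) was seen


class PassiveDns:
    """Indexes observed DNS answers for later forward and reverse queries."""

    def __init__(self) -> None:
        self._fwd: Dict[Tuple[str, str, str], PdnsEntry] = {}
        self._rev: Dict[str, Set[str]] = defaultdict(set)   # rdata -> names
        self._name_first: Dict[str, int] = {}               # name -> first ts

    @staticmethod
    def _norm(name: str) -> str:
        return name.lower().rstrip(".")

    def observe(self, ts: int, qname: str, rtype: str, rdata: str) -> None:
        """Record one answer; repeated answers only update last_seen/count."""
        qname, rtype = self._norm(qname), rtype.upper()
        key = (qname, rtype, rdata)
        entry = self._fwd.get(key)
        if entry is None:
            self._fwd[key] = PdnsEntry(ts, ts)
        else:
            entry.last_seen = max(entry.last_seen, ts)
            entry.count += 1
        self._rev[rdata].add(qname)
        self._name_first[qname] = min(self._name_first.get(qname, ts), ts)

    def records_for(self, qname: str) -> List[Tuple[str, str, PdnsEntry]]:
        """Forward lookup: every (rtype, rdata, entry) seen for a name."""
        q = self._norm(qname)
        return sorted((t, d, e) for (n, t, d), e in self._fwd.items() if n == q)

    def names_for(self, rdata: str) -> List[str]:
        """Reverse lookup: every name that resolved to this answer data."""
        return sorted(self._rev.get(rdata, ()))

    def names_first_seen_after(self, ts: int) -> List[str]:
        """Names whose earliest observation is newer than `ts` (new-domain hunting)."""
        return sorted(n for n, first in self._name_first.items() if first > ts)


# Constructed sample records: (ts, qname, rtype, rdata). Addresses use the
# RFC 5737 / RFC 3849 documentation ranges; names are example domains.
SAMPLE_RECORDS = [
    (100, "www.example.com", "A", "192.0.2.10"),
    (120, "www.example.com", "AAAA", "2001:db8::10"),
    (130, "mail.example.com", "MX", "10 mx.example.com"),
    (140, "example.com", "TXT", "v=spf1 -all"),
    (150, "cdn.example.net", "CNAME", "edge.example.org"),
    (160, "www.example.com.", "a", "192.0.2.10"),      # repeat, odd casing/dot
    (170, "other.example.net", "A", "192.0.2.10"),     # same IP, new name
    (180, "example.com", "NS", "ns1.example.com"),
]


def build_pdns(records: Iterable[Tuple[int, str, str, str]] = SAMPLE_RECORDS) -> PassiveDns:
    pdns = PassiveDns()
    for ts, qname, rtype, rdata in records:
        pdns.observe(ts, qname, rtype, rdata)
    return pdns


if __name__ == "__main__":
    db = build_pdns()
    print(db.records_for("www.example.com"))
    print(db.names_for("192.0.2.10"))
    print(db.names_first_seen_after(145))
```

The reverse index is what turns a single bad address into the set of names that shared it, and the first-seen query is the cheap way to list domains that appeared for the first time during a window of interest.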
- Packets — The ability to dip into raw packets has always been a main feature of Trisul. We watched our users closely and created the “Quick PCAP” view for viewing the first 100K bytes as a hexdump and strings. Now, if TShark is installed, you get a new tab with a one-line TShark summary per packet. We have also dramatically improved the way packet blocks are indexed. This results in big speedups, sometimes up to 50% for sparse searches through packets. While we are on the topic of packets, we released a new App called Prune Encrypted PCAP Storage to skip YouTube, Netflix and other sites.
PCAP retrieval is now much faster, and the Quick PCAP view shows TShark summaries.
- Intel — Trisul has a native intel plugin called BadFellas. This has now been updated with new blacklists for ransomware and SSL certificates. This release also improves the “Long Tail” metrics, which specifically track web traffic that is not in the Top-1M as per Alexa and Quantcast. We also released a new Trisul App called FireHOL Tracker, which checks your traffic against the low-false-positive FireHOL Cybercrime list. You can write your own intel framework; in fact, the Trisul Apps we release are open source and use the same Lua API.
Updated blacklists and a flexible Lua API to roll your own.
And last but not least, we have released a Docker TrisulNSM image that has everything you need for NSM and even includes an IDS. It is the perfect place to start for a small or medium enterprise or even a home network. Just docker run it and point it at an interface. It is free.
Existing users, upgrade immediately. Migration is automatic. If you are not yet on Trisul, this is the perfect time to get started. Happy monitoring! Team Trisul.