Trisul Updates – Topper sketches and TRP updates

We have a new build of Trisul 3.6 which has a few nifty enhancements.

Topper sketches over time

We added a new tab in Retro → Retro Counters that shows topper snapshots, also called sketches, over the selected time window.

Topper snapshots are automatically enabled for all 120+ metrics

PCAP dump import w/ Trisul and Snort

If you wanted Trisul to integrate IDS alerts with other kinds of data, you had to do a 2-step manual process earlier. Now we have a nifty script called proctrisulids that does it all in one step.

cd /usr/local/share/trisul
./proctrisulids -c mydataset -p /home/demo/pcaps/pcap000

The script is documented here.

New TRP option to save PCAPs on server

With TRP you can run little Ruby scripts to automate the response process. Currently, the FILTERED_DATAGRAMS method lets you download the PCAPs to the machine running the scripts. This does not work very well when you have to download Gigabytes of packet capture. We added a new option called “PcapDisposition”/docs/ref/trpproto.html which lets you save large packet captures on the server and not download it to the machine running the TRP script.

See the trisul-scripts Github repo for a working sample.

Fix database

If your data slices ever get corrupted, mostly due to a bad hardware clock, you now have two tools to fix it. Go to Admin → Start/Stop Tasks → Database status – Then scroll down and locate the two new tools

  1. Delete slices older than XX – use this to manually remove very old data
  2. Fix database – use this to clean up inconsistent dates
Free Download Trisul 3.6 for Ubuntu or CentOS today.