We have a new build of Trisul 3.6 which has a few nifty enhancements.
Topper sketches over time
We added a new tab in Retro → Retro Counters that shows topper snapshots, also called sketches, over the selected time window.
Topper snapshots are automatically enabled for all 120+ metrics.
PCAP dump import w/ Trisul and Snort
If you wanted Trisul to integrate IDS alerts with other kinds of data, you previously had to do a two-step manual process. Now we have a nifty script called proctrisulids that does it all in one step.
cd /usr/local/share/trisul
./proctrisulids -c mydataset -p /home/demo/pcaps/pcap000
The script is documented here.
New TRP option to save PCAPs on server
With TRP you can run little Ruby scripts to automate the response process. Currently, the FILTERED_DATAGRAMS method lets you download the PCAPs to the machine running the scripts. This does not work very well when you have to download gigabytes of packet capture. We added a new option called “PcapDisposition” (see /docs/ref/trpproto.html) which lets you save large packet captures on the server rather than downloading them to the machine running the TRP script.
See the trisul-scripts Github repo for a working sample.
If your data slices ever get corrupted, mostly due to a bad hardware clock, you now have two tools to fix it. Go to Admin → Start/Stop Tasks → Database status, then scroll down and locate the two new tools:
- Delete slices older than XX – use this to manually remove very old data.
- Fix database – use this to clean up inconsistent dates.