Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » Scripting » Introduction to Trisul Scripting for Bro IDS users
Trace:
scripting:introbro

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
scripting:introbro [2018/09/28 19:16] – [Two scripting pipelines in Trisul] veerascripting:introbro [2018/09/28 19:32] – [Two scripting pipelines in Trisul] veera
Line 27: Line 27:
 ^ Feature ^ Bro ^ Trisul ^ ^ Feature ^ Bro ^ Trisul ^
 |language | .bro language | LuaJIT  | |language | .bro language | LuaJIT  |
-|protocol decoding | Bro framework provides fine grained events representing protocol fields to your script.  | Trisul framework provides a lower level access to the raw payload bytes for a protocolYou have to decode it yourself. It is not as hard as it sounds, you can use the BITMAUL library to dissect protocols to the depth you want |+|docs|[[https://www.bro.org/sphinx/scripting/index.html#understanding-bro-scripts|Bro Scripting]]|[[https://www.trisul.org/docs/lua/|Trisul LUA API]] | 
 +|protocol decoding | Bro framework provides fine grained events representing protocol fields to your script.  | Trisul framework provides a lower level access to the payload itself, or for some common protocols the results of Trisul's built in dissectionDecoding a payload isnt as hard as it sounds, we released the open source [[https://github.com/trisulnsm/bitmaul|BITMAUL library]] to dissect protocols to the depth you want|
 |events | fine grained "typed" events. For example ''dns_A6_reply(..)'' event contains parsed fields for the DNS AAAA reply record |loose documents in a canonical text format.  In Trisul, //DNS Resource// is a text dump of a DNS transaction in a canonical DIG format. You can pick the fields you want using Regex. This means you have a dramatically lower number of events to deal with and are free to decode packets to the depth you want.    |events | fine grained "typed" events. For example ''dns_A6_reply(..)'' event contains parsed fields for the DNS AAAA reply record |loose documents in a canonical text format.  In Trisul, //DNS Resource// is a text dump of a DNS transaction in a canonical DIG format. You can pick the fields you want using Regex. This means you have a dramatically lower number of events to deal with and are free to decode packets to the depth you want.   
 |extending | you can write C code and integrate it to your Bro scripting using a *.bif file. This involves a binary compile process |leverages LuaJIT FFI to directly call library functions | |extending | you can write C code and integrate it to your Bro scripting using a *.bif file. This involves a binary compile process |leverages LuaJIT FFI to directly call library functions |
Line 35: Line 36:
 |threading|single with load balanced workers | multithreaded with load balanced threads, this allows for very fast state sharing between multiple threads using message passing. During development and debugging you can turn it into a single threaded system | |threading|single with load balanced workers | multithreaded with load balanced threads, this allows for very fast state sharing between multiple threads using message passing. During development and debugging you can turn it into a single threaded system |
 |async|yes|yes - you can have a deferred execution of a LUA code block| |async|yes|yes - you can have a deferred execution of a LUA code block|
-|intel|intel framework|Essentially we use a LevelDB library via FFI to dump all the Intel items and use that to lookup threat indicators|+|intel|intel framework|you can choose your own framework. We like to dump all threat intel into a LevelDB database using LuaJIT FFI to access LevelDB. You can choose any other system. |
 |packaging|Yes - Bro packages| Yes - Trisul APPs |  |packaging|Yes - Bro packages| Yes - Trisul APPs | 
-|example|JA3 TLS Fingerprint written [[ https://github.com/salesforce/ja3/tree/master/bro|in Bro]]  | JA3 [[https://github.com/trisulnsm/apps/blob/master/analyzers/tls-print/jahash.lua|written in Trisul]] notice how in Trisul we parse the TLS record manually, while in BRO we use the typed 'ssl_client_hello()' event. The Trisul code is longer because we are adding a lot of metrics and graph analytics in the plugin |   +|example|JA3 TLS Fingerprint written [[ https://github.com/salesforce/ja3/tree/master/bro|in Bro]]  | JA3 [[https://github.com/trisulnsm/apps/blob/master/analyzers/tls-print/jahash.lua|written in Trisul]] notice how in Trisul we parse the TLS record manually, while in BRO we use the typed events like  ''ssl_client_hello()'' , ''ssl_extensions()'' etc which are supplied by Bro. With Trisul, you have slightly more work to do with the parsing the protocol, but you are independent of what the framework supplies. The Trisul code is longer because we are adding a lot of metrics and graph analytics in the script |   
-|docs|[[https://www.bro.org/sphinx/scripting/index.html#understanding-bro-scripts|Bro Scripting]]|[[https://www.trisul.org/docs/lua/|Trisul LUA API]] |+|disadvantage| - | LuaJIT has a 2GB limit on total memory use, therefore your scripts cant allocate too much memoryUse Trisul aggregations instead of building large lookup tables or use LevelDB to store data. 
  
  
Line 56: Line 57:
  
  
 +To conclude, this was a quick introduction to Trisul scripting. We will be diving deeper into each of the areas in the coming days. 
scripting/introbro.txt · Last modified: 2024/06/04 17:08 by thiyagu