Introduction to Trisul Scripting for Bro IDS users

Bro IDS is a popular open source network analysis platform. A key feature of Bro IDS is its custom Bro scripting language, which lets you write scripts that extend the functionality of the platform. Trisul Network Analytics is also a platform that can be extended by writing scripts. This page introduces the Trisul Scripting API for readers who are already familiar with Bro IDS scripting.

Trisul API

Trisul is built from the ground up to be a full streaming analytics platform. This includes both the packet analytics and the streaming database. This can be a bit confusing to Bro scripters, who focus on generating logs. In Trisul, you work with metrics and with other data types such as resources, flows, documents and graphs. We will get to them later.

To illustrate with an example, say you are calculating TLS fingerprints from network traffic:

  • In Bro, you would write a script that adds the fingerprint to the connection/flow log.
  • In Trisul, you would create a new counter group for TLS fingerprints and count each fingerprint there. You can also mark the flows as in Bro, or create graph edges, but the main focus is on metrics.
scripting/introbro.1538138848.txt.gz · Last modified: 2018/09/28 18:17 by veera