12.12. Trisul Apps
Trisul Apps are plugins to enhance the capabilities of Trisul.
12.12.1 Plugin apps to extend Trisul
You can install, upgrade, or uninstall Trisul Apps right from the web interface.
Check Proxy Settings first if your Trisul server reaches the internet through a proxy.
To access Trisul Apps, log in as the admin user.
From there you can install, upgrade, or uninstall Trisul Apps.
Currently the only enabled repository is https://github.com/trisulnsm/apps
12.12.3 Types of apps
There are three types of Trisul Apps:
- JS Dashboard – dashboards written in JavaScript (listed as JS Dashboard Apps below)
- Packaged Dashboard – Modules and Dashboards shared by other users (listed as Shared Dashboard Apps below)
- LUA Analytics – Custom streaming analytics
Click README on an app for its instructions. Some of the LUA Analytics Apps need you to enable certain features within Trisul before they work.
Deployment on Probes
When you install a Trisul App, it is automatically deployed to all Probe nodes.
12.12.4 Creating your own apps
You can clone the trisulnsm/apps repository to see how an app is assembled.
Each app lives in its own directory containing:
- pkg.yaml – information about the app and the list of files to be included
- README.md – instructions
- thumbnail.png – image shown in the Web UI
- file1, file2, ... – all other files shipped with the app
12.12.5 List of Apps
Here is a list of all the available apps. New apps are added regularly; to see the latest list go to trisulnsm/apps.
JS Dashboard Apps

| App | Description |
|---|---|
| CIDR Explore Flows | View host, app and protocol toppers for CIDR tagger subnets |
| Country Analytics Drilldown | View country mappings for routers and interfaces |
| Daily Key Report | Shows a daily usage report for a key |
| Edge vertex Monitor | Shows a usage report for the selected GUID, meters and keys |
| Geo IP Lookup | Shows the IP lookup: AS number, AS path, country, etc. |
| ISP Country Analytics | View country mappings for routers and interfaces |
| ISP External Prefixes Analytics | View external prefix mappings for routers and interfaces |
| ISP OTT App Analytics | View OTT app mappings for routers and interfaces |
| | Top level dashboard for an ISP. Shows ASN, peers, prefixes and BGP KPIs for the ISP |
| ISP Router Geo Map | View the country locations of your routers on a vector map |
| | L2 IXP Traffic Analytics. Traffic matrix at Internet Exchange Points: per member, with the traffic history of each RX/TX flow for planning and billing |
| Interface Traffic Matrix | View interface-to-interface traffic flows: a complete and long-term accurate view of interface-to-interface transmit and receive traffic flows within a router |
| Key Space Explorer | Search the whole active key space and get total usage |
| Multi Probe Charts | Draw a multi-probe chart showing data from all probes. You can plot any counter group, key and meter |
| | Shows duration, total bandwidth, packets and flows; the total number of resources (HTTP, DNS, SSL) and FTS; the total number of alerts for all alert groups (IDS, Blacklist, Flow Tracking, Threshold Crossing); and the number of keys in each counter group |
| | Shows the top used AS paths. Route Per Hop Analytics: receive usage of the busiest route segments |
| | View ASN traffic maps for routers and interfaces |
| Peering Analytics Drilldown | View ASN mappings for routers and interfaces |
| Prefix Analytics Drilldown | View prefix mappings for routers and interfaces |
| Protocol Tree Viewer | View metrics in a protocol tree |
| | Show a Sankey chart for a crosskey filter counter group |
| | Search keys to check for any usage activity in your network |
| Security Overview – Internal Hosts | Shows IDS and Badfellas alert counts for internal hosts |
| Super search host | Search all hosts by domain name and print the total usage of each |
| Usage Activity Heatmap | Shows key usage activity in a D3 day/hour heatmap, hour by hour for the last 7 days. You can plot any key with any meter |
| SNMP vs Netflow | Compare NetFlow traffic with SNMP traffic from interfaces |
Shared Dashboard Apps

| App | Description |
|---|---|
| DNS Custom Metrics and dashboards | |
| ISP Dashboard Pack | Some useful dashboards for ISP analytics. Dashboards include prefix analysis, Int, Ext and toppers |
| | This dashboard shows CPU usage, memory usage, packet drops, disk bandwidth for PCAPs, read IOPS, write IOPS and stream flush performance, along with total bandwidth |
| Save Binaries Monitoring | Monitor performance metrics of file extraction: files extracted per minute, throughput, skipped files, top file types with extraction rate over time, etc. |
| | This dashboard shows the top inbound sources and destinations, the top outbound sources and destinations, and the top apps with their top sources and destinations |
| | Dashboard for the TCP Analysis App. Shows latency and retransmissions for internal and external hosts, hosts with a high retransmission rate and timed-out flows, and poor quality flows with more than 5% retransmission rate |
Lua Analytics Apps

| App | Description |
|---|---|
| | Scan your traffic against AlienVault OTX intel. Needs the IOC-Harvestor app and an AlienVault OTX key |
| | FireHOL is a well curated set of IPs that must be blocked. Shows alerts if activity is seen from the FireHOL blacklist |
| Flexible CIDR Tagger | Adds CIDR tags to flows and lets you search quickly for all flows of an entire subnet |
| | Geo metrics based on the IP2Location databases: country, ASN, city and proxy |
| | Checks active/standby routers |
| | Interprets the HTTP and CONNECT methods to give you total visibility in proxy environments such as Squid |
| | Harvests intel items into a single resource stream from different places in the Trisul pipeline |
| Passive DNS Extractor | Builds a real-time LevelDB database of IP to host name lookups. A number of apps can be built on top of this mapping. Requires leveldb installed on the probes |
| | Monitor thousands of endpoints for reachability and measure latency and packet loss. Emails you when nodes go down |
| Protocol Tree Metrics | Break-up of traffic by protocol, not just the final protocol but by IP/IPv6/TCP/UDP |
| Prune Encrypted PCAP | Dramatically reduces disk storage and throughput requirements by automatically pruning raw PCAP storage: high volume trusted and encrypted traffic (YouTube, Netflix, Facebook, etc.) is excluded. NOTE: this requires the Passive DNS Creator plugin |
| Prune TLS from PCAP storage | Dramatically reduces disk IOPS and storage by not storing SSL/TLS traffic on port 443. The app prunes traffic on 443 only after inspecting the bytes at the start of the flow to confirm that a TLS handshake is present. It also prunes Google QUIC on UDP 443, as used by YouTube |
| SNI TLS Metrics | The Server Name Indication TLS extension allows multi-homing of HTTPS servers behind a single IP. This app uses the SNI hostname to measure traffic carried over TLS that would otherwise be opaque |
| | Basic SNMP poller to measure traffic on interfaces. Requires the snmp package on the probes |
| | Detects SSH tunnel activity, which can indicate a serious deep breach undetectable by firewalls and IDS |
| | Extracts files that are potentially malicious into a directory |
| Squid Proxy Metrics | Extracts metrics from explicit proxy servers which use CONNECT type tunnels. This is the most common type of proxy |
| Suricata via EVE UnixSocket | Listens for alerts from Suricata in EVE format on a Unix DGRAM socket |
| | Identifies hosts and apps experiencing TCP performance issues by tracking retransmissions, connection setup latency and timeouts. Marks flows experiencing high retransmissions with a flow tag |
| | TLS fingerprinting can be used to identify TLS/SSL client applications, including malware |
| TLS Metrics Pack | Generates extra metrics and relationships in TLS traffic |
| | Uses the Cisco Umbrella Top 1M list to mark and measure DNS hits for domains outside the Cisco Umbrella Top 1 Million |
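The two TLS checks that the Prune TLS from PCAP storage and SNI TLS Metrics apps depend on, as an added example in Python (not Trisul's own Lua code or anything from the trisulnsm/apps repository): confirm that the first bytes of a TCP/443 flow really are a TLS handshake before deciding to drop its PCAP, and walk the ClientHello to pull out the server_name. The helper names, the pruning rule `should_prune` and the constructed ClientHello are this example's own assumptions; the QUIC-on-UDP/443 case the app also handles is not covered here.

```python
"""TLS ClientHello detection and SNI extraction from the first bytes of a flow.

Added example, not Trisul's or the apps repository's own code. Helper names
and the constructed ClientHello below are this example's own.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # server_name extension id
MAX_RECORD = 16384 + 2048   # largest legal TLS record (plaintext + expansion)


def is_tls_handshake_start(payload: bytes) -> bool:
    """True if a client's first bytes are a TLS handshake record carrying a ClientHello.

    Record header: content_type(1) version(2) length(2); the handshake message
    type follows. Checking these bytes is what lets a pruning decision ignore
    non-TLS traffic that merely uses port 443.
    """
    if len(payload) < 6:
        return False
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or vmaj != 3 or vmin > 4:
        return False
    if rlen == 0 or rlen > MAX_RECORD:
        return False
    return payload[5] == CLIENT_HELLO


def extract_sni(payload: bytes) -> Optional[str]:
    """Walk the ClientHello and return the host_name from server_name, or None if absent or truncated."""
    if not is_tls_handshake_start(payload):
        return None
    rlen = struct.unpack("!H", payload[3:5])[0]
    rec = payload[5:5 + rlen]
    if len(rec) < 4:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) < hs_len:               # record cut short: never trust a partial parse
        return None
    pos = 34                             # client_version(2) + random(32)
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                 # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                 # compression_methods
    if len(body) < pos + 2:              # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(edata) < 5:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if ntype == 0 and len(name) == nlen:   # host_name entry, fully present
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


def should_prune(payload: bytes, dst_port: int, is_tcp: bool) -> bool:
    """Pruning rule for the TCP side: drop PCAP only for port 443 flows that really start with TLS."""
    return is_tcp and dst_port == 443 and is_tls_handshake_start(payload)


def build_client_hello(sni: str) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with one SNI entry (test input, not a capture)."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32            # version + random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # compression: null only
            + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(should_prune(hello, 443, True), extract_sni(hello))   # True www.example.com
    print(should_prune(b"GET / HTTP/1.1\r\n", 443, True))       # False: plain HTTP on 443 is kept
```

A flow on port 443 whose first bytes are not a handshake record (plain HTTP, a tunnelled protocol, or a truncated capture) is deliberately kept rather than pruned, and a ClientHello that is cut short yields no SNI instead of a partial name.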
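The collector side of what the Suricata via EVE UnixSocket app does, as an added example in Python (not the app's own code): bind a Unix DGRAM socket, read one EVE JSON event per datagram, keep only `alert` events and normalize them into a compact record. The function names and the sample events are this example's own constructions; nothing here is captured traffic.

```python
"""Receive Suricata EVE alerts over a Unix DGRAM socket and normalize them.

Added example, not Trisul's or the app's own code. Function names and the
sample events below are this example's own.
"""
import json
import os
import socket
import tempfile
from typing import List, Optional

# Constructed EVE datagrams: one alert, one non-alert (flow) event, one corrupt datagram.
SAMPLE_EVENTS = [
    json.dumps({
        "timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "192.0.2.10", "dest_port": 80,
        "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
                  "signature": "LOCAL TEST constructed alert", "category": "Misc activity",
                  "severity": 3},
    }).encode() + b"\n",
    json.dumps({"timestamp": "2024-01-01T00:00:01.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10"}).encode() + b"\n",
    b"\xff\xfe not json\n",
]


def parse_eve_datagram(raw: bytes) -> Optional[dict]:
    """Decode one EVE JSON datagram; keep only alert events, as a compact record.

    Malformed input is dropped rather than raised: a collector fed by a
    datagram socket must not die on one bad message.
    """
    try:
        ev = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(ev, dict) or ev.get("event_type") != "alert":
        return None
    alert = ev.get("alert") or {}
    return {
        "timestamp": ev.get("timestamp"),
        "src_ip": ev.get("src_ip"), "src_port": ev.get("src_port"),
        "dest_ip": ev.get("dest_ip"), "dest_port": ev.get("dest_port"),
        "proto": ev.get("proto"),
        "signature_id": alert.get("signature_id"),
        "signature": alert.get("signature"),
        "severity": alert.get("severity"),
    }


def open_eve_socket(path: str) -> socket.socket:
    """Bind the Unix DGRAM socket Suricata will send to, and restrict who may write to it."""
    if os.path.exists(path):
        os.unlink(path)                    # stale socket file from a previous run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o660)                  # suricata and collector users only
    return sock


def drain_alerts(sock: socket.socket, max_datagrams: int, timeout: float = 1.0) -> List[dict]:
    """Read up to max_datagrams from the socket and return the parsed alerts."""
    sock.settimeout(timeout)
    alerts = []
    for _ in range(max_datagrams):
        try:
            data = sock.recv(65536)        # one EVE event per datagram
        except socket.timeout:
            break
        rec = parse_eve_datagram(data)
        if rec is not None:
            alerts.append(rec)
    return alerts


def demo() -> List[dict]:
    """Stand-alone run: play the constructed events into a temporary socket and collect the alerts."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "eve.sock")
    server = open_eve_socket(path)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        for ev in SAMPLE_EVENTS:
            sender.sendto(ev, path)
        return drain_alerts(server, len(SAMPLE_EVENTS))
    finally:
        sender.close()
        server.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for a in demo():
        print(a["timestamp"], a["src_ip"], "->", a["dest_ip"], a["signature_id"], a["signature"])
```

On the Suricata side this pairs with an `eve-log` output in suricata.yaml whose `filetype` is `unix_dgram` and whose `filename` is the socket path bound above; the socket file must exist before Suricata starts, and its permissions should let only the Suricata and collector users write to it, since anything that can write to the socket can inject alerts.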