FAQ

Common questions about Trisul

FAQ

If you have a question and couldn’t find it here, just send us an email

BASICS

How does Trisul work

Trisul captures network traffic from one or more network interfaces. Each packet is then passed through a set of algorithms to compute various statistics. Flow records, resources (such as URLs), security alerts, are also generated. Finally the packets are tucked away for later investigation.

I am only interested in network usage monitoring. Can I use Trisul

Absolutely. You can turn off saving raw packets or flows. This bare bones version of Trisul is still a very powerful usage monitor.

Can I use Trisul with Netflow

Yes. If your security needs are limited, Netflow is an attractive option. Trisul can process Netflow feeds from routers instead of raw packets from a local interface.

How do I access Trisul

Web Trisul is the Ruby on Rails application that allows you to access Trisul. Also available is a protocol called TRP (Trisul Remote Protocol) which presents a way for clients to connect securely via TLS to interact with Trisul

How does Trisul do security alerts

Trisul accepts security alerts from Snort (to be installed separately by you). Snort writes alerts in binary format to a Unix socket, Trisul reads the alerts from the Unix socket and correlates them with statistics, flows, and raw packets.

CAPTURE

Is it feasible to save raw packets from a storage perspective

Trisul is most useful at the perimeters where the link speeds are still less than 100Mbps. However, Trisul comes with a very powerful mechanism to cut down on volume intelligently. You can specify various rules such as

* Save only headers for subnet X
* Save only the first 10MB for all sessions
* Save 100MB for sessions involving ports 3000-4000
* Dont save anything for subnet Y

This helps substantially with many enterprise tasks like site backups, antivirus pushes, software updates, etc.

What about the security of the raw packets

Trisul encrypts raw packets using the fast AES-128 cipher in CTR mode before storing them. So even if your server is stolen or compromised no one can get at the raw data.

How long can Trisul store data

Trisul’s data retention is solely determined by the disk space availability. You can dynamically add storage to boost data retention.

How can I scale Trisul ?

Trisul loves fast disks and more CPU cores.