21-Aug-2018 Versions: Hub 6.5.2815, Probe 6.5.2922, Web 6.5.2144
New Release Trisul 6.5
More powerful LUA scripting, UI, CLI and other features to make Network Security Monitoring even easier
A partial list of the most important features.
- FEATURE: Now supports multiple unix domain sockets to ingest from IDS
- FEATURE: NXDOMAIN and other DNS failures now trigger a minor alert
- SCRIPTING: Released the BITMAUL protocol dissector library
- CLI: Added help commands to all CLI trisulctl_probe commands
- NETFLOW: Added the IgnoreEgress option to skip redundantly configured Egress NF9/IPFIX
- and others
- FEATURE: Resources now partitioned by time to improve performance even further
- FEATURE: Max number of probes per Hub increased to 16 in non-Enterprise
- FEATURE: Brand new Time Selector
- FEATURE: Email log shows sent emails
- FEATURE: Dashboard creation made easier with boxes for every position
- FEATURE: Cardinality counters now show their proper description in Retro Counters
- Plus dozens of other smaller fixes
Trisul APPS are free extensions for real time analytics and visualization
- NEW APP: IOC-Harvestor pulls out network artifacts from multiple streams
- NEW APP: IP2LOCATION based Geo Metering. Adds ASN, COUNTRY, CITY, PROXY info
- NEW APP: AlienVault OTX integration to check your traffic against threat indicators
- NEW APP: HTTP-Proxy app for use when Trisul is deployed in a proxy environment
- NEW APP: Edge Vertex monitor shows volumes for each vertex
- UPDATED: JA3 Server signature added to TLS Fingerprint
- UPDATED: PCAP Totals dashboard shows all metrics in one place
For a more complete list see Trisul Release Announcement
Discover hidden networks
Save hours trying to hunt down X:Y relationships using older hunting techniques
Deploy multiple Trisul-Probes
Management CLI tools included
Comprehensive new LUA API
Fully scriptable platform
Use plain Lua language
File extraction, TCP reassembly, and a dozen other hooks
25-Apr-2018 Versions: Hub 6.5.2803, Probe 6.5.2883, Web 6.5.2127
New Major Release Trisul 6.5
Trisul 6.5 gets even better with our latest update. Monitor very high traffic loads with more stability and faster queries.
- NEW: Bottom-K added to all counters. Added to Retro Counters screen as well
- NEW: Flows now have microsecond timestamps, can be optionally turned off to save storage
- NEW: IPv6, MDNS, PTR record resources
- NEW: ERSPAN support to enable remote packet capture mode for Trisul
- API: LUA setFlowAttribute added to API
- API: LUA RE2 regex methods and options added
- STABILITY: Fixed an issue with the message monitor stream which could cause a deadlock under high load
- STABILITY: Fixed a potential crash: Flow stream events are now prevented outside of flow context by resetting the flow object to nullptr
- STABILITY: Filters are prevented from emitting flow stream metrics such as addflowcounter outside of flow context.
- FEAT: Bulkping: new tool to monitor thousands of endpoints for reachability
- PERF: Major perf update: the stream message sponge algorithm was changed to advance by only 1 sec to prevent deadlock.
- PERF: The previous sponge logic could deadlock at very high loads. Now solved.
- FEAT: SFLOW use sampledPacketSize directly
- FEAT: SFLOW VLAN Stats
- FEAT: Streaming analytics RAT monitor now has per-queue drop stats
- FEAT: URL Category now also uses SNI to classify sites
- FEAT: NetBIOS IP Resolver allow hyphens in names
- FEAT: Flow Database version update to allow microseconds in flow timestamps (start and end), optional to turn off to save space
- BUGFIX: Flow tracker was not correctly resolving NetFlow interface names; the GUID contained a lower-case character
- BUGFIX: Memory leak fixed in CounterItemRequest (with dbz/trfz yield)
- BUGFIX: Infinite loop in Cattrf caused by a missing check for interval_id. Fixed now.
- FEAT: QuerySessions Parallel query support added (MRMT)
- FEAT: TRPD Parallel Query for All : New option in trisulHubConfig.xml “Server>ParallelQueries”
- BUGFIX: CacheBuild caused ONE datapoint loss per day at midnight, off by one in loop. Fixed.
- BUGFIX: Migration of ConfigDB BottomNCount failed with a “no data to read” error. Fixed.
- NEW: Brand new Time Range selector added to all screens
- NEW: Progress bar added to all dashboards and long running query forms
- NEW: Netflow Router Interface resolver screen redesigned
- NEW: Netflow interface drilldown now shows real-time transmit and receive
- NEW: Real-time interface utilization with an all-in-one view (traffic, hosts, apps, flows)
- FEAT: Key space explorer: you can now enter ranges in CIDR notation, e.g. 192.168.0.0/16 instead of 192.168.0.0~192.168.255.255
- NEW: If SNMP is available, a live chart is added to Netflow Interfaces (added due to customer demand/usage)
- FEAT: All Flow screens updated to show microseconds for flow duration
- FEAT: InitDB is now run by webtrisul on a first (raw) install.
- FEAT: HTTPS fixes: previously webtrisulssld did not work with the Real Time WebSockets features
+ 100s of other small UI tweaks and fixes.
21-Jan-2018 Versions: Hub 6.5.2790, Probe 6.5.2866, Web 6.5.2107
New Major Release Trisul 6.5
We aimed for Release 6.5 to be the easiest way to deploy Network Security Monitoring and Traffic analytics in your network. Tons of new features and across the board improvements in performance, stability, and usability.
- New Docker Image released. All included NSM image ready to go.
- Bottom-K real time stacking option for any meter in any counter group
- Support very high resolutions for metrics. Tested with 1 sec and 100msec.
- Real Time Flow Monitoring much improved
- DNS resource now captures TXT, NS, MX and CNAME records for every request and response.
- HTTP URL resource now captures the request and response together with other metadata in a single resource
- Bulk PING tool latency measurement and up/down tracking and alerting
- Attach any number of new “key attributes” to a key. Eg, User-Agents to hosts
- FTS (full text search) in HTTP Headers, SSL Certs now lets you see related documents in flow
- NETFLOW: Click on interface to see apps, hosts, flows in real time.
- If TShark is installed on the Hub Node, View PCAP Headers adds TShark summary line automatically.
Performance and Miscellaneous fixes
- PCAP retrieval now shows up to 70% improvement in speed due to better indexing of blocks
- File Extraction: MD5 was being generated even for files that were not being extracted. Fixed.
- EDGE streaming Graph analytics now allows filter by vertex groups for less clutter
LUA API – new
- PDF Reports now have better graphics at 300 DPI
- Major performance improvements due to better indexing of packets, up to 50% improvement
- BadFellas (Intel Plugin) now adds Ransomware and SSL Certificates blacklists.
NEW APPS : The following new Trisul Apps have been released.
- TLS Fingerprint (JA3 hash)
- FireHOL blacklist checker.
- Security Overview Dashboard.
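The TLS Fingerprint app above computes JA3 hashes, and the August release adds the JA3 Server signature (JA3S). The following is an added example written for this page, not code from Trisul or from the TLS Fingerprint app: it parses a TLS 1.2 ClientHello record, builds the JA3 input string (version, cipher suites, extensions, supported groups, EC point formats, all in decimal) and MD5-hashes it, and builds JA3S from the ServerHello's version, chosen cipher and extensions. The ClientHello bytes are constructed inline for the demo (zeroed random, empty extension bodies except supported_groups and ec_point_formats); the one practical caveat it handles is GREASE: those values are random per connection and must be dropped, or the same client would produce a different fingerprint every time.

```python
"""JA3 / JA3S TLS fingerprints from handshake bytes (added example, not Trisul code)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Randomly inserted by
# browsers, so they are stripped before fingerprinting.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16_list(buf):
    """Split a byte string into big-endian 16-bit integers."""
    return list(struct.unpack("!%dH" % (len(buf) // 2), buf))


def _join(values):
    """Dash-join decimal values, dropping GREASE placeholders."""
    return "-".join(str(v) for v in values if v not in GREASE)


def parse_client_hello(record):
    """Extract the JA3-relevant fields from a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                   # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                             # client_version, random
    p += 1 + record[p]                      # session_id (length-prefixed)
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    ciphers = _u16_list(record[p:p + cs_len])
    p += cs_len
    p += 1 + record[p]                      # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    extensions, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        body = record[p + 4:p + 4 + elen]
        extensions.append(etype)
        if etype == 0x000a:                 # supported_groups: u16 length + u16 list
            groups = _u16_list(body[2:])
        elif etype == 0x000b:               # ec_point_formats: u8 length + u8 list
            formats = list(body[1:])
        p += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(f):
    """JA3 input: version,ciphers,extensions,groups,point_formats (decimal, dash-joined)."""
    return ",".join([str(f["version"]), _join(f["ciphers"]), _join(f["extensions"]),
                     _join(f["groups"]), _join(f["formats"])])


def ja3_hash(record):
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def ja3s_string(version, cipher, extensions):
    """JA3S uses only the ServerHello's version, selected cipher and extension list."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def ja3s_hash(version, cipher, extensions):
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()


def build_client_hello(version, ciphers, extensions, groups, formats):
    """Constructed ClientHello for the demo: zeroed random, no session id."""
    ext = b""
    for etype in extensions:
        if etype == 0x000a:
            body = struct.pack("!H", 2 * len(groups)) + struct.pack("!%dH" % len(groups), *groups)
        elif etype == 0x000b:
            body = bytes([len(formats)]) + bytes(formats)
        else:
            body = b""                      # other extension bodies are irrelevant to JA3
        ext += struct.pack("!HH", etype, len(body)) + body
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(ciphers)) + struct.pack("!%dH" % len(ciphers), *ciphers)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: TLS 1.2 ClientHello carrying one GREASE cipher and one GREASE extension.
SAMPLE = build_client_hello(0x0303, [0x0a0a, 0x1301, 0xc02b, 0xc02f],
                            [0x1a1a, 0x0000, 0x000a, 0x000b, 0x0010], [0x001d, 0x0017], [0])

if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE)))   # 771,4865-49195-49199,0-10-11-16,29-23,0
    print(ja3_hash(SAMPLE))
    print(ja3s_hash(771, 4865, [0, 43]))
```

Because the hash is over the exact ordering of ciphers and extensions, two ClientHellos that differ only in their GREASE values hash identically, which is what makes the fingerprint stable enough to key a detection on.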
For full release notes, check out our Forum announcement.