21-Aug-2018Versions: Hub 6.5.2815, Probe 6.5.2922, Web 6.5.2144

03-Dec-2018 : New minor Release Trisul 6.5

This release introduces new features to help with Flow Analytics.
Read the Blog Post : Aggregate flows and Export to Excel features

Release Highlights

A partial list of the most important features.

Trisul Probe
  • FEATURE: Now supports multiple unix domain sockets to ingest from IDS
  • FEATURE: NXDOMAIN and other DNS failures triggers a minor alert
  • SCRIPTING: Released the BITMAUL protocol dissector library
  • CLI: Added help commands to all CLI trisulctl_probe commands
  • NETFLOW: Added option IgnoreEgress option to skip redundantly configured Egress NF9/IPFIX
  • and others
Trisul Hub
  • FEATURE: Resources now partitioned by time to improve performance even further
  • FEATURE: Max number of probes per Hub increased to 16 in non-Enterprise
Web Interface
  • FEATURE: Brand new Time Selector
  • FEATURE: Email log shows sent emails
  • FEATURE: Dashboard creation made easier with boxes for every position
  • FEATURE: Cardinality counters proper description is now showin Retro Counters
  • Plus dozens of other smaller fixes
Trisul Apps

Trisul APPS are free extensions for real time analytics and visualization

  • NEW APP: IOC-Harvestor pulls out network artifacts from multiple streams
  • NEW APP: IP2LOCATION based Geo Metering. Adds ASN, COUNTRY, CITY, PROXY info
  • NEW APP: AlienVault OTX integration to check your traffic against threat indicators
  • NEW APP: HTTP-Proxy app when deployed in a proxy environment
  • NEW APP: Edge Vertex monitor shows volumes for each vertex
  • UPDATED: JA3 Server signature added to TLS Fingerprint
  • UPDATED: PCAP Totals dashboard shows all metrics in one place

For a more complete list see Trisul Release Announcement

Graph Analytics

Discover hidden networks

Save hours trying to hunt down X:Y relationships using older hunting techniques

Distributed Probes/Hub

Deploy multiple Trisul-Probes

Management CLI tools included

Comprehensive new LUA API

Fully scriptable platform

Use plain Lua language

File extraction, TCP reassembly, and a dozen other hooks

Older releases

25-Apr-2018 Versions: Hub 6.5.2803, Probe 6.5.2883, Web 6.5.2127

New Major Release Trisul 6.5
Trisul 6.5 gets even better with our latest update. Monitor very high traffic loads with more stability and faster queries.

Release details

  • NEW: Bottom-K added to all counters. Added to Retro Counters screen as well
  • NEW: Flows now have microsecond timestamps, can be optionally turned off to save storage
  • NEW: IPv6, MDNS, PTR record resources
  • NEW: ERSPAN support to enable remove packet capture mode for Trisul
  • API: LUA setFlowAttribute added to API
  • API: LUA RE2 regex methods and options added
  • STABILITY: Fixed an issue with message monitor stream, which can cause deadlock in high load
  • STABILITY: Fixed a potential crash, prevent Flow stream events outside of flow context, by resetting the flow object to nullptr
  • STABILITY: Filters prevented from doing flow stream metrics like addflowcoutner outside of flow context.
  • FEAT: Bulkping : New tool to monitoring thousands of endpoints for reachability
  • PERF: Major perf update, stream message sponge algorithm change, advanced only by 1sec to prevent deadlock.
  • PERF: Previous sponge logic can cause deadlock at very high loads. Now solved.
  • FEAT: SFLOW use sampledPacketSize directly
  • FEAT: Streaming analytics RAT monitor, now we have per-queue drop stats
  • FEAT: URL Category now also uses SNI to classifiy sites
  • FEAT: NetBIOS IP Resolver allow hyphens in names
  • FEAT: Flow Database version update to allow microseconds in flow timestamps (start and end), optional to turn off to save space
  • BUGFIX: Flow tracker was not correctly resolving netflow interface names , guid had a lower case char
  • BUGFIX: Memory leak fixed in CounterItemRequest (with dbz/trfz yield)
  • BUGFIX: Due to lack of checking for interval_id , Cattrf infinite loop bug. fixed now.
  • FEAT: QuerySessions Parallel query support added (MRMT)
  • FEAT: TRPD Parallel Query for All : New option in trisulHubConfig.xml “Server>ParallelQueries”
  • BUGFIX: CacheBuild caused ONE datapoint loss per day at midnight, off by one in loop. Fixed.
  • BUGFIX: Migration ConfigDB BottomNCount error due to “no data to read” error
  • NEW: Brand new Time Range selector added to add screens
  • NEW: Progress bar added to all dashboards and long running query forms
  • NEW: Netflow Router Interface resolver screen redesigned,
  • NEW: Netflow interface drilldown Real time transmit and receive
  • NEW: RealTime interface utilization with all in one view(traffic,host,app,flows)
  • FEAT: Key space explorer , you can now enter in CIDR format. Eg instead of
  • NEW: If SNMP available, Live chart added to Netflow Interfaces due to cust demand/usage
  • FEAT: All Flow screens updated to show Microseconds for flow duration
  • FEAT: InitDB done on 1st raw install by webtrisul.
  • FEAT: HTTPS fixes, previously webtrisulssld was not working with the Real Time Websockets features
    + 100s of other small UI tweaks and fixes.

21-Jan-2018 Versions: Hub 6.5.2790, Probe 6.5.2866, Web 6.5.2107

New Major Release Trisul 6.5
We aimed for Release 6.5 to be the easiest way to deploy Network Security Monitoring and Traffic analytics in your network. Tons of new features and across the board improvements in performance, stability, and usability.

Release details

New Features
  • New Docker Image released. All included NSM image ready to go.
  • Bottom-K real time stacking option for any meter in any counter group
  • Support very high resolutions for metrics. Tested with 1 sec and 100msec.
  • Real Time Flow Monitoring much improved
  • DNS resource now captures TXT,NS,MX,CNAME for every request and response.
  • HTTP URL resources now captures request response with other metadata in a single resource
  • Bulk PING tool latency measurement and up/down tracking and alerting
  • Attach any number of new “key attributes” to a key. Eg, User-Agents to hosts
  • FTS (full text search) in HTTP Headers, SSL Certs now lets you see related documents in flow
  • NETFLOW: Click on interface to see apps, hosts, flows in real time.
  • If TShark is installed on the Hub Node, View PCAP Headers adds TShark summary line automatically.
Performance and Miscellaneous fixes
  • PCAP retrieval now shows upto 70% improvement in speed due to better indexing of blocks
  • File Extraction. MD5 was being generated for even those files not being extracted
  • EDGE streaming Graph analytics now allows filter by vertex groups for less clutter
  • LUA API – new set_key_attribute(..) method.
  • PDF Reports now have better graphics at 300 DPI
  • Major performance improvements due to better indexing of packets, up to 50% improvement
  • BadFellas (Intel Plugin) now adds Ransomware and SSL Certificates blacklists.
New Apps
  • NEW APPS : The following new Trisul Apps have been released.
    • TLS Fingerprint (JA3 hash),
    • FireHOL blacklist checker.
    • Security Overview Dashboard.

for full release notes, check out our Forum announcement