Author: Vivek Rajagopalan

Vivek Rajagopalan is the a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets , very high speed networks, and helping track down the bad guys on the internet.

Quick introduction to Trisul Network Metering & Forensics

We are excited to announce the availability of  a spanking new product for network & security monitoring.  The name of the product is Trisul Network Metering and Forensics platform (or just Trisul ).  Trisul is the Sanskrit name for a Trident- the three pronged weapon used to destroy evil.

This is the first of a series of blog posts and screencasts where we will try to  explain the features of the product in depth.

What does it do differently

Trisul monitors traffic statistics at a very fine grained level. It then adds in flow data, raw packets, and optionally security alerts to give your analyst everything he/she needs while researching an incident. Trisul can also be used as a continuous monitoring platform providing network situational awareness to network teams.

So lets quickly look at each of these

Fine grained network monitoring

Network traffic monitoring lies at the core of Trisul. We like to call it traffic metering because Trisul continuously tracks key traffic meters at different layers.  Out of the box, Trisul tracks over 120+ meters and you can add your own custom rules.

Lets see a few examples

Simple meters :

  • Want to know  total bandwidth used by host X ? You got it
  • Want to find out total L2 broadcast traffic ? You got it
  • Want to know top Hosts by connections ? Yes

Complex meters :

  • Want to find out traffic by HTTP-Content-Type ? You got it
  • Want to find out traffic by HTTP Host ? You got it
  • Traffic by country, ASN ? Yes
  • How many new flows are being created / expired per second ? You got it

Combine meters :

  • Top internal hosts talking to China or Ukraine ? Yes

Now here is what is really cool and innovative about Trisul :  It  does not summarize of roll up any these meters. It stores them at the basic resolution for months. A customized map/reduce database technique allows instant long term reporting  at this resolution.

Flow data

Network monitoring can give you a picture of utilization but not about activity. It can tell you there was a surge of outbound traffic on Port-18000 around 4AM last night, but it cant tell you which hosts were responsible.

Enter flow data.

Trisul tracks bi-directional flows and stores them in a ready to report format. You can get sub 10-second responses for 100M flows /day.  Just like traffic meters, this flow data is stored unsummarized.  Trisul also has a special feature called a Flow Tracker which picks out the flows that might be most intriguing to you. An example of a flow tracker :  From millions of flows – Trisul can track separately the  flows that transferred most data out of your network.

We shall see in future blog posts, how this flow data can be leveraged with raw packets, alerts, and resources.

Raw packets

Infosec professionals have long known the value of raw packets in retrospective analysis.  Many security pros have built then own ways to delve into packets by stitching together various open source tools.  Trisul will make interacting with packets secure, flexible, and fast.

Some of the features :

  1. Policies for cutting down on storage requirements
  2. All caps encrypted by AES-256 CTR – disk subsystem never sees clear text packets
  3. Tiered architecture allows you to use a combination of disk technologies
  4. Sophisticated flow capping policies are available

Raw packets are not used by Trisul merely to pull up packets for  flows or  alerts. They are used in a breaking innovation of Unleash Networks called “Cross Drill”Cross drill allows you to answer questions that you cannot get from flow data.

Examples of Trisul Cross Drill

  • Which hosts consumed maximum amount of HTTP Content-Type “x/flv” ?
  • Which hosts in my network are talking to India ?

In future blog posts, we will expand on the cool things you can do with this raw packet storage.

Alerts

Trisul supports 4 types of alerts.

  1. Built in support for Threshold Crossing Alerts
  2. Built in support for Flow Tracker Alerts (suspicious flow activity)
  3. Built in support for Malware / Spam blacklist alerts (via the Badfellas plugin)
  4. Third party feed of alerts – current supports Snort and Suricata (via Barnyard2)

Lets look at the 4th type of alerts a bit closer (IDS alerts).

First, in many cases just the statistics/ flows/ pcaps features of Trisul are sufficient.  However, you can easily get  Trisul to meter and cross index IDS alerts as well.

Trisul can accept IDS alerts from a local instance of Snort/Suricata using the Unix Sockets feature of Snort or Barnyard2.

The benefits of correlating alerts to traffic are significant and in some cases even eye opening.  Trisul has many ways of looking at alert data with various grouping criteria. You can move from alerts to flows to pcaps. The great thing is all this is scriptable using the Trisul Remote Protocol.

Please read our documentation for more details and how to set things up.

Exciting times ahead for Network Security Monitoring teams.

Trisul getting ready

We have been working hard for the past few months in getting Trisul Network Metering and Forensics ready.

I would like to explain the reason why Trisul exists and how to use it in the next few posts.

So what is Trisul ?

Trisul is a powerful network traffic metering application.

  • Counts over 16 categories of traffic. From simple ones like hosts and applications to advanced ones like URL filter categories, HTTP content types, Country  etc.
  • Reconstructs flows and extracts resources requested of the network.
  • Indexes and stores the raw packets in a highly configurable layout. This allows optimal usage of disk space.

These features enable retro analysis while investigating traffic anomalies or security incidents. When in doubt you can always drop down to the flow or the raw pcaps.

The ideas in the book “Tao of Network Security Monitoring” provided the initial inspiration for Trisul. It has been reinforced by experiences in the field where security folks today run into too many blind alleys while investigating the past.

Is this the same open-source Trisul ?

We are the original and sole authors of the open-source Trisul Network Metering and Forensics found on Google code. Unfortunately, we are unable to continue that effort.  This version is not open source but can be made available to customers in a source code license form.

Platform

Trisul is available on the following platforms :

  • CentOS 5.3 and above 64-bit (recommended)
  • CentOS 5.3 and above  32-bit

Trisul can accept

  • packets via libpcap (default)
  • packets via Linux RX Ring
  • netflow

How to get it ?

Send an email to info at unleashnetworks requesting for a Trisul copy.

Visit the product page.

Getting alerts from Snort/Suricata into Trisul

Trisul meters network traffic, extracts flows, resources, and contains a powerful raw packet index.  While this is a very powerful feature set for monitoring and  retro analysis purposes, it would be great to correlate all of these with security alerts. You can arrange for Trisul to pick up security alerts generated by Snort or Suricata from a Unix socket .

This guide below explains how to set it up :

How to configure Snort and Suricata to send IDS alerts to Trisul

What it gives you

Here are some screenshots from processing about 40 million packets from the Defcon 17 trace set.

Dashboard view :

  • add alert widgets to any traffic or flow dashboard
  • click on Packets to get relevant packets that caused the alert in tcpdump format
  • click on Flows to get the flow the caused the alert and also “nearby related” flows
Dashboard view of alert activity
Dashboard view of alert activity

Resource view

This features is available even without Snort/Suricata but is worth mentioning in this context.

  • Trisul reassembles TCP flows (even those hopelessly fragmented) and pulls out resources requested. These correspond to services. The only resource type supported now is HTTP URLs
Resource on network
Resource on network

Aggregated alerts

You can view aggregated alerts for any period of time.

Aggregated alerts
Aggregated alerts

Performance Tip

The approach here does have a drawback in that both Suricata/Snort and Trisul look at the packet data. This is not optimal from a performance viewpoint as the same data takes on two lives in the cache. Due to GPL licensing issues, Trisul cannot simply “call out” to these two products while the cache is still hot. On fast networks (above 500Mbps) you may want to add a couple of extra cores and pin Suricata/Snort to those cores.

If you have CentOS 5.3 or above 64-bit you can download Trisul today.  The trial is full featured but only retains a 3-day window of data.