So what is Trisul Network Metering and Forensics?
Here is the Trisul login screen. I especially liked it because it captures the zen of network security monitoring so effectively.
We observe:
- a freeway with traffic in both directions (headlights on the right, tail lights on the left)
- vehicles moving very fast
- it's twilight, so we can see, kind of
Now imagine we are asked to keep tabs on what types of cars went by, which semi trucks are suspiciously overloaded, and which cars make unusual trips. This is roughly what we ask of network security monitoring.
Trisul approaches NSM from a traffic-monitoring-centric position. Contrast that with Sguil, which approaches it from an alert-centric position.
- Trisul contains powerful long-term metering and top-N tracking
- Stores full content in an efficient AES-128-CTR encrypted ring buffer
- Tracks flows
- Accepts alerts from third-party tools (Snort input via Unix sockets; Unified2 support to accept Suricata alerts is in progress)
- Rule-based full-content engine (e.g. track only the first MB, exclude a subnet, headers only, etc.)
- Pulls out and saves HTTP transactions (IP/TCP reassembly can handle bad fragments)
Let's deep-dive into Trisul in the next few posts.