Suppose you wanted to do something like this:
Get a PCAP file containing full flow data of all Priority 1 alerts in the past 24 hours.
From the Trisul GUI, you can pull up all Priority 1 alerts in the past 24 hours, then click on Alert -> Flows and save each pcap. Works! This is, however, a highly objectionable use of a human mind and body. Even if you did it once, how can you get yourself to do this on 10 Trisul sensor machines? Daily.
This and similar tasks are the raison d'être for the Trisul Remote Protocol (TRP).
What is remote scripting?
The scripts you write execute on your local machine. They request remote data from Trisul as and when they need it. This allows you to connect to multiple Trisul instances and to use the language of your choice.
Much attention has been paid to the security aspect of TRP.
- Access Control List
- Client Certificate based TLS
- Messages use Google Protocol Buffers transport
You can learn more about the Trisul Remote Protocol from the documentation.
Let's have some fun
I just enabled TRP on our public demo server at trisul.org. Try out the code samples by connecting to trisul.org.
—
Trisul is a new system for fine grained network metering with powerful retro analysis capabilities. You may download it by visiting the home page.