Trisul 2.2 officially supports Ubuntu 32-bit (Security Onion)

Trisul 2.2 now officially supports Ubuntu 32-bit builds. This is the result of user requests to get Trisul running on the Security Onion distro.

Here are instructions to get Trisul running on Security Onion.

The following Trisul plugins which were previously only available on 64-bit platforms are now available for 32-bit Ubuntu as well.

  • Badfellas – Compare your traffic against public blacklists and flag the bad ones
  • URLFilter – Your web traffic counted by category (News/Radio/Porn/Blogs/etc.)
  • Geo – Traffic by country and ASN

How does Trisul fit in with the other tools in the distro

First of all, Security Onion is a complete and capable NSM distro out of the box. Trisul can run alongside all the other tools without disturbing your running configuration. Trisul adds traffic monitoring and overlaps with some of the existing tools in function, but it introduces no conflicts: it is just another way for you to get to the data.

Let's take a quick look at the overlaps:

  • Traffic – No overlap with any tool. Use Trisul to monitor traffic patterns both in real time and historically.
  • Flows – Overlaps with Argus. Trisul tracks and stores all TCP/UDP flows just like Argus, and can pull the packets belonging to any flow.
  • Real time alerts – Overlaps with Sguil. Trisul, however, has no workflow to escalate events.
  • Historical alerts – Overlaps with Squert.
  • Packets – Overlaps with Daemonlogger/Snort. Trisul goes a bit further in that it lets you specify rules to cut down on storage, and it encrypts the on-disk captures.
  • HTTP URLs – Overlaps with httpry.
  • DNS names – No overlap.

Free

Trisul is completely free for monitoring the most recent 3-day window. The model we follow is Splunk's: give a highly usable product away for free, but leave enough on the plate for us to do this full time. There are no nags or weird tricks.

Try out Trisul on Ubuntu 32-bit

Trisul 2.2 is ready – real time is the theme!

We just released Trisul 2.2. The real time stabbers from 2.1 have had a complete overhaul. The star of this release, however, is the Real Time Alert Stabber. I believe this is the first web-based real-time IDS alert console. What's even better, it is written purely using open standards (no Flash).

d3.js made the visualization possible

The challenge was to not only present incoming alerts but to create an effective visualization.

  • Animate alert activity so the screen looks alive
  • High level of interaction
  • Handle SVG and tabular representations of the same data
  • Create two interconnected layouts – one on a time scale and one aggregated
  • Cheap updates – keep redraws to a minimum
  • Purely client side

I stumbled upon d3.js, created by Mike Bostock, and I would like to say that we could not have developed such a complex UI without d3. Once you get over the initial learning curve, d3 feels so right. I have started thinking in terms of enter(), update(), exit() and data() for all dynamic UIs now. In return, I owe it to d3 to spread the word about this great library and to help explain how this console was constructed.
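To make the enter/update/exit idea concrete, here is an added example that is not Trisul's code and does not use d3 itself: a plain-JavaScript model of the data join, applied to the two layouts described above (a sliding time window and an aggregation by signature). The alert records, signature ids, window length and radius formula are all constructed assumptions for illustration. The point it shows is why the join keeps redraws cheap: each incoming batch only creates bubbles for new signatures, resizes the ones already drawn, and removes the ones whose alerts have left the window.

```javascript
// Added example, not Trisul's code and not d3 itself: a plain-JavaScript
// model of the d3 enter/update/exit data join driving a real-time alert
// bubble layout. All alert records and signature ids are constructed.

// One alert as the console receives it: signature id, time (seconds), source.
const batch1 = [
  { sid: 2001, ts: 100, src: "10.0.0.5" },
  { sid: 2002, ts: 101, src: "10.0.0.7" },
  { sid: 2001, ts: 102, src: "10.0.0.9" },
];

// Aggregated layout: one bubble per signature, sized by alert count.
function aggregate(alerts) {
  const bySid = new Map();
  for (const a of alerts) {
    const cur = bySid.get(a.sid) || { sid: a.sid, count: 0, last: 0 };
    cur.count += 1;
    cur.last = Math.max(cur.last, a.ts);
    bySid.set(a.sid, cur);
  }
  return [...bySid.values()];
}

// Bubble area proportional to count, so radius grows with sqrt(count).
function radius(count) {
  return 4 * Math.sqrt(count);
}

// The data join: compare the new data against the nodes already on screen
// and partition it into enter (new key), update (existing key) and exit
// (key no longer present in the data).
function join(nodes, data, key) {
  const enter = [], update = [], exit = [];
  const seen = new Set();
  for (const d of data) {
    const k = key(d);
    seen.add(k);
    (nodes.has(k) ? update : enter).push(d);
  }
  for (const k of nodes.keys()) if (!seen.has(k)) exit.push(k);
  return { enter, update, exit };
}

// A console that keeps a sliding time window (the time-scale layout) and a
// map of drawn bubbles keyed by sid (the aggregated layout). Each push only
// touches the bubbles whose data changed, which is what keeps redraws cheap.
function makeAlertConsole(windowSecs) {
  let history = [];
  const nodes = new Map(); // sid -> { sid, count, r }
  return {
    nodes,
    push(alerts, now) {
      // Alerts older than the window fall off the time scale.
      history = history.concat(alerts).filter((a) => a.ts >= now - windowSecs);
      const { enter, update, exit } = join(nodes, aggregate(history), (d) => d.sid);
      for (const d of enter) nodes.set(d.sid, { sid: d.sid, count: d.count, r: radius(d.count) });
      for (const d of update) {
        const n = nodes.get(d.sid);
        n.count = d.count;
        n.r = radius(d.count);
      }
      for (const k of exit) nodes.delete(k);
      return { entered: enter.length, updated: update.length, exited: exit.length, drawn: nodes.size };
    },
  };
}

const alertConsole = makeAlertConsole(10);
console.log(alertConsole.push(batch1, 102)); // { entered: 2, updated: 0, exited: 0, drawn: 2 }
```

In real d3 the three partitions are what `selection.data(data, key).enter()`, the update selection and `.exit()` give you; the key function is what makes a bubble keep its identity (and its animation state) across batches instead of being recreated each time.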


Sneak peek at new Trisul feature

For the past 10 days we have been hacking non-stop on our latest Trisul feature, the Real Time Alert Stabber. This will be our fourth real time stabber, after statistics, toppers and flows. It has been the most rewarding dev fortnight in a long time, because we discovered the power of the awesome d3.js, which drives our brand new interactive bubble layout.

Trisul 2.2, which will include this feature, will be released early next week. Here is a screenshot of the UI. We will also have a demo up!

Real time alert stabber