Screencast of Trisul monthly alert calendar

Screenr rocks !

I just put together a screencast explaining the new monthly alert calendar feature. In case anyone had a doubt if I was a developer-geek or a suit, this ought to clear it up.


A note about screenr :

I had almost convinced myself that the wallet needed to be opened to buy a copy of Camtasia. I found screenr but was intimidated by two gotchas.

  • You had to record at one shot – not easy to edit or splice
  • No callouts or other tools available

Upon checking out lots of screenr videos, I changed my mind (closed the wallet). I actually like the rough and authentic look and feel of a screenr compared to the edited and polished output of a Camtasia.

I had to do a dozen redo’s of the above screencast, but now I have the hang of it. If you make an error correct it and keep going.

Embedding in WordPress :

If your screenr fails to embed in wordpress –

  1. Login as admin
  2. Go to Settings -> Media
  3. Ensure that the maximum width and height in the Embed section are set (mine is 600×500)

Enjoy !

Vivek

New monthly alert calendar in Trisul

We have had a good number of people download Trisul in the past few days.

In the meantime, we pushed out a new feature called the Alert Calendar. Please get the new builds now to update.

Trisul alerts
Groups alert activity by priority by day

Since, Trisul is a metering platform – you can generate this calendar for any counter.

Some applications :

  • Traffic by IN/OUT per host per day
  • Malware alerts per day (using the Trisul Badfellas plugin)

In the screenshot above, Trisul will show you alerts grouped by Priority. You can click on the totals and get a further breakup grouped by type.

Reminder to self : Get some screencasts out now !

Download Trisul today.

Remember Trisul is completely free (with no strings attached) for monitoring a rolling 3-day window.

    Using policies to control packet storage for NSM

    Making raw network packets available during  Incident Detection or Response (IDR) is a key goal of Trisul.   I encourage you to read the Tao Security blog  on the importance of keeping everything around.

    If you look at investigations like GhostNet or Shadows in the Cloud,  it would be immediately apparent how easy and comprehensive it could have been if everything (packets, flows, statistics) were  available to the investigating team.

    Lets take a look at two of the issues with storing raw packets.

    • Volume “Are you crazy ? We cant possibly store everything” Many organizations consider the very proposition of storing packets insane. To a certain extent it is true.  If you monitoring their WAN links, you could probably store everything.  But if you are monitoring their high traffic internal switches – you would quickly run out of disk. 
    • Privacy : Storing raw pcaps in the clear of your entire organizations traffic on a set of disks is a major security hole.  You need to protect the NSM tool with a much higher level of security than you protect your main assets. You also have issues of failed disks, re-purposing disks, sharing NAS storage with other applications, etc.

    Lets look at the approach Trisul has taken to address the above two concerns.

    Volume

    Here is an interesting anecdote. We installed Trisul at a medium size company with 1000+ employees in Bangalore. It was monitoring an internal switch by port mirroring packets into the Trisul box.  They had a 500GB disk dedicated to Trisul, but we found that at best we could hold 2 days worth of data.  This was intriguing because we never found the users to be that busy online or even internally.  After digging through, we found that two things were filling up Trisuls raw packet storage :

    • A daily Anti Virus  push to all machines
    • A daily full offsite backup of their code and data

    These two activities were from trusted end points.  The truly paranoid would not even trust these machines, but the sysadmins vouched for their trustworthiness.  We needed a way to prune this traffic out of the raw packet storage.

    With Trisul, you can specify rules to

    • exclude traffic based on various criteria : exclude subnets, hosts, applications, even MACs
    • cap traffic per flow : say only store 10M of each flow

    Read our product documentation for more on this.

    Privacy

    This is a major concern especially in small or medium companies which may not have very well defined separation of monitoring and production networks.

    Trisul deals with this by,

    • Encrypting all packets stored by the stream cipher AES-256 CTR
    • The disk subsystem never sees clear text packets
    • The encryption key can be protected by the same methods you use to protect Apache or Nginx keys

    While this is not 100% fool proof, it addresses most of the concerns. An intruder cannot just pick up a disk volume and do a ‘dd’ on it.

    Interface

    Being able to script this task of digging through data is critical. Simply because you are human.  Trisul provides a programmatic remote scripting interface called Trisul Remote Protocol.  Your script runs on your local machine but requests data processing on the Trisul server.  Check out our getting started tutorial with Ruby and TRP.

    I encourage everyone who is into security incident response to give Trisul a try.   If you want to monitor a rolling 3-day window, Trisul is completely free.