Trisul tidbit – multicore ready uses Intel TBB

I re-architected Trisul after months of intense coding to be able to take advantage of multiple cores. I just want to share the approach I took for this project.

The options I evaluated were:

  • Flow pinning (as in Suricata, the new IDS engine)
    • Each packet is mapped to a hardware thread by hashing its tuple, so one thread sees all packets of a flow
  • Work stealing
    • Idle hardware threads take queued work from busy ones (see Cilk)

Flow pinning turned in disappointing results, largely because:

  • While Trisul does flow tracking and reassembly, the main chunk of the code deals with metering (counting hundreds of data points based on payload content), and that cost is not tied to the flow a packet belongs to
  • Work is hard to balance across threads using tuples alone
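To make those two points concrete, here is an added example in C++ (written for this page; it is not Trisul's or Suricata's code) of what flow pinning looks like. A symmetric hash of the 5-tuple picks the hardware thread, so both directions of a connection reach the same reassembler, and a constructed trace with one bulk transfer shows why a tuple-only mapping cannot balance the metering work. The hash, the struct names and the trace are illustrative assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <utility>
#include <vector>

// 5-tuple of a packet; addresses kept in host byte order for brevity (assumption).
struct FlowKey { uint32_t src_ip; uint32_t dst_ip; uint16_t src_port; uint16_t dst_port; uint8_t proto; };
struct Pkt { FlowKey key; uint32_t len; };

// The same connection seen from the other direction.
FlowKey reverse_key(const FlowKey& k) { return {k.dst_ip, k.src_ip, k.dst_port, k.src_port, k.proto}; }

// FNV-1a over the canonically ordered tuple: the lower (ip, port) endpoint is
// hashed first, so A->B and B->A produce the same value. Without this a pinned
// design could not reassemble a TCP stream on one thread.
uint32_t flow_hash(const FlowKey& k) {
    uint32_t a_ip = k.src_ip, b_ip = k.dst_ip;
    uint16_t a_pt = k.src_port, b_pt = k.dst_port;
    if (a_ip > b_ip || (a_ip == b_ip && a_pt > b_pt)) { std::swap(a_ip, b_ip); std::swap(a_pt, b_pt); }
    uint32_t h = 2166136261u;
    auto mix = [&h](uint32_t v, int bytes) {
        for (int i = 0; i < bytes; ++i) { h ^= (v >> (8 * i)) & 0xffu; h *= 16777619u; }
    };
    mix(a_ip, 4); mix(a_pt, 2); mix(b_ip, 4); mix(b_pt, 2); mix(k.proto, 1);
    return h;
}

// Flow pinning: the hash alone decides which hardware thread meters the packet.
unsigned pin_thread(const FlowKey& k, unsigned nthreads) { return flow_hash(k) % nthreads; }

// Bytes each thread would have to process for a whole trace.
std::vector<uint64_t> bytes_per_thread(const std::vector<Pkt>& trace, unsigned nthreads) {
    std::vector<uint64_t> load(nthreads, 0);
    for (const Pkt& p : trace) load[pin_thread(p.key, nthreads)] += p.len;
    return load;
}

// Share of all bytes that the busiest thread got; 1/nthreads would be perfect balance.
double max_share(const std::vector<uint64_t>& load) {
    uint64_t total = std::accumulate(load.begin(), load.end(), uint64_t{0});
    if (total == 0) return 0.0;
    return double(*std::max_element(load.begin(), load.end())) / double(total);
}

// Constructed trace (not a real capture): one long-lived bulk transfer plus
// many short DNS flows. Tuple hashing cannot split the bulk transfer, so
// whichever thread it lands on does almost all of the metering work.
std::vector<Pkt> make_skewed_trace() {
    std::vector<Pkt> t;
    FlowKey elephant{0x0A000001u, 0xC0A80005u, 51234, 443, 6};
    for (int i = 0; i < 1000; ++i)
        t.push_back({i % 2 ? elephant : reverse_key(elephant), 1400});  // both directions present
    for (uint32_t m = 0; m < 50; ++m) {
        FlowKey mouse{0x0A000100u + m, 0x08080808u, uint16_t(40000 + m), 53, 17};
        for (int i = 0; i < 10; ++i) t.push_back({mouse, 100});
    }
    return t;
}

int main() {
    std::vector<uint64_t> load = bytes_per_thread(make_skewed_trace(), 4);
    for (size_t i = 0; i < load.size(); ++i) std::printf("thread %zu: %llu bytes\n", i, (unsigned long long)load[i]);
    std::printf("busiest thread share: %.3f\n", max_share(load));  // well above the ideal 0.25
    return 0;
}
```

Run it and one of the four threads ends up with more than 96% of the bytes while the others idle, which is exactly the imbalance the list above describes; adding threads does not help, because the elephant flow can only ever go to one of them.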

Intel's Threading Building Blocks (TBB) is the way to go if you want to build on the Cilk-style work-stealing model. What's more, you get a lot of extra goodies like concurrent containers, atomics and native threading wrappers.

Armed with TBB, Trisul is now implemented entirely as a pipeline with a few serial filters and dozens of parallel filters. The advantage of the pipeline pattern is that a packet's data is still "hot" in cache when the next filter runs on it, so a lot of code runs without refetching from memory.
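As an added illustration of the pipeline pattern (not Trisul's code, and deliberately written against the C++ standard library rather than TBB so it builds anywhere), the sketch below mirrors the serial_in_order / parallel / serial_in_order filter structure of a TBB pipeline: a serial input filter stamps packets with a sequence number, a parallel metering filter that any idle worker can run does the payload inspection, and a serial in-order output filter folds results into the counters in trace order, so the counters need no locks of their own. The token limit plays the role of TBB's maximum number of live tokens. The packet fields, the metering rule and the trace are constructed for the example.

```cpp
#include <algorithm>
#include <condition_variable>
#include <cstdint>
#include <cstdio>
#include <map>
#include <mutex>
#include <queue>
#include <string>
#include <thread>
#include <vector>

// Constructed packet record standing in for a decoded frame (assumption).
struct Packet { uint64_t seq; uint16_t dst_port; uint32_t len; std::string payload; };
// Per-packet metering result produced by the parallel filter.
struct Meter { uint64_t seq; uint16_t dst_port; uint32_t len; bool http; };
// Counters owned by the serial output filter; 'order' records the seq values as folded in.
struct Totals {
    uint64_t packets = 0, bytes = 0, http_requests = 0;
    std::map<uint16_t, uint64_t> bytes_by_port;
    std::vector<uint64_t> order;
};

// Bounded queue between the input and parallel filters: its capacity is the
// number of packets allowed in flight, like TBB's live-token limit.
template <typename T> class BoundedQueue {
public:
    explicit BoundedQueue(size_t cap) : cap_(cap) {}
    void push(T item) {
        std::unique_lock<std::mutex> lk(m_);
        not_full_.wait(lk, [&] { return q_.size() < cap_; });
        q_.push(std::move(item));
        not_empty_.notify_one();
    }
    void close() { std::lock_guard<std::mutex> lk(m_); closed_ = true; not_empty_.notify_all(); }
    bool pop(T& out) {   // returns false once closed and drained
        std::unique_lock<std::mutex> lk(m_);
        not_empty_.wait(lk, [&] { return !q_.empty() || closed_; });
        if (q_.empty()) return false;
        out = std::move(q_.front()); q_.pop();
        not_full_.notify_one();
        return true;
    }
private:
    size_t cap_; bool closed_ = false; std::queue<T> q_; std::mutex m_;
    std::condition_variable not_full_, not_empty_;
};

// The parallel filter's work: payload inspection is the expensive part in a
// metering engine; the stand-in rule here just spots an HTTP request line.
Meter meter_packet(const Packet& p) {
    bool http = p.payload.compare(0, 4, "GET ") == 0 || p.payload.compare(0, 5, "POST ") == 0;
    return Meter{p.seq, p.dst_port, p.len, http};
}

Totals run_pipeline(const std::vector<Packet>& trace, unsigned workers, size_t tokens) {
    BoundedQueue<Packet> in(tokens);
    std::mutex ro_m; std::condition_variable ro_cv; std::map<uint64_t, Meter> pending;  // reorder buffer
    Totals totals;
    // Serial in-order output filter: consumes results strictly by seq, so it
    // alone touches the counters and no lock is needed on them.
    std::thread out([&] {
        for (uint64_t next = 0; next < trace.size(); ++next) {
            std::unique_lock<std::mutex> lk(ro_m);
            ro_cv.wait(lk, [&] { return pending.count(next) != 0; });
            auto it = pending.find(next); Meter m = it->second; pending.erase(it);
            lk.unlock();
            totals.packets++; totals.bytes += m.len; totals.bytes_by_port[m.dst_port] += m.len;
            if (m.http) totals.http_requests++;
            totals.order.push_back(m.seq);
        }
    });
    // Parallel filter: whichever worker is idle takes the next packet; nothing is pinned.
    std::vector<std::thread> pool;
    for (unsigned i = 0; i < workers; ++i)
        pool.emplace_back([&] {
            Packet p;
            while (in.pop(p)) {
                Meter m = meter_packet(p);
                { std::lock_guard<std::mutex> lk(ro_m); pending.emplace(m.seq, m); }
                ro_cv.notify_all();
            }
        });
    // Serial in-order input filter, run on the calling thread: stamps sequence numbers.
    uint64_t seq = 0;
    for (Packet p : trace) { p.seq = seq++; in.push(std::move(p)); }
    in.close();
    for (auto& t : pool) t.join();
    out.join();
    return totals;
}

// Constructed trace (not a real capture): ports cycle 80/443/53, sizes grow, every other port-80 packet is an HTTP GET.
std::vector<Packet> make_trace(size_t n) {
    std::vector<Packet> t; t.reserve(n);
    for (size_t i = 0; i < n; ++i) {
        Packet p; p.seq = 0;
        p.dst_port = (i % 3 == 0) ? 80 : (i % 3 == 1) ? 443 : 53;
        p.len = static_cast<uint32_t>(64 + (i % 1400));
        p.payload = (p.dst_port == 80 && i % 2 == 0) ? "GET /index.html HTTP/1.1\r\n" : "not-http";
        t.push_back(p);
    }
    return t;
}

int main() {
    unsigned workers = std::max(2u, std::thread::hardware_concurrency());
    Totals t = run_pipeline(make_trace(300), workers, 8);
    std::printf("packets=%llu bytes=%llu http=%llu port80=%llu in_order=%d\n",
                (unsigned long long)t.packets, (unsigned long long)t.bytes, (unsigned long long)t.http_requests,
                (unsigned long long)t.bytes_by_port[80], std::is_sorted(t.order.begin(), t.order.end()) ? 1 : 0);
    return 0;
}
```

The reorder buffer is what lets the output stage stay serial and in order while the metering stage runs on every core; in a real TBB pipeline that buffering is done for you by the serial_in_order filter mode, and the token limit bounds how far the parallel stage can run ahead of it.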

The end results are very encouraging.

Here is a screenshot of Trisul chewing through the 11GB of packet traces from the LBL-ICSI Enterprise Tracing Project.

340.7% CPU utilization, evenly balanced across cores, and almost 3.2 times the speed of a single hardware thread!

New article on SNMPv3 INFORMs and software updates

Of late I have been seeing a good number of Unbrowse SNMP customers using SNMPv3 INFORM messages. This is pleasantly surprising because I had written off this baby as being too complex to set up.

Here is an article explaining how to set up Unbrowse SNMP to receive and respond to SNMPv3 INFORM messages. It covers both cases: a provisioned Engine ID (as on Cisco) and Engine ID discovery.

The following software updates are also available for download:

  • Unbrowse SNMP 1.6.1296
  • Juniper MIB Packages

Trisul NSM platform intro

So what is Trisul Network Metering and Forensics?

Here is the Trisul login screen. I especially liked it because it captures the zen of network security monitoring so effectively.

We observe

  • a freeway with traffic in both directions (headlights on the right, taillights on the left)
  • vehicles moving very fast
  • twilight: we can see, kind of

Now imagine we are asked to keep tabs on what types of cars went by, which semi trucks are suspiciously overloaded, and which cars make unusual trips. This is roughly what we are asking of network security monitoring.

Trisul approaches NSM from a traffic-monitoring-centric position. Contrast that with Sguil, which approaches it from an alert-centric position.

  • Powerful long-term metering and top-N tracking
  • Stores full content in an efficient AES-128-CTR encrypted ring buffer
  • Tracks flows
  • Accepts alerts from third-party sensors (Snort via Unix sockets; Unified2 support for Suricata is in progress)
  • Rule-based full-content engine (e.g. store only the first MB of a flow, exclude a subnet, headers only)
  • Pulls out and saves HTTP transactions (IP/TCP reassembly handles malformed fragmentation)

Let's deep dive into Trisul in the next few posts.