Trisul - a new free tool for deep network visualization!
The trend these days is to collect as much information as possible from the network
and make it available for retrospective analysis from several angles. This strategy,
also known as "Network Security Monitoring", calls for tracking traffic statistics,
flows, resources, alerts, all the way to raw packets. The underlying idea is to make as
much information as possible available, in a correlated manner, to anyone performing
incident response.
A deep awareness of traffic characteristics is critical not only because it makes you
familiar with what and who is on your network but also because it is trustworthy.
You can't hide the fact that station-A sent X bytes to station-B, while it is easy to
evade IDS/IPS. Trisul is a new product that aims to use traffic metering as a basis for
network security monitoring. You can contrast this with the IDS-alert-centric approach that
projects like SGUIL [1] offer.
To be useful for an incident response application, traffic monitoring must
meet these three additional requirements:
1. Unsummarized: All flows and stats must be stored at their original resolution.
While summarization and rollups are great for capacity and bandwidth management,
they are enemies of forensic analysis.
2. Fine-grained metering: Basic bandwidth usage per host/app is insufficient.
You need to store more types of stats (IP, App, MAC, IPs, ASNs, HTTP Hosts,
Content Types, etc.) and more information per type (Totals, In, Out,
Connections, SYN, Alerts, etc.).
3. Linked to other types of data: Users should be able to jump from traffic data
to flows and even to raw packets. Other classification sources such as
blacklists, URL categories, and IDS alerts must tie into the traffic accounting.
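As an added illustration of these three requirements (example code written for this article, not Trisul's own code or its API), the following Python sketch keeps per-IP, per-app and per-HTTP-host meters (total, in, out, connections, SYN) in fixed 60-second buckets that are never rolled up, and lets a query over any key and time range return both the summed meters and the ids of the exact flows behind them. The flow records and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic):
# (timestamp, src_ip, dst_ip, app, bytes_out, bytes_in, syn, http_host)
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.9",  "http",  1200,  48000, 1, "updates.example"),
    (30,  "10.0.0.5", "203.0.113.9",  "http",  800,   2100,  1, "updates.example"),
    (75,  "10.0.0.7", "203.0.113.9",  "https", 600,   900,   1, None),
    (90,  "10.0.0.5", "198.51.100.2", "dns",   70,    150,   0, None),
    (130, "10.0.0.5", "203.0.113.9",  "http",  95000, 300,   1, "updates.example"),
]
METERS = ("total", "in", "out", "connections", "syn")

def new_meter():
    return {**{m: 0 for m in METERS}, "flows": []}

class TrafficMeter:
    """Per (type, key) counters in fixed time buckets, no rollup, linked to flow ids."""
    def __init__(self, interval=60):
        self.interval = interval
        self.counters = defaultdict(new_meter)  # (ctype, key, bucket) -> meter

    def _add(self, ctype, key, bucket, out_b, in_b, syn, flow_id):
        m = self.counters[(ctype, key, bucket)]
        m["out"] += out_b
        m["in"] += in_b
        m["total"] += out_b + in_b
        m["connections"] += 1
        m["syn"] += syn
        m["flows"].append(flow_id)  # the link back from a counter to its flows

    def ingest(self, flow_id, flow):
        ts, src, dst, app, out_b, in_b, syn, host = flow
        bucket = ts - ts % self.interval  # original resolution, never rolled up
        # One flow is accounted under several counter types at once.
        self._add("ip", src, bucket, out_b, in_b, syn, flow_id)
        self._add("ip", dst, bucket, in_b, out_b, syn, flow_id)  # peer sees direction flipped
        self._add("app", app, bucket, out_b, in_b, syn, flow_id)
        if host:
            self._add("http_host", host, bucket, out_b, in_b, syn, flow_id)

    def query(self, ctype, key, t0, t1):
        """Sum one key's meters over [t0, t1) and return the flow ids behind the number."""
        agg = new_meter()
        for (ct, k, b), m in self.counters.items():
            if ct == ctype and k == key and t0 <= b < t1:
                for f in METERS:
                    agg[f] += m[f]
                agg["flows"].extend(m["flows"])
        return agg

def build_meter():
    tm = TrafficMeter()
    for fid, flow in enumerate(FLOWS):
        tm.ingest(fid, flow)
    return tm
```

Querying a single 60-second bucket returns only the flows that fell in it, which is the forensic property a rollup would destroy.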
What about IDS/IPS alerts?
Intrusion Detection Systems are still very much relevant, but they are having a
tough time coping with today's threat scenario. Malware these days is carried in
mutant documents, application-level code injections, and even JavaScript. Command
and control channels have already moved to HTTP, most of them even encrypted.
Already stressed IDS systems now find themselves having to decompress, reassemble,
and inspect documents too. Nevertheless, IDSs are very competent at catching the
unsophisticated threats, so they add valuable context to traffic monitoring.
Trisul Network Metering and Forensics is a Linux-based system which enables you to
put the above ideas into practice quickly. Fine-grained traffic metering allows you to
gain deep visibility into your current and past network traffic. Trisul stores all flows,
statistics, and raw packets ready for long-term retrospective analysis. Flexible policies
allow you to optimize your disk resources for raw packets. A rich web interface as well
as a scripting API is available.
Good news - Trisul is free for monitoring a rolling 3-day window, which means Trisul will not
expire, but data older than 3 days will automatically drop off and no longer be available
for analysis. This is a great way to get started.
Please visit http://www.unleashnetworks.com/products/trisul.html then sign up and
download the software.
Author Bio: Vivek Rajagopalan is founder and CTO of Unleash Networks. He has been working on packet analysis for 8 years and before that on network monitoring for 8 years. He is the primary developer of Unsniff Network Analyzer, a multi-layer protocol analyzer, as well as Unbrowse SNMP, a diagnostic tool used by hundreds of corporations worldwide.
Article References:
[1] SGUIL - sguil.sourceforge.net