New Trisul Network Analytics 6.5 Release, Jan 23 2018

admin

Hey Trisul users,

We are pleased to announce Trisul Network Analytics Release 6.5

Upgrade Note

Trisul users running 6.0 can simply uninstall the old release and then install this new one and they will be automatically upgraded.

For a high level summary of this release, check out our blog post Trisul 6.5 is now available

Here are details of what is new and what has improved,

New Package : Docker Image

Introduction of TrisulNSM a Docker Image containing everything you need to deploy a NSM and Traffic Analytics system in your enterprise. It is perfectly suited and scalable for point solutions upto 2Gbps. All parts included. Try it see for yourself.

Trisul-Probe : Version 6.5.2866

FEATURE: Bottom-K real time stacking option for any meter in any counter group
FEATURE: Real Time Flow Monitor now sketches Top-K by b/w per flow, or total volume, previsouly it was recent-K
FEATURE: Major updates to DNS-Resources extraction. DNS now captures NS,MX,CNAME for every flow
FEATURE: Major updates to URL-Resources extraction. request response with HTTP STatus and COntent Type captured in a single resource
FEATURE: Bulk PING tool latency measurement and up/down tracking and alerting
FEATURE: Key Attributes - attach any number of attribute to any key. Eg, User-Agents to hosts, SNMP settings to routers, etc.
FEATURE: Switch to NETFLOW mode and update License from the UI itself rather than having to login to the Trisul server.
FEATURE: Many real time stabber features added to Netflow. Click on interface to see top apps, hosts, conv in real time.
PERF: PCAP retrieval can show upto 70% improvement in speed due to better indexing of blocks
PERF: Filtered Counter Groups - eg streaming metrics for all "Apps on Host X" is dramatically faster when a large number of such counter groups are ppresent. Previously you can have 128 such counters, Release 6.5 allows 2000 at better performance. Useful for billing and host / host group specific ttracking applications.
BUGFIX: File Extractin - MD5 was being generated for files that were not being extracted by the "Save Binaries" App.
BUGFIX: Large number of HOME_NETWORKS caused erroneous calculation when prefix not specified correctly for even one.
BUGFIX: Netflow caused incorrect counts when Fragmented IP packets present, fixed template errors when multiple exporters present on one router instance.
MISC: Trisul EDGE Graph analytics you can now filter for specific vertex groups to clear the display if too crowded
MISC: Search flows by multiple Tags, flows to IN HTTPERR sn-1 ; flows to India with HTTP Error and which generated an IDS Priority alert.
MISC: Use CN in TLS Orgs if ORG is absent. Previously missing ORG would show up as WTF !
MISC: LUA API - error fix in add_alert(..) method. Bug fix - if you return false in onload(..) some script types were still loaded.
MISC: In streaming mode file extraction (eg when reconstructing an 100MB+ ISO PKG APK ZIP downloads) some of the filenames were not constructed.
this and many other minor issues and bugs were fixed in this release, representing three months of effort.

Trisul-Hub : Version 6.5.2790

FEATURE: FTS full text search in HTTP Headers, SSL Certs automatically adds source destition IP and ports as attributes of each document
FEATURE: Support FINE resolutions for metrics for some applications. Tested with 1 sec and 100msec.
FEATURE: FTS (Text search) search by flow attribtues as well.
MISC: Multi tag query for flows backend support
MISC: Query resources, use Regex to query across all fields.
MISC: Key Attributes backend support. Allows you ato add_attribute(..) to any key. View and manage from UI.
MISC: PING based latency measurements backend support
.. and many performance and stability enhancements on the backend hub system.

Web Trisul : Version 6.5.2107

FEATURE: NETFLOW interface explore now shows Top conversatios
FEATURE: NETFLOW use SNMPv3 to resolve inteface and router names
FEATURE: PING monitoring and latency dashboard
APP: New Trisul App "Security Overview"
FEATURE: If TSHARK is installed on Server, Packet retrieve shows TSHARK summaries in separate tab for quick analysis
MISC: UI font and theme change to reduce large text and clearer dashboards
MISC: License upload , view, and machineID retrieveal can all be done from UI
MISC: Show all available interfaces along with assigned IP (if any) , allows you to select interfaces for packet capture easily
MISC: Flows table shows RTT and Retransmissions per flow as new columns
MISC: PDF reports now use 300DPI for charts inside the reports
MISC: FTS - show documents in same flow option. allows you to troubleshoot resources like HTTP headers
BUGFIX: Fixed error in Bulk PCAP retrieval query plan. This happens when you want to retrieve multiple flows show in the table as a single PCAP file
FEATURE: New report Key Usage report. Generate and schedule report for any key. Eg customer IP, or any item
FEATURE: Email alerts, if there are meta fields inside the alert mailto: mailcc: mailsubject: those are used as email targets instead of the global settings. This can be used to send alerts to different teams.
MISC: Resource Query redesign, now a single form that can search widely based on Regex.
and dozens of other bug fixes and tweaks. This is overall a much improved version over the previous releases.

Trisul-Badfellas

FEATURE: Removed PALEVO-Tracker intel which has been discontinued
FEATURE: Added 6 other intel sources in the area of tracking FEODO, RANSOMWARE, and Malicious SSL Cert hashes.
FEATURE: Related App FireHOL adds key basic ability to alert on FireHOL list hits (a list with almost no false positives)

We will be talking about several of these features in detail in the coming days.

Enjoy,

Thanks