Docs Home User Guide

Contents

Alerts

Trisul can generate 4 different types of alerts. Once you get a good feel of what normal traffic looks like in your network, you can configure various types of alerting. This will enable you to spend lesser time in front of Trisul and move towards monitoring exceptions.

With alerts, Trisul provides the ability to :

  • Pull out the raw packet that caused the alert and related nearby packets
  • Pull out related nearby flows around the alert
  • Monitor alert activity over time
  • View stats for top attackers, top victims, top alert signatures, etc
  • Correlate with related traffic statistics such as TCP SYN volume, ARP, ICMP floods, etc

  • Threshold Crossing Alerts

    Notifies you when ever any meter crosses pre-configured hi and lo water marks.

  • Flow Tracker Alerts

    Monitor suspicious flow activity. For example, you can be alerted whenever anyone from within your organization uploads 20MB or more.

  • Intrusion Alerts (IDS)

    This is the most important type of alert from a security perspective. Trisul interfaces with popular IDS systems like Snort/Suricata by listening on a Unix Socket. It then correlates the alert information with other traffic metrics. The highlight of Trisul’s support for IDS alerts is the Real Time Alert Visualization – an animated real time view of alerts as they come in. This provides the perfect jumping point for deeper investigations.

  • Blacklist alerts (Badfellas)

    Another very important security alert. If you install the Badfellas plugin, Trisul will continuously monitor your traffic and hold it up against millions of blacklisted entities. Any traffic that trips one of the blacklists, be it spam, phishing attacks, botnet C&C, is flagged.