Automatic flow tagging in Trisul 2.6
Let's take a look at a new feature in Trisul called “Automatic Flow Tagging”. I am going to explain why you would want this feature in the first place, and then how to put it to use.
What is a flow tagger?
Flow tags are text labels that are assigned to flows. One flow can have an unlimited number of such tags. A flow tagger is a rule you create which determines what labels are applied to which flows.
Why do you want these tags?
First let me pose a couple of network analysis questions:
- Show me a list of flows that went to China or Ukraine.
- Show me all flows that generated an IDS alert.
Do you have the ability to answer these questions? The fact is that these kinds of queries are incredibly hard if you try to compute them post hoc: you would have to join every stored flow record against a geolocation database or an IDS alert log after the fact. With flow taggers these queries become practical because we apply the knowledge we have in real time, at the moment we see the flow. Why not just mark the flow then, so we can pick it out later?
Once flows are tagged you can :
- Search for flows by Tag Name
- Display all tags alongside each flow
- Run long-term queries by clicking on a tag
Example
The screenshot in the original post (not reproduced here) shows tags of the following types:
Type | Tag Text | What it means |
---|---|---|
Country | $CountryCode | Country code assigned to each flow (JP, US, DE, IN) |
Blacklist alerts | BL | Flow generated a Badfellas (malware blacklist) alert |
IDS alerts | IDS | Flow generated an IDS alert |
URL Category | $CategoryName | Category derived from the HTTP Host or URL (e.g. searchengines.BL) |
The Country and URL Category tags are examples of automatic flow taggers.
Automatic flow tagging
You can create tags manually based on any counter. For example, you can tag all flows from a particular MAC address with the string “gige-1”. These are called manual flow taggers. You can also assign tags automatically based on the keys of an arbitrary counter group.
So, if you wanted to tag flows with country codes, you can use an automatic flow tagger instead of creating 180 manual flow taggers, one for each country. Behind the scenes, the keys generated by the Country counter group (the country codes themselves) are assigned as labels to the flow. You can do this for any counter group.
Step-by-step instructions for creating these automatic flow taggers can be found in the Flow Taggers section of the documentation.
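To make the mechanism concrete, here is an added Python model of manual and automatic flow taggers. It is illustration only, not Trisul code and not the Trisul API: the counter group names, the flow records, the prefix-to-country table, the URL category table and the alert flags are all constructed sample data and assumptions, chosen so the script runs offline. A manual tagger matches one counter group key and attaches a fixed label; an automatic tagger attaches whatever key the counter group produced. Tagging happens once, when the flow is observed, and searching is then a plain index lookup rather than a post hoc join.

```python
"""Conceptual model of manual and automatic flow taggers.

Added example, not Trisul code and not the Trisul API. All flows, the
prefix-to-country table, the URL category table and the alert markers are
constructed sample data so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed lookup tables (RFC 5737 documentation prefixes, made-up assignments).
GEO_PREFIXES = [
    (ip_network("203.0.113.0/24"), "JP"),
    (ip_network("198.51.100.0/24"), "UA"),
    (ip_network("192.0.2.0/24"), "CN"),
]
HOST_CATEGORIES = {"search.example": "searchengines", "cdn.example": "cdn"}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_mac: str
    http_host: str = ""
    ids_alert: bool = False
    blacklisted: bool = False
    tags: set = field(default_factory=set)


def country_of(ip):
    """Longest-prefix style lookup over the constructed table; None when unknown."""
    addr = ip_address(ip)
    for net, cc in GEO_PREFIXES:
        if addr in net:
            return cc
    return None


# A counter group turns a flow into a key (or None when it does not apply).
# A metering engine would count traffic per key; taggers reuse that same key.
COUNTER_GROUPS = {
    "Country": lambda f: country_of(f.dst_ip),
    "URLCategory": lambda f: HOST_CATEGORIES.get(f.http_host),
    "SourceMAC": lambda f: f.src_mac,
    "Alerts": lambda f: "IDS" if f.ids_alert else None,
    "Blacklist": lambda f: "BL" if f.blacklisted else None,
}


class FlowTagger:
    """Applies tag rules at the moment a flow is seen and indexes flows by tag."""

    def __init__(self):
        self.manual = []          # (counter group, key, label)
        self.automatic = set()    # counter groups whose key becomes the label
        self.by_tag = defaultdict(list)
        self.flows = []

    def add_manual(self, group, key, label):
        self.manual.append((group, key, label))

    def add_automatic(self, group):
        self.automatic.add(group)

    def tags_for(self, flow):
        tags = set()
        keys = {g: fn(flow) for g, fn in COUNTER_GROUPS.items()}
        for group, key, label in self.manual:
            if keys.get(group) == key:
                tags.add(label)
        for group in self.automatic:
            if keys.get(group) is not None:
                tags.add(keys[group])
        return tags

    def observe(self, flow):
        # Tag once, in real time, with the knowledge available at that moment.
        flow.tags = self.tags_for(flow)
        self.flows.append(flow)
        for tag in flow.tags:
            self.by_tag[tag].append(flow)
        return flow.tags

    def search(self, *tags):
        """Flows carrying every requested tag: an index lookup, no post hoc join."""
        want = set(tags)
        return [f for f in self.flows if want <= f.tags]


def build_demo():
    """Constructed rule set and sample flows; returns the populated tagger."""
    tagger = FlowTagger()
    tagger.add_automatic("Country")        # label = country code key
    tagger.add_automatic("URLCategory")    # label = category key
    tagger.add_manual("SourceMAC", "00:11:22:33:44:55", "gige-1")
    tagger.add_manual("Alerts", "IDS", "IDS")
    tagger.add_manual("Blacklist", "BL", "BL")
    sample = [
        Flow("10.0.0.5", "203.0.113.9", "00:11:22:33:44:55", http_host="search.example"),
        Flow("10.0.0.6", "198.51.100.7", "aa:bb:cc:dd:ee:ff", ids_alert=True),
        Flow("10.0.0.7", "192.0.2.44", "00:11:22:33:44:55", ids_alert=True, blacklisted=True),
        Flow("10.0.0.8", "10.0.0.9", "aa:bb:cc:dd:ee:ff"),   # internal, no tags expected
    ]
    for f in sample:
        tagger.observe(f)
    return tagger


if __name__ == "__main__":
    t = build_demo()
    for f in t.flows:
        print(f.dst_ip, sorted(f.tags))
    print("IDS:", [f.dst_ip for f in t.search("IDS")])
    print("CN and IDS:", [f.dst_ip for f in t.search("CN", "IDS")])
```

The point to notice is that `search` never consults the geolocation table or the alert source again; all of that knowledge was folded into the tag set when the flow was first seen, which is exactly what makes the "China or Ukraine" and "generated an IDS alert" questions cheap to answer later. Flows that match no prefix and no rule simply carry no tags.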
We hope you enjoy this feature ! Feedback welcome.
Download Trisul 2.6 for Ubuntu or CentOS today.