Object Engine
The Trisul metrics engine.
You call methods on this object to add metrics, objects, flows, or other types of information.
π This is the most important object you will be working with.
Functions and typesβ
A summary of the functions available in this object.
- F β functions that can be called from Frontend scripts
- B β functions that can be called from Backend scripts
If you call functions that are not available you will get the following error
ERR_NOTAVAIL: add_flow_counter() is not available for backend scripts
| Name | Availability | Description |
|---|---|---|
| update_counter | F B | Updates a meter for a key with a particular value |
| update_counter_bytes | F | Updates a meter for a key but with a value of wire_length in the packet |
| update_counter_raw | F B | Update counter raw is a variant of update_counter. |
| update_key_info | F B | Set a user friendly label or a description for a key |
| add_alert | F B | Add an alert |
| add_alert_full | F B | Same as add alert with with a priority and classification. Used for IDS alert types |
| add_alert_tca | F B | For alerts based on metric values and threshold crossing events` |
| add_resource | F B | Add a new resource with metadata and contents to Trisul |
| timestamp | F B | The latest timestamp seen by the engine |
| add_flow_counter | F | Add a flow counter |
| reset_flow_counter | F | Removes all flow counters, then does an add_flow_counter |
| tag_flow | F B | Tag a flow with a label. Y |
| instanceid | F B | Engine Instance identifier |
| probeid | F B | Trisul probe id of the engine |
| update_flow | F | Update a flow based metric |
| new_flow_record | F | Inform framework about a new flow record |
| set_flow_duration | F | Set the duration of the flow in seconds |
| disable_reassembly | F | Stop TCP reassembly of this flow |
| post_message_frontend | F B | Post a message to other LUA plugins attached to the packet (frontend) pipeline |
| post_message_backend | F B | Post a message to other LUA plugins in the metrics (backend) pipeline |
| add_edge | F B | Add a single edge to the Trisul Streaming Graph Analytics pipeline |
| add_flow_edges | F B | Automatically add edges from a network flow to a given vertex. |
| set_key_attribute | F B | Set an arbitrary {attribute-name,value}\ pair for any key |
| add_flow_attribute | F B | Add an {attribute-name,value} pair for any flow for other Lua script to pick up. |
Function update_counterβ
Adds a single metric to the Trisul platform.
Purposeβ
Update a counter with a value. Recall that the heirarchy in Trisul is
- Counter Group example
Applications- Key example
pop3- Meter example meter
id = 5 Active Connections
- Meter example meter
- Key example
Also seeβ
Use update_counter_raw if
- you are updating
GAUGEorAVERAGEmeter data types - you are updating more than 8 metrics for the same key
Parametersβ
| counter guid | guid string | the counter group you want to update |
|---|---|---|
| key | string | the unique key within the counter group |
| meter | number | the metric id within the counter group |
| value | number | the metric value |
Return valueβ
None
Usageβ
..
-- update the Hosts counter group identified by the GUID {4CD..}
-- the Host identified by 182.28.22.123
-- the Meter 1 (received bytes)
-- with the value 288278
--
engine:update_counter( "{4CD742B1-C1CA-4708-BE78-0FCA2EB01A87}", "182.28.22.123", 1, 288378)
Function update_counter_bytesβ
FRONTEND ONLY
Adds a single metric to the Trisul framework. Same as update_counter but where the metric value is the packet wire length.
Purposeβ
When used with simplecounter and other front end scripts β this method adds a metric with the wire length of the packet context in which it is called.
Parametersβ
| counter guid | guid string | the counter group you want to update |
|---|---|---|
| key | string | the unique key within the counter group |
| meter | number | the metric id within the counter group |
Return valueβ
None
Usageβ
This method is only available on frontend scripts.
Function update_counter_rawβ
A variation of update_counter
Purposeβ
This does exactly the same thing as update_counter with the following difference.
- this version has a slightly lower performance
- use this method if you want to update a large number of keys for a single counter group . More than 8 keys
- you are updating
GAUGEorAVERAGEmeter data types
Parametersβ
| counter guid | guid string | the counter group you want to update |
|---|---|---|
| key | string | the unique key within the counter group |
| meter | number | the metric id within the counter group |
| value | number | the value of the meter |
Return valueβ
None
Usageβ
--
-- we are updating 6 keys for a single counter group
-- for this kind of updating use the 'raw' version
--
engine:update_counter_raw("{D2AAD7C6-...}", "user_1", 1, 100)
engine:update_counter_raw("{D2AAD7C6-...}", "user_11", 1, 10)
engine:update_counter_raw("{D2AAD7C6-...}", "user_2", 1, 200)
engine:update_counter_raw("{D2AAD7C6-...}", "user_33", 1, 3200)
engine:update_counter_raw("{D2AAD7C6-...}", "user_34", 1, 300)
engine:update_counter_raw("{D2AAD7C6-...}", "user_44", 1, 23200)
Function update_key_infoβ
Set a user friendly label for a key.
Purposeβ
Set a user friendly label or a description for a particular key. For example : to assign a hostname to an IP address
Parametersβ
| counter group id | guid string | the counter group id of the counter |
|---|---|---|
| key | string | the key |
| label | string | the human friendly label attached to the key |
| description (optional) | string | more information |
Return valueβ
None
Usageβ
..
--
-- to assign a label "Router1_10G_1" to the MAC address "0A:11:21.BA:00:02"
-- the GUID "{4B0.." represents the MAC Counter Group
--
engine:update_key_info( "{4B09BD22-3B99-40FC-8215-94A430EA0A35}", "0A:11:21:BA:00:02", "Router1_10G_1")
..
Function add_alertβ
Add an alert to the Trisul framework.
Purposeβ
Lets you add a simple alert to the Trisul pipeline. This simple version only contains a priority, alert-type, and description. Also see add_alert_full and add_alert_tca for more specific variants.
Parametersβ
| alert guid | guid string | Identifies the type of alert. See GUIDs |
|---|---|---|
| flowkey | string or nil | the flowid string of the flow which caused the alert. nil if alert not related to a particular flow |
| alertkey | string | the type of alert within the group. Think of this as a Signature ID |
| priority | number | the alert priority. typically 1 = high, 2 = medium, 3 = low. But you can use your priorities if you are using your own alert groups |
| message | string | a dispatch message |
Return valueβ
None
Usageβ
The following example adds a Priority 1 alert to the general purpose User Alerts group.
engine:add_alert("{B5F1DECB-51D5-4395-B71B-6FA730B772D9}", -- GUID for 'User Alerts' group
resource:flow():id(), -- flow ID
"RAMNIT-DETECTED", -- alert key , think of this as a SigID
1, -- priority
"A potential EK was detected message =" -- free form text alert
)
Function add_alert_fullβ
Add an alert to the Trisul framework with all bells and whistles.
Purposeβ
Same as add_alert but with classification and priority fields. To make it compatible with alerts from IDS systems like Snort and Suricata
Parametersβ
| alert guid | guid string | Identifies the type of alert. See GUIDs |
|---|---|---|
| flowkey | string or nil | the flowid string of the flow which caused the alert. nil if alert not related to a particular flow |
| alertkey | string | the type of alert within the group. Think of this as a Signature ID |
| classification | string | Optional: a type of alert. This is for compatibility with popular IDS systems like Snort and Suricata |
| priority | number | the alert priority. typically 1 = high, 2 = medium, 3 = low. But you can use your priorities if you are using your own |
| message | string | a dispatch message |
| status | string (optional) | a status or impact field. Example : CLEAR, ALARM, FIRE, BLOCK etc |
Return valueβ
None
Usageβ
Function add_alert_tcaβ
A special type of alert called Threshold Crossing Alert (TCA) based on metrics.
Purposeβ
Same as add_alert family but designed for metrics based alerting.
Parametersβ
| alert guid | guid string | Identifies the type of alert. See GUIDs |
|---|---|---|
| tca_id | number | a number that uniquely identifies a type of threshold youβve defined elsewhere. Example : a TCA , Threshold Band, or Flow Tracker alert in Trisul. |
| status | string | a string FIRED crossed threshold event or CLEAR when condition is clear and metric back in limits |
| message | string | a dispatch message |
Return valueβ
None
Usageβ
Function add_resourceβ
Add a new resource.
Purposeβ
Resources are meta data which you can log and search on. You can create your own resource group or add to existing resource groups like βDNS Recordsβ, βHTTP URLsβ, etc. Think of resources as logs and resource groups as log types
Parametersβ
| resource_id | a GUID | Resource group ID. See GUIDs |
|---|---|---|
| flowkey | a string in FlowID format | The flow containing this resource. You can get the flow ID from a packet. |
| uri | a string | The metadata that identifies the resource. This can be thought of a summary of the full log entry |
| contents (optional) | a string | The actual resource (less than 32K). This of this as the complete log line |
Return valueβ
None
Usageβ
-- add a custom SHA256 hash resource
--
engine:add_resource('{9781db2c-f78a-4f7f-a7e8-2b1a9a7be71a}', -- represents FileHash resource in Trisul
flowkey:id(), -- flow ID
"SHA256:"..hex_sha256, -- resource key (log summary)
full_filename) -- full resource (full log)
Function timestampβ
The latest timestamp in seconds since Epoch format (timeval.tv_sec) seen by the engine.
Purposeβ
If you want to find out the latest timestamps seen by the engine. Remember that you may not be able to simply use os.date) because Trisul also works on PCAP files that may have other timestamps.
Parametersβ
None.
Return valueβ
| Number | Representing number of seconds since 1-1-1970, a unix timestamp value (tv_sec) |
|---|
- For frontend scripts that work with packets, this represents the timestamp of the last packet seen.
- For backend scripts, this returns the last stream interval that was processed to completion.
Usageβ
Function add_flow_counterβ
FRONTEND ONLY
Add an automatic flow based counter.
Purposeβ
A Flow Counter works in the following way :
- you attach a counter to a flow
- all packets in that flow from that point onwards automatically get that counter with the metric equal to the packet length
Parametersβ
| flowkey | string | identifies the flow that you want to attach a counter to |
|---|---|---|
| counter group id | guid string | the counter group id of the counter you want to attach to this flow |
| key | string | the key within the counter group |
| metric | number | the metric for the counter group |
| direction | number | the direction you want to count. 0 = Both 1 = OUT (in Direction of SYN), 2 = IN |
Return valueβ
None
Usageβ
The method is only available for Frontend scripts. If you call this method from a backend script you will get an error.
If you detect a particular flow to be carrying YouTube video you can attach a counter βyou-tube-trafficβ metric. From that point onwards each packet on that flow will automatically update the βyoutube-trafficβ counter with the packet length.
Note on the Direction parameterβ
Use Direction=0 to update a Total traffic counter and Directions 1,2 to update IN/OUT separately. In the snippet below youβve created your own counter group with GUID {55F..} with three meters 0=Total,1=Xmit,2=Recv. You can see how to update the Totals counter Direction=0 and In/Out counters
-- Direction 0 : update both OUT and IN direction packets to the same counter
-- to update a TOTAL BYTES counter
engine:add_flow_counter( flowkey:id(),
"{55F98CC1-646E-4DE6-AD79-6B896211F177}", -- a counter guid
'my-video-traffic',
0, -- Total bytes
0) -- Both directions update the Total bytes counter
-- for XMIT
engine:add_flow_counter( flowkey:id(),
"{55F98CC1-646E-4DE6-AD79-6B896211F177}", -- a counter guid
external_host,
1, -- Transmit meter
1) -- Only OUT direction update the Trasmit meter
-- for RECV
engine:add_flow_counter( flowkey:id(),
"{55F98CC1-646E-4DE6-AD79-6B896211F177}", -- a counter guid
external_host,
2, -- Recv meter
2) -- Only IN direction update the receive meter
Function reset_flow_counterβ
FRONTEND ONLY
Removes a flow based counter.
Purposeβ
Remove a previous flow based counter added by add_flow_counter
Parametersβ
| flowkey | string | identifies the flow that you want to attach a counter to |
|---|---|---|
| counter group id | guid string | the counter group id of the counter you want to attach to this flow |
Return valueβ
None
Usageβ
The method is only available for Frontend scripts. If you call this method from a backend script you will get an error.
Function tag_flowβ
Tag a flow with a string.
Purposeβ
Add a text label to a IP flow. You can then search for flows using this string.
Parametersβ
| flowkey | string | identifies the flow that you want to attach a counter to. Usually you get this from flow:id |
|---|---|---|
| tag | string | a short text label that is attached to the flow. You can attach multiple tags to a flow but the total length of all tags must be less than 64 bytes. If you add tags >= 64 bytes the extra tags are discarded. |
Return valueβ
None
Usageβ
Function instanceidβ
A string representing the instance of the engine
Purposeβ
There may be multiple engine contexts in Trisul. This string identifies each one. You can use this to construct unique filenames etc.
Parameters��β
None.
Return valueβ
| Type | Info |
|---|---|
| String | Representing the instance of the engine object you are working with. This string is random string like β77BAB82β for Frontend scripts. For backend scripts, this string is the instance number such as β0β, β1β, β2β etc. |
Usageβ
A common use of instanceid is to construct filenames for log files. Another use is when you have scheduled scripts and you only want to run them once. In that case, you only run your code when engine:instanceid()=="0" See engine_monitor for more.
Function probeidβ
The probe id.
Purposeβ
Use this to retrieve the probeid β eg probe0 that the engine object belongs to.
Parametersβ
None.
Return valueβ
| Type | Info |
|---|---|
| String | The probe id such as probe0 that identifies the domain probe id of the engine |
Usageβ
Function update_flowβ
FRONTEND ONLY
Add a flow metric.
Purposeβ
Update a flow based metric. The key used in a SessKey format.
Parametersβ
| key | string | a string representing a flow in SessKey format |
|---|---|---|
| meter | number | the metric id |
| value | number | update with this value |
Return valueβ
None
Usageβ
Function new_flow_recordβ
Use this method only when you are writing an Input Filter plugin importing feeds with βNetflow likeβ flow records.
Purposeβ
Tell the Trisul framework we have new flow record with X bytes and Y packets. The reason you need to do this is because some plugins ; such as Badfellas work with flow records for efficiency reasons. This method does not impact metrics in any way, but exists only to inform some plugins of a new flow.
Parametersβ
| key | string | a string representing a flow in SessKey format |
|---|---|---|
| bytes_az | number | bytes in A > Z direction |
| bytes_za | number | bytes in Z > A direction |
| packets_az | number | packets in A > Z direction |
| packets_za | number | packets in Z > A direction |
Return valueβ
None
Usageβ
Function set_flow_durationβ
FRONTEND ONLY
Set length in seconds of a flow.
Purposeβ
Use this along with update_flow to handle Netflow like input data. This method sets the length of each flow. Use this if the duration of the flow is available in your input records.
Parametersβ
| key | string | a string representing a flow in SessKey format |
|---|---|---|
| value | number | duration of the flow in seconds |
Return valueβ
None
Usageβ
Function disable_reassemblyβ
FRONTEND ONLY
Stop reassembly and reconstruction of this flow.
Purposeβ
This method is useful in various contexts like file extraction and reassembly
The main use of this method is when you need to see the beginning bytes of a TCP flow to determine whether you are interested in further reassembly. Turning off reassembly of TCP streams you are not interested in can save significant CPU and memory.
Parametersβ
| Name | Type | Info |
|---|---|---|
| key | string | a string representing a flow in SessKey format |
Return valueβ
None
Usageβ
disable_reassembly is only available for frontend scripts that work with packets and flows.
Function post_message_frontendβ
Post a message to the frontend (packet) pipeline
Purposeβ
Use this method to communicate with other LUA plugins that are plugged into the packet pipeline stages.
You can use trisulctl_probe testbench guid to generate a msg id.
Parametersβ
| message_id (optional) | a GUID | a message ID β message sent only to those LUA plugins subscribed to this message id. |
|---|---|---|
| message | a string | a message. the targets would know how to handle |
Return valueβ
None
Usageβ
-- sent to all plugins which have an onmessage(..) handler
--
engine:post_message_frontend("192.168.2.1 port 299 needs fileextraction")
-- sent to only those plugins who have subscribed to
-- message if {F8D5570E-00A7-41FD-C30E-298C55D8EC4D}
--
engine:post_message_frontend("{F8D5570E-00A7-41FD-C30E-298C55D8EC4D}",
"192.168.2.1 port 299 needs fileextraction")
Function post_message_backendβ
Post a message to the backend (streaming metrics) pipeline
Purposeβ
Use this method to communicate with other LUA plugins that are plugged into the backend pipeline
You can use trisulctl_probe testbench guid to generate a msg id.
Parametersβ
| message_id (optional) | a GUID | a message ID β message sent only to those LUA plugins subscribed to this message id. |
|---|---|---|
| message | a string | a message. the targets would know how to handle |
Return valueβ
None
Usageβ
-- sent to all backend plugins which have an onmessage(..) handler
--
engine:post_message_backend("192.168.2.1 port 299 label all flows as suspicious")
-- sent to only those plugins who have subscribed to
-- message id {F8D5570E-00A7-41FD-C30E-298C55D8EC4D}
--
engine:post_message_backend("{F8D5570E-00A7-41FD-C30E-298C55D8EC4D}",
"192.168.2.1 port 299 label all flows as suspicious")
Function add_edgeβ
Add a new uni-directional edge to the edge stream. This is part of the new Trisul Streaming Graph Analytics feature set.
Purposeβ
In Graph Analytics lingo, an edge is two vertices joined with a connection. The add_edge method allows to you push a simple Edge to the Trisul streaming pipeline.
The above picture explains the following terms
Subject Vertex Type
The type or color of Vertex-A. This is a GUID , typically a counter group or alert type.
Subject Vertex Key
A key identifying the vertex within the group. Example an IP Address within Hosts
Target Vertex Type
The type or color of Vertex-B.
Target Vertex Key
A key identifying the target vertex
Parametersβ
| subject_guid | a GUID | type of Vertex-A |
|---|---|---|
| subject_key | string | key of Vertex-A |
| target_guid | a GUID | type of Vertex-B |
| target_key | string | key of Vertex-B |
Note on edge direction.β
Trisul edges are directional, so if you want to add a bi-directional edge. Call add_edge twice with A and B reversed the second time. See Usage section.
Return valueβ
None
Usageβ
Here is how you add a bi-directional edge. Say between a PING-ALERT and an Internal IP address
--
engine:add_edge("{F8D5570E-00A7-41FD-C30E-298C55D8EC4D}", "ICMP-PING-ALERT"
"{98348488-45A7-45FD-450E-45838053800D}", "10.2.28.18" );
-- the other direction
engine:add_edge("{98348488-45A7-45FD-450E-45838053800D}", "10.2.28.18",
"{F8D5570E-00A7-41FD-C30E-298C55D8EC4D}", "ICMP-PING-ALERT");
Function add_flow_edgesβ
Add edges from a given vertex to all vertices of a flow.
Purposeβ
This function adds the following uni-directional edges from a given vertex
- Vertex β Source IP
- Source IP β Vertex
- Vertex β Dest IP
- Dest IP β Vertex
- Port β Vertex
- Vertex β Port
- Protocol β Vertex
- Vertex β Protocol
Parametersβ
| flow_key | a string | A string representing a flow. This is in FlowID format You typically get this string as inputs to your lua function |
|---|---|---|
| target_guid | a GUID | type of Vertex-B. This can be a counter group id, alert group id, or any other group id |
| target_key | string | key of Vertex-B |
Return valueβ
None
Usageβ
Add an ALERT vertex to all the endpoints of the flow that generated it.
--
-- adds edges from the new ICMP-PING-ALERT vertex
--
engine:add_flow_edges("06A:C0.A8.01.02:p-0B94_D1.D8.F9.3A:p-0016",
"{F8D5570E-00A7-41FD-C30E-298C55D8EC4D}", "ICMP-PING-ALERT");
Function set_key_attributeβ
Add an arbitrary attribute-name, attribute-value pair to any key.
If the key already has an attribute with the attribute-name then overwrite the old value with the new attribute_value
Purposeβ
Allows you to attach a name,value to any key. For example
- A common use is to assign an Interface Speed (ifSpeed) to a netflow interface.
- other uses can be thought of such as βoperating-systemβ to a Host IP, etc
Parametersβ
| counter guid | guid string | the counter group |
|---|---|---|
| key | string | the unique key within the counter group |
| attribute_name | a string | A name for the attribute |
| attribute_value | a string | a value |
Return valueβ
None
Usageβ
--
-- to assign a value of 100000 to interface_speed for interface 1ge/0/0
--
set_key_attribute( "{7CA09636-02D4-45e7-AA00-BE0D49B94E26}", -- netflow interfaces group
"1ge/0/0", -- interface key
"interface_speed", -- attr_name
"1000000" ) -- value
Function add_flow_attributeβ
Adds an attribute-name=attribute-value to a flow.
Purposeβ
Flow attributes can be attached to any flow. You can then write other scripts that can listen to these attributes using reassembly/onattribute and work on them.
Parametersβ
| flow_key | string | A string representing a FlowID |
|---|---|---|
| attribute_name | string | type of attribute. Example HTTP-User-Agent |
| attribute_value | string | attribute value, Example βMozilla β¦β |
Return valueβ
None