Flow Taggers
Flow Taggers assign one or more text labels to flows in real time. The labels are produced by rules you specify (for example, on IP addresses, ports or protocols), so taggers let you identify network flows that meet predefined criteria. You can then search for flows carrying these text tags.
Figure: Tags are shown alongside flows
Some Examples
- Mark flows that generated an alert with the tag "ALRT"
- Mark flows to China or Ukraine as "CHUKR"
- Mark all non-HTTP flows to your subnet 10.18.10.0/24 as "SUSPECT"
How it Works
Flow taggers let you do things that are remarkably hard to do retrospectively. For example, you can create a flow tagger that marks all flows from your internal network to China or Ukraine. It works like this: if Trisul sees activity in the Country counter group for the keys CN or UA, the corresponding flow is marked with the tag you provide.
- Flows are tagged based on rules you create on counter activity
- A single flow can be marked with multiple tags.
- You can pull up flows by tag name at any time
Configuring
You need to restart Trisul for configuration changes to take effect
To create a flow tagger, log in as admin and go to:
👉 Context: default → Profile0 → Flows → Flow Taggers
Figure: Showing Create a New Flow Tagger Button
You will see a list of existing taggers. You can also find the total number of taggers, number of taggers enabled and number of taggers disabled on the top of the module. Trisul ships with a few taggers, which are disabled by default. Click on Create a new flow tagger on the top right as shown in the example.
Entering the Rule
Once you have clicked Create a new flow tagger, an Enter tagging rules form opens, as in this example.
Figure: Configure Tagging Rules Form
Fill out the details as shown:
| Fields | Description |
|---|---|
| Session Group | Select the session group from the dropdown list |
| Flow Tagger Name | A descriptive label for display; explain what you are tagging with this rule |
| Tagger Tag | Matching flows are tagged with this string. Prefix with AUTO: for automatic tags |
| Tagger Group | For AUTO: tags only. You can specify a short group code to help distinguish keys from other groups. The tags generated will have the format [GROUPNAME]tag. Keep this short, under 8 characters. |
| Tagger Rule | A string in Trisul Filter Format |
Directly Enter the Rule
If you are familiar with the Trisul Filter Format you may enter the rule string directly here. For example, flows to China and India can be marked by the expression {00990011-44BD-4C55-891A-77823D5916B}=CN,IN. This selects the keys CN and IN in the counter group Country, which is identified by its GUID.
The Rule Builder
This is the easier way to construct the Tagger Rule expression. See Rule Builder, or simply click Add rule in the Tagger rule field to open the Interactive Rule Builder and fill in the following fields.
Figure: Interactive Rule Builder
| Fields | Description |
|---|---|
| Combine with Previous Rule | Click & (AND) or \| (OR) to choose how this condition is combined with the previous rule |
| Counter GUID | Click the counter group to fill in its GUID |
| Condition | Select one of the two operators, = or ! |
| Key | For example 192.168.1.30,192.168.1.45 or 192.168.1.30~192.168.1.45. For automatic tagging, enter * for the key. |
Click Update Target Rule to update the specified rules.
Automatic Flow Tagging
Automatic flow tagging allows you to automatically mark flows with keys from a counter group. For example, you can mark all flows with the country codes or web category. This is the same concept as “Log Enrichment” in other systems.
To configure automatic flow tagging:
- Prefix your tag name with AUTO:
- In the rule, select a counter group and enter * for the key
Example
To automatically tag flows with the URL Category:
- Enter AUTO:myurlcat for the tag name
- The rule is created by selecting HTTP URL Category and then * as the key
- The final rule is {0F3D2DC3-107C-4348-8561-757734AF4666}=*
Tagger Groups
A flow tag is nothing but a string label added to each flow. Using Tagger groups you can add a namespace to the tags. When you add tags to a namespace they are grouped together when using the Aggregate Flows tool.
The following shows an automatic flow tagger that attaches the AS number of the source and destination IP to each flow. We have added a tag group called “asn”, so tags generated by this tagger automatically get an extra [asn] prefix attached to the tag.
Figure: Automatic Tagging Showing [asn] Tag
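To make the tagging semantics described above concrete (fixed tags from a rule on counter activity, AUTO: tags that turn the observed keys of a counter group into tags, and the [GROUPNAME] namespace prefix), here is a small Python model. It is an added illustration, not Trisul's own code or its real rule engine: the rule grammar it accepts (terms of the form {GUID}=keys or {GUID}!keys, joined left to right by & or | with no precedence) and the way a flow's counter-group activity is represented as a dictionary are assumptions made for this example. The two GUIDs are the ones printed on this page; the taggers and flows are constructed sample data.

```python
"""Added example: a toy evaluator for flow-tagger rules in the style of the
Trisul Filter Format. The grammar and evaluation rules below are assumptions
for illustration, not Trisul's implementation."""
import re
from dataclasses import dataclass

# Counter-group GUIDs exactly as printed on this page.
COUNTRY_GUID = "00990011-44BD-4C55-891A-77823D5916B"   # Country counter group
URLCAT_GUID = "0F3D2DC3-107C-4348-8561-757734AF4666"    # HTTP URL Category

# One rule term: {GUID}=k1,k2 or {GUID}!k1,k2 (assumed: '!' negates the match).
TERM_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}\s*(=|!)\s*([^&|]+)")


@dataclass
class Tagger:
    name: str        # Flow Tagger Name (display only)
    tag: str         # Tagger Tag; prefix AUTO: for automatic tagging
    rule: str        # Tagger Rule
    group: str = ""  # Tagger Group, used only for AUTO: tags


def parse_rule(rule):
    """Return (terms, joiners): terms are (guid, op, set_of_keys), joiners
    are the '&' / '|' operators between consecutive terms."""
    terms, joiners, pos = [], [], 0
    while True:
        while pos < len(rule) and rule[pos].isspace():
            pos += 1
        m = TERM_RE.match(rule, pos)
        if not m:
            raise ValueError("bad rule near: " + rule[pos:])
        guid, op, keys = m.groups()
        terms.append((guid.upper(), op, {k.strip() for k in keys.split(",") if k.strip()}))
        pos = m.end()
        while pos < len(rule) and rule[pos].isspace():
            pos += 1
        if pos >= len(rule):
            return terms, joiners
        if rule[pos] not in "&|":
            raise ValueError("expected & or | near: " + rule[pos:])
        joiners.append(rule[pos])
        pos += 1


def term_matches(term, activity):
    """activity maps counter-group GUID -> set of keys seen on this flow.
    '*' matches any activity in the group; '!' inverts the result."""
    guid, op, keys = term
    seen = activity.get(guid, set())
    hit = bool(seen) if "*" in keys else bool(seen & keys)
    return hit if op == "=" else not hit


def rule_matches(rule, activity):
    """Evaluate terms strictly left to right (assumed: no precedence)."""
    terms, joiners = parse_rule(rule)
    result = term_matches(terms[0], activity)
    for joiner, term in zip(joiners, terms[1:]):
        r = term_matches(term, activity)
        result = (result and r) if joiner == "&" else (result or r)
    return result


def tags_for_flow(taggers, activity):
    """Sorted list of tags for one flow; a single flow can carry many tags."""
    tags = set()
    for t in taggers:
        if not rule_matches(t.rule, activity):
            continue
        if t.tag.startswith("AUTO:"):
            # Automatic tag: each key observed in a '*' group becomes a tag,
            # namespaced as [GROUPNAME]key when a Tagger Group is set.
            prefix = f"[{t.group}]" if t.group else ""
            for guid, op, keys in parse_rule(t.rule)[0]:
                if op == "=" and "*" in keys:
                    tags.update(prefix + k for k in activity.get(guid, ()))
        else:
            tags.add(t.tag)
    return sorted(tags)


# Constructed sample taggers, mirroring the examples on this page.
TAGGERS = [
    Tagger("Flows to China or Ukraine", "CHUKR", "{%s}=CN,UA" % COUNTRY_GUID),
    Tagger("Automatic URL category", "AUTO:myurlcat", "{%s}=*" % URLCAT_GUID, group="ucat"),
    Tagger("Categorised web traffic not to CN", "WATCH",
           "{%s}!CN & {%s}=*" % (COUNTRY_GUID, URLCAT_GUID)),
]

# Constructed sample flows: counter-group keys that were active on each flow.
FLOWS = {
    "flow-1": {COUNTRY_GUID: {"CN"}, URLCAT_GUID: {"Social Networking"}},
    "flow-2": {COUNTRY_GUID: {"US"}, URLCAT_GUID: {"News"}},
    "flow-3": {COUNTRY_GUID: {"IN"}},
}

if __name__ == "__main__":
    for flow_id, activity in FLOWS.items():
        print(flow_id, tags_for_flow(TAGGERS, activity))
```

Running the block prints each constructed flow with its tags: flow-1 gets both CHUKR and the namespaced automatic tag [ucat]Social Networking, flow-2 gets WATCH and [ucat]News, and flow-3 gets no tags because it matches none of the rules and has no URL-category activity for the AUTO: tagger to pick up.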
Viewing
You can view the flow tags in a couple of ways.
- Use the Flow taggers tool to see a list of top flows for each tag you have set up.
- Search for flows by tagname using the Explore flows tool.
- Use the Aggregate Flows tool.