Trisul on Security Onion
If you are running Trisul on Security Onion , have you heard the good news ? Doug Burks has released a new version of Security Onion based on Ubuntu 12.04 LTS including a ready to run 64-bit ISO. In this blog, I am going to describe why you might want to run Trisul on it and how to do so.
Why ? Traffic and flows.
Security Onion brilliantly assembles a number of different tools into a coherent NSM (Network Security Monitoring) platform. There are several applications like Bro, ELSA, Snorby, Squil, Squert, etc, each addressing a piece of NSM.
Toss in Trisul into the mix and immediately gain the following :
- Traffic monitoring — How is bandwidth being used ?
- Flow analysis — Who’s doing what ?
Having a deep knowledge of traffic patterns in your network will boost your abilities to detect and respond to various kinds of attacks. You can also achieve the same end to a limited extent with tools like ntop or darkstat. Free By default, Trisul will install in free mode which gives you full functionality over the most recent 3-days.
Installing
- First, install a working Security Onion system by following the instructions here I recommend simply installing the ISO.
- Next, follow the steps in the Howto : Install Trisul to complete the installation.
- Work with Trisul for a while until you get a sense of what it collects.
Packets and alerts
After playing with Trisul for a while, you may notice there is considerable overlap between Trisul and some other tools. You may wish to disable the following if you are running short of disk space or are quite happy to let other apps handle it.
| Data type | What Trisul does? | How to disable |
|---|---|---|
| Packets | Rule based encrypted packet storage | Set the <Ring> parameter to FALSE in the config file |
| IDS Alerts | Processes IDS from Barnyard2 | Set the Trisul Run Mode to onlinerxring from Customize → App Settings |
Ciao for now. Have fun !