Differences

This shows you the differences between two versions of the page.

--- ids:snort [2018/05/03 14:30] – veera
+++ ids:snort [2018/05/03 14:42] – [Start snort and view analytics in TrisulNSM] veera
@@ Line 44: / Line 44: @@
 Open snort.conf and copy the lines from rules/emerging.conf into snort.conf and comment out the old snort.conf rules.
-Next specify a HOMENET, otherwise many ET rules wont load
+This is a bit of a chore, but you only do this once.
+==== Specify a HOMENET ====
+If you dont do this, you will find out soon enough. Many ET rules wont load
 Example:
@@ Line 53: / Line 57: @@
+===== Configure Oinkmaster =====
+Oinkmaster will keep the rules updated.
+Open /etc/oinkmaster.conf  and add the ET (or ET-Pro) rule path using the ''url'' directive
+<code>
+# EMERGING THREATS COMMUNITY
+url = https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
+</code>
+Then you can test it out
+<code>
+oinkmaster -C /etc/oinkmaster.conf  -o /etc/snort/rules
+</code>
+==== Make oinkmaster refresh at 2AM every night ====
+The following crontab entry will
+  - Run at 2:00 AM every night
+  - Download latest rules and install them correctly
+  - Send a SIGUSR1 to snort to reload the new rules
+Open ''crontab -e'' and add the following line
+<code cron>
+2 * * *  root ( /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules; sleep 5; kill -USR1 `pidof -s snort` )
+</code>
+That is pretty much it.
+===== Start snort and view analytics in TrisulNSM =====
+First stop the old instance of snort
+''pkill snort''
+Then Login to Trisul as admin/admin ;
+  * then go to Admin Tasks -> Start/Stop Tasks
+  * on the selected network adapters -> More Options -> click on "How to start snort?"
+  * copy paste that into a terminal.
+You're all done.
+To view analytics in Trisul you can start with the  **Real Time Alerts dashboard**.