Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » ids » Connecting Snort to Trisul Network Analytics
Trace: Connecting Snort to Trisul Network Analytics
ids:snort

This is an old revision of the document!

Table of Contents

Connecting Snort to Trisul Network Analytics

A step by step guide for Ubuntu 16.04 which explains how to :

  1. Install Snort
  2. Replace with Emerging Threats rules
  3. Configure Oinkmaster for automatic updates
  4. Start snort and view analytics in TrisulNSM

Install snort

Snort has a package for Ubuntu. This installs all components required. 

apt-get update
apt-get install snort

Also install oinkmaster , which also has an Ubuntu package 

apt-get install oinkmaster

Replace with Emerging Threats rules

We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.

Download ET Community rules

cd /etc/snort
mv rules rules_old
wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
tar xf emerging.rules.tar.gz -C /etc/snort

Point to the new ET rules

Open snort.conf and copy the lines from rules/emerging.conf into snort.conf and comment out the old snort.conf rules.

Next specify a HOMENET, otherwise many ET rules wont load

Example: 

ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8
ids/snort.1525338028.txt.gz · Last modified: 2018/05/03 14:30 by veera