tips:firehol_checker

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revisionBoth sides next revision
Revision comparison: tips:firehol_checker [2020/03/24 17:49] – created by navaneeth, against tips:firehol_checker [2020/03/24 18:49] by navaneeth

{{:tips:firehol.png?200|}}

===== Precondition =====

The following must be in place before installing this app.
  - Trisul Network Analytics is installed.
  - All hub and probe nodes are up.
  - The FireHOL Checker app has been installed from //Admin > Manage > Apps > FireHOL Checker//.

{{:tips:fireholappadmin.png?400|}}

After installing the app, complete the following steps to enable the FireHOL Checker app.

===== Steps for Activation =====

==== 1. Installing the feed ====

Download and run the installfeed.sh script. It installs the FireHOL feeds and adds a cron job that downloads them again every hour.

<code bash>
curl -O https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/firehol/installfeed.sh
bash ./installfeed.sh
</code>

{{:tips:fireholappinstall.png?600|}}

<note important>Ensure that these commands are run as root.</note>

==== 2. Configuring Parameters ====

You can customize the config settings on a per-probe basis.

<note important>Ensure that the probe node has been restarted.</note>

To create your own custom settings, do the following:
  - Create a new config file named 'trisulnsm_filehol.lua' in the probe config directory /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config.
  - Put the configuration table below into 'trisulnsm_filehol.lua'.
  - Replace the parameter values with your own where required.

<code lua>
DEFAULT_CONFIG = {

  -- filename of the FireHOL level1 feed - a match will trigger a Sev-1 alert
  Firehol_Filename_Level1 = "firehol_level1.netset",

  -- optional level3 feed - a match will create a Sev-3 alert
  Firehol_Filename_Level3 = "firehol_level3.netset",

  -- how much a blacklisted IP must receive for priority elevation to MAJOR (1)
  Vol_Sev1_Alert_Recv = 10000,

  -- how much a blacklisted IP must transmit for priority elevation to MAJOR (1)
  Vol_Sev1_Alert_Xmit = 20000,
}
</code>
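To make clear what the parameters above control, and what the hourly feed download from step 1 actually delivers, here is an added Python example written for this page. It is not code from the FireHOL Checker app or the Trisul apps repository. It loads two constructed netset feeds, checks an address against them, and applies the volume thresholds. It assumes that a netset file holds one IP address or CIDR prefix per line with '#' comments, and the severity and MAJOR-elevation rules in classify() are a hypothetical reading of the comments in DEFAULT_CONFIG, not the app's own matching logic.

```python
"""Added example for this wiki page; not code from the Trisul FireHOL Checker app.

Shows what the DEFAULT_CONFIG parameters mean: which feed file maps to which
alert severity, and when a Sev-1 match is elevated to priority MAJOR.
Assumptions (not stated on the page): a netset file holds one IP address or
CIDR prefix per line with '#' comments, and the matching/elevation rules below
are a hypothetical reading of the config comments, not the app's own logic.
"""
import ipaddress

# Mirrors the DEFAULT_CONFIG table shown on the page.
DEFAULT_CONFIG = {
    "Firehol_Filename_Level1": "firehol_level1.netset",
    "Firehol_Filename_Level3": "firehol_level3.netset",
    "Vol_Sev1_Alert_Recv": 10000,
    "Vol_Sev1_Alert_Xmit": 20000,
}

# Constructed sample feeds (RFC 5737 documentation ranges, not real feed data).
SAMPLE_FEEDS = {
    "firehol_level1.netset": (
        "# firehol_level1.netset (constructed sample)\n"
        "# aggregated attacker ranges\n"
        "192.0.2.0/24\n"
        "198.51.100.7\n"
    ),
    "firehol_level3.netset": (
        "# firehol_level3.netset (constructed sample)\n"
        "203.0.113.0/25\n"
        "not-an-address\n"
    ),
}


def parse_netset(text):
    """Return (networks, bad_lines); blank lines and '#' comments are skipped."""
    networks, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts a bare address (treated as a /32 or /128)
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad_lines.append((lineno, raw))
    return networks, bad_lines


def load_feeds(config, feeds=SAMPLE_FEEDS):
    """Map alert severity -> networks using the filenames from the config.

    Returns (levels, problems): problems lists unparseable lines per file,
    which is the check worth running after each hourly download.
    """
    levels, problems = {}, {}
    for severity, key in ((1, "Firehol_Filename_Level1"),
                          (3, "Firehol_Filename_Level3")):
        filename = config[key]
        text = feeds.get(filename)
        if text is None:
            continue  # the level-3 feed is optional on the page
        levels[severity], problems[filename] = parse_netset(text)
    return levels, problems


def classify(ip, recv_bytes, xmit_bytes, config, levels):
    """Hypothetical alert decision; returns (severity, priority) or None.

    A level-1 hit is Sev-1 and a level-3 hit is Sev-3 (lower number wins when
    both feeds list the address). A Sev-1 hit whose received or transmitted
    volume reaches the Vol_Sev1_Alert_* threshold is elevated to MAJOR.
    """
    addr = ipaddress.ip_address(ip)
    severity = next(
        (sev for sev in sorted(levels) if any(addr in net for net in levels[sev])),
        None,
    )
    if severity is None:
        return None
    priority = "NORMAL"
    if severity == 1 and (recv_bytes >= config["Vol_Sev1_Alert_Recv"]
                          or xmit_bytes >= config["Vol_Sev1_Alert_Xmit"]):
        priority = "MAJOR"
    return severity, priority


if __name__ == "__main__":
    levels, problems = load_feeds(DEFAULT_CONFIG)
    for filename, bad in problems.items():
        for lineno, raw in bad:
            print(f"{filename}:{lineno}: unparseable entry {raw!r}")
    for ip, rx, tx in (("192.0.2.77", 500, 500), ("192.0.2.77", 12000, 0),
                       ("203.0.113.5", 99999, 99999), ("203.0.113.200", 0, 0)):
        print(ip, rx, tx, "->", classify(ip, rx, tx, DEFAULT_CONFIG, levels))
```

The problems result is the part to keep an eye on after the cron job runs: a feed that comes down empty or with unparseable lines cannot produce matches, so a quiet FireHOL alert list may mean a broken download rather than clean traffic.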
 +
==== 3. Viewing Alerts ====

You can view the FireHOL alerts in Trisul through User Alerts.

  - The FireHOL alerts can be viewed in the UI by selecting //Alerts > Show All > User Alerts//.

{{:tips:useralerts-fireholapp.png?600|}}

The FireHOL (Level 1) alerts can be viewed in detail by exploring them.

{{:tips:fireholalert.png?600|}}

  - The real-time alerts can be viewed by selecting the 'View Realtime' option from //Alerts > Show All > User Alerts//.

{{:tips:realtimefirehol.png?600|}}
tips/firehol_checker.txt · Last modified: 2020/03/24 19:01 by navaneeth