tips:firehol_checker

tips:firehol_checker [2020/03/24 17:49]
navaneeth created
tips:firehol_checker [2020/03/24 19:01] (current)
navaneeth
Line 1: Line 1:
 ====== FireHOL Checker ====== ====== FireHOL Checker ======
  
-This article helps you providing steps to install and run the FireHOL Checker App in Trisul Network Analytics.+This article helps you with providing steps to install and run the FireHOL Checker App in Trisul Network Analytics.
  
 ** **
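Review bot: The reworded sentence on the changed line still reads awkwardly; "helps you with providing steps" is no clearer than the original "helps you providing steps". Suggest "This article provides the steps to install and run the FireHOL Checker App in Trisul Network Analytics."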
Line 7: Line 7:
 ** **
  
-{{:​tips:​firehol.png?​200|}}+{{:​tips:​firehol.png?​400|}} 
 + 
 +===== Precondition ===== 
 + 
 +The following should be done prior to installing this app. 
 +  - The Trisul Network Analytics Installed. 
 +  - All the hub and Probe nodes should be up. 
 +  - The FireHOL Checker App must have been installed from //Admin > Manage > Apps >FireHOL Checker//​. 
 + 
 +{{:​tips:​fireholappadmin.png?​400|}} 
 + 
 +After installing the app the following steps should be done to enable the FireHOL Checker App. 
 + 
 +===== Steps for Activation ===== 
 + 
 +==== 1.  Installing the feed ==== 
 + 
 +Run the installfeed.sh script in this folder to install the FireHOL feeds and update the CRON to download every hour. 
 + 
 +<​code>#​ curl -O  https://​raw.githubusercontent.com/​trisulnsm/​apps/​master/​analyzers/​firehol/​installfeed.sh 
 +</​code>​ 
 +<​code>​bash ./​installfeed.sh 
 +</​code>​ 
 + 
 +{{:​tips:​fireholappinstall.png?​600|}} 
 + 
 +<note important>​Please ensure that the commands are being run in root mode.</​note>​ 
 + 
 +==== 2. Configuring Parameters ==== 
 + 
 +You can customize the config settings on a per-Probe basis. 
 + 
 +<note important>​Please ensure you have restarted the probe node.</​note>​ 
 + 
 +To create your own custom settings,Do the following 
 +  - create a new config file named '​trisulnsm_filehol.lua'​ in the probe config directory /​usr/​local/​var/​lib/​trisul-probe/​domain0/​probe0/​context0/​config. 
 +  - configure the '​trisulnsm_filehol.lua'​ file. 
 +  - replace with new values for the parameters if required. 
 + 
 +<​code>​ DEFAULT_CONFIG = {  
 + 
 +  -- filename of FireHOL level1 Feed  - will trigger Sev-1 alert  
 +  Firehol_Filename_Level1 ="​firehol_level1.netset",​ 
 + 
 +  -- optional level3 - will create Sev-3 alert  
 +  Firehol_Filename_Level3 ="​firehol_level3.netset",​ 
 + 
 +  -- How much should blacklisted IP Recv for Priority elevation to MAJOR (1) 
 +  Vol_Sev1_Alert_Recv=10000,​ 
 + 
 +  -- How much should blacklisted IP Transmit for Priority elevation to MAJOR (1) 
 +  Vol_Sev1_Alert_Xmit=20000,​ 
 +
 +</​code>​ 
 + 
 +==== 3. Viewing Alerts ==== 
 + 
 +You can view the FireHOL Alerts in Trisul through User Alerts. 
 + 
 +  - The FireHOL alerts can be viewed in UI by selecting //Alerts > Show All > User Alerts.// 
 + 
 +{{:​tips:​useralerts-fireholapp.png?​600|}}  
 + 
 +The FireHOL(Level 1)alerts can be viewed in detail by exploring them. 
 + 
 +{{:​tips:​fireholalert.png?​600|}} 
 + 
 +  - The Realtime alerts can be viewed by selecting 'View Realtime'​ option from //Alerts > Show All > User Alerts.// 
 + 
 +{{:​tips:​realtimefirehol.png?​600|}} 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
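Review bot: The Lua configuration block under "2. Configuring Parameters" is never closed: the `DEFAULT_CONFIG = {` table ends after `Vol_Sev1_Alert_Xmit=20000,` with no matching `}`, so a reader who copies the block into the config file as instructed will get a Lua syntax error when the probe loads it; add the closing `}` before `</code>`. In the same section the config filename `trisulnsm_filehol.lua` (used in both list items) looks like a typo for `firehol`, and a misnamed file would simply be ignored with the defaults still applying, so confirm the exact filename the app loads. The "Please ensure you have restarted the probe node" note is placed before the steps that create the file; the restart is what makes the probe pick up the new settings, so it belongs after the three-step list. In "1. Installing the feed", drop the `#` prompt from the `curl -O` line so it can be pasted as-is, and since the script is downloaded and then executed as root, a sentence telling readers to review `installfeed.sh` before running `bash ./installfeed.sh` would be appropriate here. Finally, in "3. Viewing Alerts" the images interrupt the numbered list, so DokuWiki will render two separate lists that both start at 1; either move the images out of the list or refer to the steps in prose.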
tips/firehol_checker.1585052354.txt.gz · Last modified: 2020/03/24 17:49 by navaneeth