Installing Trisul on Security Onion
Security Onion is a Linux distribution that makes it easy to deploy a full-fledged Network Security Monitoring (NSM) system. This document describes how to install Trisul on that distribution.
Why Trisul Network Analytics?
Trisul adds network traffic charts and flow analytics to your Security Onion based NSM.
Step 1: Install Trisul
- Follow the instructions for Ubuntu 16.04 on the Download page and install the Trisul packages on your Security Onion box.
- Update the shared library cache:
sudo ldconfig
- Open ports 3000 and 3003, which the Trisul web interface requires:
sudo ufw allow 3000
sudo ufw allow 3003
- At this point you have a fully functional Trisul installation. You can test this by logging on to <ip>:3000 as admin/admin. Steps 2 through 5 integrate Trisul with the alerts generated by Snort/Suricata.
- Automatically start trisul-probe on startup:
update-rc.d trisul-probe0-context0 defaults
Step 2: Change the user from trisul to sguil
By default all Trisul processes and data are owned by the user trisul. You need to change the user to sguil so that Trisul integrates better with the rest of the Security Onion processes. In particular, Trisul needs to read the Barnyard2 Unix socket, which is owned by sguil.
- Change the hub and probe permissions to sguil. Run sudo trisulctl_hub, then on its CLI enter the following command. Type quit to exit the trisulctl_hub domain management CLI.
sudo trisulctl_hub changeuser domain domain0 sguil.sguil
Repeat the same for the included Trisul-Probe:
sudo trisulctl_probe changeuser domain domain0 sguil.sguil
- Restart the web server under the new ownership of sguil:
sudo service webtrisuld restart
Step 3: Adjust the config file
Almost there. You need to make a couple of changes to the config file so that Trisul can receive IDS alerts from barnyard2.
- Open the config file
/usr/local/etc/trisul-probe/domain0/probe0/context0/trisulProbeConfig.xml
- Change the <IDSAlerts><UnixSocket> parameter to
/nsm/sensor_data/xx-yy-eth0/barnyard2_alert
Replace the directory name xx-yy-eth0 with what you see on your machine. Type ls /nsm/sensor_data to find out what that is.
- NEW: If you want to listen to multiple sockets, now you can. Just add as many <UnixSocket> sections as you want. The example below configures two sockets:
<UnixSocket> /nsm/sensor_data/unpl-seco-16-prod-enp1s0/barnyard2_alert </UnixSocket>
<UnixSocket> /nsm/sensor_data/unpl-seco-16-prod-enp2s0/barnyard2_alert </UnixSocket>
Step 4: Configure and restart Barnyard
- Open the barnyard2 configuration file
/etc/nsm/xx-yy-eth0/barnyard2-1.conf
and add the following line at the end of the file:
output alert_unixsock
If you are listening on more than one Unix socket, add the output alert_unixsock option to the barnyard2-1.conf file of every sensor.
- Restart barnyard:
sudo nsm_sensor_ps-restart --only-barnyard2
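The following Python helper is an added example, not part of the Trisul or Security Onion packages: it discovers the sensor directories under /nsm/sensor_data, rewrites the <IDSAlerts> section of trisulProbeConfig.xml with one <UnixSocket> per sensor, and reports every sensor whose /etc/nsm/<sensor>/barnyard2-1.conf still lacks an active output alert_unixsock line. The embedded SAMPLE_CONFIG and its root element name are constructed stand-ins; only the <IDSAlerts><UnixSocket> element and the file paths come from the steps above.

```python
# Added helper, not part of Trisul or Security Onion: automates Step 3 (one
# <IDSAlerts><UnixSocket> per sensor dir under /nsm/sensor_data) and checks
# Step 4 (barnyard2-1.conf files still lacking 'output alert_unixsock').
# SAMPLE_CONFIG is a constructed stand-in for trisulProbeConfig.xml (root name invented).
import os
import re
import xml.etree.ElementTree as ET

SENSOR_ROOT, NSM_CONF_ROOT = "/nsm/sensor_data", "/etc/nsm"
SAMPLE_CONFIG = ("<TrisulProbeConfig><IDSAlerts><UnixSocket>"
                 "/nsm/sensor_data/xx-yy-eth0/barnyard2_alert"
                 "</UnixSocket></IDSAlerts></TrisulProbeConfig>")

def sensor_sockets(sensor_root=SENSOR_ROOT):
    # one barnyard2_alert socket path per sensor directory (the xx-yy-eth0 dirs)
    dirs = sorted(os.listdir(sensor_root)) if os.path.isdir(sensor_root) else []
    return [os.path.join(sensor_root, d, "barnyard2_alert")
            for d in dirs if os.path.isdir(os.path.join(sensor_root, d))]

def set_unix_sockets(xml_text, sockets):
    """Return xml_text with <IDSAlerts> holding exactly one <UnixSocket> per path."""
    root = ET.fromstring(xml_text)
    ids = root.find(".//IDSAlerts")
    if ids is None:
        raise ValueError("no <IDSAlerts> element in probe config")
    for old in ids.findall("UnixSocket"):  # drop placeholder / stale entries
        ids.remove(old)
    for path in sockets:
        ET.SubElement(ids, "UnixSocket").text = path
    return ET.tostring(root, encoding="unicode")

def barnyard_has_unixsock(conf_text):
    """True if an uncommented 'output alert_unixsock' line is present."""
    return any(re.match(r"^\s*output\s+alert_unixsock\b", ln)
               for ln in conf_text.splitlines())

def unixsock_missing(sockets, nsm_conf_root=NSM_CONF_ROOT):
    # sensors whose <nsm_conf_root>/<sensor>/barnyard2-1.conf lacks the option
    missing = []
    for sock in sockets:
        sensor = os.path.basename(os.path.dirname(sock))
        conf = os.path.join(nsm_conf_root, sensor, "barnyard2-1.conf")
        if not (os.path.isfile(conf) and barnyard_has_unixsock(open(conf).read())):
            missing.append(sensor)
    return missing
if __name__ == "__main__":
    socks = sensor_sockets() or ["/nsm/sensor_data/xx-yy-eth0/barnyard2_alert"]
    print(set_unix_sockets(SAMPLE_CONFIG, socks))  # review, then write the real file
    print("missing alert_unixsock:", unixsock_missing(socks))
```

ElementTree rewrites the document without its XML declaration or comments, so diff the output against the real trisulProbeConfig.xml before replacing it.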
Step 5: Start Trisul from the web interface
Go to <ip>:3000 and log in as admin/admin. Then go to Context : default > Admin Tasks > Start/Stop Tasks and restart the Hub and Probe(s).
Default eth0: by default Trisul listens on eth0. If you wish to change it, read Change capture adapter.
Congratulations! You have finished installing Trisul.
Log in as user/user and check that you see the various dashboards. Check that you are seeing alerts on the real-time alert dashboard (Dashboard > Real Time Alerts).
More things to do
- How to move the Trisul database to /nsm?
Trisul stores its data under /usr/local/var, whereas Security Onion likes to store data in /nsm. Use the domain management CLI tools trisulctl_probe and trisulctl_hub to move the database to the /nsm volume.
Move the probe DB:
trisulctl_probe relocate context domain0 probe0 default
Move the hub DB:
trisulctl_hub relocate context domain0 hub0 default
For more, see Relocate database or type help relocate in the domain management CLI tool.
- How to switch to NETFLOW mode
You can choose to use Trisul on the Security Onion box to monitor Netflow. Follow the instructions in Configure Netflow to start consuming Netflow (and sFlow/IPFIX/jFlow etc.).
Once you are comfortable with one instance of Trisul, you can even do the following:
- Use the default context for PCAP based monitoring
- Spin up a second, new context, say nf1, for monitoring Netflow:
trisulctl_hub create context nf1
Then follow the instructions in Configure Netflow on the nf1 context.
- How to automatically start the Trisul Probe on reboot
By default, the Web Server and the Trisul Hub components start automatically after a reboot. To start the Probe processes automatically as well, use the normal init.d framework:
update-rc.d trisul-probe0-context0 defaults
- How to add a new remote Probe
Trisul can also be deployed in a distributed hub and probe configuration. See the instructions in How to add a new Probe.
- How to change network interfaces and web server ports
- How to stop and start Trisul processes
To stop all Trisul processes on a Security Onion system:
trisulctl_hub stop context default
trisulctl_hub stop domain
trisulctl_probe stop domain
service webtrisuld stop
To start them, it is the reverse order:
trisulctl_hub start domain
trisulctl_probe start domain
trisulctl_hub start context default
service webtrisuld start
- Are there any other useful plugins?
You may want to install the following plugins from the Download Page.
Also check out the NEW Trisul Apps. Log in as admin and select “Web Admin > Apps”.