2.3. Install Trisul
Trisul is a distributed network analytics system that can be installed on off the shelf hardware. Beginners and users of the Free License will want to install all the packages on a single server. Advanced users can split the Hub and Probe nodes and roll out a distributed deployment.
Trisul Network Analytics uses the normal APT (Ubuntu) and YUM (Redhat) tools for releasing packages. There are two custom repositories
- CentOS/RHEL : https://trisul.org/download/trisulfull.repo
- Ubuntu : https://trisul.org/repos/apt/debian
The Trisul Network Analytics system consists of 3 Core and 3 Optional Plugin packages.
These three packages are required.
- trisul-probe | the probe node
- trisul-hub | the hub node
- webtrisul | the webserver
Optional packages to provide extra functionality.
- trisul-badfellas | Badfellas plugin – compares traffic with public intel sources
- trisul-geo | Geo plugin – adds country and ASN metering
- trisul-urlfilter | Urlfilter – classifies web traffic
You can also install our new TrisulNSM Docker image which contains a fully functional NSM (Network Security Monitoring) system including an integrated IDS. This is an alternative to the package installation.
2.3.3 Ubuntu Installation
You can use apt-get or download and install the individual DEB packages manually.
Adding the APT repository
If you plan on using apt-get you need to add the Trisul.org repository to your sources.
sudo add-apt-repository http://trisul.org/repos/apt/debian sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A6CC1B18 sudo apt-get update
Next you can install the packages. The following command installs the three core packages
sudo apt-get install trisul-hub trisul-probe webtrisul
to install the plugins
sudo apt-get install trisul-badfellas trisul-urlfilter trisul-geo
Installing the DEB packages manually
The DEB packages can be found on the Downloads page.
- Download each DEB package and install them manually using
dpkg -i trisul-probe-6.0_xxx.debetc.
2.3.4 CentOS/RHEL Installation
You can use rpm or yum to install the packages.
Adding the YUM repository
You only have to do this once to add the Trisul repository to yum.repos.d
cd /etc/yum.repos.d wget http://trisul.org/download/trisulfull.repo # check if Trisul Full is available now yum group list
then install the packages normally. The following example installs the Trisul core packages
yum install trisul-hub trisul-probe webtrisul
the following installs the three plugin packages
yum install trisul-badfellas trisul-urlfilter trisul-geo
Installing the RPM packages manually
- Download each RPM file and use
rpm -Uvhto install them :
rpm -Uvh trisul-probe-6.0xyz.rpmetc.
2.3.5 Customize initial configuration
By default, all Trisul Probes will listen on
PCAP mode on interface
eth0 using the
online_rxring mode. If this is good for you, then you can just start the probe and skip this section for now. You rarely need to tweak the hub configuration , here are some changes you may want to make to the probe.
Customizing the probe
The trisul configuration file is created in /usr/local/etc/trisul-probe/domain0/probe0/context0/trisulProbeConfig.xml
Some of the things you may want to change are :
|TrisulMode||Default is TAP, if you are feeding Netflow change this to NETFLOW_TAP|
|Ring||Default is enabled, disable if you do not want to store packets|
|User||Default is trisul.trisul. Change if you want trisul to run as an existing user|
Tweaking application parameters from the web interface
Login to the web interface as admin/admin and you may want to change the following two parameters.
|Interface||Listens for traffic on eth0||Go to Context Default → Profile0 → Capture Adapter to change|
|Home Networks||Only private IP space treated as home network||Goto Context Default → Profile0 → Home Networks to change|
2.3.6 Distributed install
The default installation and the free license allows you to put all componments on a single server. Once you wish to scale up, you can deploy a number of trisul-probe’s reporting to one of more trisul-hub nodes. The rules are :
- trisul-hub and webtrisul should be installed on one machine
- multiple trisul-probes can be installed
- the optional plugins packages must be installed along with trisul-probe
2.3.7 Next. Starting and stopping Trisul
The next section you want to read is Starting and Stopping Trisul