2.15. Geo Plugin
The Geo plugin is an add-on package for Trisul. It extends the base Trisul functionality by adding:
- A Country Counter Group, for country-wise traffic metering
- An ASN Counter Group, for Autonomous System Number (ASN)-wise traffic metering
This allows you to:
- Track top countries In/Out
- Track top ASNs In/Out
- View historical country-wise and ASN-wise traffic trends
- Correlate countries and ASNs to flows/packets/alerts
The plugin configuration is kept in a file called PI-55885818-125E-48D0-8AC9-A7E3AD2F60FD.xml in /usr/local/etc/trisul-probe/domainX/probeX/contextX. Use the cfgedit tool to edit it.
Here are two screenshots to give you an idea of what functionality is added by this plugin.
[Screenshot: Traffic by ASN]
[Screenshot: Traffic by country]
This plugin is distributed as an RPM / DEB package.
To install:
rpm -Uvh trisul_geo-1.0.119-0.el5.x86_64.rpm
dpkg -i trisul_geo-1.0.119.amd64.deb
To remove:
rpm -e trisul_geo
dpkg -r trisul_geo
Once installed, the plugin will become effective the next time you restart Trisul.
In order to work accurately, this plugin needs an up-to-date geolocation database. We currently only support geolocation databases from MaxMind.
The basic install includes two trial databases in
Commercial – Recommended
You need to independently procure the latest copies of these databases from http://www.maxmind.com. They are relatively inexpensive and include monthly updates. The databases you want are:
- GeoIP Country
- GeoIP Organization
MaxMind also offers open source versions of these databases. They are slightly less accurate than their commercial cousins but may work for you.
They are called:
- GeoLite Country (get it from http://www.maxmind.com/app/geolitecountry)
- GeoLite ASN (get it from http://www.maxmind.com/app/asnum)
You need to download the binary format.
Installing the database
Whether you procure the commercial version or use the open source version from MaxMind, you will end up with two files called
Simply unzip them in the /usr/local/share/trisul_geo/plugins directory and restart Trisul for the changes to take effect.
2.15.5 Periodic updates
Once installed, Trisul will automatically keep the databases updated. It will download a new version every day at 0200 hrs. If you wish to change this behavior, edit /usr/local/share/trisul/plugins/Geo.xml.
The main parameters you may be interested in editing are:
- ReloadListSeconds: Trisul checks for new files every so many seconds
- URL: where the data files are downloaded from
- RunAt: the time of day at which new data files are downloaded
- Frequency: number of seconds between runs (86400 seconds = 1 day)
<TrisulPluginConfiguration>
  <Policy>
    <description>Controls how the Trisul geo plugin works, currently very little policy </description>
    <ReloadListSeconds>3600</ReloadListSeconds>
  </Policy>
  <Update>
    <Sources>
      <Source>
        <URL>http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz</URL>
        <Target>GeoIP.dat.gz</Target>
      </Source>
      <Source>
        <URL>http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz</URL>
        <Target>GeoIPASNum.dat.gz</Target>
      </Source>
    </Sources>
    <Output>
      <Filename></Filename>
    </Output>
    <Post>
      <Cmd>gunzip</Cmd>
    </Post>
    <Run>
      <RunAt>0200</RunAt>
      <Frequency>86400</Frequency>
    </Run>
  </Update>
</TrisulPluginConfiguration>
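As an added example (not part of Trisul or its documentation), the script below parses the Update section of a Geo.xml such as the one above, lists the download sources, flags sources fetched over plain HTTP (the files are gunzipped and loaded by the probe, so transport integrity matters to a reviewer), and computes the next scheduled download from RunAt and Frequency as the parameter list describes them. The function names are hypothetical and the sample document is the configuration above reproduced inline.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample: the Update section of the Geo.xml shown in the documentation.
SAMPLE_GEO_XML = """<TrisulPluginConfiguration>
 <Policy><ReloadListSeconds>3600</ReloadListSeconds></Policy>
 <Update>
  <Sources>
   <Source><URL>http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz</URL>
    <Target>GeoIP.dat.gz</Target></Source>
   <Source><URL>http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz</URL>
    <Target>GeoIPASNum.dat.gz</Target></Source>
  </Sources>
  <Post><Cmd>gunzip</Cmd></Post>
  <Run><RunAt>0200</RunAt><Frequency>86400</Frequency></Run>
 </Update>
</TrisulPluginConfiguration>"""

def parse_geo_config(xml_text):
    """Pull the update settings out of a Geo.xml document (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    upd = root.find("Update")
    return {
        "reload_seconds": int(root.findtext("Policy/ReloadListSeconds", "0")),
        "sources": [(s.findtext("URL", "").strip(), s.findtext("Target", "").strip())
                    for s in upd.findall("Sources/Source")],
        "post_cmd": upd.findtext("Post/Cmd", "").strip(),
        "run_at": upd.findtext("Run/RunAt", "").strip(),
        "frequency": int(upd.findtext("Run/Frequency", "0")),
    }

def audit_sources(cfg):
    """Findings a reviewer would raise about the configured download sources."""
    findings = []
    for url, target in cfg["sources"]:
        u = urlparse(url)
        if u.scheme != "https":  # cleartext fetch, then gunzip and load: no integrity check
            findings.append(f"{target}: fetched over {u.scheme}, no transport integrity")
        if u.path.rsplit("/", 1)[-1] != target:
            findings.append(f"{target}: Target does not match the URL filename")
    return findings

def next_run(cfg, now):
    """Next download after `now`: RunAt is HHMM, Frequency is seconds between runs."""
    run = now.replace(hour=int(cfg["run_at"][:2]), minute=int(cfg["run_at"][2:]),
                      second=0, microsecond=0)
    while run <= now:
        run += timedelta(seconds=cfg["frequency"])
    return run
```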