2.15. Geo Plugin

The Geo plugin is an add-on package to Trisul. It enhances the base Trisul functionality by adding

  1. A Country Counter Group – for country-wise traffic metering
  2. An ASN Counter Group – for Autonomous System Number-wise metering

This allows you to

  1. Track top countries In/Out
  2. Track top ASNs In/Out
  3. View historical country-wise and ASN-wise traffic trends
  4. Correlate country and ASN to flows/packets/alerts

2.15.1 Location

In a file called PI-55885818-125E-48D0-8AC9-A7E3AD2F60FD.xml in /usr/local/etc/trisul-probe/domainX/probeX/contextX. Use the cfgedit tool.

2.15.2 Samples

Here is a screenshot to give you an idea of what functionality is added by this plugin.

Traffic by ASN
Traffic by country

2.15.3 Setup


This plugin is distributed as an RPM / DEB package.

To install

rpm -Uvh trisul_geo-1.0.119-0.el5.x86_64.rpm
dpkg -i trisul_geo-1.0.119.amd64.deb

To uninstall

rpm -e trisul_geo
dpkg -r trisul_geo


Once installed, the plugin will become effective the next time you restart Trisul.

2.15.4 Database

To work accurately, this plugin needs an up-to-date geolocation database. We currently only support geolocation databases from Maxmind.

The basic install includes two trial databases in


Commercial – Recommended

You need to independently procure the latest copies of these databases from http://www.maxmind.com. They are relatively inexpensive and include monthly updates. The databases you want are:

  1. GeoIP Country
  2. GeoIP Organization

Please contact the list vendor directly for a subscription.

Open Source

Maxmind also offers open source versions of these databases. They are slightly less accurate than their commercial cousins but may work for you.
They are called:

  1. GeoLite Country (get it from http://www.maxmind.com/app/geolitecountry )
  2. GeoLite ASN (get it from http://www.maxmind.com/app/asnum )

You need to download the binary format.

Installing the database

Whether you procure the commercial version or use the open source version from MaxMind, you will end up with two files called


Simply unzip them in the /usr/local/share/trisul_geo/plugins directory and restart Trisul for the changes to take effect.

2.15.5 Periodic updates

Once installed, Trisul will automatically keep the databases updated. It will download a new version every day at 0200 Hrs. If you wish to change this behavior, edit the file /usr/local/share/trisul/plugins/Geo.xml.

The main parameters you may be interested in editing are:

  ReloadListSeconds – Trisul checks for new files every so many seconds
  URL               – Where do we download this from
  RunAt             – What time do we want to download new data files
  Frequency         – Number of seconds between runs. 86400 seconds = 1 day

    <description>Controls how the Trisul geo plugin works, currently very little policy  </description>
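
A freshness check for the database files, as an added example (not part of Trisul or of the original page): if the daily download fails silently, country and ASN attribution is computed from old data. The function name, return codes and sample file names are assumptions; the database file names are not given here, so the caller passes a glob pattern.

```shell
#!/bin/sh
# Added example (not Trisul code): report geo database files that have not
# been refreshed recently. The database file names are not given on this
# page, so the caller supplies a glob pattern for them (assumption).

# check_geo_db_age DIR PATTERN MAX_AGE_DAYS
#   prints one line per matching file: "STALE <path>" or "OK <path>"
#   returns 0 if every match is fresh, 1 if any is stale,
#           2 if the directory is missing or nothing matches
check_geo_db_age() {
    dir=$1 pattern=$2 max_days=$3
    max_min=$((max_days * 1440))      # age threshold in minutes
    found=0 stale=0

    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    # Expand the pattern inside DIR only; an unmatched glob stays literal
    # and is skipped by the -f test.
    for f in "$dir"/$pattern; do
        [ -f "$f" ] || continue
        found=1
        # find prints the path only if mtime is older than max_min minutes
        if [ -n "$(find "$f" -mmin +"$max_min" 2>/dev/null)" ]; then
            echo "STALE $f"
            stale=1
        else
            echo "OK $f"
        fi
    done

    # No database at all is worse than an old one: report it separately.
    [ "$found" -eq 1 ] || { echo "NONE $dir/$pattern"; return 2; }
    return "$stale"
}
```

Run it from cron or a monitoring agent against the directory where the databases were unzipped, with a threshold a little above the configured Frequency, and alert on any non-zero return.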