2.15. Geo Plugin

The Geo plugin is an add-on package for Trisul. It enhances the base Trisul functionality by adding

  1. A Country counter group – for country-wise traffic metering
  2. An ASN counter group – for Autonomous System Number (ASN) wise metering

This allows you to

  1. Track top countries In/Out
  2. Track top ASNs In/Out
  3. View historical country-wise and ASN-wise traffic trends
  4. Correlate countries and ASNs to flows/packets/alerts

2.15.1 Samples

Here are screenshots to give you an idea of what functionality is added by this plugin.

[Screenshot: Traffic by ASN]
[Screenshot: Traffic by country]

2.15.2 Setup

Installation

This plugin is distributed as an RPM / DEB package.

To install

CentOS
rpm -Uvh trisul_geo-1.0.119-0.el5.x86_64.rpm
Ubuntu
dpkg -i trisul_geo-1.0.119.amd64.deb

To uninstall

CentOS
rpm -e trisul_geo
Ubuntu
dpkg -r trisul_geo

Starting

Once installed, the plugin will become effective the next time you restart Trisul.

2.15.3 Database

To work accurately, this plugin needs an up-to-date geolocation database. Currently only geolocation databases from MaxMind are supported.

The basic install includes two trial databases in

/usr/local/share/trisul_geo/plugins/GeoIP.dat
/usr/local/share/trisul_geo/plugins/GeoIPASNum.dat

Commercial – Recommended

You need to independently procure the latest copies of these databases from http://www.maxmind.com. They are relatively inexpensive and include monthly updates. The databases you want are:

  1. GeoIP Country
  2. GeoIP Organization

Please contact the vendor directly for a subscription.

Open Source

MaxMind also offers open source versions of these databases. They are slightly less accurate than their commercial counterparts but may work for you.
They are called:

  1. GeoLite Country (get it from http://www.maxmind.com/app/geolitecountry )
  2. GeoLite ASN (get it from http://www.maxmind.com/app/asnum )

You need to download the binary format of each database.

Installing the database

Whether you procure the commercial version or use the open source version from MaxMind, you will end up with two files called

GeoIPASNum.dat.gz
GeoIP.dat.gz

Simply unzip them into the /usr/local/share/trisul_geo/plugins directory and restart Trisul for the changes to take effect.

2.15.4 Periodic updates

Once installed, Trisul will automatically keep the databases updated. It will download a new version every day at 0200 hrs. If you wish to change this behavior, edit /usr/local/share/trisul/plugins/Geo.xml.

The main parameters you may be interested in editing are:

  ReloadListSeconds – Trisul checks for new files every so many seconds
  URL               – where the data files are downloaded from
  RunAt             – the time of day at which new data files are downloaded
  Frequency         – number of seconds between runs (86400 seconds = 1 day)

<TrisulPluginConfiguration>
  <Policy>
    <description>Controls how the Trisul geo plugin works, currently very little policy  </description>
    <ReloadListSeconds>3600</ReloadListSeconds>
  </Policy>

  <Update>
    <Sources>
      <Source>
        <URL>http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz</URL>
        <Target>GeoIP.dat.gz</Target>
      </Source>
      
      <Source>
        <URL>http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz</URL>
        <Target>GeoIPASNum.dat.gz</Target>
      </Source>
    </Sources>

    <Output>
      <Filename></Filename>
    </Output>

    <Post>
      <Cmd>gunzip</Cmd>
    </Post>

    <Run>
      <RunAt>0200</RunAt>
      <Frequency>86400</Frequency>
    </Run>
  </Update>

</TrisulPluginConfiguration>
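As an added example (not Trisul's own code), the following Python reads the Update section of a Geo.xml laid out like the one above, computes the next download time under the assumed RunAt/Frequency semantics (first run at RunAt, then every Frequency seconds), and flags two things worth checking before enabling automatic updates: a Source fetched over plain HTTP, whose file is then handed to the Post command, and a Target that is not a bare filename. The sample hosts, the Target values and the schedule semantics are assumptions.

```python
"""Added example, not part of Trisul: parse a Geo.xml update section and
flag settings a defender would want changed before enabling auto-updates."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample following the Geo.xml layout above; the hosts are fake.
SAMPLE_GEO_XML = """<TrisulPluginConfiguration>
 <Policy><ReloadListSeconds>3600</ReloadListSeconds></Policy>
 <Update>
  <Sources>
   <Source><URL>http://geo.example/GeoIP.dat.gz</URL><Target>GeoIP.dat.gz</Target></Source>
   <Source><URL>https://geo.example/asn.gz</URL><Target>../GeoIPASNum.dat.gz</Target></Source>
  </Sources>
  <Post><Cmd>gunzip</Cmd></Post>
  <Run><RunAt>0200</RunAt><Frequency>86400</Frequency></Run>
 </Update>
</TrisulPluginConfiguration>"""


def parse_geo_xml(text):
    """Extract the parameters the text describes: sources, Post command, schedule."""
    upd = ET.fromstring(text).find("Update")
    return {
        "sources": [(s.findtext("URL"), s.findtext("Target"))
                    for s in upd.findall("Sources/Source")],
        "post_cmd": upd.findtext("Post/Cmd"),
        "run_at": upd.findtext("Run/RunAt"),              # HHMM, e.g. 0200
        "frequency": int(upd.findtext("Run/Frequency")),  # seconds between runs
    }


def next_run(cfg, now):
    """Assumed schedule semantics: first run at RunAt, then every Frequency seconds."""
    hh, mm = int(cfg["run_at"][:2]), int(cfg["run_at"][2:])
    candidate = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    while candidate <= now:
        candidate += timedelta(seconds=cfg["frequency"])
    return candidate


def lint(cfg):
    """Cleartext downloads feeding the Post command, and Targets that leave the plugin dir."""
    findings = []
    for url, target in cfg["sources"]:
        if urlparse(url).scheme != "https":
            findings.append(f"{url}: fetched without TLS, then passed to {cfg['post_cmd']}")
        if "/" in target or target.startswith("."):
            findings.append(f"{target}: Target must be a bare filename")
    return findings
```

Running lint(parse_geo_xml(SAMPLE_GEO_XML)) reports the HTTP source and the "../" Target; a clean Geo.xml returns an empty list.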