
Installing Trisul on Security Onion

LEGACY

This documentation refers to an older version of third-party software. The instructions may not work for the current version of that software.

Security Onion is a Linux distro that makes it dead easy to deploy a full-fledged Network Security Monitoring system. This document describes how you can install Trisul on this distro.

Trisul adds network traffic charts and flow analytics to your Security Onion based NSM.

Install Trisul

  1. Follow the instructions for Ubuntu 16.04 on the Download page and install Trisul packages on your Security Onion box.

  2. Update the shared library cache

    sudo ldconfig
  3. Open up Port 3000 and 3003 required for the Trisul web interface

    sudo ufw allow 3000 
    sudo ufw allow 3003
  4. At this point you have a fully functional Trisul installation. You can test this by logging on to <ip>:3000 as admin/admin. Steps 2 through 5 integrate Trisul with the alerts generated by Snort/Suricata.

  5. Automatically start trisul-probe on startup

    sudo update-rc.d trisul-probe0-context0 defaults

Change user to sguil from trisul

By default all Trisul processes and data are owned by the user trisul. You need to change the user to sguil so it integrates better with the rest of the Security Onion processes. In particular, Trisul needs to read the Barnyard2 Unix socket, which is owned by sguil.

Change the hub and probe permissions to sguil

Run sudo trisulctl_hub, then enter the following on its CLI:

sudo trisulctl_hub
changeuser domain domain0 sguil.sguil

Then do the same for the included Trisul-Probe:

sudo trisulctl_probe
changeuser domain domain0 sguil.sguil

Restart web server

Restart the web server so that it runs under the new sguil ownership:

sudo service webtrisuld restart

Adjust the config file

Almost there. You need to make a couple of changes to the probe config file so that Trisul can read the IDS alerts emitted by barnyard2.

  • Open the config file in /usr/local/etc/trisulprobe/domain0/probe0/context0/trisulProbeConfig.xml

  • Change the <IDSAlerts><UnixSocket> parameter to /nsm/sensor_data/xx-yy-eth0/barnyard2_alert. Replace the directory name xx-yy-eth0 with what you see on your machine; type ls /nsm/sensor_data to find out what that is.

  • NEW: If you want to listen to multiple sockets, now you can. Just add as many <UnixSocket> sections as you want. See example below for two sockets.

    <UnixSocket>
    /nsm/sensor_data/unpl-seco-16-prod-enp1s0/barnyard2_alert
    </UnixSocket>
    <UnixSocket>
    /nsm/sensor_data/unpl-seco-16-prod-enp2s0/barnyard2_alert
    </UnixSocket>

Configure and restart Barnyard

  • Open the barnyard2 configuration file in /etc/nsm/xx-yy-eth0/barnyard2-1.conf and add the following line at the end of the configuration file.

    output alert_unixsock

If you are listening on more than one Unix socket, change all of the barnyard2-1.conf files to enable the output alert_unixsock option.

  • Restart barnyard.

    sudo nsm_sensor_ps-restart --only-barnyard2
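As an added example (not part of the Trisul documentation or the product), the script below generates the <UnixSocket> entries for trisulProbeConfig.xml from the sensor directories under a /nsm/sensor_data tree and checks each sensor's barnyard2-1.conf for an active output alert_unixsock line, which is the step most often missed when more than one sensor is present. The sensor names, socket files and config contents are constructed sample data built in a temp directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Trisul docs. Sensor names and files are constructed.

# Emit one <UnixSocket> element per sensor directory under $1 that contains a
# barnyard2_alert socket (a plain file stands in for the socket in this demo).
gen_unixsock_xml() {
    sensor_root="$1"
    for d in "$sensor_root"/*/; do
        d="${d%/}"
        [ -e "$d/barnyard2_alert" ] || continue
        printf '<UnixSocket>\n%s/barnyard2_alert\n</UnixSocket>\n' "$d"
    done
}

# Return 0 if the barnyard2 config at $1 has an uncommented
# "output alert_unixsock" line, 1 otherwise.
has_alert_unixsock() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_unixsock([[:space:]]|$)' "$1"
}

# Count sensors under $1 whose barnyard2-1.conf under config root $2
# (the /etc/nsm/<sensor>/ layout) is missing or lacks alert_unixsock.
count_missing_unixsock() {
    missing=0
    for d in "$1"/*/; do
        name=$(basename "${d%/}")
        conf="$2/$name/barnyard2-1.conf"
        if [ ! -f "$conf" ] || ! has_alert_unixsock "$conf"; then
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample layout: two sensors, only the first enables alert_unixsock
# (the second has the line commented out, so its alerts never reach Trisul).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/sensor_data/so-sensor-eth0" "$DEMO/sensor_data/so-sensor-eth1" \
         "$DEMO/nsm/so-sensor-eth0" "$DEMO/nsm/so-sensor-eth1"
: > "$DEMO/sensor_data/so-sensor-eth0/barnyard2_alert"
: > "$DEMO/sensor_data/so-sensor-eth1/barnyard2_alert"
printf 'output sguil\noutput alert_unixsock\n'   > "$DEMO/nsm/so-sensor-eth0/barnyard2-1.conf"
printf 'output sguil\n# output alert_unixsock\n' > "$DEMO/nsm/so-sensor-eth1/barnyard2-1.conf"

gen_unixsock_xml "$DEMO/sensor_data"
echo "sensors missing alert_unixsock: $(count_missing_unixsock "$DEMO/sensor_data" "$DEMO/nsm")"
```

On a real Security Onion box you would point the two functions at /nsm/sensor_data and /etc/nsm instead of the demo directories and paste the generated elements into the <IDSAlerts> section.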

Start Trisul from the web interface

Go to <ip>:3000 and log in as admin/admin.
Then go to Context : default > Admin Tasks > Start/Stop Tasks and restart the Hub and Probe(s).

Default eth0: By default Trisul listens on eth0. If you wish to change it, read Change capture adapter.

Congratulations! You have finished installing Trisul.

Log in as user/user and check that you see the various dashboards. Check that alerts are appearing on the real-time alert stabber at Dashboard > Real Time Alerts.

More things to do

How to move the Trisul database to /nsm?

Trisul stores its data under /usr/local/var, whereas Security Onion prefers to keep data in /nsm.

You will need to use the Domain management CLI tools trisulctl_probe and trisulctl_hub commands to move the database to the /nsm volume.

Move probe DB

trisulctl_probe
relocate context domain0 probe0 default

Move hub DB

trisulctl_hub
relocate context domain0 hub0 default

For more see Relocate database or type help relocate in the domain management CLI tool.

How to switch to NETFLOW mode

You can choose to use Trisul on the Security Onion box to monitor Netflow. Follow the instructions in Configure Netflow to start consuming Netflow (and SFLOW/IPFIX/JFLOW etc.).

You can even do the following once you are comfortable with one instance of Trisul.

  1. Use the default context for PCAP based monitoring
  2. Spin up a second, new context, say nf1, for monitoring Netflow

New context for netflow

trisulctl_hub
create context nf1

Then follow instructions in Configure Netflow on the nf1 context.

How to automatically start the Trisul Probe on reboot

By default, the Web Server and the Trisul Hub components start automatically after a reboot. To automatically start the Probe processes use the normal init.d framework.

update-rc.d trisul-probe0-context0 defaults 

How to add a new remote Probe

Trisul can also be deployed in a distributed hub and probe configuration. See the instructions in How to add a new Probe.

How to change network interfaces and web server ports

  • Listen on an interface other than eth0 (Docs)
  • Move web server ports from 3000 and 3003 (Docs)
  • Enable SSL for the web interface (Docs)

How to stop and start Trisul processes

If you want to stop all Trisul processes on a Security Onion system:

trisulctl_hub stop context default
trisulctl_hub stop domain
trisulctl_probe stop domain
service webtrisuld stop

To start them again, run the commands in the reverse order:

trisulctl_hub start domain
trisulctl_probe start domain
trisulctl_hub start context default
service webtrisuld start

Are there any other useful plugins?

You may want to sign up and install the following two plugins:

  1. BadFellas
  2. Geo

Also check out the NEW Trisul Apps. Log in as admin and select "Web Admin Apps".