Install Trisul
Trisul is a distributed network analytics system that can be installed on off-the-shelf hardware. Beginners and users of the Free License will want to install all the packages on a single server. Advanced users can split the Hub and Probe nodes and roll out a distributed deployment.
Is this your first install? Follow the steps in the Download page first.
Packages
The Trisul Network Analytics system consists of 3 Core and 3 Optional Plugin packages.
Core packages
These three packages are required.
- trisul-probe | the probe node
- trisul-hub | the hub node
- webtrisul | the webserver
Plugin packages
Optional packages to provide extra functionality.
- trisul-badfellas | Badfellas plugin: compares traffic with public intel sources
- trisul-geo | Geo plugin: adds country and ASN metering
Docker
You can also install our new TrisulNSM Docker image, which contains a fully functional NSM (Network Security Monitoring) system including an integrated IDS. This is an alternative to the package installation.
Ubuntu Installation
You can use apt-get or download and install the individual DEB packages manually.
Adding the APT repository
If you plan on using apt-get you need to add the Trisul.org repository to your sources.
sudo add-apt-repository http://trisul.org/repos/apt/debian
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A6CC1B18
sudo apt-get update
Next you can install the packages. The following command installs the three core packages:
sudo apt-get install trisul-hub trisul-probe webtrisul
To install the plugins:
sudo apt-get install trisul-badfellas trisul-urlfilter trisul-geo
Installing the DEB packages manually
The DEB packages can be found on the Downloads page.
- Download each DEB package and install them manually using
dpkg -i trisul-probe-6.0_xxx.deb
etc.
CentOS/RHEL Installation
You can use rpm or yum to install the packages.
Adding the YUM repository
You only have to do this once to add the Trisul repository to yum.repos.d:
cd /etc/yum.repos.d
wget http://trisul.org/download/trisulfull.repo
# check if Trisul Full is available now
yum group list
Then install the packages normally. The following example installs the Trisul core packages:
yum install trisul-hub trisul-probe webtrisul
The following installs the three plugin packages:
yum install trisul-badfellas trisul-urlfilter trisul-geo
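The repo file in the steps above is fetched over plain HTTP, and yum will apply whatever baseurl, gpgcheck and gpgkey settings it carries, so it is worth reading before the install step. The script below is an added example, not part of the Trisul documentation; the function names audit_repo and sample_repo and the sample file are constructed, since the real contents of trisulfull.repo are not shown on this page.

```shell
#!/bin/sh
# Added example: review a yum .repo file before trusting it in /etc/yum.repos.d.
# Per [section] it flags a plaintext http:// baseurl, a missing/http gpgkey, and
# gpgcheck not set to 1 (a missing value inherits from [main] in yum.conf).
audit_repo() {
    awk '
    function report() {
        if (sec == "") return
        if (url ~ /^http:/) print sec ": baseurl uses plaintext http"
        if (chk != "1")     print sec ": gpgcheck not set to 1"
        if (key == "")      print sec ": no gpgkey configured"
        else if (key ~ /^http:/) print sec ": gpgkey fetched over plaintext http"
    }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    /^[ \t]*\[.*\]/ {                      # new [section]: report the previous one
        report(); sec = $0
        gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        url = ""; chk = ""; key = ""; next
    }
    /=/ {                                  # key=value inside the current section
        k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
        if (k == "baseurl") url = v
        else if (k == "gpgcheck") chk = v
        else if (k == "gpgkey") key = v
    }
    END { report() }
    ' "$1"
}

# Constructed sample input, NOT the real contents of trisulfull.repo.
sample_repo() {
    cat <<'EOF'
[example-plaintext]
baseurl=http://repo.example.invalid/el/
gpgcheck=0

[example-hardened]
baseurl=https://repo.example.invalid/el/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
}

tmp=$(mktemp)
sample_repo > "$tmp"
audit_repo "$tmp"      # prints one finding per line; no output means no findings
rm -f "$tmp"
```

On a real system, run audit_repo /etc/yum.repos.d/trisulfull.repo after the wget step and before any yum install.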
Installing the RPM packages manually
- Download each RPM file and use rpm -Uvh to install them:
rpm -Uvh trisul-probe-6.0xyz.rpm
etc.
Customize initial configuration
By default, all Trisul Probes will listen in PCAP mode on interface eth0 using the online_rxring mode. If this is good for you, then you can just start the probe and skip this section for now. You rarely need to tweak the hub configuration; here are some changes you may want to make to the probe.
Customizing the probe
The Trisul configuration file is created in /usr/local/etc/trisul-probe/domain0/probe0/context0/trisulProbeConfig.xml
Some of the things you may want to change are:
Parameter | Description |
---|---|
TrisulMode | Default is TAP; if you are feeding Netflow change this to NETFLOW_TAP |
Ring | Default is enabled, disable if you do not want to store packets |
User | Default is trisul.trisul. Change if you want Trisul to run as an existing user |
Tweaking application parameters from the web interface
Log in to the web interface as admin/admin; you may want to change the following two parameters.
Parameter | Default | Where to change |
---|---|---|
Interface | Listens for traffic on eth0 | Go to Context Default → Profile0 → Capture Adapter to change |
Home Networks | Only private IP space treated as home network | Go to Context Default → Profile0 → Home Networks to change |
Distributed install
The default installation and the free license allow you to put all components on a single server. Once you wish to scale up, you can deploy a number of trisul-probes reporting to one or more trisul-hub nodes. The rules are:
- trisul-hub and webtrisul should be installed on one machine
- multiple trisul-probes can be installed
- the optional plugin packages must be installed along with trisul-probe
Next: Starting and stopping Trisul
The next section you want to read is Starting and Stopping Trisul.