How to send IDS alerts to Trisul

This section describes how to set up an IDS such as Snort or Suricata to send alerts to Trisul.

TL;DR: you need to hook up Snort or Barnyard to write alerts to a unix socket.

The Unix Socket

Trisul can accept alerts in two formats from a named Unix socket

  1. Unified format; for use with the snort -A unsock option
  2. Unified2 format; for use with barnyard2

The default install of Trisul listens on a unix socket called /usr/local/var/lib/trisul/CONTEXT0/run/snort_alert. You can change this by editing the IDSAlert/UnixSocket parameter in the config file.

Run modes

Runmodes control how Trisul runs.

Run mode                                         Unified format   Unified2 format
Trisul processing live packets via RX Ring       fullblown_rx     fullblown_rxu2
Trisul processing live packets via Libpcap       fullblown        fullblown_u2
Trisul batch processing alerts off pcap files    idsalert         idsalertu2

So, for most cases, this means:

  1. If you are connecting snort directly to trisul via -A unsock: use the fullblown mode
  2. If you are sending alerts to trisul via barnyard2: use the fullblown_u2 mode

Connecting Snort to Trisul

Two steps.

Step 1. Start Trisul

  1. Change the runmode to fullblown via Customize → App Settings → Trisul Running Mode
  2. Start Trisul via Admin → Start/Stop Tasks → Start Trisul

or via the command line

trisul -demon /usr/local/etc/trisul/trisulConfig.xml -mode fullblown

Step 2. Start Snort in unsock mode

Run the following command

snort -A unsock -l /usr/local/var/lib/trisul/CONTEXT0/run -c /usr/local/etc/snort.conf -i eth0 -D
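The plumbing behind the two commands above, as an added example that is not Trisul's or Snort's own code: snort -A unsock sends one datagram per alert to the unix socket snort_alert inside the -l directory, and the listener (Trisul, here stood in for by a small Python script) must have bound a SOCK_DGRAM socket at that path before snort starts. Each Snort 2.x Alertpkt datagram begins with a 256-byte NUL-padded alert message; the fields after it vary between Snort versions, so only that stable prefix is decoded. The test datagram is constructed here, and the socket path is an assumption.

```python
import os
import socket
import tempfile

# Length of the alert message prefix of a Snort 2.x Alertpkt (ALERTMSG_LENGTH).
ALERTMSG_LENGTH = 256


def parse_alertmsg(datagram: bytes) -> str:
    """Return the NUL-terminated alert text at the start of an Alertpkt datagram."""
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError("datagram too short to be an Alertpkt")
    return datagram[:ALERTMSG_LENGTH].split(b"\x00", 1)[0].decode("ascii", "replace")


def open_alert_socket(path: str) -> socket.socket:
    """Bind a datagram socket at <logdir>/snort_alert, as the listener must do before snort starts."""
    if os.path.exists(path):
        os.unlink(path)          # a stale socket file would make bind() fail
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    sock.settimeout(5)           # do not hang forever if nothing is writing
    return sock


def receive_alerts(sock: socket.socket, count: int) -> list:
    """Read `count` datagrams and return their alert messages."""
    return [parse_alertmsg(sock.recv(65536)) for _ in range(count)]


def send_test_alert(path: str, message: str) -> None:
    """Send a constructed datagram shaped like the start of an Alertpkt (not a real Snort alert)."""
    prefix = message.encode("ascii")[: ALERTMSG_LENGTH - 1].ljust(ALERTMSG_LENGTH, b"\x00")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(prefix + b"\x00" * 64, path)


def plumbing_check(path: str = None) -> list:
    """End-to-end check: bind the socket, send one constructed alert, read it back."""
    path = path or os.path.join(tempfile.mkdtemp(), "snort_alert")  # assumed test path
    sock = open_alert_socket(path)
    try:
        send_test_alert(path, "TEST ALERT (constructed)")
        return receive_alerts(sock, 1)
    finally:
        sock.close()
        os.unlink(path)


if __name__ == "__main__":
    print(plumbing_check())
```

Pointing open_alert_socket at a real -l directory while Trisul is stopped lets you confirm that snort is actually emitting alerts before debugging the Trisul side.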

Connecting Barnyard2 to Trisul

This section also applies to Suricata users, because you have to use Barnyard2.

Start Trisul

  1. Change the runmode to fullblown_u2 via Customize → App Settings → Trisul Running Mode
  2. Start Trisul via Admin → Start/Stop Tasks → Start Trisul

or via the command line

trisul -demon /usr/local/etc/trisul/trisulConfig.xml -mode fullblown_u2

Start barnyard2

All we need to do now is to run barnyard2 to read the unified2 files and send alerts into the Unix socket.

Edit barnyard2.conf and enable the alert_unixsock option.

Note that you can have multiple output types in Barnyard2, so you don't have to disturb your existing outputs, such as syslog or sguil.

#
# output alert_fast: stdout
output alert_unixsock

Run barnyard2 like so

barnyard2 -c barnyard2.conf -l /tmp -o /tmp/byin/unified2.alert.*

This command assumes:

  1. Trisul listening for Unified2 alerts on the unix socket /tmp/barnyard2_alert (see trisulConfig.xml)
  2. Suricata writing Unified2 alerts to /tmp/byin

Suricata note

Start Suricata

First edit the suricata.yaml file and check if Unified2 logging is enabled. You can disable all other logging.

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

      # Limit in MB.
      limit: 500

Next start suricata and have it log to the /tmp/byin directory (byin is just a convention for the barnyard input directory; you can use any name you want). This will cause suricata to write files of the form unified2..log in the /tmp/byin directory.

suricata -c suricata.yaml -l /tmp/byin -i eth0

Additional reference

A diagram that shows the relationship between the various pieces.

Reading in alerts from pcap dumps

This assumes the pcap dumps have already been processed by Trisul, so traffic statistics, flow data, and raw packets have already been computed and stored. We just want to enrich that stored data by correlating security alerts with it.

Start Trisul in idsalert mode

trisul -demon /usr/local/etc/trisul/trisulConfig.xml -mode idsalert

Start Snort in unsock mode and read in the pcaps

snort -A unsock -l /tmp -c /usr/local/etc/snort.conf -r /home/vivek/hugedump.pcap