Trisul on Security Onion

If you are running Trisul on Security Onion, have you heard the good news? Doug Burks has released a new version of Security Onion based on Ubuntu 12.04 LTS, including a ready-to-run 64-bit ISO. In this post, I am going to describe why you might want to run Trisul on it and how to do so.

Why? Traffic and flows.

Security Onion brilliantly assembles a number of different tools into a coherent NSM (Network Security Monitoring) platform. There are several applications, such as Bro, ELSA, Snorby, Sguil and Squert, each addressing a piece of NSM.

Toss Trisul into the mix and you immediately gain the following:

  1. Traffic monitoring — How is bandwidth being used?
  2. Flow analysis — Who’s doing what?

[Figure: Toppers and traffic across 100+ traffic meters]

Having a deep knowledge of the traffic patterns in your network will boost your ability to detect and respond to various kinds of attacks. You can achieve the same end to a limited extent with tools like ntop or darkstat.

Free

By default, Trisul installs in free mode, which gives you full functionality over the most recent 3 days of data.

Installing

  • First, install a working Security Onion system by following the instructions here. I recommend simply installing from the ISO.
  • Next, follow the steps in the Howto: Install Trisul to complete the installation.
  • Work with Trisul for a while until you get a sense of what it collects.

Packets and alerts

After working with Trisul for a while, you may notice there is considerable overlap between Trisul and some of the other tools. You may wish to disable the following if you are running short of disk space, or if you are quite happy to let the other apps handle it.

Data type   | What Trisul does                     | How to disable
Packets     | Rule-based encrypted packet storage  | Set the <Ring> parameter to FALSE in the config file
IDS Alerts  | Processes IDS alerts from Barnyard2  | Set the Trisul Run Mode to onlinerxring from Customize → App Settings
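The packet-storage row above boils down to flipping one element in Trisul's XML config file. The script below is an added example, not code from the post or from Trisul; it checks whether the <Ring> element is enabled and rewrites it to FALSE, keeping a backup of the original file. The post only names the <Ring> element, so the enclosing element names, the sample values and the config path used here are assumptions, and the lookup searches the whole tree rather than relying on a particular nesting.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed sample config. The post only tells us that a <Ring> parameter exists;
# the <TrisulConfig>/<PacketStorage> wrapper and the size element are assumptions
# made up for this example, not Trisul's documented layout.
SAMPLE_CONFIG = """<TrisulConfig>
  <PacketStorage>
    <Ring>TRUE</Ring>
    <RingSizeMB>1024</RingSizeMB>
  </PacketStorage>
</TrisulConfig>
"""

# Assumed location of the config file; adjust to your installation.
CONFIG_PATH = "/usr/local/share/trisul/config/trisulConfig.xml"


def find_ring(root):
    """Locate the <Ring> element anywhere in the tree (nesting is not assumed)."""
    ring = root.find(".//Ring")
    if ring is None:
        raise ValueError("no <Ring> element found in config")
    return ring


def ring_enabled(xml_text):
    """True when rule-based packet storage is switched on (<Ring>TRUE</Ring>)."""
    root = ET.fromstring(xml_text)
    value = (find_ring(root).text or "").strip().upper()
    return value == "TRUE"


def set_ring(xml_text, enabled):
    """Return the config text with <Ring> set to TRUE or FALSE."""
    root = ET.fromstring(xml_text)
    find_ring(root).text = "TRUE" if enabled else "FALSE"
    # Note: ET.tostring drops any XML declaration; re-add it if your file has one.
    return ET.tostring(root, encoding="unicode")


def disable_ring_in_file(path):
    """Disable packet storage in the config at `path`; returns True if changed.

    A .bak copy is written first so the change can be reverted by hand.
    """
    with open(path, encoding="utf-8") as f:
        text = f.read()
    if not ring_enabled(text):
        return False  # already off, nothing to do
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_ring(text, False))
    return True


if __name__ == "__main__":
    # Dry run on the constructed sample; use disable_ring_in_file(CONFIG_PATH)
    # on a real install (then restart Trisul for the change to take effect).
    print("ring enabled in sample:", ring_enabled(SAMPLE_CONFIG))
    print(set_ring(SAMPLE_CONFIG, False))
```

Run it once against the sample to see the rewritten XML, then point disable_ring_in_file at your real config path; the .bak copy lets you restore packet storage later if you find you miss it.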

Ciao for now. Have fun!
