====== Connecting Snort to Trisul Network Analytics ======
A step-by-step guide for Ubuntu 16.04 which explains how to:
- Install Snort
- Replace with Emerging Threats rules
- Configure Oinkmaster for automatic updates
- Start snort and view analytics in TrisulNSM
===== Install snort =====
Snort has a package for Ubuntu which installs all the required components:
<code bash>
apt-get update
apt-get install snort
</code>
Also install oinkmaster, which has an Ubuntu package as well:
<code bash>
apt-get install oinkmaster
</code>
===== Replace with Emerging Threats rules =====
We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.
==== Download ET Community rules ====
<code bash>
cd /etc/snort
mv rules rules_old
wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
tar xf emerging.rules.tar.gz -C /etc/snort
</code>
==== Point to the new ET rules ====
Open ''snort.conf'', copy the ''include'' lines from ''rules/emerging.conf'' into it, and comment out the old rule includes in ''snort.conf''.
This is a bit of a chore, but you only do it once.
==== Specify a HOMENET ====
If you don't do this, you will find out soon enough: many ET rules reference ''$HOME_NET'' and won't load without it.
Example:
<code>
ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8
</code>
===== Configure Oinkmaster =====
Oinkmaster will keep the rules updated.
Open ''/etc/oinkmaster.conf'' and add the ET (or ET Pro) rule path using the ''url'' directive:
<code>
# EMERGING THREATS COMMUNITY
url = https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
</code>
Then you can test it out:
<code bash>
oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</code>
==== Make oinkmaster refresh at 2AM every night ====
The following crontab entry will:
- Run at 2:00 AM every night
- Download the latest rules and install them correctly
- Send a SIGUSR1 to snort to reload the new rules
Open ''crontab -e'' and add the following line (it is written in the system crontab format with a user field, so if you put it into root's own crontab via ''crontab -e'' rather than ''/etc/crontab'', drop the ''root'' field):
<code>
0 2 * * * root ( /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules; sleep 5; kill -USR1 `pidof -s snort` )
</code>
Check the signal table in the Snort manual for your build before relying on this: in Snort 2.9 the configuration reload signal is SIGHUP by default, while SIGUSR1 dumps statistics, so the ''kill'' above may need ''-HUP'' instead.
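As an added example (not part of the original page or of Trisul's own tooling), the cron job above rewritten as a small wrapper script that validates the refreshed ruleset with ''snort -T'' before signalling the running daemon, so a rule update that does not parse cannot take the sensor down; the paths, the reload signal and the ''SNORT_PID'' override are assumptions set through environment variables.

```sh
#!/bin/sh
# Added example: refresh ET rules with oinkmaster, validate the config with
# "snort -T", and only then ask the running snort to reload. Paths below are
# assumptions for the Ubuntu package layout; override them via the environment.
OINKMASTER=${OINKMASTER:-/usr/sbin/oinkmaster}
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
SNORT=${SNORT:-/usr/sbin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
# Signal that makes this Snort build re-read its configuration (HUP by default).
RELOAD_SIGNAL=${RELOAD_SIGNAL:-HUP}

# Step 1: pull the latest ruleset into RULES_DIR (non-zero exit on failure).
update_rules() {
  "$OINKMASTER" -C "$OINK_CONF" -o "$RULES_DIR"
}

# Step 2: parse the full config with the new rules without sniffing traffic.
# snort -T exits non-zero if any rule or option fails to load, which is exactly
# the case where signalling a reload would otherwise take the sensor down.
test_config() {
  "$SNORT" -T -q -c "$SNORT_CONF" >/dev/null 2>&1
}

# Step 3: signal the running daemon. SNORT_PID may be preset (e.g. by a
# supervisor); otherwise it is looked up with pidof.
reload_snort() {
  pid=${SNORT_PID:-$(pidof -s snort 2>/dev/null)}
  [ -n "$pid" ] || return 1
  kill -"$RELOAD_SIGNAL" "$pid"
}

# Orchestrate the three steps; the return code tells cron mail what went wrong:
# 0 = reloaded, 1 = rule download failed, 2 = new rules do not parse (old rules
# stay active in the running process), 3 = no snort process to signal.
refresh_and_reload() {
  update_rules || { echo "rule update failed" >&2; return 1; }
  test_config  || { echo "config test failed, not reloading" >&2; return 2; }
  reload_snort || { echo "snort not running" >&2; return 3; }
  echo "rules refreshed and snort reloaded"
  return 0
}

# Invoked from cron as: 0 2 * * * root /usr/local/sbin/snort-rules-refresh.sh run
if [ "${1:-}" = "run" ]; then
  refresh_and_reload
  exit $?
fi
```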
That is pretty much it.
===== Start snort and view analytics in TrisulNSM =====
First stop the old instance of snort:
<code bash>
pkill snort
</code>
Then log in to Trisul as admin/admin;
* then go to Admin Tasks -> Start/Stop Tasks
* on the selected network adapters -> More Options -> click on "How to start snort?"
* copy and paste that command into a terminal.
You're all done.
To view analytics in Trisul you can start with the **Real Time Alerts dashboard**.