Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » tips » FireHOL Checker
Trace: FireHOL Checker Enabling Ingress and Egress Netflow - issues and valid use cases Cisco Flexible Netflow configuration
tips:firehol_checker

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
tips:firehol_checker [2020/03/24 17:49] – created navaneethtips:firehol_checker [2020/03/24 19:01] (current) navaneeth
Line 1: Line 1:
 ====== FireHOL Checker ====== ====== FireHOL Checker ======
  
-This article helps you providing steps to install and run the FireHOL Checker App in Trisul Network Analytics.+This article helps you with providing steps to install and run the FireHOL Checker App in Trisul Network Analytics.
  
 ** **
Line 7: Line 7:
 ** **
  
-{{:tips:firehol.png?200|}}+{{:tips:firehol.png?400|}} 
 + 
 +===== Precondition ===== 
 + 
 +The following should be done prior to installing this app. 
 +  - The Trisul Network Analytics Installed. 
 +  - All the hub and Probe nodes should be up. 
 +  - The FireHOL Checker App must have been installed from //Admin > Manage > Apps >FireHOL Checker//
 + 
 +{{:tips:fireholappadmin.png?400|}} 
 + 
 +After installing the app the following steps should be done to enable the FireHOL Checker App. 
 + 
 +===== Steps for Activation ===== 
 + 
 +==== 1.  Installing the feed ==== 
 + 
 +Run the installfeed.sh script in this folder to install the FireHOL feeds and update the CRON to download every hour. 
 + 
 +<code># curl -O  https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/firehol/installfeed.sh 
 +</code> 
 +<code>bash ./installfeed.sh 
 +</code> 
 + 
 +{{:tips:fireholappinstall.png?600|}} 
 + 
 +<note important>Please ensure that the commands are being run in root mode.</note> 
 + 
 +==== 2. Configuring Parameters ==== 
 + 
 +You can customize the config settings on a per-Probe basis. 
 + 
 +<note important>Please ensure you have restarted the probe node.</note> 
 + 
 +To create your own custom settings,Do the following 
 +  - create a new config file named 'trisulnsm_filehol.lua' in the probe config directory /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config. 
 +  - configure the 'trisulnsm_filehol.lua' file. 
 +  - replace with new values for the parameters if required. 
 + 
 +<code> DEFAULT_CONFIG = {  
 + 
 +  -- filename of FireHOL level1 Feed  - will trigger Sev-1 alert  
 +  Firehol_Filename_Level1 ="firehol_level1.netset", 
 + 
 +  -- optional level3 - will create Sev-3 alert  
 +  Firehol_Filename_Level3 ="firehol_level3.netset", 
 + 
 +  -- How much should blacklisted IP Recv for Priority elevation to MAJOR (1) 
 +  Vol_Sev1_Alert_Recv=10000, 
 + 
 +  -- How much should blacklisted IP Transmit for Priority elevation to MAJOR (1) 
 +  Vol_Sev1_Alert_Xmit=20000, 
 +
 +</code> 
 + 
 +==== 3. Viewing Alerts ==== 
 + 
 +You can view the FireHOL Alerts in Trisul through User Alerts. 
 + 
 +  - The FireHOL alerts can be viewed in UI by selecting //Alerts > Show All > User Alerts.// 
 + 
 +{{:tips:useralerts-fireholapp.png?600|}}  
 + 
 +The FireHOL(Level 1)alerts can be viewed in detail by exploring them. 
 + 
 +{{:tips:fireholalert.png?600|}} 
 + 
 +  - The Realtime alerts can be viewed by selecting 'View Realtime' option from //Alerts > Show All > User Alerts.// 
 + 
 +{{:tips:realtimefirehol.png?600|}} 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
tips/firehol_checker.1585052354.txt.gz · Last modified: 2020/03/24 17:49 by navaneeth