====== FireHOL Checker ======

This article helps you with providing steps to install and run the FireHOL Checker App in Trisul Network Analytics.

**
Create a high priority alert for block listed IPs(Level 1) and Low Level Priority alert for Malicious Ips(level 3),Shift to level 1 if significant data transfer occurs.
**

{{:tips:firehol.png?400|}}

===== Precondition =====

The following should be done prior to installing this app.
  - The Trisul Network Analytics Installed.
  - All the hub and Probe nodes should be up.
  - The FireHOL Checker App must have been installed from //Admin > Manage > Apps >FireHOL Checker//.

{{:tips:fireholappadmin.png?400|}}

After installing the app the following steps should be done to enable the FireHOL Checker App.

===== Steps for Activation =====

==== 1.  Installing the feed ====

Run the installfeed.sh script in this folder to install the FireHOL feeds and update the CRON to download every hour.

<code># curl -O  https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/firehol/installfeed.sh
</code>
<code>bash ./installfeed.sh
</code>

{{:tips:fireholappinstall.png?600|}}

<note important>Please ensure that the commands are being run in root mode.</note>

==== 2. Configuring Parameters ====

You can customize the config settings on a per-Probe basis.

<note important>Please ensure you have restarted the probe node.</note>

To create your own custom settings,Do the following
  - create a new config file named 'trisulnsm_filehol.lua' in the probe config directory /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config.
  - configure the 'trisulnsm_filehol.lua' file.
  - replace with new values for the parameters if required.

<code> DEFAULT_CONFIG = { 

  -- filename of FireHOL level1 Feed  - will trigger Sev-1 alert 
  Firehol_Filename_Level1 ="firehol_level1.netset",

  -- optional level3 - will create Sev-3 alert 
  Firehol_Filename_Level3 ="firehol_level3.netset",

  -- How much should blacklisted IP Recv for Priority elevation to MAJOR (1)
  Vol_Sev1_Alert_Recv=10000,

  -- How much should blacklisted IP Transmit for Priority elevation to MAJOR (1)
  Vol_Sev1_Alert_Xmit=20000,
}
</code>

==== 3. Viewing Alerts ====

You can view the FireHOL Alerts in Trisul through User Alerts.

  - The FireHOL alerts can be viewed in UI by selecting //Alerts > Show All > User Alerts.//

{{:tips:useralerts-fireholapp.png?600|}} 

The FireHOL(Level 1)alerts can be viewed in detail by exploring them.

{{:tips:fireholalert.png?600|}}

  - The Realtime alerts can be viewed by selecting 'View Realtime' option from //Alerts > Show All > User Alerts.//

{{:tips:realtimefirehol.png?600|}}