Table of Contents

FireHOL Checker

This article helps you with providing steps to install and run the FireHOL Checker App in Trisul Network Analytics.

Create a high priority alert for block listed IPs(Level 1) and Low Level Priority alert for Malicious Ips(level 3),Shift to level 1 if significant data transfer occurs.

Precondition

The following should be done prior to installing this app.

  1. The Trisul Network Analytics Installed.
  2. All the hub and Probe nodes should be up.
  3. The FireHOL Checker App must have been installed from Admin > Manage > Apps >FireHOL Checker.

After installing the app the following steps should be done to enable the FireHOL Checker App.

Steps for Activation

1. Installing the feed

Run the installfeed.sh script in this folder to install the FireHOL feeds and update the CRON to download every hour. 

# curl -O  https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/firehol/installfeed.sh
bash ./installfeed.sh

Please ensure that the commands are being run in root mode.

2. Configuring Parameters

You can customize the config settings on a per-Probe basis.

Please ensure you have restarted the probe node.

To create your own custom settings,Do the following

  1. create a new config file named 'trisulnsm_filehol.lua' in the probe config directory /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config.
  2. configure the 'trisulnsm_filehol.lua' file.
  3. replace with new values for the parameters if required.
 DEFAULT_CONFIG = { 

  -- filename of FireHOL level1 Feed  - will trigger Sev-1 alert 
  Firehol_Filename_Level1 ="firehol_level1.netset",

  -- optional level3 - will create Sev-3 alert 
  Firehol_Filename_Level3 ="firehol_level3.netset",

  -- How much should blacklisted IP Recv for Priority elevation to MAJOR (1)
  Vol_Sev1_Alert_Recv=10000,

  -- How much should blacklisted IP Transmit for Priority elevation to MAJOR (1)
  Vol_Sev1_Alert_Xmit=20000,
}

3. Viewing Alerts

You can view the FireHOL Alerts in Trisul through User Alerts.

  1. The FireHOL alerts can be viewed in UI by selecting Alerts > Show All > User Alerts.

The FireHOL(Level 1)alerts can be viewed in detail by exploring them.

  1. The Realtime alerts can be viewed by selecting 'View Realtime' option from Alerts > Show All > User Alerts.