Installing Trisul on Security Onion

Security Onion is a Linux distro which makes it dead easy to deploy a full-fledged Network Security Monitoring system. This document describes how to install Trisul on it.

Why Trisul Network Analytics?
Trisul adds network traffic charts and flow analytics to your Security Onion based NSM.
  • Install Trisul

    • Follow the instructions for Ubuntu 16.04 on the Download page and install Trisul packages on your Security Onion box.
    • Update the shared library cache
      sudo ldconfig
    • Open ports 3000 and 3003, which the Trisul web interface uses
      sudo ufw allow 3000 
      sudo ufw allow 3003
      These two rules open the ports to every network the box is reachable from. If the sensor has more than one interface, restrict them to your management network using ufw's from/to form (see man ufw).
    • At this point you have a fully functional Trisul installation. Test it by logging on to <ip>:3000 as admin/admin, and change that default password before the interface is reachable by anyone else. Steps 2 through 5 integrate Trisul with the alerts generated by Snort/Suricata.
    • Automatically start trisul-probe on startup
      sudo update-rc.d trisul-probe0-context0 defaults 
  • Change user to sguil from trisul

    By default all Trisul processes and data are owned by the user trisul. Change this to sguil so Trisul integrates with the rest of the Security Onion processes; in particular, Trisul needs to read the Barnyard2 Unix socket, which is owned by sguil.

    • Change the hub and probe permissions to sguil

      Run sudo trisulctl_hub, then enter the following at the CLI prompt. Type quit to leave the trisulctl_hub domain management CLI.

      sudo trisulctl_hub
      changeuser domain domain0 sguil.sguil

      Then do the same for the included Trisul-Probe:

      sudo trisulctl_probe
      changeuser domain domain0 sguil.sguil
    • Restart web server

      Restart the webserver under new ownership of sguil

      sudo service webtrisuld restart
  • Adjust the config file

    Almost there. You need to make a couple of changes to the probe config file so Trisul receives the IDS alerts that barnyard2 emits.

    • Open the config file in /usr/local/etc/trisul-probe/domain0/probe0/context0/trisulProbeConfig.xml
    • Change the <IDSAlerts><UnixSocket> parameter to /nsm/sensor_data/xx-yy-eth0/barnyard2_alert, replacing xx-yy-eth0 with the sensor directory name on your machine. Type ls /nsm/sensor_data to find out what that is.
    • NEW: If you want to listen on multiple sockets, you now can. Add one <UnixSocket> element inside <IDSAlerts> for each socket, one per sensor directory.
  • Configure and restart Barnyard

    • Open the barnyard2 configuration file in /etc/nsm/xx-yy-eth0/barnyard2-1.conf and add the following line at the end of configuration file.

      output alert_unixsock

      If Trisul listens on more than one Unix socket, add the output alert_unixsock line to the barnyard2-1.conf of every sensor involved.

    • Restart barnyard.

      sudo nsm_sensor_ps-restart --only-barnyard2
  • Start Trisul from the web interface

    Go to ip:3000 then login as admin/admin
    Then Go to Context : default > Admin Tasks > Start/Stop Tasks and restart the Hub and Probe(s)

    Default capture interface: Trisul listens on eth0 by default. If you wish to change it, read Change capture adapter.
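
The following script is an added example for steps 3 and 4 above; it is not part of Trisul or Security Onion. It assumes the directory layout the page describes (/nsm/sensor_data/<sensor>/barnyard2_alert for the sockets, /etc/nsm/<sensor>/barnyard2-1.conf for the barnyard2 configs) and takes both roots as parameters so it can be exercised on a scratch copy first. It discovers the sensor directories instead of hard-coding xx-yy-eth0, prints the <UnixSocket> elements to paste into <IDSAlerts>, and appends output alert_unixsock to each barnyard2-1.conf only when no active copy is already there, so re-running it never duplicates the line.

```shell
#!/bin/sh
# Added example for the barnyard2 hookup steps; not part of Trisul or
# Security Onion. Assumed layout (from the install notes):
#   /nsm/sensor_data/<sensor>/barnyard2_alert  (Unix socket Trisul listens on)
#   /etc/nsm/<sensor>/barnyard2-1.conf         (one barnyard2 config per sensor)
# Both roots are parameters so the functions can be tried on a scratch copy.

# Print one <UnixSocket> element per sensor directory found under $1,
# ready to paste inside <IDSAlerts> in trisulProbeConfig.xml.
unixsocket_fragment() {
    root="$1"
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue            # no match leaves the glob literal; skip it
        sensor=$(basename "$dir")
        printf '  <UnixSocket>%s/%s/barnyard2_alert</UnixSocket>\n' "$root" "$sensor"
    done
}

# Append "output alert_unixsock" to the barnyard2 config $1 unless an active
# (uncommented) copy is already present, so repeated runs are idempotent.
# Returns 0 when the file was changed, 1 when it was already enabled.
enable_alert_unixsock() {
    conf="$1"
    if grep -Eq '^[[:space:]]*output[[:space:]]+alert_unixsock' "$conf"; then
        return 1
    fi
    printf '\n# added for Trisul IDS alert integration\noutput alert_unixsock\n' >> "$conf"
    return 0
}

# Enable the unixsock output in every <sensor>/barnyard2-1.conf under $1
# and print how many files were changed.
enable_all_sensors() {
    etc_root="$1"
    changed=0
    for conf in "$etc_root"/*/barnyard2-1.conf; do
        [ -f "$conf" ] || continue
        if enable_alert_unixsock "$conf"; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# On a real Security Onion box (then restart barnyard2 as shown in step 4):
#   unixsocket_fragment /nsm/sensor_data    # paste the output into <IDSAlerts>
#   sudo sh -c '. ./this_script.sh; enable_all_sensors /etc/nsm'
```

Run the fragment function first and check that every path it prints matches a directory you actually see under /nsm/sensor_data before editing trisulProbeConfig.xml; the append step needs root because /etc/nsm is not writable by an ordinary user.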

Congratulations ! You have finished installing Trisul.

Log in as user/user and check that the various dashboards are populated. Check that alerts are arriving in the real-time alerts dashboard under Dashboard > Real Time Alerts.

More things to do

  • How to move the Trisul database to /nsm ?

    Trisul stores its data under /usr/local/var, Security Onion likes to store it in /nsm.

    You will need to use the Domain management CLI tools trisulctl_probe and trisulctl_hub commands to move the database to the /nsm volume.

    Move probe DB
    relocate context domain0 probe0 default 
    Move hub DB
    relocate context domain0 hub0 default 

    For more see Relocate database or type help relocate in the domain management CLI tool.

  • How to switch to NETFLOW mode

    You can choose to use Trisul on the Security Onion box to monitor Netflow. Follow the instructions in Configure Netflow to start consuming Netflow (and SFLOW/IPFIX/JFLOW etc).

    You can even do the following once you are comfortable with one instance of Trisul.

    1. Use the default context for PCAP based monitoring
    2. Spin up a second, new context say nf1 for monitoring Netflow
    New context for netflow
    create context nf1 

    Then follow instructions in Configure Netflow on the nf1 context.

  • How to automatically start the Trisul Probe on reboot

    By default, the Web Server and the Trisul Hub components start automatically after a reboot. To start the Probe processes automatically as well, register them with the normal init.d framework.

    sudo update-rc.d trisul-probe0-context0 defaults 
  • How to add a new remote Probe

    Trisul can also be deployed in a distributed hub and probe configuration. See instructions for How to add a new Probe

  • How to change network interfaces and web server ports
    • Listen on an interface other than eth0 Docs
    • Move Web server ports from 3000 and 3003 Docs
    • Enable SSL for the web interface Docs
  • How to stop and start Trisul processes

    If you want to stop all Trisul processes on a Security Onion system, stop the context first, then the hub and probe domains, then the web server:

    trisulctl_hub stop context default
    trisulctl_hub stop domain
    trisulctl_probe stop domain
    service webtrisuld stop

    To start, bring the hub and probe domains up first, then the context, then the web server:

    trisulctl_hub start domain
    trisulctl_probe start domain
    trisulctl_hub start context default
    service webtrisuld start
  • Are there any other useful plugins?

    You may want to install the following plugins from the Download Page

    1. URL Filter
    2. BadFellas
    3. Geo

    Also check out the new Trisul Apps: log in as admin and select Web Admin > Apps.