
====== Connecting Snort to Trisul Network Analytics ======

A step by step guide for Ubuntu 16.04 which explains how to:

  - Install Snort
  - Replace the rules with Emerging Threats rules
  - Configure Oinkmaster for automatic updates
  - Start Snort and view analytics in TrisulNSM

===== Install snort =====

Snort has a package for Ubuntu. This installs all components required.

<code bash>
apt-get update
apt-get install snort
</code>

Also install oinkmaster, which also has an Ubuntu package:

<code bash>
apt-get install oinkmaster
</code>

===== Replace with Emerging Threats rules =====

We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.

==== Download ET Community rules ====

<code bash>
cd /etc/snort
mv rules rules_old
wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
tar xf emerging.rules.tar.gz -C /etc/snort
</code>

==== Point to the new ET rules ====

Open snort.conf, copy the lines from rules/emerging.conf into snort.conf, and comment out the old snort.conf rules.

==== Specify a HOME_NET ====

If you don't do this, you will find out soon enough: many ET rules won't load. Example:

<code>
ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8
</code>

===== Configure Oinkmaster =====

Oinkmaster will keep the rules updated.

Open /etc/oinkmaster.conf and add the ET (or ET Pro) rule path using the ''url'' directive:

<code>
# EMERGING THREATS COMMUNITY
url = https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
</code>

Then you can test it out:

<code bash>
oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</code>

==== Make oinkmaster refresh at 2AM every night ====

The following crontab entry will:

  - Run at 2:00 AM every night
  - Download the latest rules and install them correctly
  - Send a SIGUSR1 to snort to reload the new rules

Open ''crontab -e'' (as root) and add the following line:

<code cron>
# user crontab (crontab -e) has no user column; add a "root" field after the five time fields only if you put this in /etc/crontab instead
0 2 * * * ( /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules; sleep 5; kill -USR1 `pidof -s snort` )
</code>

That is pretty much it.

===== Start snort and view analytics in TrisulNSM =====

First stop the old instance of snort:

<code bash>
pkill snort
</code>

Then log in to Trisul as admin/admin:

  * go to Admin Tasks -> Start/Stop Tasks
  * on the selected network adapters -> More Options -> click on "How to start snort?"
  * copy and paste that into a terminal.

You're all done. To view analytics in Trisul you can start with the **Real Time Alerts dashboard**.
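The "Point to the new ET rules" and "Specify a HOME_NET" steps above are described only in prose; the shell helper below is an added example (not from this wiki page or from Trisul) that performs both edits on a snort.conf. It assumes the stock snort.conf loads rules with ''include $RULE_PATH/<name>.rules'' lines and that rules/emerging.conf from the ET tarball is a list of such include lines; the demo at the bottom runs on constructed files in a temp directory, not on /etc/snort.

```shell
#!/bin/sh
# Added example, not from the wiki page: switch a snort.conf from its stock rule
# includes to the Emerging Threats includes and set HOME_NET in one go.
# Assumes: rule includes look like "include $RULE_PATH/<name>.rules" and
# emerging.conf (from the ET tarball) lists include lines of the same shape.

# switch_to_et_rules <snort.conf> <emerging.conf> <home_net>
switch_to_et_rules() {
  conf="$1"; etconf="$2"; homenet="$3"
  cp "$conf" "$conf.bak"   # keep a backup before editing the config
  # 1. comment out the existing rule includes so old and ET sets are not both loaded
  sed -i 's|^\(include \$RULE_PATH/.*\)|# \1|' "$conf"
  # 2. set HOME_NET: replace the existing ipvar line, or append one if it is missing
  if grep -q '^ipvar HOME_NET ' "$conf"; then
    sed -i "s|^ipvar HOME_NET .*|ipvar HOME_NET $homenet|" "$conf"
  else
    printf 'ipvar HOME_NET %s\n' "$homenet" >> "$conf"
  fi
  # 3. append the ET include lines (comments and blank lines in emerging.conf are skipped)
  printf '\n# Emerging Threats rules, copied from rules/emerging.conf\n' >> "$conf"
  grep '^include ' "$etconf" >> "$conf"
}

# count_active_includes <snort.conf>: how many uncommented rule includes remain
count_active_includes() {
  grep -c '^include \$RULE_PATH/' "$1"
}

# --- demo on constructed files in a temp dir; /etc/snort is not touched ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/snort.conf" <<'EOF'
ipvar HOME_NET any
var RULE_PATH rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
EOF
cat > "$demo_dir/emerging.conf" <<'EOF'
# constructed stand-in for the ET emerging.conf
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-trojan.rules
EOF
switch_to_et_rules "$demo_dir/snort.conf" "$demo_dir/emerging.conf" "192.168.0.0/16,10.0.0.0/8"
grep -E '^(# )?include|^ipvar' "$demo_dir/snort.conf"
```

After running it against a real /etc/snort/snort.conf, check the result with ''snort -T -c /etc/snort/snort.conf'' before restarting Snort, so a rule that fails to load is caught while the backup is still at hand.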

ids/snort.1525338686.txt.gz · Last modified: 2018/05/03 09:11 by veera