2.15. Geo Plugin

The Geo plugin is an add-on package to Trisul. It enhances the base Trisul functionality by adding

  1. A Country Counter Group – for country-wise traffic metering
  2. An ASN Counter Group – for Autonomous System Number-wise metering
  3. A CITY Counter Group – for City/Region-wise metering
  4. A Prefix Counter Group – for IP Prefix (AS BGP blocks) wise metering

New: updated to use the GeoLite2 CSV database.

This allows you to

  1. Track top countries In/Out
  2. Track top ASNs In/Out
  3. View historical country and ASN wise traffic trends
  4. Correlate country and ASN to flows/packets/alerts
  5. Count City wise traffic and Prefixes

City: by default the CITY database is disabled because it requires significant memory, about 300MB. Enable it using the cfgedit tool. See Edit Configuration below.

2.15.1 Samples

Here is a screenshot to give you an idea of what functionality is added by this plugin.

[Screenshot: Traffic by ASN]
[Screenshot: Traffic by country]

2.15.2 Setup

Installation

This plugin is distributed as an RPM / DEB package. Follow the instructions on the Downloads page to install the trisul-geo package.

Starting

Once installed, the plugin will become effective the next time you restart Trisul.

2.15.3 Database used

In order to work accurately, this plugin needs an up-to-date geolocation database. We currently support geolocation databases from MaxMind.

The basic install includes a trial database in CSV format. Once installed, the files are automatically updated weekly.


/usr/local/share/trisul_geo/plugins/GeoLite2-*.csv

Commercial – Recommended

You need to independently procure latest copies of these databases from https://www.maxmind.com.

  1. GeoIP Country
  2. GeoIP ASN
  3. GeoIP City
Please contact the list vendor directly for a subscription.
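To show what the plugin's counter groups compute from the GeoLite2 CSV files, here is an added example (not Trisul's own code). It builds a longest-prefix-match table from constructed rows in the GeoLite2 Country and ASN CSV layouts, then meters a few constructed flow records In/Out by country and by ASN, exactly the kind of country-wise and ASN-wise counters described above. It assumes IPv4 only and treats 10.0.0.0/8 as the monitored "inside" network; the CSV rows and flows are constructed sample data, not real MaxMind data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in the GeoLite2 CSV layout (NOT real MaxMind data).
COUNTRY_BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,100,100,,0,0
198.51.100.0/24,200,200,,0,0
198.51.100.128/25,300,300,,0,0
"""
COUNTRY_LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
100,en,EU,Europe,DE,Germany,1
200,en,NA,North America,US,United States,0
300,en,NA,North America,CA,Canada,0
"""
ASN_BLOCKS_CSV = """network,autonomous_system_number,autonomous_system_organization
203.0.113.0/24,64496,Example-Net-1
198.51.100.0/24,64497,Example-Net-2
"""


class PrefixTable:
    """Longest-prefix-match table built from a *-Blocks-IPv4.csv (IPv4 only)."""

    def __init__(self):
        self._by_len = defaultdict(dict)  # prefixlen -> {network_int: value}

    def add(self, cidr, value):
        net = ipaddress.ip_network(cidr, strict=False)
        self._by_len[net.prefixlen][int(net.network_address)] = value

    def lookup(self, ip):
        addr = int(ipaddress.ip_address(ip))
        # Try the most specific prefix length first so a /25 beats its /24.
        for plen in sorted(self._by_len, reverse=True):
            mask = ((1 << 32) - 1) ^ ((1 << (32 - plen)) - 1)
            value = self._by_len[plen].get(addr & mask)
            if value is not None:
                return value
        return None


def load_country_table(blocks_csv, locations_csv):
    # Locations file maps geoname_id -> ISO country code.
    names = {row["geoname_id"]: row["country_iso_code"]
             for row in csv.DictReader(io.StringIO(locations_csv))}
    table = PrefixTable()
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        # geoname_id can be empty when only the registered country is known.
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        table.add(row["network"], names.get(gid, "??"))
    return table


def load_asn_table(blocks_csv):
    table = PrefixTable()
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        table.add(row["network"], int(row["autonomous_system_number"]))
    return table


# Assumed "inside" network used to decide the In vs Out direction of a flow.
MONITORED_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: (src_ip, dst_ip, bytes).
FLOWS = [
    ("10.1.1.5", "203.0.113.10", 4000),    # Out to DE / AS64496
    ("198.51.100.200", "10.1.1.5", 1500),  # In from CA (the more specific /25)
    ("198.51.100.7", "10.2.2.2", 700),     # In from US
    ("10.3.3.3", "192.0.2.1", 100),        # no matching prefix -> unknown
]


def meter(flows, table, unknown="unknown"):
    """Sum bytes per key for In and Out traffic, like a Trisul counter group."""
    totals = {"in": defaultdict(int), "out": defaultdict(int)}
    for src, dst, nbytes in flows:
        if ipaddress.ip_address(src) in MONITORED_NET:
            direction, key = "out", table.lookup(dst)
        else:
            direction, key = "in", table.lookup(src)
        totals[direction][key if key is not None else unknown] += nbytes
    return {d: dict(v) for d, v in totals.items()}


if __name__ == "__main__":
    country = load_country_table(COUNTRY_BLOCKS_CSV, COUNTRY_LOCATIONS_CSV)
    asn = load_asn_table(ASN_BLOCKS_CSV)
    print("by country:", meter(FLOWS, country))
    print("by ASN:", meter(FLOWS, asn))
```

The same PrefixTable serves the Prefix counter group if the value stored per network is the network itself; the point to notice is that the 198.51.100.128/25 row wins over 198.51.100.0/24 for the 198.51.100.200 flow, which is why a prefix table rather than a flat dictionary is needed.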

2.15.4 Edit settings

Use cfgedit to edit the config settings. Select the Trisul Geo option in the menu.

Once installed, Trisul will automatically keep the databases updated at 2AM every day. See the Frequency parameter in the config file.

The main parameters you may be interested in editing are:

  ReloadListSeconds – how often (in seconds) Trisul checks for new database files
  URL – where the database files are downloaded from
  RunAt – the time of day at which new data files are downloaded
  Frequency – number of seconds between runs; 86400 seconds = 1 day
  MeterCountry – enable country-wise metering
  MeterASN – enable ASN-wise metering
  MeterCity – enable City/Location metering; this uses about 500MB of extra RAM and is disabled by default
  MeterPrefix – enable network prefix metering (AS numbers as found in BGP)


<TrisulPluginConfiguration>
  <Policy>
    <description>Controls how the Trisul geo plugin works, currently very little policy</description>
    <!-- how often (seconds) Trisul checks for newly downloaded database files -->
    <ReloadListSeconds>3600</ReloadListSeconds>

    <!-- counter groups to enable; MeterCity needs significant extra RAM -->
    <MeterCountry>TRUE</MeterCountry>
    <MeterASN>TRUE</MeterASN>
    <MeterCity>TRUE</MeterCity>
    <MeterPrefix>TRUE</MeterPrefix>
  </Policy>

  <Update>
    <!-- each Source is fetched from URL and saved under the Target file name -->
    <Sources>
      <Source>
        <URL>https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip</URL>
        <Target>GeoLite2-Country-CSV.zip</Target>
      </Source>
      <Source>
        <URL>https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip</URL>
        <Target>GeoLite2-ASN-CSV.zip</Target>
      </Source>
      <Source>
        <URL>https://geolite.maxmind.com/download/geoip/database/GeoLite2-City-CSV.zip</URL>
        <Target>GeoLite2-City-CSV.zip</Target>
      </Source>
    </Sources>

    <Output>
      <Filename></Filename>
    </Output>

    <!-- command run on the downloaded files after each fetch -->
    <Post>
      <Cmd>gunzip</Cmd>
    </Post>

    <!-- RunAt is HHMM (0200 = 2AM); Frequency is seconds between runs (86400 = 1 day) -->
    <Run>
      <RunAt>0200</RunAt>
      <Frequency>86400</Frequency>
    </Run>
  </Update>
</TrisulPluginConfiguration>
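Because the Update section drives an unattended nightly download that is then unpacked and loaded into the metering engine, it is worth sanity-checking the file before deploying it. The following added example (not part of Trisul or this page) parses a constructed copy of the configuration above with the standard library and reports settings a reviewer would want fixed: a non-positive ReloadListSeconds or Frequency, a malformed RunAt, a Target that is not a bare file name, and a source URL that is not fetched over https. One source in the constructed sample deliberately uses plain http so the check has something to flag; the element names are those shown on this page, and everything else is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copy of the page's sample config, with MeterCity off and one
# deliberately weak setting (a plain-http source URL) for the check to flag.
SAMPLE_CONFIG = """<TrisulPluginConfiguration>
  <Policy>
    <ReloadListSeconds>3600</ReloadListSeconds>
    <MeterCountry>TRUE</MeterCountry>
    <MeterASN>TRUE</MeterASN>
    <MeterCity>FALSE</MeterCity>
    <MeterPrefix>TRUE</MeterPrefix>
  </Policy>
  <Update>
    <Sources>
      <Source>
        <URL>https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip</URL>
        <Target>GeoLite2-Country-CSV.zip</Target>
      </Source>
      <Source>
        <URL>http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip</URL>
        <Target>GeoLite2-ASN-CSV.zip</Target>
      </Source>
    </Sources>
    <Run>
      <RunAt>0200</RunAt>
      <Frequency>86400</Frequency>
    </Run>
  </Update>
</TrisulPluginConfiguration>
"""

METER_FLAGS = ("MeterCountry", "MeterASN", "MeterCity", "MeterPrefix")


def parse_config(xml_text):
    """Extract the settings documented on this page into a plain dict."""
    root = ET.fromstring(xml_text)
    policy = root.find("Policy")
    run = root.find("Update/Run")
    flags = {tag: policy.findtext(tag, "FALSE").strip().upper() == "TRUE"
             for tag in METER_FLAGS}
    sources = [(s.findtext("URL", "").strip(), s.findtext("Target", "").strip())
               for s in root.findall("Update/Sources/Source")]
    return {
        "reload_seconds": int(policy.findtext("ReloadListSeconds", "0")),
        "flags": flags,
        "sources": sources,
        "run_at": run.findtext("RunAt", "0000").strip(),
        "frequency": int(run.findtext("Frequency", "0")),
    }


def check_config(cfg):
    """Return a list of problems to fix before the config is deployed."""
    problems = []
    if cfg["reload_seconds"] <= 0:
        problems.append("ReloadListSeconds must be a positive number of seconds")
    if cfg["frequency"] <= 0:
        problems.append("Frequency must be positive (86400 = one day)")
    ra = cfg["run_at"]
    if not (len(ra) == 4 and ra.isdigit() and int(ra[:2]) < 24 and int(ra[2:]) < 60):
        problems.append("RunAt must be HHMM, e.g. 0200")
    for url, target in cfg["sources"]:
        # The downloaded data is trusted by the metering engine, so insist on TLS.
        if urlparse(url).scheme != "https":
            problems.append("source %s is not fetched over https" % (target or url))
        # Target is written into the plugin directory; keep it a bare file name.
        if not target or "/" in target or target.startswith("."):
            problems.append("Target %r must be a bare file name" % target)
    return problems


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("enabled counter groups:", [k for k, v in cfg["flags"].items() if v])
    for problem in check_config(cfg):
        print("PROBLEM:", problem)
```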

2.15.5 License

This product carries the following MaxMind attribution statement:

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.