Hello, I am installing Trisul in Security Onion. It installs well, but when viewing the events, no alert appears. I do not know what log file to put in /usr/local/etc/trisul-probe/domain0/probe0/context0/trisulProbeConfig.xml in the <IDSAlerts> <UnixSocket> part.
Installing Trisul on Security Onion
Did you follow the instructions in https://www.trisul.org/docs/howto/installseco.html Section 3 ?
Trisul picks up the alerts from a Unix socket that barnyard2 writes to. The Unix socket is named barnyard2_alert.
The location depends on your interface name. Can you check if you have a directory similar to the one shown below?
/nsm/sensor_data/xx-yy-eth0/barnyard2_alert
You put that in the trisulProbeConfig.xml file - it will look something like:
<UnixSocket>
/nsm/sensor_data/unpl-seco-16-prod-enp1s0/barnyard2_alert
</UnixSocket>
Do the other parts of Trisul work, like PCAPs, Statistics, Flows?
Regds,
Vivek (Trisul)
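As an added example (not part of the thread or of Trisul's own tooling), the check Vivek describes can be done with a short script: look under /nsm/sensor_data for per-sensor directories, keep only the barnyard2_alert entries that really are Unix domain sockets (a leftover regular file with that name would silently give Trisul nothing to read), and render the matching <UnixSocket> element. The sensor directory names and the sample tree it builds are constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile
from xml.sax.saxutils import escape

SENSOR_DATA_ROOT = "/nsm/sensor_data"   # Security Onion layout quoted in the thread
SOCKET_NAME = "barnyard2_alert"          # socket barnyard2 writes alerts to

_keep_alive = []   # holds fixture sockets open so their paths stay bound


def find_alert_sockets(root=SENSOR_DATA_ROOT):
    """Return <root>/<sensor-iface>/barnyard2_alert paths that are real sockets."""
    found = []
    try:
        sensors = sorted(os.listdir(root))
    except FileNotFoundError:
        return found            # no sensor_data tree: nothing to offer
    for sensor in sensors:
        path = os.path.join(root, sensor, SOCKET_NAME)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISSOCK(st.st_mode):   # skip stale files/dirs of the same name
            found.append(path)
    return found


def unix_socket_element(path):
    """Render the <UnixSocket> element for the <IDSAlerts> section."""
    return "<UnixSocket>\n%s\n</UnixSocket>" % escape(path)


def make_sample_tree():
    """Constructed fixture: one sensor with a live socket, one with a stale file."""
    root = tempfile.mkdtemp(prefix="sd_")
    good = os.path.join(root, "seco-eth0")     # hypothetical sensor-interface names
    stale = os.path.join(root, "seco-eth1")
    os.makedirs(good)
    os.makedirs(stale)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(os.path.join(good, SOCKET_NAME))    # creates a real socket node
    _keep_alive.append(sock)
    open(os.path.join(stale, SOCKET_NAME), "w").close()  # regular file, not a socket
    return root, os.path.join(good, SOCKET_NAME)


if __name__ == "__main__":
    for p in find_alert_sockets() or ["(no barnyard2_alert socket found)"]:
        print(unix_socket_element(p) if p.startswith("/") else p)
```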