Hello, I am installing trisul in security onion, it installs well, but when seeing the events, no alert appears. I do not know what log file to put in /usr/local/etc/trisul-probe/domain0/probe0/context0/trisulProbeConfig.xml in the <IDSAlerts> <UnixSocket> part.
Installing Trisul on Security Onion
Did you follow the instructions in https://www.trisul.org/docs/howto/installseco.html Section 3 ?
Trisul picks up the alert from a Unix socket that barnyard2 writes to. The unix socket is named barnyard2_alert The location depends on your interface name. Can you check if you have a directory similar to the one shown below ?
/nsm/sensor_data/xx-yy-eth0/barnyard2_alertYou put that in the trisulConfig.xml file - it will look something like
<UnixSocket>
/nsm/sensor_data/unpl-seco-16-prod-enp1s0/barnyard2_alert
</UnixSocket>Do the other parts of Trisul work like PCAPs, Statistics, Flows??
Regds,
Vivek (Trisul)