TOPIC: Can we get a 32-bit build for Trisul 2.0, please?

Re: Can we get a 32-bit build for Trisul 2.0, please? 12 years 5 months ago #595

FGYM101
Hello, Vivek

I just had a chance to upgrade Trisul from 1.4 to 2.x on a 32-bit Ubuntu.

Trisul failed to start with this error

trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode fullblown_u2
terminate called after throwing an instance of 'sqlite3x::database_error'
what(): sqlite3_command::prepare([ SELECT id, code FROM RO_ORGS; ]) failed. Reason=[no such table: RO_ORGS]
Aborted

I tried to initialize the db with trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode initdb
hoping that would create the database tables. But it still failed.


Do you have any idea?

FYI: Trisul failed to upgrade due to a dependency failure on the hiredis library. I found the hiredis lib and client on an Ubuntu site and installed them. After that, I was able to install/upgrade Trisul.

Thanks.

Re: Can we get a 32-bit build for Trisul 2.0, please? 12 years 5 months ago #596

Hi,

Definitely an issue going from 1.x to 2.0. RO_ORGS is the remote office monitoring feature.

Can you try this?

1. Do a cleanenv - this will unfortunately get rid of all data.
cd /usr/local/share/trisul
./cleanenv -f -init

2. Start
trisul -nodemon /usr/local/etc/trisul/trisulConfig.xml -mode fullblown_u2 


I am double checking this build from my end right now. The hiredis requirement is a build error; I will straighten it out now.

Let me know if this works.
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums

Re: Can we get a 32-bit build for Trisul 2.0, please? 12 years 5 months ago #597

FGYM101
Your instructions fixed the database issue.
Trisul started fine. It's running now.

How can I correctly configure Trisul to read snort barnyard2 alerts?

I have the following set in trisul config
<IDSAlerts>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/host-eth1/snort.unified2.*</UnixSocket>
<SnortVersion>2.9+</SnortVersion>
</IDSAlerts>

I have seen many snort.unified2.* files so I used * to see if it reads all or not.

Barnyard2 conf has the following

config logdir: /nsm/sensor_data/host-eth1
config classification_file: /etc/nsm/host-eth1/classification.config
config reference_file: /etc/nsm/host-eth1/reference.config
config sid_file: /etc/nsm/host-eth1/sid-msg.map
config gen_file: /etc/nsm/host-eth1/gen-msg.map
config hostname: bulldog1-eth1
config interface: eth1
input unified2
output sguil: sensor_name=host-eth1 agent_port=8001
output alert_unixsock

Thanks.

Re: Can we get a 32-bit build for Trisul 2.0, please? 12 years 5 months ago #598

Actually Trisul reads alerts from the Unix socket, not from the unified2.* logs.

Do you see a file called barnyard2_alert in the following directory?

/nsm/sensor_data/host-eth1/

Once again, the file should be called /nsm/sensor_data/host-eth1/barnyard2_alert

This is the Unix socket into which barnyard2 writes alert data. You then point Trisul to read from this socket:

<IDSAlerts>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/host-eth1/barnyard2_alert</UnixSocket>
<SnortVersion>2.9+</SnortVersion>
</IDSAlerts>

If you are running Security Onion, this blog post might help you get going.

www.unleashnetworks.com/blog/?p=322

Thanks,
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
Last Edit: 12 years 5 months ago by vivek [unleash].
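A small config sanity check for the point made in this reply, added here as an example and not part of the thread or of Trisul itself: it parses the <IDSAlerts> fragment and flags the exact mistake from the earlier post (a glob over unified2 log files instead of the single barnyard2_alert Unix socket), and confirms that the path names a real socket. The socket path is the one quoted above; the `exists`/`is_socket` parameters are hypothetical hooks so the check can be exercised offline.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the <IDSAlerts> fragment as recommended in this reply.
IDS_ALERTS_XML = """
<IDSAlerts>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/host-eth1/barnyard2_alert</UnixSocket>
<SnortVersion>2.9+</SnortVersion>
</IDSAlerts>
"""


def _path_is_socket(path):
    """True only if `path` exists and is a Unix domain socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def check_ids_alerts(xml_text, exists=os.path.exists, is_socket=_path_is_socket):
    """Return a list of problems found in an <IDSAlerts> fragment.

    `exists` and `is_socket` are injectable (hypothetical) hooks so the
    logic can be tested without a live barnyard2 sensor.
    """
    root = ET.fromstring(xml_text.strip())
    problems = []
    enabled = (root.findtext("Enabled") or "").strip().lower()
    if enabled != "true":
        problems.append("Enabled is not True; Trisul will ignore IDS alerts")
    path = (root.findtext("UnixSocket") or "").strip()
    if not path:
        problems.append("UnixSocket is empty")
        return problems
    # The mistake from the earlier post: pointing at unified2 log files.
    if any(ch in path for ch in "*?["):
        problems.append(f"{path}: UnixSocket is a glob; it must name the one "
                        "socket barnyard2 writes to, not the unified2.* logs")
    elif not exists(path):
        problems.append(f"{path} does not exist; is barnyard2 running with "
                        "'output alert_unixsock' and this logdir?")
    elif not is_socket(path):
        problems.append(f"{path} exists but is not a Unix socket")
    return problems


if __name__ == "__main__":
    for p in check_ids_alerts(IDS_ALERTS_XML) or ["IDSAlerts config looks OK"]:
        print(p)
```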

Re: Can we get a 32-bit build for Trisul 2.0, please? 12 years 5 months ago #599

Hi,

We just uploaded a new 32-bit Ubuntu package.

It fixes:

1. The hiredis dependency problem.

2. A case of segmentation fault under certain conditions.

Please login and download the new build. To install, simply run

dpkg -r trisul

followed by

dpkg -i trisul_xyz.deb
Thanks,
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums