Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Aanval 8 Installation and Sensor Setup Guide



This guide can also be downloaded in a PDF format at the following link: [1]

Aanval has been designed from its core outward to support a broad variety of installation environments and be as simple to install as possible. 

Downloading and installing Aanval takes only minutes to accomplish. Designed to work with all current Linux, UNIX, and Mac OS X flavors, you can quickly be up and running.

Hardware Requirements

Below are the minimum hardware requirements for the most common deployments of Aanval.

Environment    Sensor Capacity    Memory    CPU Cores    Disk Space
Small Scale    1-3                4GB       2            100GB
Large Scale    8 or more          8+GB      4 or more    500GB

Network Requirements

The following ports will need to be opened for proper functionality.

Port      Direction                                   Reasoning
22        Workstation -> Aanval server and sensors    Users will need SSH access to manage Aanval and its onboard/remote sensors.
3306      Aanval -> MySQL                             Using the IDS MySQL Module, Aanval will secure a direct connection to MySQL and import IDS logs from the Snort database (for setups using a Snort database and Barnyard2 only; not required if using the Aanval 8 Unified2 Module for IDS log importing).
80/443    Aanval <-> sensors                          Using the IDS Unified2 Module, Aanval will import IDS logs from and send and receive secure communications to and from each sensor over 80 or 443 (depending on network setup).

The following URL will need to be opened for proper functionality.

URL           Reasoning
aanval.com    Aanval will perform regular console update checks and allow the user to download and install available updates.

Software Requirements

Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.

Requirement: Operating System
Reasoning: Aanval will install on all major Linux and Unix distributions, including Mac OS X.
  Linux: CentOS has been a popular choice as a Linux OS for Aanval users. The most current version of CentOS can be obtained from the following site: [2]
  Unix: BSD has been a popular choice as a Unix OS for Aanval users. Any variant of BSD will work with Aanval, and FreeBSD can be obtained from the following site: [3]
  OS X: Mac OS X has also been a popular choice for Aanval users.
  Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, MySQL, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out-of-the-box.
  To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com.

Requirement: MySQL
Reasoning: Aanval will require a MySQL database for event processing and storage. The most current version of MySQL can be obtained from the following site: [4]

Requirement: PHP (at least version 5)
Reasoning: Aanval will require PHP for server-side scripting. The most current version of PHP can be obtained from the following site: [5]
  It is recommended, when using the Unified2 Module for importing IDS events, that the php.ini file be updated with the following change:
    upload_max_filesize = 256M
  After making changes, restart Apache. This change allows Aanval to receive all necessary files from sensors, including event data and especially the sid-msg.map and gen-msg.map files.

Requirement: PHP Modules
Reasoning: Specific PHP modules are required for Aanval functionality.
Reference: php-xml, php-pdo, php-mysql, php-dom

Requirement: PERL (any version)
Reasoning: Aanval uses PERL to launch the PHP scripts in wrapper fashion. The most current version of PERL can be obtained from the following site: [6]

Requirement: Web Server
Reasoning: Aanval will require an Apache web server capable of serving PHP scripting. The most current version of Apache can be obtained from the following site: [7]

Requirement: Wget
Reasoning: Aanval uses Wget to download external data like console updates, GeoLocation databases, and signatures. The most current version of Wget can be obtained from the following site: [8]. Users can also use their OS's built-in installation or update commands to obtain the utility.

Requirement: Unzip
Reasoning: Aanval uses Unzip to decompress downloaded data like console updates and GeoLocation databases. Oracle offers an unzip utility, and the most current version can be obtained from the following site: [9]. Users can also use their OS's built-in installation or update commands to obtain the utility.

Requirement: IDS Engine
Reasoning: Aanval requires an Intrusion Detection System (IDS) for monitoring and retrieving (sometimes called "sniffing") network traffic and packets. Snort and Suricata have been the most popular IDS engines used with Aanval.
  Snort: The most current version of Snort can be downloaded from the following link: [10]
  Suricata: The most current version of Suricata can be downloaded from the following link: [11]

Requirement: Barnyard2
Reasoning: Barnyard2 is used to parse Snort/Suricata Unified2 events and send them to an IDS MySQL database. The most current version of Barnyard2 can be obtained from the following site: [12]

Barnyard2 is only required for such MySQL-Barnyard2-based sensors. Aanval 8 has the capability to directly import the Unified2 logs from the IDS sensor by use of its Sensor Management Tools (SMTs).
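The requirements above can be checked before the installer's own environment tests run. The following script is an added example and is not part of the Aanval project: it verifies that the command-line tools the guide names are on PATH, that the PHP modules it lists are loaded, and that php.ini carries the recommended upload_max_filesize of 256M. The mapping from package names (php-xml and so on) to the module names printed by `php -m` is an assumption about common Linux packaging, not something the guide states, and the php.ini content in the usage section is a constructed sample.

```python
#!/usr/bin/env python3
"""Pre-installation check for the Aanval software requirements (added example, not Aanval code)."""
import re
import shutil
import subprocess

# Command-line tools the guide requires. The Apache binary name varies by OS
# (httpd, apache2), so it is left to the installer's own tests.
REQUIRED_COMMANDS = ["mysql", "mysqladmin", "php", "perl", "wget", "unzip"]

# Package name from the guide -> module names accepted from `php -m`
# (assumed mapping; adjust for your distribution).
PHP_MODULE_MAP = {
    "php-xml": ["xml"],
    "php-pdo": ["PDO"],
    "php-mysql": ["mysqli", "mysqlnd", "pdo_mysql"],
    "php-dom": ["dom"],
}

# Minimum recommended by the guide for the Unified2 Module.
MIN_UPLOAD = "256M"

_SIZE_RE = re.compile(r"^\s*(\d+)\s*([KMG]?)\s*$", re.IGNORECASE)
_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_php_size(value):
    """Turn a php.ini shorthand size ('256M', '8M', '1G', '4096') into bytes."""
    m = _SIZE_RE.match(value)
    if not m:
        raise ValueError("not a php.ini size: %r" % value)
    return int(m.group(1)) * _UNIT[m.group(2).upper()]


def missing_commands(commands=REQUIRED_COMMANDS):
    """Return the subset of commands that are not found on PATH."""
    return [c for c in commands if shutil.which(c) is None]


def loaded_php_modules():
    """Read the module list from `php -m` (one name per line; section headers are in [])."""
    out = subprocess.run(["php", "-m"], capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines()
            if line.strip() and not line.startswith("[")]


def missing_php_modules(loaded, required=PHP_MODULE_MAP):
    """Return the guide's package names for which no accepted module name is loaded."""
    have = {name.lower() for name in loaded}
    return [pkg for pkg, names in required.items()
            if not any(n.lower() in have for n in names)]


def upload_limit_ok(php_ini_text, minimum=MIN_UPLOAD):
    """True if the last uncommented upload_max_filesize line is at least `minimum`."""
    current = None
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0]            # ';' starts a php.ini comment
        m = re.match(r"^\s*upload_max_filesize\s*=\s*(\S+)", line)
        if m:
            current = m.group(1)                # later lines override earlier ones
    return current is not None and parse_php_size(current) >= parse_php_size(minimum)


if __name__ == "__main__":
    # Constructed sample php.ini content standing in for the real /etc/php.ini.
    sample_ini = ("; defaults\nupload_max_filesize = 2M\n"
                  "; raised for Aanval Unified2 imports\nupload_max_filesize = 256M\n")
    print("missing commands:", missing_commands())
    try:
        print("missing PHP modules:", missing_php_modules(loaded_php_modules()))
    except FileNotFoundError:
        print("php is not installed; cannot list modules")
    print("upload_max_filesize >= 256M:", upload_limit_ok(sample_ini))
```

To check a real php.ini, read the file into `upload_limit_ok()` instead of the sample text; note that the directive that is active is the last uncommented one, which is why the function keeps scanning rather than stopping at the first match.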

Aanval Installation

Watch the Aanval 8 Installation and Unified2 Sensor Setup video guide on YouTube

Preparation

  1. Users can store Aanval in the root of the web server directory. Users can also create a directory within the web root directory for Aanval; issuing the following command from the web root directory creates a directory to store Aanval:
       mkdir aanval

  2. Change to the new aanval directory (if you selected to create a new directory; otherwise, change to the root of the web server directory, which is generally /var/www/html). Issuing the following command will download Aanval:
       wget download.aanval.com/aanval-8-latest-stable.tar.gz

  3. Uncompress Aanval. The following command will uncompress and extract the Aanval package contents into the current directory:
       tar -zxvf aanval-8-latest-stable.tar.gz

  4. Create a MySQL database for Aanval. Using the MySQL administrative tools, the following command will create the database named aanvaldb:
       mysqladmin create aanvaldb

Installation

  1. Direct your web browser to the location of Aanval, where you should be presented with the Aanval End-User-License-Agreement.
  2. After reading the EULA, click I agree to continue.
  3. Aanval will then perform environmental and compatibility tests. Ensure all tests are successful; otherwise, resolve the problems listed and click Continue.
  4. Direct Aanval to the location of the newly created Aanval database by providing values for the following:
       Database Server (IP or hostname of the database server)
       Database Name (this should be aanvaldb)
       Database Username
       Database Password (in some instances this value may be blank)

  5. Submit the settings for testing. Once confirmed, a Success message will be provided if everything is correct; otherwise, return and resolve any problems. Click Continue.
  6. The Aanval installation process will take place and is relatively quick. This process creates and loads all required database tables as well as provisions the console for initial usage. When complete, click Continue to proceed.
  7. Once you have successfully installed Aanval, you will be presented with the default username and password of this Aanval console as well as the instructions to start the Aanval Background Processing Units (BPUs).
  8. Log in to Aanval using the credentials provided on the previous screen. Typically these will be a username of root and a password of specter.

Starting the Aanval BPUs

  1. The Aanval Background Processing Units (BPUs) are responsible for importing events, processing actions, and ensuring the console functions properly. You must start the BPUs in order for the console to operate correctly, and it should be done with root or equivalent privileges. To start the BPUs, change into the /apps directory of your Aanval installation and run the following command:
       perl idsBackground.pl -start

Adding an IDS MySQL Sensor

An IDS MySQL sensor is an IDS engine that uses Barnyard2 to send its event logs to a local or remote MySQL database, and from which Aanval reads and imports its logs. Aanval’s Sensor Management Tools (SMTs) are not necessary for this mode of event importing; however, users can continue to set up and use them for advanced sensor and signature management functions.

  1. Inside the Aanval console, go to the Configuration menu by hovering over the user login at the top-right of the screen. Under Event Import Options, go to MySQL Module > Settings.
  2. Check the Enabled box at the top and then continue to enter the location and user information of the IDS MySQL database where Barnyard2 would be sending IDS logs. Click Update to commit the changes. Users will receive two Success messages for the database connection and name; resolve any issues.
  3. Note: The Database Trimming option, when selected, will automatically remove the oldest events from the IDS database once the threshold is met. Enabling this feature is recommended and can assist to prevent the MySQL disk from running out of disk space.

  4. From the menu directory display in the upper-right of the screen, go back one menu by clicking Configuration, and then under Event Import Options, select MySQL Module > Sensor Configuration.
  5. On the left of the screen will be displayed all IDS sensors that are reporting or have reported to the database to which Aanval is connected. If no sensors appear, ensure Aanval is connected to the correct database and that Barnyard2 has the permissions to access and is properly reporting to the proper database. Select the desired sensor from the left, check the Enabled box, enter relevant sensor information (name, description, location, etc.), and click Update to commit the changes. Repeat these steps for any additional sensors.
  6. Ensure the Sensor Permissions at the bottom of the menu are enabled for each user that will be viewing and managing the events for the given sensor; otherwise, events will not display or be available on any menu.

Aanval is now connected to the IDS database and the sensor is enabled. New IDS events should be imported and displayed at the Home menu or one of the Live event menus. If events are not being displayed, check the following items:

IDS engine: ensure the engine is running in daemon mode and that network traffic is flowing to it.
IDS signatures: ensure signatures are enabled that match corresponding network traffic.
Barnyard2: ensure the process is running in daemon mode.

If events still aren’t being imported and displayed, check the Aanval Troubleshooting Guide for further assistance.

Installing and Starting the SMTs

The Sensor Management Tools (SMTs) enable the management of local or remote IDS engine services and signatures from within Aanval. They can start and stop IDS engines, auto-update and manage IDS signatures, and with Aanval 8 also allow the console to directly import Unified2 files and network events.
The SMTs are found within the /contrib/ directory of any Aanval installation.
Note: for MySQL-based IDS sensors, utilize the SMT or /smt package. For Unified2-based sensors, utilize the SMT2 or /smt2 package. Both packages are found within the /contrib/ directory. Each package is specifically designed for its type of sensor; the SMTs designed for MySQL-based IDS sensors will not work with Unified2-based sensors, and vice versa.

  1. On the same machine as the sensor(s), create a directory to store a copy of the SMTs and copy the contents of the /contrib/{smt or smt2/} directory into this location. Users commonly do this off the root directory with the following command:
       mkdir /smt

  2. To then copy the SMT contents to the new directory, enter the following command:
       cp {/your/aanval/install}/contrib/{smt/ or smt2/}* /smt/

  3. Edit and configure conf.php, adding the proper paths ($consoleHost, $consoleHostPath, etc.) and values ($id, $confSnort, $rulesSnort, etc.), and save the file. Note: for Unified2-based sensors where the SMT2s are utilized, only the values of SMT ID (smtID) and the location of Aanval (aanvalURL) are required; the additional details of the IDS sensor configuration file and rules paths are provided in the Unified2 Sensor Management menu of Aanval. A random SMT ID is generated when adding a new sensor inside Aanval, as described below. Users can also generate their own 11-digit number; it is only critical that the SMT ID be unique and match the specific sensor inside Aanval under Sensor Configuration and with the sensor's conf.php file in its /smt directory.
  4. Test the SMTs by issuing the following command in the /smt directory:
       php smt.php

  5. Resolve any communication or configuration errors, and then start the SMTs with the following command:
       perl idsSensor.pl -start

  6. The SMTs can be stopped using the following command:
       perl idsSensor.pl -stop

Adding an IDS Unified2 Sensor

Watch the Aanval 8 Installation and Unified2 Sensor Setup video guide on YouTube

An IDS Unified2 sensor is an IDS engine that uses Aanval’s Sensor Management Tools (SMTs) to directly import its event logs. Aanval’s SMTs can further be utilized for IDS sensor and signature management.

  1. Inside the Aanval console, go to the Configuration menu by hovering over the user login at the top-right of the screen. Under Event Import Options, go to Unified2 Module > Sensor Configuration.
  2. To add a new sensor, click the + button at the upper-right of the menu.
  3. Select the new sensor, check the Enabled box at the top, continue to enter sensor information (name, description, location, etc.) and click Update to commit the changes. Take note of the SMT ID provided, as it will need to be added to the SMT configuration file in its /smt directory.
  4. Ensure the Sensor Permissions at the bottom of the menu are enabled for each user that will be viewing and managing the events for the given sensor; otherwise, events will not display or be available on any menu.
  5. From the menu directory display in the upper-right of the screen, go back one menu by clicking Configuration, and then under Event Import Options, select Unified2 Module > Sensor Management.
  6. Select a sensor from those listed on the left of the menu and click its Configuration (gear icon) button.
  7. Provide the paths and values for the following:
       Configuration File: the location of the IDS engine configuration file (/etc/snort/snort.conf for example)
       Unified2 Path: the location of the IDS log files (/var/log/snort/ for example)
       sid-msg.map File: the location of the sid-msg.map file (/etc/snort/rules/sid-msg.map for example)
       gen-msg.map File: the location of the gen-msg.map file (/etc/snort/rules/gen-msg.map for example)
       Engine Start Command: the command used to start the IDS engine (snort -c /etc/snort/snort.conf -i eth1 for example)
       Engine Stop Command: the command used to stop the IDS engine (pkill snort for example)
       Engine Reload Command: the command used to reload the IDS engine
       Engine Status Command: the command used to check the IDS engine status (ps aux | grep -v grep | grep snort for example)

  8. Ensure the SMTs are running and that the SMT IDs in the sensor's conf.php (located on the sensor itself in the /smt directory) and in Unified2 Module > Sensor Configuration match, and click Update to commit the changes. Aanval will then initiate first-time and continuous communication; paths for the engine rules (Rules Path, SO Rules Path, etc.) will be imported and displayed, and IDS event log importing will commence.

Adding a Syslog Sensor

A Syslog sensor can be a logging file from which Aanval imports log data, or a log data stream sent to the Aanval console (UDP port 514) from an external device. In either mode of transport, if the data is in a syslog format, Aanval will import the data for normalization and processing alongside any other syslog or IDS sensors.

  1. Inside the Aanval console, go to the Configuration menu by hovering over the user login at the top-right of the screen. Under Event Import Options, go to Syslog Module > Settings.
  2. Check the box that enables the Aanval Syslog module and click Update.
  3. From the menu directory display in the upper-right of the screen, go back one menu by clicking Configuration, and then under Event Import Options, select Syslog Module > Sensor Configuration.
  4. (Note: The following step is only necessary for adding a syslog sensor in which the logging device is directly sending log data to Aanval.) From the command line on the Aanval console, go to Aanval's /apps directory. The following command will start a basic syslog server designed to receive UDP syslog messages on port 514:
       nohup perl idsSyslog.pl > /dev/null &

  5. On the Sensor Configuration menu, if external logging devices are streaming data logs to Aanval, and with the syslog server from step 4 running, those devices will appear under the Sensors listing on the left of the menu. To create a file-based sensor, in which Aanval will retrieve the data logs from a given location, click the + button in the upper-right.
  6. Select the new sensor from the Sensors listing and check the Enabled box at the top. A file-based sensor will ask for the Log File Path below the Enabled box; on a data stream-based sensor the value displayed will be the device's IP address and cannot be changed. Continue to enter sensor information (name, description, location, etc.) and click Update to commit the changes.
  7. Ensure the Sensor Permissions at the bottom of the menu are enabled for each user that will be viewing and managing the events for the given sensor; otherwise, events will not display or be available on any menu.
  8. From the menu directory display in the upper-right of the screen, go back one menu by clicking Configuration, and then select Event Import Options > Syslog Module > Filter Management. On this menu users create regex-based filters to parse specific values from the imported syslog events, such as Source Address, Destination Address, Risk Level, Payload, etc.
  9. Click the + button to create a new filter. Edit the filter, provide a name and the regular expression, and click Update to commit the changes. New to Aanval 8 are tools to test the regex against the desired value to parse. They are found on this menu and are further designed to work with Aanval's advanced syslog filtering options. For example, a user can link two separate regexes that will be recognized as a single regex by adding a double tilde (~~) between the two expressions. Continue to create all necessary filters. A full listing of available import values (Source Address, Source Port, etc.) will be shown on the next menu.
  10. From the menu directory display in the upper-right of the screen, go back one menu by clicking Configuration, and then under Event Import Options, select Syslog Module > Filter Assignment.
  11. Select a sensor from the listing on the left of the menu and, from the import values listed on the right, click the drop-down box, select the proper filter, and click Add. Users may select and add multiple filters for a single value. In the event the imported data has various formats for a single value, Aanval will cycle through the filters listed until a value in the data matches a filter. Repeat these steps for every necessary sensor and value.

See Also