Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Aanval 9 Installation and Sensor Setup Guide


Aanval has been designed from its core outward to support a broad variety of installation environments and be as simple to install as possible. 

Downloading and installing Aanval takes only minutes. Aanval is designed to work with all current Linux, UNIX, and Mac OS X flavors, so you can quickly be up and running.

Hardware Requirements

Below are the minimum hardware requirements for the most common deployments of Aanval.

| Environment | Sensor Capacity | Memory | CPU Cores | Disk Space |
|---|---|---|---|---|
| Small Scale | 1-3 | 4GB | 2 | 100GB |
| Large Scale | 8 or more | 8+GB | 4 or more | 500GB |

Network Requirements

The following ports will need to be opened for proper functionality.

| Port | Direction |
|---|---|
| 22 | SSH access is needed to reach the console and sensors for installation, necessary maintenance, and troubleshooting. |
| 80 / 443 | HTTP/HTTPS access is needed to view the console; console-to-sensor communication also uses 80 / 443. |

The console will occasionally contact the following locations for updates and maintenance.

| URL | Reasoning |
|---|---|
| download.aanval.com | The console will download packages from this URL. |
| update.aanval.com | The console will check for new versions and updates from this URL. |

Software Requirements

Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.

| Requirement | Reasoning | Reference |
|---|---|---|
| Operating System | Aanval will install on all major Linux and Unix distributions, including Mac OS X. | Linux: CentOS has been a popular choice as a Linux OS for Aanval users. The most current version of CentOS can be obtained from the following site: [1]<br>Unix: BSD has been a popular choice as a Unix OS for Aanval users. Any variant of BSD will work with Aanval, and FreeBSD can be obtained from the following site: [2]<br>OS X: Mac OS X has also been a popular choice for Aanval users.<br>Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out-of-the-box.<br>To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com. |
| PHP (at least version 7) | Aanval will require PHP for server-side scripting. | The most current version of PHP can be obtained from the following site: [3]<br>When using the Unified2 Module for importing IDS events, it is recommended that the php.ini file be updated with the following change:<br>upload_max_filesize = 256M<br>After making changes, restart Apache. These changes allow Aanval to receive all necessary files from sensors, including event data and especially sid-msg.map and gen-msg.map files. |
| PHP Modules | Specific PHP modules required for Aanval functionality. | php-xml, php-pdo, php-dom |
| Perl (any version) | Aanval uses Perl to launch the PHP scripts in wrapper fashion. | The most current version of Perl can be obtained from the following site: [4] |
| Web Server | Aanval will require an Apache web server capable of serving PHP scripting. | The most current version of Apache can be obtained from the following site: [5] |
| IDS Engine | Aanval requires an Intrusion Detection System (IDS) for monitoring and retrieving (sometimes called "sniffing") network traffic and packets. Snort and Suricata have been the most popular IDS engines used with Aanval. | Snort: The most current version of Snort can be downloaded from the following link: [6]<br>Suricata: The most current version of Suricata can be downloaded from the following link: [7] |
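
A check for the php.ini recommendation in the PHP row above, added here as an example that is not part of the Aanval documentation. It goes beyond the page by also comparing post_max_size, which PHP requires to be larger than upload_max_filesize before an upload of that size is accepted; the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Aanval documentation. Function names and
# the sample file are assumptions; the 256M target is the page's value.

# Convert a php.ini shorthand size (256M, 8m, 2G, 1048576) to bytes.
ini_bytes() {
    num=${1%[KkMmGg]}
    case "$1" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Print the last uncommented value of directive $2 in php.ini file $1.
ini_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# Return 0 when uploads of 256M can succeed; otherwise print each finding.
check_upload_limits() {
    want=$(ini_bytes 256M); rc=0
    up=$(ini_get "$1" upload_max_filesize)
    post=$(ini_get "$1" post_max_size)
    up_b=$(ini_bytes "${up:-2M}")       # PHP default when unset
    post_b=$(ini_bytes "${post:-8M}")   # PHP default when unset
    if [ "$up_b" -lt "$want" ]; then
        echo "upload_max_filesize=${up:-unset} is below 256M"; rc=1
    fi
    # post_max_size caps the whole request, so it must exceed the upload
    # limit; a value of 0 means no limit.
    if [ "$post_b" -ne 0 ] && [ "$post_b" -le "$up_b" ]; then
        echo "post_max_size=${post:-unset} does not exceed upload_max_filesize"; rc=1
    fi
    return $rc
}

# Constructed sample: the page's change applied to an otherwise default file.
sample=$(mktemp)
printf '%s\n' ';upload_max_filesize = 2M' 'upload_max_filesize = 256M' \
    'post_max_size = 8M' > "$sample"
check_upload_limits "$sample" || echo "php.ini needs further changes"
rm -f "$sample"
```

Point check_upload_limits at the php.ini that Apache actually loads, which can differ from the one the command-line php binary reads.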

Aanval Installation


  1. Users should install Aanval in the root of the web server directory or the root of a virtual host configured within Apache. To change to this directory:

    cd /var/www/html/
  2. After changing into the root of the web server directory or virtual host (generally /var/www/html/), issue the following command to download Aanval:

    wget http://download.aanval.com/aanval-9-latest-stable.tar.gz

    Or on Mac OS:

    curl -O http://download.aanval.com/aanval-9-latest-stable.tar.gz
  3. Uncompress Aanval. The following command will uncompress and extract the Aanval package contents into the current directory:

    tar -zxvf aanval-9-latest-stable.tar.gz
  4. Execute the requirements script from the /bin directory of your installation directory to test your system for any prerequisites (fix as necessary):

    php requirements
  5. Execute the Aanval install script from the /bin directory of your installation to build the data structure and finalize the installation:

    php console aanval:install
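
The download and extract steps above fetch the package over plain HTTP and unpack it directly into the web root. The following added example (not Aanval's own tooling) stages the archive elsewhere, records its digest, and checks member names before extracting; the function names and the staging directory are assumptions.

```shell
#!/bin/sh
# Added example, not Aanval's own tooling. URL and WEBROOT come from the
# steps above; the function names and staging directory are assumptions.
URL="http://download.aanval.com/aanval-9-latest-stable.tar.gz"
WEBROOT="/var/www/html"

# Read archive member names on stdin and print any that are absolute or
# contain a ".." path component. Returns 1 if at least one was found.
unsafe_members() {
    rc=0
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) printf '%s\n' "$name"; rc=1 ;;
        esac
    done
    return $rc
}

# List the archive without extracting it; fail on an unreadable or empty
# archive as well as on unsafe member names.
archive_is_safe() {
    list=$(tar -tzf "$1") || return 1
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | unsafe_members
}

# Download to a private staging directory, record the digest, vet the
# member names, and only then extract into the web root.
stage_and_extract() {
    stage=$(mktemp -d) || return 1
    archive="$stage/aanval-9-latest-stable.tar.gz"
    if command -v wget >/dev/null 2>&1; then
        wget -O "$archive" "$URL" || return 1
    else
        curl -f -o "$archive" "$URL" || return 1
    fi
    # The page publishes no checksum: keep this digest with your build
    # records and compare it with a value obtained from the vendor.
    sha256sum "$archive" 2>/dev/null || shasum -a 256 "$archive"
    archive_is_safe "$archive" || { echo "refusing to extract" >&2; return 1; }
    tar -zxf "$archive" -C "$WEBROOT"
}

# Run the full procedure only when asked to: sh stage.sh --install
if [ "${1:-}" = "--install" ]; then
    stage_and_extract
fi
```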

Apache Configuration

  1. Configure Apache. Web server configuration example:

    DocumentRoot "/var/www/html/web/"
    <Directory "/var/www/html/web/">
        AllowOverride None
        Require all granted
    </Directory>

    Virtual host configuration example with the aanval.local hostname:

    <VirtualHost *:80>
        DocumentRoot "/var/www/html/web/"
        ServerName aanval.local
        <Directory "/var/www/html/web/">
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>
  2. Restart Apache:

    apachectl restart
  3. Configure the hostname. Edit /etc/hosts and add an entry for aanval.local (if you are using a virtual host from the local machine).

Aanval BPUs

The Aanval Background Processing Units (BPUs) are responsible for importing events, processing actions, and ensuring the console functions properly. You must start the BPUs in order for the console to operate correctly, and it should be done with root or equivalent privileges.

To test the BPUs, change into the /bin directory of your Aanval installation and run the following command:

    php console aanval:BPU:run

To launch the BPUs into the background, change into the /bin directory of your Aanval installation and run the following command:

    php console aanval:BPU:start

Installing and Starting the SMTs

The Sensor Management Tools (SMTs) enable the management of local or remote IDS engine services and signatures from within Aanval. They can start and stop IDS engines, auto-update and manage IDS signatures, and with Aanval 8 also allow the console to directly import Unified2 files and network events.
The SMTs are found within the /var/smt/ directory of any Aanval installation.

  1. On the same machine as the sensor(s), create a directory to store a copy of the SMTs and copy the contents of the /var/smt/ directory into this location. Users commonly do this off the root directory with the following command:

    mkdir /smt
  2. To then copy the SMT contents to the new directory, enter the following command:

    cp {/your/aanval/install}/var/smt/* /smt/
  3. Edit and configure smtConfig.php, adding the proper paths ($consoleHost, $consoleHostPath, etc.) and values ($id, $confSnort, $rulesSnort, etc.), and save the file. Note: for Unified2-based sensors where the SMT2s are utilized, only the values of SMT ID (smtID) and the location of Aanval (aanvalURL) are required; the additional details of the IDS sensor configuration file and rules paths are provided in the Unified2 Sensor Management menu of Aanval. A random SMT ID is generated when adding a new sensor inside Aanval, as described below. Users can also generate their own 11-digit number; it is only critical that the SMT ID be unique and match the specific sensor inside Aanval under Sensor Configuration and with the sensor's conf.php file in its /smt directory.
  4. Test the SMTs by issuing the following command in the /smt directory:

    php smt aanval:SMT:run
  5. Resolve any communication or configuration errors, and then start the SMTs with the following command:

    php smt aanval:SMT:start
  6. The SMTs can be stopped using the following command:

    php smt aanval:SMT:stop

See Also