Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.
Visit http://www.aanval.com/ for more information.
Aanval:Aanval Installation and Upgrade Guides
Below you'll find detailed guides for upgrading your current Aanval console or performing a fresh install of Aanval, and all necessary software and hardware components.
If Snort or Suricata is to be used with Aanval (rather than syslog alone), the IDS engine and its supporting components, such as Barnyard2, must be installed first. For assistance, visit the Community Portal and follow the IDS installation guide for your platform. If OS X is the chosen platform, the OS X guide below is sufficient on its own, as it also includes detailed instructions for installing Snort, Barnyard2 and all required packages on OS X.
For software prerequisites and hardware system requirements, please see below.
Aanval Installation for Linux or UNIX
Aanval Installation for OS X
Below are the minimum hardware requirements for the most common deployments of Aanval.
Environment    Sensor Capacity    Memory    CPU Cores    Disk Space
Large Scale    8 or more          8+ GB     4 or more    500 GB
The following ports will need to be opened for proper functionality. Limit each firewall rule to the specific source and destination hosts named below rather than opening the port to the whole network.

Port 22, workstation -> Aanval server and sensors: administrators need SSH access to manage Aanval and its onboard/remote sensors.
Port 3306, Aanval -> MySQL: using the IDS MySQL Module, Aanval opens a direct connection to MySQL and imports IDS logs from the Snort database. This applies only to setups using a Snort database and Barnyard2; it is not required when the Aanval 8 Unified2 Module is used for IDS log importing. If MySQL runs on the same host as the console, the port does not need to be reachable from any other host.
Ports 80/443, Aanval <-> sensors: using the IDS Unified2 Module, Aanval imports IDS logs from each sensor and exchanges communications with it over 80 or 443, depending on network setup. Only 443 carries this traffic over TLS; use it wherever the network allows.
The following host will need to be reachable (outbound) for proper functionality.

aanval.com: Aanval performs regular console update checks against this host and lets the user download and install available updates.
Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.
Operating System: Aanval installs on all major Linux and Unix distributions, including Mac OS X.
Linux: CentOS has been a popular choice of Linux OS for Aanval users; the most current version can be obtained from the CentOS project site.
Unix: BSD has been a popular choice of Unix OS for Aanval users. Any variant of BSD will work with Aanval; FreeBSD can be obtained from the FreeBSD project site.
OS X: Mac OS X has also been a popular choice for Aanval users.
Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, MySQL, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out-of-the-box.
To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com.
MySQL: Aanval requires a MySQL database (version 5 or later) for event processing and storage. The most current version of MySQL can be obtained from the MySQL website.
PHP: Aanval requires PHP for server-side scripting. The most current version of PHP can be obtained from the PHP website.

When the Unified2 Module is used for importing IDS events, it is recommended that php.ini be updated with the following change:

upload_max_filesize = 256M

PHP also caps the entire request body with post_max_size; that directive must be at least as large as upload_max_filesize, or the upload is dropped and the script receives an empty $_FILES. After making changes, restart Apache. These changes allow Aanval to receive all necessary files from sensors, including event data and in particular the sid-msg.map and gen-msg.map files.
PHP Modules: the following PHP modules are required for Aanval functionality: php-xml, php-pdo, php-mysql, php-dom.
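As an added example (not code from the Aanval wiki or the Aanval project), the shell helpers below turn the PHP requirements above into checks that can be run before installation: they resolve php.ini shorthand sizes, confirm that upload_max_filesize meets the recommended value and that post_max_size does not undercut it, and compare the extensions reported by php -m against the modules listed above. The mapping from the package names in the table to php -m extension names (dom, xml, pdo, pdo_mysql) is an assumption of this example, not something the wiki states, and the php.ini fragments in the comments are constructed.

```sh
#!/bin/sh
# Added example, not code from the Aanval wiki or the Aanval project:
# offline-checkable helpers for the PHP prerequisites listed above.

# Convert a php.ini shorthand size (256M, 8K, 1G, or a bare byte count)
# to bytes. PHP accepts the suffix in either case, so upper-case it first.
ini_size_to_bytes() {
    v=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    n=${v%[KMG]}
    case "$v" in
        *K) echo $((n * 1024)) ;;
        *M) echo $((n * 1024 * 1024)) ;;
        *G) echo $((n * 1024 * 1024 * 1024)) ;;
        *)  echo $((n)) ;;
    esac
}

# Print the effective value of one php.ini directive from ini text on
# stdin. Commented lines (leading ';') are skipped and, as in PHP, the
# last assignment wins. Prints nothing when the directive is absent.
ini_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" | tail -n 1
}

# Verify the upload settings recommended above against php.ini text on
# stdin: upload_max_filesize must be at least $1 (e.g. 256M) and
# post_max_size, which caps the whole request body, must be at least as
# large, or PHP hands the script an empty $_FILES. Returns 0 when both hold.
# Constructed input that passes:   upload_max_filesize = 256M
#                                  post_max_size = 256M
check_upload_limits() {
    ini=$(cat)
    up=$(printf '%s\n' "$ini" | ini_get upload_max_filesize)
    post=$(printf '%s\n' "$ini" | ini_get post_max_size)
    [ -n "$up" ] && [ -n "$post" ] || return 1
    [ "$(ini_size_to_bytes "$up")" -ge "$(ini_size_to_bytes "$1")" ] &&
        [ "$(ini_size_to_bytes "$post")" -ge "$(ini_size_to_bytes "$up")" ]
}

# Extension names as printed by `php -m`, assumed here to correspond to the
# php-dom, php-xml, php-pdo and php-mysql packages in the table. The
# package-to-extension mapping varies by distribution and is this example's
# assumption, not something the wiki states.
required_php_modules="dom xml pdo pdo_mysql"

# Compare `php -m` output on stdin against the list above; print each
# missing extension and return 1 if any is missing. Names are compared
# case-insensitively because php -m prints e.g. "PDO" but "dom".
missing_php_modules() {
    loaded=$(tr 'A-Z' 'a-z')
    rc=0
    for m in $required_php_modules; do
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# On a live host (assumes php is on PATH):
#   php -m | missing_php_modules
#   check_upload_limits 256M < "$(php -r 'echo php_ini_loaded_file();')"
```

The ini parser deliberately ignores lines that begin with ';' and keeps only the last assignment, which is how PHP itself resolves a directive that appears more than once; a check that grepped for the first match would pass on a file where a later line silently lowers the limit again.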
Perl: Aanval uses Perl to launch the PHP scripts in wrapper fashion. The most current version of Perl can be obtained from the Perl website.
Web Server: Aanval requires an Apache web server capable of serving PHP scripts. The most current version of Apache can be obtained from the Apache website.
Wget: Aanval uses Wget to download external data such as console updates, GeoLocation databases and signatures. The most current version of Wget can be obtained from the GNU Wget site, or installed with the OS package manager.
Unzip: Aanval uses Unzip to decompress downloaded data such as console updates and GeoLocation databases. It can be obtained from the upstream project site, or installed with the OS package manager.
IDS Engine: Aanval requires an Intrusion Detection System (IDS) to capture and inspect (sometimes called "sniffing") network traffic and packets. Snort and Suricata have been the most popular IDS engines used with Aanval.
Snort: the most current version of Snort can be downloaded from the Snort website.
Suricata: the most current version of Suricata can be downloaded from the Suricata website.
Barnyard2: Barnyard2 parses Snort/Suricata Unified2 events and writes them to an IDS MySQL database. The most current version of Barnyard2 can be obtained from the Barnyard2 project site.
Barnyard2 is only required for sensors that use this MySQL path. Aanval 8 can import the Unified2 logs directly from the IDS sensor by way of its Sensor Management Tools (SMTs), in which case neither Barnyard2 nor the Snort database is needed.