Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Automation


Automation (formerly known as Action Management) allows users to create custom automated actions that perform tasks such as sending alerts, managing events, running scans, and executing shell commands. Users can create multiple actions, each of which executes independently when its criteria are matched.

Create an Action

  1. Navigate to the My Options icon at the top-left of the Aanval display.
  2. Select Action Management.
  3. Select Create Action from the bottom of the menu, or select an existing action.
  4. Once the new or existing action is selected, click Edit.

Manage an Action

  1. Name the action and write a description of it in the labeled text boxes.
  2. Threshold performs the action once the criteria have been matched X times (the Threshold Count) within the Threshold Time, which is always entered in seconds. If the Threshold Count is zero, the action is performed every time the criteria are matched and the Threshold Time is not used. If too many email alerts are being generated, most likely because the Threshold is set to 0, increase the Threshold and the Threshold Time. For example: if the criteria are matched 30 times (Threshold) within 300 seconds (Threshold Time), then perform the configured actions.
  3. (Optional) Users can check the Automatic Disable box so that when the set criteria is matched the first time, any set actions will perform only once, and the action itself will then be disabled (not deleted) until the user manually re-enables it.
    Users can also reset the Match Count which will set the number of times the criteria was matched back to zero.
  4. Select whether the action will Match Any or Match All set criteria.
  5. Add criteria to the action by selecting one of the options provided in the drop-down menu. Once the option is chosen and any necessary values entered (such as an IP or email address), select the Add button. Click Update to commit any changes to the values entered/updated for each option.

Below are the available Criteria to Match options:

Source IP
Destination IP
Source Port
Destination Port
Protocol
Risk Level
Sensor
Module
Signature ID
Category ID
Text / String

Note: Both single IPs and network ranges (192.168.0.1/24, for example) are supported for Source and Destination IP options.
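The following Python model is an added example, not Aanval code. It shows how Match Any / Match All, network ranges, Threshold, Threshold Time and Automatic Disable interact, so the number of times an action is performed can be estimated before changing a setting. The event field names (`ts`, `src_ip`, `dst_port`), the sliding time window and the restart of the count after each firing are assumptions.

```python
import ipaddress
from collections import deque

class Action:
    """Model of one action: criteria, Match Any/All, Threshold, Automatic Disable."""
    def __init__(self, criteria, match_all, threshold, threshold_time, auto_disable=False):
        self.criteria = criteria              # list of (field, value) pairs
        self.match_all = match_all            # True = Match All, False = Match Any
        self.threshold = threshold            # 0 = perform on every match
        self.threshold_time = threshold_time  # seconds
        self.auto_disable = auto_disable
        self.enabled = True
        self.hits = deque()                   # timestamps of recent matches

    def _criterion_matches(self, field, value, event):
        if field in ("src_ip", "dst_ip"):
            # strict=False accepts ranges written with host bits set (192.168.0.1/24)
            net = ipaddress.ip_network(value, strict=False)
            return ipaddress.ip_address(event[field]) in net
        return event.get(field) == value

    def matches(self, event):
        results = [self._criterion_matches(f, v, event) for f, v in self.criteria]
        return all(results) if self.match_all else any(results)

    def process(self, event):
        """Return True when the action would be performed for this event."""
        if not self.enabled or not self.matches(event):
            return False
        if self.threshold > 0:
            now = event["ts"]
            self.hits.append(now)
            # Drop matches that fell out of the Threshold Time window
            while self.hits and now - self.hits[0] >= self.threshold_time:
                self.hits.popleft()
            if len(self.hits) < self.threshold:
                return False
            self.hits.clear()  # assumption: counting restarts after the action fires
        if self.auto_disable:
            self.enabled = False  # stays disabled until manually re-enabled
        return True

def count_fired(action, events):
    """Number of times the action would be performed over a list of events."""
    return sum(action.process(e) for e in events)

def sample_events(step):
    # Constructed sample: 90 SSH events from 192.168.0.x, one every `step` seconds
    return [{"ts": i * step, "src_ip": f"192.168.0.{i % 50 + 1}", "dst_port": 22}
            for i in range(90)]
```

With the constructed sample at one event every 5 seconds, a Threshold of 0 performs the action 90 times, while 30 matches in 300 seconds performs it 3 times.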

Below are the available Actions to be Performed options:

Do Nothing
Ignore Event
Send Email
Send User Message
Execute Shell Command
Delete Event
Tag Event
Offensive Reconnaissance

Email Alerts

Users may edit the Custom Email preferences.

  • Users may edit the body of the email text but should also be aware that the body is currently configured to send matching data based on the alert criteria.

Users may send email alerts to multiple addresses.

  • After the Send Email action is selected under Actions to be Performed, enter multiple recipients by placing a comma between each address.

Additional Note

  • Click Update to commit any changes.
