Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Console Events

From Aanval Wiki

The Aanval console itself can act as a sensor. Console events are logged, correlated, and displayed alongside network events. Because console activity is logged, analysts can also run Advanced Searches for specific activity and generate reports.

Aanval's Network Host Scanner engine works together with the console to alert the user when new devices connect to the network, when new or existing devices disconnect, when a connected device successfully logs into the Aanval console, and when a login attempt fails.

Network scans will produce event IDs specific to the console activity. These IDs will be attached to console events and can be searched and reported.

Below is a table of event IDs and their descriptions.

| Console Signature ID | Console Class ID | Description |
|----------------------|------------------|-------------|
| 3333000 | 1 | Network Host Scanner found 0 new hosts |
| 3333001 | 1 | Network Host Scanner found 1 or more new hosts |
| 3333002 | 1 | Successful login |
| 3333003 | 1 | Failed login attempt |
| 3333004 | 1 | User logout request |
| 3333005 | 1 | New user created |
| 3333006 | 1 | User deleted |
| 3333050 | 1 | Datastore rotation performed |
| 3333051 | 1 | Datastore rotation request |
| 3333052 | 1 | Datastore deletion request |
| 3333053 | 1 | Datastore update request |
| 3333100 | 1 | New sensor created |
| 3333101 | 1 | Sensor deleted |
| 3333105 | 1 | Snort tracker reset |
| 3333106 | 1 | Snort reimport request |
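
Because these signature IDs are attached to every console event, they can be correlated outside the console as well. The following is an added example, not Aanval code: it flags a successful login (3333002) that follows a run of failed attempts (3333003) from the same source, then lists account, datastore, and sensor changes made from that source afterwards. The row layout, source-address field, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Console Signature IDs taken from the table on this page.
LOGIN_OK, LOGIN_FAIL = 3333002, 3333003
# New user, user deleted, datastore deletion request, sensor deleted.
SENSITIVE = {3333005, 3333006, 3333052, 3333101}

# Constructed sample rows: (timestamp, signature ID, source address).
# This row layout is an assumption, not Aanval's export format.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:05", 3333003, "192.0.2.10"),
    ("2024-05-01 09:00:20", 3333003, "192.0.2.10"),
    ("2024-05-01 09:00:41", 3333003, "192.0.2.10"),
    ("2024-05-01 09:01:02", 3333002, "192.0.2.10"),
    ("2024-05-01 09:03:30", 3333005, "192.0.2.10"),
    ("2024-05-01 09:04:10", 3333101, "192.0.2.10"),
    ("2024-05-01 09:10:00", 3333003, "198.51.100.7"),
    ("2024-05-01 09:10:30", 3333002, "198.51.100.7"),
]

def find_suspicious_logins(events, threshold=3,
                           window=timedelta(minutes=5),
                           follow=timedelta(minutes=10)):
    """Flag a login after `threshold`+ failures from one source within
    `window`; attach that source's sensitive actions during `follow`."""
    failures = defaultdict(deque)  # source -> recent failed-login times
    findings = []
    for ts_text, sig, src in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if sig == LOGIN_FAIL:
            recent.append(ts)
        elif sig == LOGIN_OK:
            if len(recent) >= threshold:
                findings.append({"source": src, "login": ts,
                                 "failures": len(recent), "follow_up": []})
            recent.clear()  # a success ends the current failure streak
        elif sig in SENSITIVE:
            for f in findings:
                if f["source"] == src and ts - f["login"] <= follow:
                    f["follow_up"].append(sig)
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample, only 192.0.2.10 is flagged; the single mistyped password from 198.51.100.7 stays below the threshold.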