Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Event Suppression


Rules flag the specific activity they are designed to detect and generate events that are shown in Aanval's Live Monitor. As more rules are selected on a console, two outcomes occur. First, the system's operation can slow, as it is scanning for a myriad of activity and producing the corresponding events (this is most common when every rule, or nearly every rule, is selected). Second, Aanval will be bombarded with events, many or most of which don't enhance situational awareness of the network, as they aren't true threats or at least aren't harmful to the given environment. Though Aanval is designed to handle high loads of traffic and billions of events, disk space can quickly fill with needless event data, leaving less space for real threats and necessitating additional work to manage disk space, either by compressing or deleting logs.

Identifying Nuisance Events

Nuisance events are those that simply fill disk space, cloud Aanval's Live Monitor, and don't add to one's situational awareness.

Aanval is used on everything from home networks to large-scale enterprise networks, and rules are available for the entire spectrum; thus, it would be misleading to list rules that every Aanval deployment should activate. However, Aanval does come loaded with the correlation features needed to display those nuisance events, allowing users of every deployment to easily create their own signature recipe, tailored to their specific environment.

To identify nuisance events and create a tailored signature recipe:

  1. Visit Charts & Graphs (from the icons on the top-left of the screen).
  2. Click Frequent Events.

The page displays the events that most frequently top the charts, appear on the Live Monitor, and fill disk space. For each event listed, the signature ID is displayed first, on the left. Users can visit the following sites to learn more about that particular signature ID and whether that rule has any relevance in their environment:

For Snort rules, visit http://snort.org/search, and enter the signature ID in the search field.

For Emerging Threats rules, visit http://doc.emergingthreats.net or http://doc.emergingthreats.net/2012345, substituting the numerical value at the end of the URL with the specific signature ID.

The signature name and number of events generated will also be displayed, in addition to visual representations of event traffic by way of bar graphs and pie charts. Users can also perform an Advanced Search (by clicking the Search button displayed next to the signature ID) to display every instance of that particular event, the dates, times, and sources and destinations involved.
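The same kind of ranking can be reproduced outside the console as a cross-check. The following is an added example, not Aanval code: it assumes the sensor writes Snort "fast" alert lines, the function names and sample alerts are constructed for illustration, and the category guess follows the first-or-second-word rule of thumb used on this page.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{[^}]+\}\s+(?P<src>\S+)\s+->\s+\S+")

# Constructed sample alerts (documentation addresses, placeholder messages).
SAMPLE_ALERTS = """\
08/28-10:00:01.000001 [**] [1:2012345:1] ET POLICY constructed sample [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
08/28-10:00:02.000001 [**] [1:2012345:1] ET POLICY constructed sample [**] [Priority: 3] {TCP} 192.0.2.10:51001 -> 198.51.100.5:80
08/28-10:00:03.000001 [**] [1:2012345:1] ET POLICY constructed sample [**] [Priority: 3] {TCP} 192.0.2.11:51002 -> 198.51.100.5:80
08/28-10:00:04.000001 [**] [1:2012345:1] ET POLICY constructed sample [**] [Priority: 3] {TCP} 192.0.2.10:51003 -> 198.51.100.5:80
08/28-10:00:05.000001 [**] [1:2012345:1] ET POLICY constructed sample [**] [Priority: 3] {TCP} 192.0.2.12:51004 -> 198.51.100.5:80
08/28-10:00:06.000001 [**] [1:1000001:1] WEB-CLIENT constructed sample [**] [Priority: 1] {TCP} 198.51.100.5:80 -> 192.0.2.10:51000
08/28-10:00:07.000001 [**] [1:1000001:1] WEB-CLIENT constructed sample [**] [Priority: 1] {TCP} 198.51.100.5:80 -> 192.0.2.11:51002
08/28-10:00:08.000001 [**] [1:1000002:1] ICMP constructed sample [**] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.1
this line is not an alert and is skipped
"""

def category(msg):
    """Guess the rule category: second word for 'ET ...' messages, else the first."""
    words = msg.split()
    return " ".join(words[:2]) if words[0] == "ET" else words[0]

def frequent_events(lines, top=10):
    """Rank signature IDs by event count, with share of total and distinct sources."""
    counts, names, sources = Counter(), {}, defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank or non-alert line
        sid = int(m["sid"])
        counts[sid] += 1
        names[sid] = m["msg"]
        sources[sid].add(m["src"].split(":")[0])  # drop :port (IPv4 only)
    total = sum(counts.values())
    return [
        {"sid": sid, "category": category(names[sid]), "message": names[sid],
         "events": n, "share": round(100 * n / total, 1),
         "sources": len(sources[sid])}
        for sid, n in counts.most_common(top)
    ]

if __name__ == "__main__":
    for row in frequent_events(SAMPLE_ALERTS.splitlines()):
        print(row)
```

A signature with a high share but only one or two distinct sources is a candidate for suppression scoped to those machines rather than for disabling the rule outright.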

Once an event has been determined to be a nuisance, proceed to suppress it. Event suppression (completely stopping events from being generated or displayed) within Aanval can be accomplished by one of two methods: Signature Management or Action Management, as described below.

Signature Management

To suppress events by way of signature management:

  1. Visit Console Configuration (in the lower right-hand corner, the gear icon) > Snort Module > Signature Management.
  2. From the Policy drop-down box on the left of the screen, select the policy to be modified, and the rules currently selected on that policy will display. If no policy exists, visit Console Configuration > Snort Module > Policy Management, click Create Policy from the right of the screen, enter a name for the policy, and then click Update. Once complete, navigate back to Signature Management. If only one policy exists, it will be displayed in the drop-down box by default.
  3. On the right of the screen, select the category of the rule to be suppressed. The category is found in the message displayed for any event. Example: if "WEB-CLIENT Microsoft Windows ASF parsing memory corruption attempt" is the message displayed for an event, "WEB-CLIENT" is the category under which the rule would be found. If both VRT (Snort) and Emerging Threats rules are being used, users may need to search two or more categories to find the specific rule, keeping in mind that the first or second word of the displayed event message points to the proper category. If the rule's name or category cannot be determined, or if more information on a rule is desired, visit http://snort.org/search/ and enter the rule's signature ID.
  4. Once the category is selected, navigate to the specific rule and unselect it. (To quickly find the rule, especially in a category with thousands of rules, press Ctrl/Command+F and enter the signature ID.)
  5. Next to the policy drop-down box, click Update.
  6. The updated policy now needs to be pushed to, or synced with, the sensor(s), and Snort needs to be restarted so that it recognizes the changes and operates accordingly. This can be done via Aanval when the Sensor Management Tools (SMTs) are installed and running. Reference Signature Management for the commands to sync Aanval with Snort/Suricata sensors.

Action Management

Users can use the Action Management menu, found under My Options (the paper-with-the-gear icon at the top of the console), to create a new action that deletes events based on a signature or category ID, thus suppressing unnecessary events.

To suppress events by way of the Action Management menu:

  1. Either select Create Action from the bottom of the menu or select an existing action.
  2. Once the new or existing action is selected, click "edit".
  3. Click Enabled.
  4. Enter a name and description for the action.
  5. Click Update.
  6. Click the drop-down box under Criteria to Match and choose the identifying mark. In this case, select Signature ID. Once selected, click Add. Some users may wish to add additional criteria, for example if the signature ID or event is specific to one or a couple of machines. If this is the case, ensure the Match All option just above is selected.
  7. Click Update.
  8. Click the drop-down box under Actions to be Performed and choose Delete Event.
  9. Click Update.

Reference Action Management for additional information and commands.