Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Frequently Asked Questions

Frequently Asked Questions about Aanval and related topics.

The Basics

What is Aanval?

Aanval is the industry's most comprehensive Security Information and Event Management (SIEM) console on the market. Aanval supports both Snort and Suricata as well as virtually any Syslog data source, and is designed specifically to scale from small single-sensor installations to global enterprise deployments.

Aanval's primary function is to correlate data from multiple sources, bring together billions of events, and present users with a holistic view of false-positive-free, network security situational awareness.

What does Aanval mean?

Aanval is Dutch for "attack."

What are a few common terms used to describe Aanval?

Aanval is also commonly described by terms such as:

  • Snort Management Console
  • Snort Management System
  • Snort Interface
  • Snort Front-end
  • Snort Control Panel
  • Snort Security Monitor
  • Snort Security Tool
  • Snort Security Toolkit
  • Snort Security Platform
  • Snort Console
  • Snort Web Interface
  • Snort Web Console
  • Snort Web GUI
  • Snort GUI
  • Snort Manager
  • Note: The term Snort, in relation to other Aanval definitions, can interchangeably be used with Suricata or syslog, as in "Suricata Front-end."

What operating system is required to run Aanval?

Aanval is supported on all variants of UNIX, Linux, and Mac OS X.

Aanval

How many Snort/Suricata/Syslog sensors can be managed from a single console?

You can manage an unlimited number of sensors. Hardware will be your only limiting factor. We have clients with more than 100 Snort sensors and some with thousands of syslog sensors.

What is the default username and password for Aanval?

The default username is:

root

The default password is:

specter

How do I reset Aanval's 'root' user password?

If you have forgotten or lost the Aanval console's root account password, you may perform the following MySQL query to reset the password to the installation default.

Aanval v4 (the root user id is always 102) MySQL Query:

UPDATE idsUsers SET password = MD5('specter') WHERE id = '102';

Aanval v5 and greater (the root user id is always 1) MySQL Query:

UPDATE idsUsers SET password = MD5('specter') WHERE id = '1';

How do I create additional Aanval user accounts?

The Aanval Administrator can create additional user accounts and assign them Administrator or User rights.

To create a new user account:

  1. Click Console Configuration (in the lower righthand corner, the gear icon).
  2. Under General settings select Account Management.
  3. On the right of the screen, first select Create Account.
  4. On the left of the screen select the Enabled checkbox to activate and make changes to the new account.
  5. Below you’ll then enter the user’s information, including Aanval username and password, and timezone.
  6. Then select the user’s Privileges from the drop-down box: Administrator or User.
  • Note: Ensure you also visit Console Configuration > Snort Module > Sensor Configuration, and enable User Permissions for each active sensor for every user; otherwise, additional users will not be able to see traffic and events.

Does Aanval work on any browser?

Yes, but its display and functionality are optimized when used with Safari, Firefox, or Chrome.

Some features, like GeoLocation, may not be functional if accessed from a mobile browser.

How do I activate my license(s)?

To activate or update your v7 license(s):

  1. Click Console Configuration (in the lower right-hand corner, the gear icon).
  2. Under General settings select License Management.
  3. Click Create License and then enter the key.
  4. Click Update to commit changes.
  5. On the right of the screen you’ll be shown the type of license and its status.
  • Note: You can also remove/delete an outdated or invalid license by selecting the given license, checking the box at the bottom of all licenses listed, and then clicking Delete License.

Is there a way to delete all the user messages at once, rather than one at a time?

Yes. Navigate to Console Configuration (in the lower right-hand corner, the gear icon) > Console > Maintenance > Clear User Messages.

How do I change the date and time format?

Aanval supports worldwide date and time formats.

To change the date and time:

  1. Click Console Configuration (in the lower right-hand corner, the gear icon).
  2. Under General settings select Console Preferences.
  3. The first option at the top is the date and time format.
  4. Once any change has been made, click Update at the bottom, and the change will be reflected in the Example box adjacent to your changes.

See Also

The following link will provide the necessary symbols and definitions for the various worldwide formats: http://php.net/manual/en/function.date.php.

How do I configure timezones properly in Aanval?

Timezone settings within Aanval are critical to the operation and display of system details and event data.

In order for Aanval to function properly and provide meaningful results, the current timezone setting for the console, each user, and each sensor must be correctly configured to reflect their appropriate timezone.

Timezone problems are very common, and many times can be resolved quickly by ensuring proper configuration within the console.

Console Time

The Aanval Console's timezone setting can be found within the System Manager and should reflect the timezone of the operating system in which the console is installed.

User Time

The user timezone setting can be found within each user account and should reflect the timezone of the user's physical location.

Sensor Time

The sensor timezone setting can be found within the sensor edit feature of the appropriate Module Manager and should reflect the timezone setting of the sensor's operating system.

First verify that the timezone settings for console, user, and sensor match their respective operating systems and physical environments. If no configuration problems are identified, ensure the console is logging and displaying the appropriate time/date by checking the timestamp of new entries in the Logs Manager.

If you cannot find your city, we can add cities/locations to the timezone list upon request; however, this may not be necessary. Simply locate the city that is closest but within your timezone.

Where are Aanval's datastores actually stored?

Datastores are stored in the Aanval database. The files are self-contained and in a MySQL format.

Will datastores, especially after Aanval imports millions of events, affect console performance?

Datastores allow Aanval to store and manage billions of events without any effect on the console or other systems on the machine.

How do I change Aanval's database settings?

This is an advanced process and is not necessary for most deployments or configurations of Aanval. Please use caution when modifying console settings within this file as the contents are highly syntax sensitive.

Aanval uses a standard PHP-based configuration file (conf.php) to store the console path and required database credentials using a $name = "value"; variable syntax.

Aanval database and path information is stored at the following location (default):

/path/to/aanval/conf/conf.php

How do I update Aanval on a disconnected network?

Aanval is easily updated on disconnected networks.

  1. From a machine with internet access, log in to your Aanval account at https://www.aanval.com/login or download the package directly from the following URL to a local network machine or USB drive:
    http://download.aanval.com/aanval-7-latest-stable.tar.gz
  2. Transfer the package to the disconnected machine, copy it into the current Aanval directory (generally the root of the web server), and untar it:
    tar -zxvf aanval-7-latest-stable.tar.gz
  3. Perform a cleanup by removing the tarball:
    rm -f aanval-7-latest-stable.tar.gz
  4. Direct your browser to the Aanval location where you will then be guided through an on-screen installation, just as one would upgrading Aanval on a connected network, and similar to its initial installation. Where this upgrade process differs is that the location of the Aanval database has already been predefined and will not be asked. The console will continue to perform basic environmental checks and then allow the user to log in. Like upgrading on a connected network, all console data and settings will be saved.

How do I create a database?

It is recommended that Aanval be installed in its own database; however, if the need arises, Aanval can be installed in an existing database. (Aanval tables are prefixed with "ids".)

Three options for creating MySQL databases are shown below:

Option A

Using the MySQL administrative tools, the following command will create the database named "aanvaldb":

mysqladmin create aanvaldb

Option B

Log in to your MySQL command line client and issue the following command to create the database named "aanvaldb":

create database aanvaldb;

Option C

If you use a web-based system management tool such as PLESK, CPANEL, phpMyAdmin, or Webmin then please follow the instructions available for these tools to correctly create your database.

  • Note: After creating an Aanval database, you may need to modify or provide permissions.

How does False Positive Protection/Event Validation work?

Event Validation (false positive protection) uses the Device Management system to match events against configuration profiles of devices, addresses, ports, and protocols.

If on the left of an event or within the event details under Event Validation you see a green circle with a check, the event has passed validation. If you see a gray circle, the event has not passed and could be a false positive. If you see a gray dash, those configuration profiles have not been created.

Background Processing Units (BPUs)

How do I verify the BPUs are running?

Open a terminal and run the following command:

ps aux | grep BPU

The terminal should give results that are similar to the following:

root  77524   0.0  0.0  2438464    784   ??  Ss   12:13PM   0:00.00 Aanval BPU - Importer    
root  77552   0.0  0.0  2438464    784   ??  Ss   12:13PM   0:00.00 Aanval BPU - Core
root  77545   0.0  0.0  2438464    784   ??  Ss   12:13PM   0:00.00 Aanval BPU - Queue    

Your particular version of Aanval may differ slightly in output.
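As an added example (not Aanval's own tooling), the following shell script turns that ps check into a health check that names any missing BPU, so it can run from cron or a monitoring agent; the sample ps output it tests against is constructed from the lines above, and the "live" argument is this script's own convention.

```sh
#!/bin/sh
# Added example, not part of Aanval: a BPU health check built on the same
# "ps aux | grep BPU" the FAQ uses, but reporting which of the three BPUs is
# missing so it can run from cron or a monitoring agent.

# The BPU names from the FAQ; ps shows them as "Aanval BPU - <name>".
BPU_NAMES="Importer Core Queue"

# Constructed sample ps output (Queue deliberately absent) for a dry run.
SAMPLE_PS='root  77524   0.0  0.0  2438464    784   ??  Ss   12:13PM   0:00.00 Aanval BPU - Importer
root  77552   0.0  0.0  2438464    784   ??  Ss   12:13PM   0:00.00 Aanval BPU - Core'

# missing_bpus PS_OUTPUT: print one line per BPU name absent from PS_OUTPUT;
# print nothing when all three are present.
missing_bpus() {
    ps_out=$1
    for name in $BPU_NAMES; do
        # -F treats the name as a fixed string, so "-" and spaces are literal.
        if ! printf '%s\n' "$ps_out" | grep -qF "Aanval BPU - $name"; then
            printf '%s\n' "$name"
        fi
    done
}

# check_bpus: live check on this host; exit 0 when every BPU runs, 1 otherwise.
check_bpus() {
    # grep -v drops the grep process itself, which would also match "BPU".
    live=$(ps aux | grep BPU | grep -v grep) || true
    missing=$(missing_bpus "$live")
    if [ -n "$missing" ]; then
        # $missing is unquoted on purpose: one "BPU not running" line per name.
        printf 'BPU not running: %s\n' $missing >&2
        return 1
    fi
    echo "all BPUs running"
}

# demo_missing: run the check against the constructed sample; prints "Queue".
demo_missing() {
    missing_bpus "$SAMPLE_PS"
}

# Run the live check only when executed as "sh bpu_check.sh live".
if [ "${1:-}" = "live" ]; then
    check_bpus
fi
```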

Sensor Management Tools (SMTs)

What port(s) need to be open to utilize the SMTs when managing multiple remote sensors over the internet?

Port 80 is the only port necessary for SMT functionality: sending and receiving status updates, IDS configuration files, and signatures.

Appliances

Which is the right appliance for me?

The Aanval Mini appliance is based on the Mac mini machine and can be used as a sole sensor or as a console to manage two to three sensors. The Aanval Mini is also rack-mountable, with mounts available to stack two to eight units.

The Aanval Pro appliance is based on the Apple Pro machine and can manage eight to ten sensors.

All Aanval Appliances are designed to handle as many as 1 billion events or more.

Aanval Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, MySQL, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out-of-the-box.

What is the default installation directory on OS X-based appliances?

The default installation directory of Aanval on all OS X-based appliances is:

/Library/WebServer/Documents/

Action Management

How do I pass values to external shell scripts?

This section lists the values that Aanval can pass to external shell scripts within the Action system.

Aanval's action system supports an option to execute an external shell script (bash) upon specific event criteria matches. Passing values from Aanval to these external scripts is necessary to allow systems to add or enhance the functionality of Aanval.

Values are passed by including the variable names exactly as shown below (they are case sensitive) in the script's arguments; Aanval replaces each name with the matching event value when the action runs.

An example script might take parameters as such:

/my/bin/script.sh -sp SOURCE_IP -dp DESTINATION_IP

At this time, clients around the globe use this feature to perform additional analyses, firewall updates, active defense operations, as well as facilitate port-knocking concepts. The options are nearly limitless.

Variables

  • TIMESTAMP
  • RISK_LEVEL
  • SOURCE_IP
  • SOURCE_PORT
  • DESTINATION_IP
  • DESTINATION_PORT
  • SENSOR
  • SIG_NAME
  • SIG_NAME_ID
  • SIG_CLASS
  • SIG_CLASS_ID
  • AANVALID
  • ACTIONID
  • PAYLOAD
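An added example of such a script (not Aanval code) that receives the values listed above: the -sp and -dp options come from the example command line in this section, the remaining option names and the audit log path are this script's own assumptions. Every value it receives originates in traffic the sensor observed, so it validates addresses and ports and neutralises control characters before writing a single audit line.

```sh
#!/bin/sh
# Added example, not part of Aanval: an action script that receives event values.
# Option names are this script's convention; Aanval fills in the values, e.g.
#   /my/bin/script.sh -sp SOURCE_IP -sport SOURCE_PORT -dp DESTINATION_IP \
#       -dport DESTINATION_PORT -r RISK_LEVEL -sensor SENSOR -sig SIG_NAME
# Signature and sensor names are free text chosen by whoever wrote the rule or
# the traffic, so they are cleaned before they reach the log; nothing received
# here is ever handed to another shell for evaluation.

AUDIT_LOG="${AANVAL_ACTION_LOG:-/tmp/aanval-actions.log}"   # assumed location

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_port NUM: succeed only for an integer in 0-65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# clean TEXT: replace non-printable characters (newlines included) with '?' and
# cap the length, so a crafted signature or sensor name cannot forge or flood
# extra log lines.
clean() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | cut -c 1-200
}

# handle_event OPTIONS...: validate the event values and print one audit line;
# return 1 (printing nothing) if an address or port is malformed, 2 on a bad
# command line.
handle_event() {
    sp='' sport='' dp='' dport='' risk='' sensor='' sig=''
    while [ "$#" -gt 0 ]; do
        [ "$#" -ge 2 ] || { printf 'option %s needs a value\n' "$(clean "$1")" >&2; return 2; }
        case "$1" in
            -sp)     sp=$2 ;;
            -sport)  sport=$2 ;;
            -dp)     dp=$2 ;;
            -dport)  dport=$2 ;;
            -r)      risk=$2 ;;
            -sensor) sensor=$2 ;;
            -sig)    sig=$2 ;;
            *) printf 'unknown option: %s\n' "$(clean "$1")" >&2; return 2 ;;
        esac
        shift 2
    done
    if ! is_ipv4 "$sp" || ! is_ipv4 "$dp" || ! is_port "$sport" || ! is_port "$dport"; then
        echo "rejected event: malformed address or port" >&2
        return 1
    fi
    printf '%s src=%s:%s dst=%s:%s risk=%s sensor=%s sig=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sp" "$sport" "$dp" "$dport" \
        "$(clean "$risk")" "$(clean "$sensor")" "$(clean "$sig")"
}

# When invoked by Aanval (arguments present), append the audit line to the log.
if [ "$#" -gt 0 ]; then
    handle_event "$@" >> "$AUDIT_LOG"
fi
```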

Support

How do I create a support ticket?

To create a trouble ticket, request a feature, or report a bug, simply email support.group [at] tacticalflex.com. Include your issue in the subject line (or enter Feature Request or Bug Report, for such a case) and as many details (including any screenshots) in the body of the email, enabling faster responses and resolutions.

Snort

How do I add and configure Snort sensors?

Although the title of this document implies that Aanval has something to do with the adding of Snort sensors, this is not necessarily the case. Snort is responsible for the adding of sensors to the Snort database, while Aanval simply reads and imports these details.

Aanval has been designed to obtain its listing of Snort sensors directly from the Snort database. Sensors are placed into the Snort database either by Snort itself or by other compatible tools and utilities available to the industry, such as Barnyard.

Because Aanval reads Snort sensor details directly from the Snort database, access to the Snort database from the system running Aanval is critical. Problems resulting in not being able to see Snort sensors within Aanval are more than likely related to improper database credentials.

The following assumes that the system from which Aanval is running has proper Snort database privileges as well as network connectivity to the Snort database, should it be applicable.

Enable Snort processing

Prior to enabling Snort sensors or configuring settings for them within Aanval, the Snort database settings within Aanval must be configured to allow Aanval to read the sensor listing from the Snort database.

We do this in two steps.

  1. Visit the Snort Module Settings display (under Console Configuration) within Aanval and check the Enabled box.
  2. Enter the proper Snort database details including database name, hostname, username, and password. This information will be used by Aanval to connect to the Snort database for retrieval of sensor and event data.
  3. Once you are satisfied with these settings, submit and save this information.

Enable Snort sensors

Now that Snort processing is configured and enabled, we move on to enable the actual individual Snort sensors as well as configure their details and set user permissions for viewing events. We do this by visiting the Snort Configuration display. The Snort sensor listing should contain the available Snort sensors read directly from the Snort database. If this listing is empty, refresh the display (button) or verify that the previous Snort Settings details are properly entered and retry this page until successful.

This process is performed in two steps as well.

  1. Select and enable a Snort sensor from the list and begin making configuration changes specific to this sensor. For instance, setting a relevant name, description, operating system, and timezone, as well as the longitude and latitude of the sensor (for GeoLocation displays). Once you are satisfied, submit the information to save it to the server. Please note, if you do not have the proper number of available Snort licenses, you will see an error and cannot continue any further until this requirement is resolved.
  2. Configure the sensor access control (permissions) for various user accounts within the Aanval console for the selected sensor. This information will appear once the sensor has been enabled from the previous step. Select each user of the Aanval console that may view events from this sensor and submit this information to the server.
  3. Repeat for each additional sensor and as licenses are available.

At this point, Aanval should be processing event information from the enabled Snort sensors as long as the Background Processing Units (BPUs) are properly running. If you are not sure or need to start the BPUs, please see Starting and Stopping the BPUs.

Does Aanval include Snort?

No, it is not included. Aanval is an Intrusion Detection and Correlation console that supports Snort, Suricata, and syslog data.

We recommend that Snort be installed and functioning prior to the installation of Aanval or shortly thereafter, if Snort is to be used. However, if you are using Aanval solely for syslog data, Snort is of no concern.

Snort may be obtained by visiting the official Snort website: http://www.snort.org.

What versions of Snort does Aanval support?

Aanval supports virtually all versions of Snort. Aanval has been developed with a dynamic detection module that can support multiple versions of Snort simultaneously.

How do I get help installing Snort?

With a long and diverse technical background, our Aanval engineers and analysts are very skilled in deploying Snort in nearly any environment.

Contact support by email or telephone and we'll be more than happy to speak with you.

Where can I find more information about and definitions for specific Snort rules?

There are two sites that can provide more information about signatures:

  • http://snortid.com (on this site you must first enter the genID, followed by a colon, and then the signature ID. If the genID is unknown, try 1 as the default, as in 1:13249)

How do I configure Snort to natively write to a MySQL database?

  1. Locate your snort.conf (usually found within /etc/snort)
  2. Open the file for editing and locate the lines regarding database output as shown below:
    # database
    # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
  3. Once located, alter this line to match the line below for your particular MySQL database, which should have already been created and configured (schema imported):
    # database
    output database: alert, mysql, user=mysql_user password=my_password dbname=snortdb host=localhost
  4. Replace the variables as they relate to your specific environment and ensure the word "test" is removed as well as the "#" (comment) that precedes the line.

If you make changes to snort.conf while Snort is running, you must stop and restart Snort for these changes to take effect.

How do I manually list all sensors in the Snort database?

The following MySQL query will display the Snort sensor table contents. This can be used to determine whether your Snort sensors are correctly reporting to your configured MySQL database.

SELECT * FROM sensor;

How do I delete a Snort sensor?

This section covers permanently deleting or removing a Snort sensor from the Snort database. Aanval pulls the list of available Snort sensors directly from the configured Snort database, and removing a sensor from this database will cause a loss of event data associated with the deleted sensor.

For this reason, the console does not provide a simple or automated method of removing or deleting a Snort sensor.

Removing a Snort sensor from Aanval's view is as easy as simply disabling the sensor within the Snort Configuration window.

However, this process (for those who understand the implications) is relatively simple.

You may delete the associated sensor from the "sensor" table of the configured Snort database.

This can be done from the MySQL command line, with the following command:

DELETE FROM sensor WHERE sid = X;

Where X is the sid of the sensor you wish to permanently delete.

You may see a list of available Snort sensors (to obtain the correct sid), using the following MySQL command:

SELECT * FROM sensor;

Note, this process does orphan events associated with this sensor as they will remain in the database. Only the sensor record is affected.

Suricata

How do I add and configure Suricata sensors?

Although the title of this document implies that Aanval has something to do with the adding of Suricata sensors, this is not necessarily the case. Suricata is responsible for the adding of sensors to the Snort database, while Aanval simply reads and imports these details.

  • Note: users have the option to write Suricata events to a syslog database, in which case active Suricata sensors would be displayed and configured under the Syslog Sensor Management menu. For the sake of these instructions, when speaking of a Snort database, it is implied a user may instead incorporate the use of a syslog database.

Aanval has been designed to obtain its listing of Suricata sensors directly from the Snort database. Sensors are placed into the Snort database either by Suricata itself or by other compatible tools and utilities available to the industry, such as Barnyard.

Because Aanval reads Suricata sensor details directly from the Snort database, access to the Snort database from the system running Aanval is critical. Problems resulting in not being able to see Suricata sensors within Aanval are more than likely related to improper database credentials.

The following assumes that the system from which Aanval is running has proper Snort database privileges as well as network connectivity to the Snort database, should it be applicable.

Enable Snort processing

Prior to enabling Suricata sensors or configuring settings for them within Aanval, the Snort database settings within Aanval must be configured to allow Aanval to read the sensor listing from the Snort database.

We do this in two steps.

  1. Visit the Snort Module Settings display (under Console Configuration) within Aanval and check the Enabled box.
  2. Enter the proper Snort database details including database name, hostname, username, and password. This information will be used by Aanval to connect to the Snort database for retrieval of sensor and event data.
  3. Once you are satisfied with these settings, submit and save this information.

Enable Suricata sensors

Now that Snort processing is configured and enabled, we move on to enable the actual individual Suricata sensors as well as configure their details and set user permissions for viewing events. We do this by visiting the Snort Sensor Configuration display. The Snort sensor listing should contain the available Suricata sensors read directly from the Snort database. If this listing is empty, refresh the display (button) or verify that the previous Snort Settings details are properly entered and retry this page until successful.

This process is performed in two steps as well.

  1. Select and enable a Suricata sensor from the list and begin making configuration changes specific to this sensor. For instance, setting a relevant name, description, operating system, and timezone, as well as the longitude and latitude of the sensor (for GeoLocation displays). Once you are satisfied, submit the information to save it to the server. Please note, if you do not have the proper number of available Suricata licenses, you will see an error and cannot continue any further until this requirement is resolved.
  2. Configure the sensor access control (permissions) for various user accounts within the Aanval console for the selected sensor. This information will appear once the sensor has been enabled from the previous step. Select each user of the Aanval console that may view events from this sensor and submit this information to the server.
  3. Repeat for each additional sensor and as licenses are available.

At this point, Aanval should be processing event information from the enabled Suricata sensors as long as the Background Processing Units (BPUs) are properly running. If you are not sure or need to start the BPUs, please see Starting and Stopping the BPUs.

See Also

While Suricata sensors are managed within the Snort or Syslog Sensor Management menus, you may visit the following FAQ links for further Suricata sensor management:

Syslog

How do I add and configure syslog sensors?

Add, enable, and configure syslog sensors within Aanval, as well as regular expression filters.

Introduction

Aanval is capable of processing any syslog data source (UDP 514) or locally accessible plain text log file as a syslog sensor source.

Aanval can either listen on UDP port 514 for incoming syslog data or be configured to import syslog data from plain text files, which are locally accessible from the Aanval server.

Syslog sensors, regardless of source, are processed and imported into the Aanval console where data is normalized and correlated directly with other event data including all data from other syslog sources and Snort sensors.

Enable syslog processing

Syslog module processing is enabled by visiting the Syslog Settings display of Aanval. Once enabled, the console is capable of processing events from either the companion idsSyslog.pl script or from configured, locally accessible plain text log files.

Adding a streaming syslog sensor

Within the /apps/ directory of the Aanval console, a Perl script named idsSyslog.pl exists and is responsible for listening on UDP 514 for incoming syslog data. When syslog data is received, this information is written in the console's /syslog/ directory to a file corresponding to the network address of the sender (source).

To start the idsSyslog.pl script in the background to listen on UDP 514 for incoming syslog data, use the following command:

nohup perl idsSyslog.pl > /dev/null &

Alternatively, you can run the script in the foreground when testing for incoming data (it will be displayed in the terminal window):

perl idsSyslog.pl

As long as the Background Processing Units (BPUs) are running, this sensor will be automatically added to the syslog sensor list found within the Syslog Configuration display.

Adding a plain text syslog file as a sensor

To add a log file or plain text file source as a sensor to Aanval, visit the Syslog Configuration display and select the Create option. Enter the full absolute pathname of the log file that is to be used for processing and submit the form to the server.

Once added, the newly created syslog file sensor will be added to the main syslog sensor list within the Syslog Configuration display.

Enable syslog sensors

Enabling a syslog sensor is very similar to enabling a Snort sensor and is done by visiting the Syslog Configuration display. The syslog sensor listing should contain the syslog sensors that are available for processing. If this listing is empty, refresh the display (button) or review the previous steps to add syslog sensor sources as appropriate.

This process is performed in two steps.

  1. Select and enable a syslog sensor from the list and begin making configuration changes specific to this sensor. For instance, setting a relevant name, description, operating system, and timezone, as well as the longitude and latitude of the sensor (for GeoLocation displays). Once you are satisfied, submit the information to save it to the server. Please note: if you do not have the proper number of available syslog licenses, you will see an error and cannot continue any further until this requirement is resolved.
  2. Configure the sensor access control (permissions) for various user accounts within the Aanval console for the selected sensor. This information will appear once the sensor has been enabled from the previous step. Select each user of the Aanval console that may view events from this sensor and submit this information to the server.
  3. Repeat for each additional sensor and as licenses are available.

IMPORTANT: Syslog sensors require regular expression filters to be created and assigned in order to normalize incoming data and correctly assign it to event fields within Aanval. Please see below.

Creating syslog filter expressions

Because syslog data is not standardized, it cannot be automatically parsed without some type of detail or hinting as to what format the source data is in or what it actually contains. For this reason, Aanval uses a syslog filtering system to break down incoming syslog messages into multiple components, which can then be assigned to matching fields. Syslog filters are comprised of regular expressions and used to parse this incoming syslog data for field mapping.

Users create syslog filters by visiting the Syslog Manage Filters display and selecting the Create option. Each filter should be given an accurate name followed by a helpful description and, most importantly, an appropriate filter (regular expression) for parsing.

As an example, a user could create a new filter with the name 'Payload' followed with a regular expression of '.*', which would grab the entire syslog message during parsing. In the next step, a user could assign this newly created payload filter to the payload field for this sensor.

Filters can be as specific or as greedy as you wish and should be written as Perl or PHP regular expressions.

Filters should be created to identify source and destination addresses, ports, event names, risk levels, timestamps, and more.

Assigning syslog filters to fields

We do this by visiting the Syslog Filter Assignment display and selecting the appropriate sensor for which we wish to adjust or assign filters. Once within this display, directly below the desired field (Date, Time, Source Address, etc.) select the appropriate filter from the available drop-down box and click Add. Matching data from the filter parsing phase will be assigned to the appropriate fields of the event, which can then be used throughout the console for searching, reporting, and event display.

Filters can be stacked within fields, one on top of another and will be processed in a top-down order. If the first filter in the list does not return any results and an additional filter is listed, Aanval will continue to process through the list of filters until a result is returned and this result will be assigned to this field.
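To try a filter stack against sample lines before entering it in the console, here is an added shell harness (not Aanval code) that covers both the filter creation above and the top-down assignment just described. It assumes constructed log lines, and it uses grep -E (POSIX ERE) and keeps the first whole match, whereas Aanval's engine evaluates Perl/PHP regular expressions, so patterns are kept to the syntax both understand.

```sh
#!/bin/sh
# Added example, not Aanval code: test a stack of syslog filter expressions
# against sample lines the way the Filter Assignment display processes them,
# top-down, taking the first filter that returns a result.
# Assumption: this harness uses grep -E (POSIX ERE) and keeps the first whole
# match; Aanval's engine uses Perl/PHP regular expressions, so write patterns
# in the common subset ([0-9] rather than \d, no lookbehind).

# apply_filter_stack LINE REGEX...: try each REGEX in order and print the first
# match; return 1 when no filter in the stack matches (the field stays empty).
apply_filter_stack() {
    line=$1
    shift
    for re in "$@"; do
        m=$(printf '%s\n' "$line" | grep -Eo -- "$re" | head -n 1) || true
        if [ -n "$m" ]; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Constructed sample lines in two formats: a BSD-syslog kernel firewall message
# and an ISO-8601 timestamped sshd message.
LINE_FW='Mar  3 14:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=44120 DPT=22'
LINE_SSH='2024-03-03T14:02:12Z bastion sshd[1210]: Failed password for root from 203.0.113.9 port 44121 ssh2'

# Date field: ISO filter on top, BSD-syslog filter beneath it as the fallback.
DATE_ISO='^[0-9]{4}-[0-9]{2}-[0-9]{2}'
DATE_BSD='^[A-Z][a-z]{2} +[0-9]{1,2}'

# Time field: one filter covers both formats.
TIME_HMS='[0-9]{2}:[0-9]{2}:[0-9]{2}'

# Event name field: specific filters only; a line matching neither gets no name.
EVT_SSH='Failed password for [a-z_][a-z0-9_-]*'
EVT_FW='(DROP|ACCEPT|REJECT) IN=[a-z0-9]+'

extract_date()    { apply_filter_stack "$1" "$DATE_ISO" "$DATE_BSD"; }
extract_time()    { apply_filter_stack "$1" "$TIME_HMS"; }
extract_event()   { apply_filter_stack "$1" "$EVT_SSH" "$EVT_FW"; }
extract_payload() { apply_filter_stack "$1" '.*'; }   # the FAQ's Payload filter

# show_fields LINE: print the field mapping one line would receive.
show_fields() {
    printf 'date=%s time=%s event=%s\n' \
        "$(extract_date "$1")" "$(extract_time "$1")" \
        "$(extract_event "$1" || echo '<none>')"
}
```

ERE has no lookbehind, so a label such as SRC= cannot be left out of a whole-match filter in this harness; a Perl/PHP pattern can use a lookbehind such as (?<=SRC=)[0-9.]+ to return only the address.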

If you are unfamiliar with regular expressions, we recommend any of the O'Reilly books on regular expressions as helpful guides and tutorials to understand how regular expressions work. Regular expressions are incredibly powerful and with little effort and ingenuity can be made to parse literally just about any data stream.

Additionally, many regular expression examples exist within the Aanval support system, and further examples are only a web-search away.

See Also