Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:IDS Sensor Management

From Aanval Wiki

These tools allow Aanval to manage local and remote IDS sensors, and to import IDS logs/events for Unified2 sensors.

MySQL Sensor Management

This menu is found by navigating to Configuration > MySQL Module > Sensor Management and allows users to send and receive IDS configuration files and signatures, and also change or update selected policies for sensors.

Getting Started

  1. Users must first install, configure, and start Aanval's SMTs.
     Note: Ensure the proper SMT (/smt) package is used; details are provided on the Sensor Management Tools (SMTs) page.
  2. Select a sensor from those available on the left of the screen.
  3. From the drop-down boxes on the right of the screen, users can choose to Change Sensor Policy or to send one of the following SMT Communication messages:
     Engine Status: Stop, Start, Restart, Reload
     Engine Configuration: Get, Send
     Engine Rules: Get, Send
  4. Repeat these steps for as many sensors or messages as necessary.

Unified2 Sensor Management

This menu is found by navigating to Configuration > Unified2 Module > Sensor Management and allows users to send and receive IDS configuration files and signatures, change or update selected policies for sensors, and to establish or modify sensor-to-Aanval communication and IDS log/event importing.

Getting Started

  1. Users must first install, configure, and start Aanval's SMTs.
     Note: Ensure the proper SMT2 (/smt2) package is used; details are provided on the Sensor Management Tools (SMTs) page.
  2. Basic sensor-to-Aanval communication must first be established. Choose an available sensor on the left of the screen and select its gear icon to enter the Sensor Communication Details.
  3. From the Sensor Policy drop-down box, choose a policy for the selected sensor.
  4. Checking the Auto Policy Update box allows Aanval to update the sensor's configuration file and rules automatically, and to restart the sensor, whenever Update Sensors is selected from the Signature Management menu after rule changes are made.
  5. Enter the values and paths below. They refer to the sensor machine itself, so its local paths are required:
     Configuration File: the location of the IDS engine configuration file (/etc/snort/snort.conf for example)
     Unified2 Path: the location of the IDS log files (/var/log/snort/ for example)
     sid-msg.map File: the location of the sid-msg.map file (/etc/snort/rules/sid-msg.map for example)
     gen-msg.map File: the location of the gen-msg.map file (/etc/snort/rules/gen-msg.map for example)
     Engine Start Command: the command used to start the IDS engine (snort -c /etc/snort/snort.conf -i eth1 for example)
     Engine Stop Command: the command used to stop the IDS engine (pkill snort for example)
     Engine Reload Command: the command used to reload the IDS engine
     Engine Status Command: the command used to check the IDS engine status (ps aux | grep -v grep | grep snort for example)
  6. Click Update to commit the changes. The remaining values (Rules Path, SO Rules Path, PreProc Rules Path, Classification Config, and Threshold Config) are obtained automatically from the IDS configuration file, if available, and entered.
  7. Using the breadcrumb navigation near the upper right of the menu, go back one level by selecting Unified2 Sensor Management.
  8. With basic sensor-to-Aanval communication and event importing established, users can view sensor status from this menu, change the sensor policy, and send the following SMT Communication messages:
     Engine Status: Stop, Start, Restart, Reload
     Engine Configuration: Get, Send
     Engine Rules: Get, Send
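The Click Update step says Aanval fills in Rules Path, SO Rules Path, PreProc Rules Path, Classification Config and Threshold Config from the IDS configuration file. The script below is an added example, not Aanval's own code, that derives those same values from a snort.conf so a sensor operator can compare them with what the console enters; it assumes the stock snort.conf variable names (RULE_PATH, SO_RULE_PATH, PREPROC_RULE_PATH), that relative paths resolve against the directory holding snort.conf, and uses a constructed sample configuration in which threshold.conf is deliberately absent.

```python
import os
import re
# Constructed sample snort.conf (not from a real sensor); the variable and
# include names are the ones used in the stock snort.conf.
SAMPLE_SNORT_CONF = """\
var RULE_PATH /etc/snort/rules          # absolute path, used as is
var SO_RULE_PATH ../so_rules            # relative to the snort.conf directory
var PREPROC_RULE_PATH ../preproc_rules
include classification.config
include $RULE_PATH/local.rules
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
# Aanval field -> where it comes from in snort.conf (a var name or an included file)
FIELDS = {"Rules Path": ("var", "RULE_PATH"),
          "SO Rules Path": ("var", "SO_RULE_PATH"),
          "PreProc Rules Path": ("var", "PREPROC_RULE_PATH"),
          "Classification Config": ("include", "classification.config"),
          "Threshold Config": ("include", "threshold.conf")}

def expand(value, variables):
    """Expand $NAME references using earlier var definitions (Snort syntax)."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def resolve(path, conf_dir):
    """Relative paths are taken relative to the directory holding snort.conf."""
    return os.path.normpath(path if os.path.isabs(path) else os.path.join(conf_dir, path))

def derive_sensor_paths(conf_text, conf_file="/etc/snort/snort.conf"):
    """Return {Aanval field: absolute path, or None if snort.conf lacks it}."""
    conf_dir = os.path.dirname(conf_file)
    variables, includes = {}, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]                  # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            inc = resolve(expand(m.group(1), variables), conf_dir)
            includes[os.path.basename(inc)] = inc
    found = {f: (variables.get(k) if kind == "var" else includes.get(k))
             for f, (kind, k) in FIELDS.items()}
    return {f: resolve(v, conf_dir) if v else None for f, v in found.items()}

def missing_fields(paths):
    """Fields the console could not fill in automatically; enter these by hand."""
    return sorted(f for f, v in paths.items() if v is None)
```

Run it against the sensor's real snort.conf (passing the file's contents and path) to see which fields will be blank after Update and must be entered by hand.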

See Also