Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Signature Management

From Aanval Wiki

By way of Aanval's Sensor Management Tools (SMTs), users can manipulate and sync policies and signatures between a Snort sensor and their Aanval console. This guide is updated for Aanval 8.

Note: Aanval is currently optimized for signature management between Aanval and Snort. Functionality for Suricata signature management will be available in future Aanval updates.

Prerequisites

  1. Aanval's Sensor Management Tools (SMTs) must be installed, configured, and started.
  2. A Signature Source must be active and rules available for management on the Signature Management menu (found under either Unified2 Module or MySQL Module in the Configuration menu).

Creating Signature Policies

  1. Once the SMTs are installed, navigate to Configuration > Unified2 Module (or MySQL Module) > Sensor Management.
  2. Select a sensor from those available on the left of the screen. Using the SMT Communication drop-down box, select the message Engine Rules > Get. This action will retrieve the rules from that specific sensor and automatically create a new policy with a name based on that sensor’s SMT ID.
  3. Using the SMT Communication drop-down box, send a second message: Engine Configuration > Get. This action will retrieve the sensor’s configuration file and load it into Aanval.
  4. Note: Retrieving the sensor's rules and configuration file first is required before any signature changes are made. Until this initial sync has happened, Aanval does not know the engine's configuration or current ruleset, so the next automatic or manual signature update would push a blank configuration file and an empty ruleset to the sensor, wiping out its current setup.

  5. Using the Change Sensor Policy drop-down box, users can assign a different existing policy to the selected sensor. Policies themselves are managed under Configuration > Unified2 Module (or MySQL Module) > Policy Management, where the newly created policy and any existing ones can be renamed or deleted, and new policies created.

Signature and Sensor Management

With a first-time sync complete, users can enable or disable signatures from the Signature Management menu by selecting individual categories and checking or unchecking signatures. Signature changes are saved automatically; when a signature is enabled in a category that has never had an enabled signature before, that category is automatically added to the configuration file.

To send those signature changes back to a sensor or sensors, first ensure each sensor, under its Sensor Management menu, has the option for Auto Policy Update selected and a policy chosen. Auto Policy Update allows Aanval to send signature changes to any and all sensors tied to a specific policy.

  1. After signature changes on the selected policy are complete, and with Auto Policy Update enabled on each sensor tied to that policy, select the Update Sensors button on the Signature Management menu. Aanval then sends the updated signatures and configuration file to the connected sensors and restarts them so the changes take effect. Because a restarting engine inspects no traffic until it is back up, push to production sensors in a window where a brief gap in coverage is acceptable, and confirm afterwards that each sensor came back up and is generating events again.

Using Custom Signatures

While Aanval's signature management system is primarily designed for the importing, updating, and management of downloaded signatures from sources like Snort or Emerging Threats, users can further import and use their own custom signatures.

  1. Custom signatures must first be added manually to an IDS sensor that has an SMT connection to Aanval, and they must be placed in an existing signature category on that sensor. Use a category that fits the signature's purpose; for example, a custom rule for environment-specific malware belongs in the malware-other.rules category. Give each custom rule a SID in Snort's local range (1,000,000 and above) that is not already used on the sensor, so it cannot collide with a downloaded signature when the rules are later imported into Aanval's management tables.
  2. Once the signature is loaded on the sensor, navigate to the Sensor Management menu (under either Unified2 Module or MySQL Module), select the sensor carrying the custom signature, and using the SMT Communication drop-down box send the message Engine Rules > Get. This imports the sensor's existing signatures, now including the custom one, into Aanval's management tables. From there the custom signature can be enabled on the Signature Management menu, the sensor's policy updated, and, if required, the update pushed to other connected sensors on the same policy with the Update Sensors method.
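The following is an added example for step 1 above; it is not part of Aanval or Snort, and the helper, its argument layout (rules directory, category file, snort.conf path, rule text) and the throwaway sensor directory it builds are assumptions for illustration. It checks the three things that go wrong when a custom rule is dropped into a category file by hand: the category does not exist, the category is not included by snort.conf (so the rule never loads and never reaches Aanval), or the SID is in the vendor range or already in use (so the next Engine Rules > Get imports a colliding signature).

```shell
#!/bin/sh
# Added example (hypothetical helper, not Aanval's or Snort's own tooling).
# Usage: add_custom_rule RULES_DIR CATEGORY_FILE SNORT_CONF 'rule text'

# Print the sid:N; value of a single rule line (nothing if the option is missing).
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# Snort reserves SIDs below 1,000,000 for distributed rulesets; local rules start at 1,000,000.
sid_is_local() {
    [ "$1" -ge 1000000 ] 2>/dev/null
}

# Succeed if no rule file under directory $1 already uses SID $2.
sid_is_unused() {
    ! grep -q -- "sid:[[:space:]]*$2[[:space:]]*;" "$1"/*.rules 2>/dev/null
}

# Succeed if snort.conf $1 has an include line that loads category file $2.
category_is_included() {
    grep -q -- "^[[:space:]]*include[[:space:]].*/$2[[:space:]]*\$" "$1"
}

# Append the rule to the category file only if every check passes; return 1 otherwise.
add_custom_rule() {
    dir=$1 category=$2 conf=$3 rule=$4
    [ -f "$dir/$category" ] || { echo "refused: category $category does not exist on this sensor" >&2; return 1; }
    category_is_included "$conf" "$category" || { echo "refused: $category is not included by $conf, the rule would never load" >&2; return 1; }
    sid=$(rule_sid "$rule")
    [ -n "$sid" ] || { echo "refused: rule has no sid option" >&2; return 1; }
    sid_is_local "$sid" || { echo "refused: sid $sid is in the vendor range; use 1000000 or above" >&2; return 1; }
    sid_is_unused "$dir" "$sid" || { echo "refused: sid $sid already exists on this sensor" >&2; return 1; }
    printf '%s\n' "$rule" >> "$dir/$category"
}

# Constructed demo: a throwaway sensor layout with one vendor rule already present.
demo() {
    sensor=$(mktemp -d)
    printf 'var RULE_PATH %s\ninclude $RULE_PATH/malware-other.rules\n' "$sensor" > "$sensor/snort.conf"
    printf '%s\n' 'alert tcp any any -> any 80 (msg:"VENDOR example"; sid:2000001; rev:1;)' > "$sensor/malware-other.rules"
    : > "$sensor/local.rules"   # exists on disk but is not included by snort.conf

    add_custom_rule "$sensor" malware-other.rules "$sensor/snort.conf" \
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL beacon to known C2 port"; flow:to_server,established; sid:1000001; rev:1;)' \
        && echo "added sid 1000001 to malware-other.rules"
    add_custom_rule "$sensor" malware-other.rules "$sensor/snort.conf" \
        'alert tcp any any -> any 80 (msg:"LOCAL duplicate"; sid:2000001; rev:1;)'   # rejected: vendor range
    add_custom_rule "$sensor" local.rules "$sensor/snort.conf" \
        'alert tcp any any -> any 80 (msg:"LOCAL orphan"; sid:1000002; rev:1;)'      # rejected: not included
    rm -rf "$sensor"
}
demo
```

After appending a rule on a real sensor, validate the configuration with Snort's test mode (`snort -T -c /etc/snort/snort.conf`, adjusting the path) before sending Engine Rules > Get, so a syntax error is caught on the sensor rather than after it has been imported into a policy and pushed to every sensor sharing it.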

See Also