
Aanval:Signature Sources

From Aanval Wiki

Aanval supports importing and using signatures from Snort and Emerging Threats. Both sources offer free (Registered User) and paid-subscription signatures. Both Tactical FLEX, Inc. and Emerging Threats recommend using only rules found in a tarball, as security is increased and individual rules have been pre-categorized.

Preparation

Tactical FLEX, Inc. strongly recommends deleting, or at least not enabling, outdated signature sources before enabling Signature Downloading & Processing from the Configuration > Console Configuration > Preferences menu (enabling Signature Downloading & Processing is necessary for Aanval to automatically obtain new signature sources and their updates). Adding outdated signatures to a sensor can cause Snort/Suricata to fail. Adding outdated signatures to the Signature Management window alongside current and valid signatures also creates the possibility that those outdated signatures will be accidentally enabled on the sensor when signature changes are made through Aanval, again causing the sensor to fail. A complete set of current signatures must be downloaded and enabled on the sensor as part of the sensor installation, configuration, and activation process. Before adding more signature sources, Tactical FLEX, Inc. recommends first installing and enabling the SMTs and following the steps outlined in the Signature Management instructions for pulling the signatures currently active on the sensor, along with the sensor's current configuration file.
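The paragraph above describes pulling the signatures currently active on the sensor and comparing them with a current ruleset before anything is enabled. The following added example (not code from Aanval or Tactical FLEX, Inc.) shows that comparison in Python: it parses the sid/rev options out of Snort/Suricata rule lines, treats lines starting with "#" as disabled, and reports enabled rules that are no longer shipped, enabled rules whose rev is behind the current set, and rules the current set adds. The two rule texts are constructed samples with local-range sids, not real signatures.

```python
import re
from typing import Dict, Tuple

# sid/rev options as they appear inside the parentheses of a Snort or Suricata rule.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> Dict[int, Tuple[int, bool]]:
    """Map sid -> (rev, enabled). A rule line that starts with '#' is disabled."""
    rules: Dict[int, Tuple[int, bool]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        sid_match = SID_RE.search(body)
        if not sid_match:
            continue  # an ordinary comment or a non-rule line
        rev_match = REV_RE.search(body)
        rev = int(rev_match.group(1)) if rev_match else 0
        rules[int(sid_match.group(1))] = (rev, enabled)
    return rules


def audit_sensor_rules(active_text: str, current_text: str) -> Dict[str, list]:
    """Compare the rules enabled on the sensor with the current ruleset.

    removed:       enabled on the sensor but no longer shipped (must come off the sensor)
    outdated:      enabled on the sensor at an older rev than the current set
    new_available: shipped in the current set but not present on the sensor at all
    """
    active = parse_rules(active_text)
    current = parse_rules(current_text)
    enabled = {sid: rev for sid, (rev, on) in active.items() if on}
    return {
        "removed": sorted(sid for sid in enabled if sid not in current),
        "outdated": sorted(
            sid for sid, rev in enabled.items()
            if sid in current and current[sid][0] > rev
        ),
        "new_available": sorted(sid for sid in current if sid not in active),
    }


# Constructed samples: what the sensor currently runs (the set pulled through
# Signature Management) and what today's tarball contains. The sids are
# local-range placeholders, not real Snort or Emerging Threats signatures.
ACTIVE_ON_SENSOR = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web rule"; sid:1000002; rev:1;)
#alert udp any any -> any 53 (msg:"EXAMPLE disabled dns rule"; sid:1000003; rev:1;)
alert tcp any any -> any 445 (msg:"EXAMPLE withdrawn rule"; sid:1000004; rev:3;)
"""

CURRENT_TARBALL_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web rule"; sid:1000002; rev:4;)
alert udp any any -> any 53 (msg:"EXAMPLE dns rule"; sid:1000003; rev:2;)
alert tcp any any -> any 3389 (msg:"EXAMPLE new rdp rule"; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    report = audit_sensor_rules(ACTIVE_ON_SENSOR, CURRENT_TARBALL_RULES)
    for key, sids in report.items():
        print(f"{key}: {sids}")
```

Run against the real files, the "removed" list is the set that would cause the failures the paragraph warns about if it stayed on the sensor, and "outdated" is the set to refresh from the tarball before enabling anything through Aanval.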

Both Snort and Emerging Threats will require the user to create a new account and obtain a user ID or Oinkcode. Along with such an ID, both Snort and Emerging Threats will provide usage instructions, including a personal URL that can be added to Aanval for daily downloads of the latest signatures.

Creating a Signature Source

  1. Navigate to the Configuration menu and under either Unified2 Module or MySQL Module, select Signature Sources.
  2. Click the + button on the right of the menu to create a new source.
  3. With the new source selected, enter the Name (example: Snort Rules - 2.9.8.0), and under Location enter the personalized URL. Check the Enabled box and click Update to commit the changes.

Aanval will then attempt to download the new ruleset, and will repeat the download every twenty-four hours from the time the source was enabled.

Troubleshooting Signature Sources

Once a source is successfully downloaded, values will be provided for Last Download and Last Filesize. Users will also receive a console message stating the signature download is complete. If downloading is not occurring, troubleshoot the following:

  1. Make sure the URL is correct and that the associated ID or Oinkcode is correct and valid. One quick check is to paste the URL into a new browser window. If a download begins, the URL and account are valid, and Aanval itself may be lacking the permissions or network access needed to reach that URL. Pasting the URL may also reveal an issue with the URL itself or with the specific account.
  2. Signature providers often impose a limit on the number of times signatures can be downloaded in a given timeframe. Wait at least fifteen minutes and use the Download Signatures button to make another attempt.
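When Last Filesize is populated but the sensor still rejects the rules, the question is what the source actually returned: a gzip tarball of .rules files, a truncated archive, or an HTML error page. The following added example (not code from Aanval or Tactical FLEX, Inc.) classifies a downloaded payload without touching the network, and masks the personal code before a source URL is written to a log or ticket, since the code is the credential. The URL shapes (an oinkcode query parameter, or a 40-hex-digit path component) are assumptions about how the two providers format personal URLs; the codes, tarball and error page are constructed samples.

```python
import io
import re
import tarfile
from typing import Dict, List

# The personal code travels inside the URL, so mask it before the URL is logged.
# Both patterns are assumptions about the URL shape: a query parameter named
# oinkcode, or a 40-hex-digit path component.
OINK_PARAM_RE = re.compile(r"(oinkcode=)[0-9A-Za-z]+")
HEX40_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
SID_RE = re.compile(r"\bsid\s*:\s*\d+\s*;")


def redact_oinkcode(url: str) -> str:
    url = OINK_PARAM_RE.sub(r"\1<redacted>", url)
    return HEX40_RE.sub("<redacted>", url)


def inspect_download(data: bytes) -> Dict[str, object]:
    """Say what a signature source actually returned.

    rules_tarball: a gzip tarball containing at least one .rules file
    corrupt_gzip:  gzip magic, but the archive cannot be read (truncated download)
    html_page:     an HTML login or error page instead of a ruleset
    unknown:       anything else (including a readable archive with no .rules files)
    """
    result: Dict[str, object] = {"kind": "unknown", "rules_files": [], "rule_count": 0}
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
                rules_files: List[str] = []
                count = 0
                for member in tar.getmembers():
                    if not member.isfile() or not member.name.endswith(".rules"):
                        continue
                    rules_files.append(member.name)
                    text = tar.extractfile(member).read().decode("utf-8", "replace")
                    # count every rule line, enabled or commented out
                    count += sum(1 for line in text.splitlines() if SID_RE.search(line))
        except (tarfile.TarError, OSError, EOFError):
            result["kind"] = "corrupt_gzip"
            return result
        if rules_files:
            result.update(kind="rules_tarball", rules_files=rules_files, rule_count=count)
        return result
    head = data[:512].lower()
    if b"<html" in head or b"<!doctype html" in head:
        result["kind"] = "html_page"
    return result


def build_sample_tarball(files: Dict[str, str]) -> bytes:
    """Build an in-memory gzip tarball from {path: text} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples: a tiny ruleset (local-range sids, not real signatures),
# an error page of the kind a rejected code might produce, and two URLs whose
# shape is assumed and whose codes are placeholders.
SAMPLE_FILES = {
    "rules/example-local.rules": (
        'alert tcp any any -> any 22 (msg:"EXAMPLE ssh probe"; sid:1000001; rev:1;)\n'
        '#alert tcp any any -> any 23 (msg:"EXAMPLE telnet"; sid:1000002; rev:1;)\n'
    ),
    "rules/README.txt": "Constructed sample ruleset, not a vendor release.\n",
}
SAMPLE_ERROR_PAGE = b"<!DOCTYPE html><html><body>Invalid oinkcode</body></html>"
SAMPLE_URLS = [
    "https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz?oinkcode=0123456789abcdef0123456789abcdef01234567",
    "https://rules.emergingthreatspro.com/0123456789abcdef0123456789abcdef01234567/suricata/etpro.rules.tar.gz",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("checking", redact_oinkcode(url))
    print(inspect_download(build_sample_tarball(SAMPLE_FILES)))
    print(inspect_download(SAMPLE_ERROR_PAGE))
    print(inspect_download(b"\x1f\x8b not really gzip"))
```

A result of html_page with a valid-looking Last Filesize points at step 1 (the code or account), a corrupt_gzip at a download cut short, and a rules_tarball with a plausible rule_count means the source is fine and the sensor-side rule set is what needs attention.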

See Also