
Aanval:Snort, Barnyard2, and Aanval Detailed Installation Guide for OS X

From Aanval Wiki


The following guide provides detailed instructions for installing Snort, Barnyard2, and Aanval onto a fresh installation of Mac OS X Yosemite (10.10).

Important Note: This Snort install guide is designed for and tested with Snort 2.9.7.0. Results may differ with older versions of Snort and/or OS X.

Hardware Requirements

Below are the minimum hardware requirements for the most common deployments of Aanval.

Environment    Sensor Capacity    Memory    CPU Cores    Disk Space
Small Scale    1-3                4GB       2            100GB
Large Scale    8 or more          8+GB      4 or more    500GB

Network Requirements

The following ports will need to be opened for proper functionality.

  • Port 22 (Workstation -> Aanval server and sensors): Users will need SSH access to manage Aanval and its onboard/remote sensors.
  • Port 3306 (Aanval -> MySQL): Using the IDS MySQL Module, Aanval will secure a direct connection to MySQL and import IDS logs from the Snort database (for setups using a Snort database and Barnyard2 only; not required if using the Aanval 8 Unified2 Module for IDS log importing).
  • Ports 80/443 (Aanval <-> sensors): Using the IDS Unified2 Module, Aanval will import IDS logs from each sensor and exchange secure communications with it over port 80 or 443 (depending on network setup).

The following URL will need to be opened for proper functionality.

  • aanval.com: Aanval will perform regular console update checks and allow the user to download and install available updates.

Software Requirements

Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.

  • Operating System: Aanval will install on all major Linux and Unix distributions, including Mac OS X.
    Linux: CentOS has been a popular choice as a Linux OS for Aanval users. The most current version of CentOS can be obtained from the following site: [1]
    Unix: BSD has been a popular choice as a Unix OS for Aanval users. Any variant of BSD will work with Aanval, and FreeBSD can be obtained from the following site: [2]
    OS X: Mac OS X has also been a popular choice for Aanval users.
    Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, MySQL, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out of the box.
    To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com.
  • MySQL: Aanval requires a MySQL database for event processing and storage. The most current version of MySQL can be obtained from the following site: [3]
  • PHP (at least version 5): Aanval requires PHP for server-side scripting. The most current version of PHP can be obtained from the following site: [4]
    When using the Unified2 Module for importing IDS events, it is recommended that php.ini be updated with the following change:
    upload_max_filesize = 256M
    After making changes, restart Apache. This change allows Aanval to receive all necessary files from sensors, including event data and especially the sid-msg.map and gen-msg.map files.
  • PHP Modules: The following PHP modules are required for Aanval functionality: php-xml, php-pdo, php-mysql, php-dom
  • PERL (any version): Aanval uses PERL to launch the PHP scripts in wrapper fashion. The most current version of PERL can be obtained from the following site: [5]
  • Web Server: Aanval requires an Apache web server capable of serving PHP scripting. The most current version of Apache can be obtained from the following site: [6]
  • Wget: Aanval uses Wget to download external data like console updates, GeoLocation databases, and signatures. The most current version of Wget can be obtained from the following site: [7]. Users can also use their OS's built-in installation or update commands to obtain the utility.
  • Unzip: Aanval uses Unzip to decompress downloaded data like console updates and GeoLocation databases. Oracle offers an unzip utility, and the most current version can be obtained from the following site: [8]. Users can also use their OS's built-in installation or update commands to obtain the utility.
  • IDS Engine: Aanval requires an Intrusion Detection System (IDS) for monitoring and retrieving (sometimes called "sniffing") network traffic and packets. Snort and Suricata have been the most popular IDS engines used with Aanval.
    Snort: The most current version of Snort can be downloaded from the following link: [9]
    Suricata: The most current version of Suricata can be downloaded from the following link: [10]
  • Barnyard2: Barnyard2 is used to parse Snort/Suricata Unified2 events and send them to an IDS MySQL database. The most current version of Barnyard2 can be obtained from the following site: [11]

Barnyard2 is only required for such MySQL-Barnyard2-based sensors. Aanval 8 has the capability to directly import the Unified2 logs from the IDS sensor by use of its Sensor Management Tools (SMTs).

Objective

The objective of this installation guide is for users to have a fully-functional IDS system, powered by Snort, the world's most widely used and trusted Intrusion Detection System, and Aanval, the industry's longest running Snort threat management console that has been in continual development since 2003.

Preparation

  • You can also watch the Video Tutorial for this section on YouTube: [12]

With only a few minor exceptions, the majority of this installation guide will take place on the command line using the preinstalled Terminal app.

It is assumed that this is a fresh installation of Mac OS X Yosemite (10.10).

  1. If using Safari as the default browser, open its Preferences and disable (uncheck) the "Open 'safe' files after downloading" box; otherwise Safari will automatically unpack the downloaded archives and the commands listed below will not work as written.
  2. Navigate to System Preferences > Security & Privacy and set "Allow apps downloaded from:" to Anywhere, as applications from outside the Mac App Store are necessary for installation.
  3. For the purposes of this installation guide, the following command will require the root password to be entered and allows the rest of the installation to take place without individual sudo commands being necessary:
    sudo bash

  4. Create the following directories:
    mkdir /etc/snort
    mkdir /var/log/snort
    mkdir /var/log/barnyard2
    mkdir /usr/local/src
    mkdir /smt
    mkdir -p /usr/local/lib/snort_dynamicrules

  5. Echo the MySQL path information into your root .profile:
    echo 'export PATH=/usr/local/mysql/bin:$PATH' >> ~/.profile

  6. Exit and close Terminal completely, then reopen it for the path change to take effect.

Installation

Command Line Developer Tools

  1. Download and install the command line developer tools, which are necessary to compile packages on OS X.
  2. To initiate the download, execute in Terminal a command that would normally require the command line developer tools, such as gcc:
    gcc

    You'll receive the following note:

    no developer tools were found at '/Applications/Xcode.app', requesting install. Choose an option in the dialog to download the command line developer tools.

    You'll then see a dialog box with options to download Xcode or simply install the command line developer tools. Choose the option to Install.

  3. After completing the command line developer tools installation, close your Terminal session and relaunch it, running sudo once more for the changes to take effect:
    sudo bash
    

PCRE

The PCRE (Perl Compatible Regular Expression) library contains the required functionality for linked-applications to implement regular expression matching based on Perl.

The latest version of PCRE can be obtained from http://www.pcre.org/

For the purposes of this installation guide, PCRE 8.36 will be referenced.

  1. Download pcre-8.36.tar.gz
  2. Copy the package into /usr/local/src:
    cp ~/Downloads/pcre-8.36.tar.gz /usr/local/src

  3. Change into the /usr/local/src directory:
    cd /usr/local/src

  4. Uncompress and unarchive pcre-8.36.tar.gz:
    tar -zxvf pcre-8.36.tar.gz

  5. Change into the newly created package directory:
    cd pcre-8.36

  6. Configure, compile, and install the PCRE library:
    ./configure
    make
    make install
    

DAQ

The DAQ (Data AcQuisition) library is a data acquisition layer that allows applications to replace direct calls to PCAP and is required by Snort as of 2.9.

The latest version of DAQ can be obtained from http://www.snort.org/downloads

For the purposes of this installation guide, DAQ 2.0.4 will be referenced.

  1. Download daq-2.0.4.tar.gz
  2. Copy the package into /usr/local/src:
    cp ~/Downloads/daq-2.0.4.tar.gz /usr/local/src

  3. Change into the /usr/local/src directory:
    cd /usr/local/src

  4. Uncompress and unarchive daq-2.0.4.tar.gz:
    tar -zxvf daq-2.0.4.tar.gz

  5. Change into the newly created package directory:
    cd daq-2.0.4

  6. Configure, compile, and install the DAQ library:
    ./configure
    make
    make install
    

libdnet

libdnet provides a simplified, portable interface to several low-level networking routines and is required by Snort.

The latest version of libdnet can be obtained from http://libdnet.sourceforge.net/

For the purposes of this installation guide, libdnet 1.11 will be referenced.

  1. Download libdnet-1.11.tar.gz
  2. Copy the package into /usr/local/src:
    cp ~/Downloads/libdnet-1.11.tar.gz /usr/local/src

  3. Change into the /usr/local/src directory:
    cd /usr/local/src

  4. Uncompress and unarchive libdnet-1.11.tar.gz:
    tar -zxvf libdnet-1.11.tar.gz

  5. Change into the newly created package directory:
    cd libdnet-1.11

  6. Configure, compile, and install the libdnet library:
    ./configure
    make
    make install
    

MySQL

MySQL provides the necessary database storage for event information that will be needed by Aanval.

The most recent MySQL package for OS X can be obtained from http://dev.mysql.com/downloads/mysql/.

For the purposes of this installation guide, mysql-5.6.26-osx10.9-x86_64.dmg was downloaded and used.

  1. Download and install the DMG.
  2. Once the installation is complete, you can open System Preferences to view the status of MySQL and start it. You can also start the process using the following command:
    /usr/local/mysql/support-files/mysql.server start

  3. Run the following command to place the MySQL libraries in the correct location:
    cp /usr/local/mysql/lib/* /usr/local/lib/

  4. Create the Aanval database:
    mysqladmin create aanvaldb

  5. Create the Snort database:
    mysqladmin create snort
    

Apache

  1. Edit /etc/apache2/httpd.conf and uncomment the following line to enable PHP script interpretation:
    LoadModule php5_module libexec/apache2/libphp5.so

  2. Restart Apache:
    apachectl restart
    

PHP

  1. Rename php.ini.default to the more recognizable and standardized php.ini:
    mv /etc/php.ini.default /etc/php.ini
    

Snort

  • You can also watch the Video Tutorial for this section on YouTube: [13]

Snort is the industry's most widely used and trusted Intrusion Detection and Prevention engine available.

  • Note: Interface en0 is being used for this installation guide; substitute the correct interface for your particular system.

The latest version of Snort can be obtained from http://www.snort.org/downloads

The latest rules (those referenced in this guide are 2970) can be obtained from http://www.snort.org/downloads

For the purposes of this installation guide, Snort 2.9.7.0 will be referenced.

  1. Download snortrules-snapshot-2970.tar.gz
  2. Download snort-2.9.7.0.tar.gz
  3. Copy the package into /usr/local/src:
    cp ~/Downloads/snort-2.9.7.0.tar.gz /usr/local/src

  4. Change into the /usr/local/src directory:
    cd /usr/local/src

  5. Uncompress and unarchive snort-2.9.7.0.tar.gz:
    tar -zxvf snort-2.9.7.0.tar.gz

  6. Change into the newly created package directory:
    cd snort-2.9.7.0
    

Compiling

  1. Configure, compile, and install Snort with the following commands:
    ./configure --enable-gre --enable-mpls --enable-targetbased \
    --enable-ppm --enable-perfprofiling --enable-active-response \
    --enable-normalizer --enable-reload --enable-react
    make
    make install

Configuration

  1. Copy the default configuration files from the package into the /etc/snort directory:
    cp ./etc/* /etc/snort/

  2. Edit /etc/snort/snort.conf and make the following changes:
    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

  3. Uncomment the Unified2 output line and remove "nostamp" from the comma-delimited options list:
    output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

  4. Uncompress and install the Snort rules:
    cp ~/Downloads/snortrules-snapshot-2970.tar.gz /etc/snort/
    cd /etc/snort
    tar -zxvf snortrules-snapshot-2970.tar.gz
    rm -f snortrules-snapshot-2970.tar.gz

  5. Create empty black and white lists:
    touch /etc/snort/rules/white_list.rules
    touch /etc/snort/rules/black_list.rules

  6. SID map configuration (copy sid-msg.map out of the etc directory unpacked from the rules snapshot, then remove that directory):
    cp /etc/snort/etc/sid-msg.map /etc/snort
    rm -rf /etc/snort/etc
    

Starting

Foreground
  1. Initially run Snort in the foreground, watching for errors and ensuring Snort is functioning properly:
    snort -c /etc/snort/snort.conf -i en0

Daemon Mode
  1. Once you are satisfied, running the previous command with the -D option will launch Snort in daemon mode:
    snort -c /etc/snort/snort.conf -i en0 -D
    

Barnyard2

  • You can also watch the Video Tutorial for this section on YouTube: [14]

Barnyard2, the successor to Barnyard, is a utility that parses Snort Unified2 format files as input and outputs this data in a variety of other well-known formats. For this installation, Barnyard2 will be used to send Snort Unified2 data to MySQL.
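To make concrete what Barnyard2 does with merged.log, here is an added example (not part of this page, nor code from the Aanval or Barnyard2 projects): a Python reader for the Unified2 records Snort writes. It assumes the Snort 2.9 Unified2 record layouts (legacy IPv4 event type 7 and type 104, the variant Snort emits for IPv4 events once vlan_event_types/mpls_event_types are set) and a v1 sid-msg.map layout; the sample records and map lines are constructed.

```python
"""Snort Unified2 record reader (added example; not Aanval or Barnyard2 code).

Snort writes merged.log.<unix-time> files in the Unified2 binary format that
Barnyard2 reads, bookmarking its position in the waldo file. This parses the two
IPv4 event record types Snort 2.9.x emits, resolves sid -> msg via sid-msg.map,
and keeps a byte-offset bookmark that stops cleanly at a partially written record.
Layouts follow Snort 2.9's Unified2 definitions; all sample data is constructed.
"""
import socket
import struct

RECORD_HEADER = struct.Struct("!II")           # type, length (network byte order)
IDS_EVENT = struct.Struct("!11I2H4B")          # type 7, legacy IPv4 event: 52 bytes
IDS_EVENT_VLAN = struct.Struct("!11I2H4BIHH")  # type 104: + mpls_label, vlanId, pad: 60 bytes
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN = 2, 7, 104
FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
          "signature_id", "generator_id", "signature_revision", "classification_id",
          "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
          "protocol", "impact_flag", "impact", "blocked")


def parse_sid_msg_map(text):
    """Parse a v1 sid-msg.map ('sid || msg || ref ...') into {sid: msg}."""
    mapping = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            mapping[int(parts[0])] = parts[1]
    return mapping


def read_records(data, offset=0):
    """Return complete (type, payload) records from offset, plus the offset of the
    first incomplete record: the bookmark to persist (what Barnyard2's waldo tracks)."""
    records = []
    while offset + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        end = offset + RECORD_HEADER.size + length
        if end > len(data):
            break                              # body still being written; retry later
        records.append((rtype, data[offset + RECORD_HEADER.size:end]))
        offset = end
    return records, offset


def decode_event(rtype, payload):
    """Decode an IPv4 IDS event record; packet and extra-data records return None."""
    if rtype == UNIFIED2_IDS_EVENT and len(payload) >= IDS_EVENT.size:
        values, extra = IDS_EVENT.unpack_from(payload), {}
    elif rtype == UNIFIED2_IDS_EVENT_VLAN and len(payload) >= IDS_EVENT_VLAN.size:
        values = IDS_EVENT_VLAN.unpack_from(payload)
        extra = {"mpls_label": values[17], "vlan_id": values[18]}
    else:
        return None
    event = dict(zip(FIELDS, values))          # zip stops after the 17 named fields
    for key in ("ip_source", "ip_destination"):
        event[key] = socket.inet_ntoa(struct.pack("!I", event[key]))
    event.update(extra)
    return event


def summarize(data, sid_map, offset=0):
    """One text line per complete event after offset; returns (lines, bookmark)."""
    records, bookmark = read_records(data, offset)
    lines = []
    for rtype, payload in records:
        ev = decode_event(rtype, payload)
        if ev is None:
            continue
        msg = sid_map.get(ev["signature_id"], "unknown signature")
        line = (f"[{ev['generator_id']}:{ev['signature_id']}:{ev['signature_revision']}] {msg} "
                f"{ev['ip_source']}:{ev['sport_itype']} -> {ev['ip_destination']}:{ev['dport_icode']} "
                f"proto={ev['protocol']} prio={ev['priority_id']}")
        if ev.get("vlan_id"):
            line += f" vlan={ev['vlan_id']}"
        lines.append(line)
    return lines, bookmark


# --- constructed sample data: two events, one packet record, one torn tail ---
def build_event_record(rtype, sid, src, sport, dst, dport, proto=6, priority=2, vlan=0):
    """Serialize one event record (header + body) the way Snort lays it out."""
    def ip(addr):
        return struct.unpack("!I", socket.inet_aton(addr))[0]
    fields = (1, sid, 1420070400, 0, sid, 1, 1, 2, priority, ip(src), ip(dst),
              sport, dport, proto, 0, 0, 0)
    body = (IDS_EVENT_VLAN.pack(*fields, 0, vlan, 0) if rtype == UNIFIED2_IDS_EVENT_VLAN
            else IDS_EVENT.pack(*fields))
    return RECORD_HEADER.pack(rtype, len(body)) + body


SAMPLE_SID_MSG_MAP = """# constructed sid-msg.map excerpt (v1 layout)
1000001 || EXAMPLE inbound HTTP probe || url,example.invalid
1000002 || EXAMPLE outbound TLS beacon
"""
SAMPLE_LOG = (
    build_event_record(UNIFIED2_IDS_EVENT_VLAN, 1000001, "10.0.0.5", 40000, "192.168.1.10", 80, vlan=100)
    + RECORD_HEADER.pack(UNIFIED2_PACKET, 4) + b"\x00\x00\x00\x00"    # packet record: skipped
    + build_event_record(UNIFIED2_IDS_EVENT, 1000002, "192.168.1.10", 443, "10.0.0.5", 50000)
    + RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, 60) + b"\x00" * 20  # torn: 20 of 60 body bytes
)

if __name__ == "__main__":
    lines, bookmark = summarize(SAMPLE_LOG, parse_sid_msg_map(SAMPLE_SID_MSG_MAP))
    print("\n".join(lines))
    print(f"bookmark {bookmark} of {len(SAMPLE_LOG)} bytes; reread from there once the record is complete")
```

A live reader would persist the returned bookmark and resume from it on the next pass, exactly the reason the waldo file is configured for Barnyard2 below.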

  • Note: Interface en0 is being used for this installation guide; substitute the correct interface for your particular system.

The latest version of Barnyard2 can be obtained from http://download.aanval.com/barnyard2-1.9.tar.gz

For the purposes of this installation guide, Barnyard2 1.9 will be referenced.

  1. Download barnyard2-1.9.tar.gz
  2. Copy the package into /usr/local/src:
    cp ~/Downloads/barnyard2-1.9.tar.gz /usr/local/src

  3. Change into the /usr/local/src directory:
    cd /usr/local/src

  4. Uncompress and unarchive barnyard2-1.9.tar.gz:
    tar -zxvf barnyard2-1.9.tar.gz

  5. Change into the newly created package directory:
    cd barnyard2-1.9
    

Compiling

  1. Configure and compile Barnyard2 with support for MySQL:
    ./configure --with-mysql
    make

    After the "make" command you may encounter a couple of errors that keep you from continuing, starting with the first:

    In file included from spot_alert_cef.c:67:
    ../strlcpyu.h:24:8: error: conflicting types...

  2. Edit the file src/strlcpyu.h and comment out the following line so that it looks as below:
    //size_t strlcpy(char *, const char *, size_t);

  3. Save the file and run "make" again. If you received the first error, you'll likely receive a second one like it:
    In file included from spot_alert_cef.c:66:
    ../strlcatu.h:24:8: error: conflicting types...

  4. Edit the file src/strlcatu.h and comment out the following line so that it looks as below:
    //size_t strlcat(char *, const char *, size_t);

  5. Run the "make" command again. All should be successful.
  6. Continue and complete the installation:
    make install

Configuration

  1. Copy the sample configuration file from the package directory into the /etc directory:
    cp ./etc/barnyard2.conf /etc/

  2. Edit /etc/barnyard2.conf and make the following changes:
    config interface: en0
    config waldo_file: /var/log/barnyard2/waldo
    output database: log, mysql, user=root dbname=snort host=localhost

  3. Load the Snort MySQL database schema file, which creates the database table structure:
    mysql snort < ./schemas/create_mysql
    

Starting

Foreground
  1. Initially run Barnyard2 in the foreground, watching for errors and ensuring Barnyard2 is functioning properly:
    barnyard2 -c /etc/barnyard2.conf -f merged.log -d /var/log/snort

Daemon Mode
  1. Once you are satisfied, running the previous command with the -D option will launch Barnyard2 in daemon mode:
    barnyard2 -c /etc/barnyard2.conf -f merged.log -d /var/log/snort -D
    

Aanval

  • You can also watch the Video Tutorial for this section on YouTube: [15]

Preparation

  1. Assuming a default installation of Mac OS X, delete the contents of the web server's root directory with the following command:
    rm -rf /Library/WebServer/Documents/*

  2. Change into the web server's root directory:
    cd /Library/WebServer/Documents/
    

Download

  1. Download the latest build of Aanval. The latest version of Aanval can be obtained from http://www.aanval.com/download. Users will first need to sign in to an existing Aanval account, or create a new one, if downloading via a web browser.

    For the purposes of this installation guide, Aanval SAS v7 will be referenced.

    curl -O http://download.aanval.com/aanval-7-latest-stable.tar.gz

  2. Uncompress and unarchive aanval-7-latest-stable.tar.gz:
    tar -zxvf aanval-7-latest-stable.tar.gz

  3. Perform a clean-up by removing the Aanval download package:
    rm -f aanval-7-latest-stable.tar.gz
    

Web-based Install

  1. Open Safari or your preferred web browser and point it to 'localhost', where you should be presented with the Aanval End-User License Agreement.
  2. Click 'I agree' to continue.
    (Screenshot: Aanval Installation EULA)

  3. Ensure all compatibility tests are successful; otherwise, resolve the problems listed and select 'Continue'.
    (Screenshot: Aanval Installation Environment Compatibility)

  4. Configure database settings for the Aanval database created earlier in this guide:
    Database Server: 127.0.0.1
    Database Name: aanvaldb
    Database Username: root
    Database Password: <blank>

  5. Submit these settings to continue.
    (Screenshot: Aanval Installation DB Configuration)

    NOTE: In some instances this portion of the installation may fail with a "Failure! DB Connection Failure: Invalid Configuration" notice, and even a Warning at the top of the browser: "mysql_error() expects parameter 1 to be mysql, boolean given in /Library/WebServer/Documents/console/core/installUpgrade.php on line 847"

    Aanval connects to MySQL on the default port of 3306. If these errors display, it is because the MySQL instance is started and accessible only on port 3307 (used in SSL connections).

    There are two methods to remedy the error. The first is to edit /Library/LaunchDaemons/com.oracle.os.mysql.mysqld.plist, change the line which reads <string>--port=3307</string> to read <string>--port=3306</string>, and then restart MySQL. The other is to return to the configuration menu in the browser and, when entering the location of the Aanval database, include the specific port; in this example of a local installation you'd enter 127.0.0.1:3307.

  6. Click Continue to proceed.
    (Screenshot: Aanval Installation DB Confirmation)

    • Database settings will be confirmed and a Success message will be provided if everything is correct; otherwise, return and resolve the problem.
  7. The Aanval installation process will now take place and is relatively quick. This process creates and loads all required database tables and provisions the console for initial usage. When complete, click Continue to proceed.
    (Screenshot: Aanval Installation Process)

    Installation complete!

    Once you have successfully installed Aanval, you will be presented with the default username and password of this Aanval console as well as the instructions to start the Aanval BPUs (Background Processing Units).

    You may proceed to log in to Aanval.
    (Screenshot: Aanval Installation Complete)

  8. Log in to Aanval using the credentials provided on the previous screen. Typically these will be a username of 'root' and a password of 'specter'.
    (Screenshot: Aanval Console Login)

    • Note: these are published defaults; change the root password in the console as soon as you have logged in.
  9. Navigate to Console Configuration (the gear icon in the lower right-hand corner) > Console > Preferences > Miscellaneous, enter your unique Oinkcode from snort.org in the space labeled Oinkmaster Code, and then click Update at the bottom of the screen.

Starting the BPUs

  1. At the command line, change into the apps directory of Aanval:
    cd /Library/WebServer/Documents/apps

  2. Start the BPUs with the following command (it launches the background processing units in daemon mode):
    perl idsBackground.pl -start
    

Installing the SMTs

The Aanval SMTs (Sensor Management Tools) allow Aanval to communicate with and manage Snort, its configuration, and signatures.

  1. Copy the SMTs into the /smt directory that was created earlier in this guide:
    cp /Library/WebServer/Documents/contrib/smt/* /smt

  2. Change into the /smt directory:
    cd /smt

  3. Edit conf.php and make the following changes:
    $id = "12345678901";
    $consoleHost = "localhost";
    $consoleHostPath = "/";
    $cmdSnortStart = "launchctl load /Library/LaunchDaemons/org.snort.snort.plist";
    $cmdSnortStop = "launchctl unload /Library/LaunchDaemons/org.snort.snort.plist";
    

Configure Snort Module

  1. After you have successfully logged into the Aanval console, you will need to configure and enable the Snort module to allow Aanval to import and normalize events from the Snort database configured in previous steps. To do so, follow these quick, short steps:
    1. Select 'Console Configuration' (the gear) in the lower-right portion of the console.
    2. Select Settings under the Snort Module heading.
    3. Enable the module.
    4. Input the correct database details, which should be configured to a database name of 'snort', a hostname of '127.0.0.1' and a username of 'root', and the password being left blank as previously configured.
    5. Select Update to save these changes.
  2. Return back to the Console Configuration display and select Sensor Configuration under the Snort Module heading.
  3. Enable the listed sensor if available (if not available, no events have been detected).
  4. If you would like to use the Aanval SMT (Sensor Management Tool) option, set the SMT ID to the value of $id in the SMT conf.php configured above, i.e. 12345678901.
  5. Once enabled, click the checkbox to make this sensor visible to the current user under 'User Permissions'.

Launch Daemons

  • You can also watch the Video Tutorial for this section on YouTube: [16]

Configuring Snort, Barnyard2, and Aanval to properly launch upon system boot is critical in the event of power failure or even a simple restart. The following sections provide the appropriate sample LaunchDaemon scripts for this purpose and the commands to load them.

Aanval BPUs

The following launch daemon can be created by following the steps below or by running the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/com.aanval.bpu.plist

  1. Create the file /Library/LaunchDaemons/com.aanval.bpu.plist with the following contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>com.aanval.bpu</string>
       <key>ProgramArguments</key>
       <array>
          <string>/usr/bin/perl</string>
          <string>/Library/WebServer/Documents/apps/idsBackground.pl</string>
          <string>-start</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/Library/WebServer/Documents/apps</string>
    </dict>
    </plist>

  2. Load the BPU launch daemon:
    launchctl load /Library/LaunchDaemons/com.aanval.bpu.plist

    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Aanval SMTs

The following launch daemon can be created by following the steps below or by running the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/com.aanval.smt.plist

  1. Create the file /Library/LaunchDaemons/com.aanval.smt.plist with the following contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>com.aanval.smt</string>
       <key>ProgramArguments</key>
       <array>
          <string>/usr/bin/perl</string>
          <string>/smt/idsSensor.pl</string>
          <string>-start</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/smt</string>
    </dict>
    </plist>

  2. Load the SMT launch daemon:
    launchctl load /Library/LaunchDaemons/com.aanval.smt.plist

    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Aanval Syslog Daemon

The following launch daemon can be created by following the steps below or by running the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/com.aanval.syslog.plist

  1. Create the file /Library/LaunchDaemons/com.aanval.syslog.plist with the following contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>com.aanval.syslog</string>
       <key>ProgramArguments</key>
       <array>
          <string>/usr/bin/perl</string>
          <string>/Library/WebServer/Documents/apps/idsSyslog.pl</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/Library/WebServer/Documents/apps</string>
    </dict>
    </plist>

  2. Load the Syslog launch daemon:
    launchctl load /Library/LaunchDaemons/com.aanval.syslog.plist

    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Snort

The following launch daemon can be created by following the steps below or by running the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/org.snort.snort.plist

  1. Create the file /Library/LaunchDaemons/org.snort.snort.plist with the following contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>org.snort.snort</string>
       <key>ProgramArguments</key>
       <array>
          <string>/usr/local/bin/snort</string>
          <string>-i</string>
          <string>en0</string>
          <string>-c</string>
          <string>/etc/snort/snort.conf</string>
          <string>-D</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/etc/snort</string>
    </dict>
    </plist>

  2. If you would like to use this launch daemon, simply kill the current Snort process (if started in previous steps) and load this launch daemon:
    launchctl load /Library/LaunchDaemons/org.snort.snort.plist

    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Barnyard2

The following launch daemon can be created by following the steps below or by running the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/org.snort.barnyard2.plist

  1. Create the file /Library/LaunchDaemons/org.snort.barnyard2.plist with the following contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>org.snort.barnyard2</string>
       <key>ProgramArguments</key>
       <array>
          <string>/usr/local/bin/barnyard2</string>
          <string>-c</string>
          <string>/etc/barnyard2.conf</string>
          <string>-f</string>
          <string>merged.log</string>
          <string>-d</string>
          <string>/var/log/snort</string>
          <string>-D</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/var/log/snort</string>
    </dict>
    </plist>

  2. If you would like to use this launch daemon, simply kill the current Barnyard2 process (if started in previous steps) and load this launch daemon:
    launchctl load /Library/LaunchDaemons/org.snort.barnyard2.plist

    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Nmap (Optional)

Nmap is used to scan networks via Aanval's Offensive Reconnaissance tool to find a host's OS fingerprint, up/down state, and available ports, and also utilize Aanval's Network Host Scanning and Rogue Host Detection tools for on-demand and automated network scanning and alerting.

Aanval was designed and tested to work with Nmap version 6 and above. For the purposes of this installation guide, Nmap 6.47 and the package nmap-6.47.tar.bz2 will be referenced.

  1. Download Nmap. The most recent version can be obtained from http://nmap.org/download.html.
  2. Copy the package into /usr/local/bin:
    cp ~/Downloads/nmap-6.47.tar.bz2 /usr/local/bin

  3. Change into the /usr/local/bin directory:
    cd /usr/local/bin

  4. Uncompress and unarchive nmap-6.47.tar.bz2 (a bzip2 archive, so tar needs -j rather than -z):
    tar -jxvf nmap-6.47.tar.bz2

  5. Change into the newly created package directory:
    cd nmap-6.47

  6. Configure, compile, and install Nmap:
    ./configure
    make
    make install

  7. From the Aanval console, navigate to Console Configuration > Console > Preferences > Network Scanning > Nmap Binary Path, and confirm Nmap's location:
    /usr/local/bin/nmap
    

Enable SSL (Optional)

Enabling SSL on the OS X appliance provides secured access and data transfer.

  1. Create a directory for the SSL host key:
    mkdir /etc/apache2/ssl

  2. Change into the newly created directory:
    cd /etc/apache2/ssl

  3. Create the server key file:
    ssh-keygen -f server.key

  4. Create a certificate request file:
    openssl req -new -key server.key -out request.csr

    • Note: When providing information about the organization requesting the certificate, you may answer or leave blank the questions asked, but it is recommended you leave the pass phrase field blank.
  5. Create the self-signed SSL certificate using the request file:
    openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt

  6. Create a backup of /etc/apache2/httpd.conf:
    cp /etc/apache2/httpd.conf{,.bk}

  7. Edit /etc/apache2/httpd.conf and enable (uncomment) the following lines:
    LoadModule ssl_module libexec/apache2/mod_ssl.so
    Include /private/etc/apache2/extra/httpd-ssl.conf
    Include /private/etc/apache2/extra/httpd-vhosts.conf

  8. Edit /etc/apache2/extra/httpd-ssl.conf and make the following changes:
    SSLCertificateFile "/etc/apache2/ssl/server.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/server.key"

  9. Edit /etc/apache2/extra/httpd-vhosts.conf and add the following line below the port 80 NameVirtualHost directive:
    NameVirtualHost *:443

  10. Configure a basic SSL vhost by adding the following lines to the end of the file:
    <VirtualHost *:443>
       SSLEngine on
       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
       SSLCertificateFile /etc/apache2/ssl/server.crt
       SSLCertificateKeyFile /etc/apache2/ssl/server.key
       ServerName localhost
    </VirtualHost>

    • Note: the SSLCipherSuite string above is Apache's legacy default and still admits export-grade, LOW and even eNULL (unencrypted) suites; for anything beyond a lab install, restrict it to strong suites only (for example SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW) before exposing the console.
  11. Test the configuration and look for errors:
    apachectl configtest

  12. Restart Apache:
    apachectl restart

  13. Direct your browser to Aanval on its HTTPS site: https://127.0.0.1.
  14. After a successful SSL configuration, so that Aanval's SMTs can communicate with the Snort sensor, edit /smt/conf.php and update the connection protocol:
    $protocol = "https";
    

Summary

With a fully-functional Aanval-powered IDS system now installed, we strongly recommend purchasing an Aanval SAS solution. These packages provide the following:

  • Annual unlimited sensor capacity licenses (with full support for Snort, Suricata, and any device capable of logging).
  • Telephone and remote support.
  • Console maintenance, which includes all patches, fixes, and minor and major upgrades.

Purchases can be made directly at http://www.aanval.com/purchase (when logged into an Aanval account) or by contacting Tactical FLEX's Sales or Support teams.

See Also

We recommend following the Getting Started instructions from the articles below to maximize your Aanval SAS console's performance and your network's security posture: