Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Syslog Sensor Configuration

This feature lets Aanval manage local and remote syslog sensors. Aanval can process syslog data from any device capable of external logging, either to a file that Aanval reads or over UDP to port 514.

Details

Syslog Sensor Configuration displays the sensor's name, description, timezone, location (based on latitude and longitude), and which users have permissions to view events from the selected sensor.

Sensor Setup

Within Aanval's /apps/ directory, the following command starts a basic syslog server that receives UDP syslog messages on port 514 and keeps it running after the shell session ends:

nohup perl idsSyslog.pl > /dev/null &

Binding UDP port 514 requires root privileges on most Unix systems, and UDP syslog carries no authentication of the sender, so the port should be reachable only from the devices that are meant to log to Aanval.

Aanval supports two kinds of syslog sensor: log-file sensors, where Aanval fetches a log file, and network sensors, where the device sends its logs directly to the Aanval console. Enabling either kind is done as follows.

  1. In Aanval, navigate to Configuration > Syslog Module > Settings.
  2. Check the Enabled syslog module box and click Update.
  3. Navigate back one menu to Syslog Module and select Sensor Configuration.
  4. If Aanval will be fetching a log file, click the + button on the right of the screen to create a new log file sensor.
  5. If the external device is sending its logs directly to the Aanval console, the device will be listed on the left of the screen under Sensors.
  6. Select the desired sensor and check the Enabled box.
  7. Provide the name, description, location, timezone, etc.
  8. Once finished configuring the selected sensor, click the Update button to commit the changes.
  9. After the changes are made and the sensor is online, ensure the proper Sensor Permissions are selected; users who are not checked will not be able to view events from the sensor.

Sensor Configuration (Filters/Regex)

Once a sensor is set up and online, users then need to create filters: regular expressions (regex) that parse details from the imported logs into Aanval's event fields (Source IP, Protocol, etc.).

  1. To create a filter, navigate to Configuration > Syslog Module > Filter Management.
  2. Click the + button to create a new filter.
  3. Select the new filter and provide the name, description, and regular expression in their fields. Use the Filter Testing tool to ensure the new filter works with the sensor's logs.
  4. Click Update to commit changes.
  5. Navigate back one menu to Syslog Module and select Filter Assignment.
  6. On the left of the screen will be shown all active syslog sensors. Click the desired sensor.
  7. Each value that can be parsed is listed with a drop-down box below it; open the box, select the desired filter, and click Add.
  8. Continue to create and assign filters for all active sensors.

A single feed may carry logs from several devices, and each device may format a given value (Source IP, Protocol, etc.) differently. Users can therefore create several filters for the same value, one per device format. Once those filters are created and assigned (Source IP 1, Source IP 2, Source IP 3, for example), Aanval attempts to parse the value from each incoming event with the first assigned filter; if that yields nothing, it tries the second, and so on until a filter produces a value. Order the filters from most specific to most general, since the first filter that matches wins.

Check out Writing Regex with Aanval 8 on the Aanval Blog for additional resources.

Syslog Regular Expression Examples (Cisco PIX)

The following regular expression examples may be used and applied for any syslog device if modified appropriately.

Listed examples will assume this syslog message structure as input. Modify as necessary.

<161>%PIX-5-305555: Built dynamic UDP translation from inside:192.168.1.2/11087 to outside:10.10.10.4/3308

Matches the entire syslog string; useful for full payload matching.

.*

Matches IP address (numbers 0 through 9 and the .) after "inside:" using a standard look-behind expression:

(?<=inside:)[0-9.]+

Matches the port number (digits 0 through 9) that follows the / after the IP address following "inside:". The first expression captures the IP address and port together (digits, dots and the slash); the second then extracts the digits after the slash:

((?<=inside:)[0-9.\/]+)~~((?<=\/)[0-9]+)

Notice that because variable length look-behind is not supported, we are piping the output of the first expression to the second expression using "~~", which is interpreted by Aanval. This is not standard regular expression behavior but was necessary to overcome the lack of variable length look-behind in various scripting languages.
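As an added example (not the page's or Aanval's own code), the following Python re-implements the two behaviours described above so they can be tried against sample log lines: the "~~" chaining of expressions, where each stage is searched against the match of the previous one, and the ordered fallback through several filters assigned to the same field. The PIX line is the page's own sample message; the second (iptables-style) message, the filter names and the ASSIGNED_FILTERS table are constructed for the illustration and are not Aanval configuration.

```python
import re
from typing import List, Optional, Tuple

# The page's sample PIX message, used as input.
PIX_MSG = ("<161>%PIX-5-305555: Built dynamic UDP translation from "
           "inside:192.168.1.2/11087 to outside:10.10.10.4/3308")

# Constructed second message in a different (iptables-style) format, so the
# same feed carries two devices and the fallback order of filters matters.
OTHER_MSG = ("<134>Jun  1 12:00:00 fw1 kernel: DROP IN=eth0 "
             "SRC=172.16.5.9 DST=10.0.0.1 PROTO=TCP SPT=51515 DPT=22")


def apply_chain(chain: str, text: str) -> Optional[str]:
    """Evaluate a filter written in the wiki's "~~" notation.

    Each stage is searched against the *match* of the previous stage, so a
    later stage can use a fixed-width look-behind on a short, already
    narrowed string. Returns None as soon as any stage fails to match.
    (Re-implementation of the behaviour the page describes, not Aanval's code.)
    """
    current = text
    for stage in chain.split("~~"):
        m = re.search(stage, current)
        if m is None:
            return None
        current = m.group(0)
    return current


def first_match(filters: List[Tuple[str, str]], text: str) -> Optional[Tuple[str, str]]:
    """Try the filters assigned to one field in order (Source IP 1, 2, ...)
    and return (filter name, value) for the first one that yields a value."""
    for name, chain in filters:
        value = apply_chain(chain, text)
        if value:
            return name, value
    return None


# Hypothetical filter assignment: per field, an ordered list of (name, regex).
ASSIGNED_FILTERS = {
    "Source IP": [
        ("Source IP 1", r"(?<=inside:)[0-9.]+"),   # PIX "inside:A.B.C.D/port"
        ("Source IP 2", r"(?<=SRC=)[0-9.]+"),      # iptables "SRC=A.B.C.D"
    ],
    "Source Port": [
        # The page's chained filter: isolate "ip/port", then the digits after "/".
        ("Source Port 1", r"((?<=inside:)[0-9.\/]+)~~((?<=\/)[0-9]+)"),
        ("Source Port 2", r"(?<=SPT=)[0-9]+"),
    ],
}


def parse_event(text: str) -> dict:
    """Parse one syslog line into Aanval-style fields using the assignment above."""
    return {field: first_match(filters, text)
            for field, filters in ASSIGNED_FILTERS.items()}


def variable_lookbehind_supported() -> bool:
    """Show why "~~" exists: the single-expression form needs a variable-width
    look-behind, which Python's re rejects at compile time."""
    try:
        re.compile(r"(?<=inside:[0-9.]+/)[0-9]+")
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for line in (PIX_MSG, OTHER_MSG):
        print(parse_event(line))
    print("variable-width look-behind supported:", variable_lookbehind_supported())
```

Running the script parses both lines: the PIX line is satisfied by the first filter of each field, while the iptables-style line falls through to the second filter for both Source IP and Source Port. If the more general filter were listed first it would win for every line, which is why the assignment order matters.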

See Also