Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Troubleshooting Guide

Below are some common problems users have with Aanval, the reason(s) why the problem is occurring, and how to easily solve them.

Console

Problem: "I created some additional users, but they can't see any events."
Prognosis: Permissions are not enabled for those new users.
Remedy: Visit Console Configuration > Snort Module > Sensor Configuration, and select the active sensor(s) from the far-right pane. Once a sensor is selected and its information displayed, check the box of each user that should see events from the selected sensor(s).

Problem: "New events are very delayed."
Prognosis:
1. Timezone settings of the console and/or the sensor(s) may be off.
2. Events may be backed up due to an influx of new events, a network bottleneck, or a process such as Barnyard being down.
Remedy:
1. To change timezone settings for sensors or the console, see: How do I change timezone settings?. Timezone settings must be correct for the sensor, the console, and the user account. In some cases, when all timezone settings are correct yet events are still delayed (or even future dated), you may need to hard-code the Aanval server's timezone in php.ini.
2. Check processes such as Snort and Barnyard; stop and start them in the foreground to surface errors and confirm each process runs without issue. Also check for high event/network activity and possible bottlenecks.

Problem: "When trying to update Aanval to the latest build I can click Update and even Force Update, and though I'm told the process has started and even completed, the update never actually occurs."
Prognosis: The machine used for the update lacks permissions to reach download.aanval.com, or routes through a proxy.
Remedy: Enable the proper permissions for download.aanval.com in the aanval/tmp directory, and/or visit Console Configuration > Console > Preferences, scroll to Proxy settings, and enable and enter your proxy settings.

Problem: "Aanval 7.1 automatically logs console events, but I'm not seeing any additional Active Sensors or console events."
Prognosis: The user permissions for the console sensor have not been enabled.
Remedy: Visit Console Configuration > Console > Sensor Configuration and, under User Permissions, enable each user that needs to view console events.

Problem: "While using Signature Management I can't select more than 1,000 signatures in a given category."
Prognosis: PHP's default settings limit a form submission to 1,000 input variables (max_input_vars).
Remedy:
1. Edit the php.ini file.
2. Find the line that reads "max_input_vars = 1000".
3. Change 1000 to the desired value.
4. Uncomment the line by removing the semicolon at the beginning (if present).
5. Save the file and restart Apache.

Problem: "I only see 'Snort Alert' rather than the actual Snort event name listed on the dashboard."
Prognosis: Snort's Signature Message file (sid-msg.map), which provides the detailed names for events, is outdated or missing.
Remedy: Aanval's Sensor Management Tools (SMTs) retrieve the latest signatures and sid-msg.map file from sources such as Snort VRT and Emerging Threats and apply them to active sensors. When configuring these tools it is critical to specify the locations of the sensor's configuration file and rules, as the SMTs place the new or updated sid-msg.map file in that location.
Once the SMTs are properly configured and started (or restarted if the configuration file has changed), you may also need to update the configuration file of the sensor's Barnyard2 instance. Search for the line that reads
    config sid_file: /etc/snort/sid-msg.map
and update the path to point into the sensor's /rules directory. Restart Barnyard2 in the foreground and look for any errors. Once satisfied, start Barnyard2 in daemon mode. Upon the next signature download, the SMTs will load/update the latest Signature Message file and the event names should start appearing on the dashboard.
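As an added example (not from the wiki or the Aanval project), the following shell functions make the Barnyard2 change described above and sanity-check the map file the SMTs are expected to maintain in the rules directory. The config path, the rules directory and the sid-msg.map contents in the demo are constructed placeholders; the only assumption about the file formats is that Barnyard2 reads a "config sid_file:" line and that sid-msg.map lines are "sid || msg || ...".

```shell
#!/bin/bash
# Added example: point a Barnyard2 config at the sid-msg.map the SMTs maintain
# in the sensor's rules directory, then verify the map is present and populated.

# set_barnyard2_sid_file CONF MAPPATH
# Rewrites the "config sid_file:" directive to MAPPATH (appends it if missing).
# Writes to a temp file and renames, so a failed edit never truncates the config.
set_barnyard2_sid_file() {
    conf=$1; mappath=$2
    tmp=$(mktemp) || return 1
    awk -v mappath="$mappath" '
        /^[ \t]*config[ \t]+sid_file[ \t]*:/ {
            if (!done) { print "config sid_file: " mappath; done = 1 }
            next                                  # drop duplicate directives
        }
        { print }
        END { if (!done) print "config sid_file: " mappath }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# get_barnyard2_sid_file CONF: prints the currently configured sid_file path.
get_barnyard2_sid_file() {
    awk '/^[ \t]*config[ \t]+sid_file[ \t]*:/ {
            sub(/^[ \t]*config[ \t]+sid_file[ \t]*:[ \t]*/, ""); print; exit
         }' "$1"
}

# count_sid_map_entries MAPFILE: number of "sid || msg ..." lines in a sid-msg.map
# (comments and blank lines skipped). Prints 0 and fails if the file is missing or
# unreadable, which is exactly the state that leaves the dashboard at "Snort Alert".
count_sid_map_entries() {
    [ -r "$1" ] || { echo 0; return 1; }
    awk -F '[ \t]*[|][|][ \t]*' '!/^[ \t]*#/ && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# Demo on constructed files (not a real sensor):
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
printf 'output alert_fast\nconfig sid_file: /etc/snort/sid-msg.map\n' > "$demo_dir/barnyard2.conf"
printf '%s\n' '# constructed map' '1000001 || CONSTRUCTED rule one || url,example.invalid' \
    '1000002 || CONSTRUCTED rule two' > "$demo_dir/rules/sid-msg.map"
set_barnyard2_sid_file "$demo_dir/barnyard2.conf" "$demo_dir/rules/sid-msg.map"
echo "sid_file now: $(get_barnyard2_sid_file "$demo_dir/barnyard2.conf")"
echo "map entries:  $(count_sid_map_entries "$demo_dir/rules/sid-msg.map")"
rm -rf "$demo_dir"
```

On a sensor you would run set_barnyard2_sid_file against the real barnyard2.conf, then restart Barnyard2 in the foreground as the Remedy says; a count of 0 from count_sid_map_entries before the restart tells you the SMTs have not yet delivered the map, so there is no point restarting.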

Datastores

Problem: "I am doing an upgrade from v6 to v7 and am having datastore issues. We have datastores 1001 through 1034; the install is using the default 1000. How do I display all datastores and make the next one 1035?"
Prognosis: Datastores are out of sync.
Remedy: In Aanval, navigate to Console Configuration > Console > Maintenance, and click Repair Datastore Listing.

Problem: "When I perform Advanced Searches for the Source or Destination IP (SIP, DIP) the console returns zero results, even when the IP is found in one of the recent events."
Prognosis: An older datastore has been selected, so searches for recent IPs are run against an older datastore where the IP doesn't exist. (Where the IP does exist in an older datastore, outdated data will simply be displayed.)
Remedy: In the upper right-hand corner of the console, the current datastore is displayed (datastores begin at 1000). Click the icon next to the number. You will be directed to My Options, where you can select the most recent (or an older, if you choose) datastore from a drop-down box; then click Change.
See Also: Advanced Search Help.

Problem: "Aanval is days behind. I can confirm Snort is running, and even Sensor Configuration confirms the Last Event was today."
Prognosis: Aanval is bottlenecked with queued events and messages, which may stem from one or more of three causes: the hardware on which Aanval is installed is inadequate, a sensor was recently added and Aanval is busy importing possibly millions or billions of events, or there are datastore issues.
Remedy:
1. Confirm the hardware is adequate for your Aanval environment. See our Installation Guide for hardware requirements.
2. If a sensor was recently added, refresh Aanval to confirm new events are being imported and displayed on the home page or Live Monitor. Of the three (normally green) lights in the lower right corner showing the status of the BPUs, the third light (the Message BPU) may be red, signifying it is busy importing events.
3. If the hardware is adequate, the BPUs are running, it has been days since the sensor was added, and the events that imported and displayed at first have stopped, the issue may lie within datastore management. If so, we recommend contacting support for further diagnosis and repair. You can email support at support.group [at] tacticalflex.com.

Installation

Problem: "During the web-based install, I receive an error during the Environmental Compatibility Test saying the PHP MySQL module does not exist, and I can't continue the install."
Prognosis: Either the CLI (command line) MySQL module for PHP or the Apache MySQL module for PHP is missing.
Remedy: Install the missing module and continue the web-based install. You may need to refresh the browser at its current position, go Back, or start again to ensure all compatibility tests complete.

Problem: "During the web-based install under Directory Structure Tests, I'm told there's a write failure because write permissions aren't enabled. But I checked, and after creating the /aanval directory as root I also gave it full permissions. What's happening?"
Prognosis: While root may have permissions, the web user running Apache does not.
Remedy: Enable the proper permissions for the web user running Apache, and then refresh the browser or start the web-based install again.

Problem: "During the web-based portion of the Aanval installation, I get to a menu where I enter the location of the aanvaldb and the credentials to access it, but upon submitting them I get a few errors saying 'Failure! DB Connection Failure: Invalid Configuration' and I can't proceed. I can connect to MySQL on the command line and confirm it's running and the credentials are correct. What's going on?"
Prognosis: Aanval connects to MySQL on the default port of 3306. These errors appear when the MySQL instance is started and accessible only on port 3307 (used in SSL connections).
Remedy: There are two methods to remedy the error. The first is to locate and edit the script or plist that starts MySQL, update the line that reads something similar to <string>--port=3307</string> to read <string>--port=3306</string>, and then restart MySQL.
The other method is to return to the configuration menu in the browser and, when entering the location of the Aanval database, also enter the specific port. For a local installation, for example, you would enter 127.0.0.1:3307

Login

Problem: "I received error code 2002 at login: 'Failed to connect to MySQL: (2002) Connection refused.'"
Prognosis: Bad hostname, or MySQL is not running.
Remedy:
1. Confirm the hostname, connection, and/or permissions.
2. Ensure MySQL is running. If MySQL fails to start, ensure it has enough disk space.

Problem: "Instead of getting the login page, I get a notice that says 'Important: Thank you for your interest in Aanval, unfortunately this installation of Aanval has expired!'"
or: "When I try to log in to the console, my login credentials are rejected, saying they're not correct, but I haven't made any changes to them."
Prognosis:
1. Your Aanval license key has expired.
2. MySQL, where license and login information is stored, is not accessible.
Remedy:
1. Contact Support or your preferred contact at Tactical FLEX, Inc. to acquire a new license.
2. MySQL is down or not accessible; one of the following is likely:
* MySQL is simply not running and needs to be started/restarted.
* The disk is full. Clean the disk and restart MySQL.
* The disk/databases/tables are corrupted and need to be repaired.
Once the license/MySQL issues are resolved, to reach the login page direct your browser to the Aanval console and add the following to the end of the URL:
    /?op=pub_login
If your license expired, once logged in you can add/update it with the following steps:
1. Navigate to Console Configuration > License Management.
2. Enter the new license and delete the previous license(s).
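The installer's "DB Connection Failure" on a non-default port and the login error 2002 both come down to whether anything is listening where Aanval is connecting, whether mysqld is up, and whether its disk is full. The script below, added here as an example and not part of the wiki or of Aanval, runs those checks in that order. It assumes bash (for /dev/tcp), pgrep and a POSIX df; the data directory /var/lib/mysql in the usage line is a placeholder for the real one.

```shell
#!/bin/bash
# Added example: pre-flight checks for the MySQL side of the two failures above
# (installer "DB Connection Failure" on a non-default port, and login error 2002).
# Assumes bash (for /dev/tcp), pgrep and POSIX df; the data directory path is a
# placeholder to be replaced with the real one.

# split_db_host HOST[:PORT]: prints "host port", defaulting the port to 3306,
# which is what Aanval uses when no port is given.
split_db_host() {
    case $1 in
        *:*) printf '%s %s\n' "${1%%:*}" "${1##*:}" ;;
        *)   printf '%s %s\n' "$1" 3306 ;;
    esac
}

# port_open HOST PORT: succeeds if a TCP connection to HOST:PORT can be opened.
# Uses bash's /dev/tcp so no client tools are required on a fresh server.
port_open() {
    ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# disk_free_pct PATH: percent of free space on the filesystem holding PATH.
# MySQL refuses to start or accept writes when its data directory is full.
disk_free_pct() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print 100 - $5 }'
}

# mysqld_running: succeeds if a mysqld or mariadbd process exists.
mysqld_running() {
    pgrep -x mysqld >/dev/null 2>&1 || pgrep -x mariadbd >/dev/null 2>&1
}

# diagnose DBHOST DATADIR: prints one line per finding, in the order Aanval
# would hit them (server down -> disk full -> wrong port / wrong credentials).
diagnose() {
    set -- $(split_db_host "$1") "$2"
    host=$1; port=$2; datadir=$3
    if ! mysqld_running; then
        echo "mysqld is not running: start it (the usual cause of '(2002) Connection refused')"
    fi
    free=$(disk_free_pct "$datadir")
    if [ -n "$free" ] && [ "$free" -lt 5 ]; then
        echo "only ${free}% free on $datadir: MySQL may refuse to start until space is freed"
    fi
    if port_open "$host" "$port"; then
        echo "TCP $host:$port accepts connections; re-check the credentials entered in the installer"
    else
        echo "nothing listening on $host:$port: check the --port MySQL was started with (3306 vs 3307) or enter host:port in the installer"
    fi
}

# Usage: ./aanval_db_check.sh 127.0.0.1:3307 /var/lib/mysql
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it with the same host string you typed into the installer; if it reports a listener on 3307 but nothing on 3306, the Remedy under Installation applies, and if it reports mysqld down or the disk nearly full, the Login remedies apply.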

GeoLocation

Problem: "The GeoLocation database won't actually download and import, even though I see console messages saying it's happening."
Prognosis:
1. Console permissions are not enabled.
2. A PHP hardening system is enabled.
3. Necessary utilities aren't installed.
Remedy:
1. Enable console permissions in the aanval/tmp directory.
2. Security systems like Suhosin (found in the Linux OS SUSE) filter and block many Aanval processes. Disable or remove such systems.
3. Ensure wget (which downloads the database) and unzip (which unzips the database before import) are installed on your OS.
Users can check the status of the database import, and confirm the required utilities are installed and working, by navigating to Console Status (the light bulb icon in the lower right) and scrolling through Optional Submission Details to the idsGeoData and idsGeoLocation values. The values should be increasing. If they remain at 0, one of three things is missing: wget, unzip, or outside internet access for the server.

Problem: "When viewing the GeoLocation maps, my own sensors aren't anywhere near their true locations; one is even in the middle of the Pacific."
Prognosis: The sensors' true locations have not been entered under Sensor Management, which requires latitude and longitude points.
Remedy: Visit the following site, enter the sensor's location to retrieve its actual global position, and enter the decimal values, separating latitude and longitude only by a comma, in the respective (Console, Snort/Suricata, or Syslog) Sensor Management menu: http://itouchmap.com/latlong.html. US-based users can also reference the following FCC site: http://transition.fcc.gov/mb/audio/bickel/atlas.html.

Problem: "I've downloaded the GeoLocation database, but I only see a blank screen, not even a map, when I access the feature."
Prognosis: Aanval uses the locations of its sensors as the reference point, and then plots the locations of IPs from the GeoLocation database on the global map; without sensor coordinates there is nothing to plot.
Remedy: Access Sensor Configuration for the active sensors and input their latitude and longitude. (See the Remedy above for help determining latitude and longitude.)

Situational Awareness

Problem: "I've named my devices in Device Management, but Situational Awareness still returns zero values for each device."
Prognosis: While names may have been entered, other necessary information, such as the IP address and services like Port, is missing.
Remedy:
1. Visit Console Configuration > General > Device Management again, select an active device, and fill in the IP and other fields.
2. Use tools like Aanval's Network Host Scanner to automatically detect and scan new/existing hosts on the network and populate the Device Management table with the results. Users can then add further details about detected hosts (additional interfaces and services, etc.), and can modify the Nmap scanning options in Console Configuration > Console > Preferences > Network Scanning.

Snort/Suricata

Problem: "Events are being written to the Snort database, but they aren't appearing in Aanval."
Prognosis:
1. Aanval's BPUs are off.
2. Snort processing is not enabled.
3. The database hostname is not correct.
4. The database username and password aren't correct.
5. The sensor is not enabled.
6. Events aren't actually being written; Snort is not running.
7. User permissions aren't enabled.
Remedy:
1. Check the lights in the bottom right of the screen. If they're green, the BPUs are on and the issue is something else. If they're white, they have been manually stopped. If they're red, they have been stopped by a system reboot or power failure. See the BPU documentation for how to re-enable them.
2. Visit Console Configuration > Snort Module > Settings and ensure the Enabled box is checked; check it and click Update if needed.
3. Visit Console Configuration > Snort Module > Settings. If the hostname is listed as localhost, enter 127.0.0.1 (and vice versa), and click Update.
4. Visit Console Configuration > Snort Module > Settings. Check, or simply re-enter, the username and password for the Snort database, and click Update.
5. Visit Console Configuration > Snort Module > Sensor Configuration and ensure the Enabled box is checked; check it and click Update if needed.
6. Visit Console Configuration > Snort Module > Sensor Management, and check the SMT Heartbeat Count (it's counted in seconds). When the SMTs are installed and active, Snort sensors ping Aanval every three seconds. If the count is far greater than three seconds, Snort may not be running. Additionally, check Snort Sensor Configuration and find the date of the Last Event. If that matches the last event in Aanval, Snort is not running.
7. Visit Console Configuration > Snort Module > Sensor Configuration, and select the active sensor(s) from the far-right pane. Once a sensor is selected and its information displayed, check the box of each user that should see events from the selected sensor(s).

Problem: "I can't see the Snort sensor."
Prognosis:
1. Snort database credentials are incorrect.
2. Barnyard is not installed, properly configured, or running.
Remedy:
1. Visit Console Configuration > Snort Module > Settings, and ensure the database is Enabled (check the box and click Update if needed) and that the Username and Password are correct (try re-entering them). Also, if the Hostname is listed as localhost, try entering 127.0.0.1, and vice versa. Then, while in the Snort Module menu, visit Sensor Configuration and find the listed and active sensor(s). If none are listed, visit Snort to create and activate the necessary sensor(s).
2. Barnyard2 is necessary for parsing unified2 event data from Snort 2.9.3 and beyond. Reference the following guide to ensure Barnyard2 is installed, properly configured, and running: [1]

Problem: "Snort is not running, and after every attempt to start Snort, it immediately fails."
Prognosis: Outdated or incompatible rules are active on the Snort sensor.
Remedy: Open your system.log. After an attempt to start Snort, a new log entry is written detailing why Snort failed; you can also search the log for "Snort" or "Fatal". The entry names the particular signature category, such as emerging-worm.rules, along with the line within that rules file that is causing the failure. Navigate via the command line to that rules file and delete or comment out the offending rule. In some cases, multiple rules from the same category, or even from multiple categories, can cause Snort to fail. To save time and cover all of the offending rules at once, use Aanval's SMTs and Signature Management system to remove them.

Problem: "The signatures I select are not staying enabled."
Prognosis: No policy has been created, or the selected signatures are not assigned to a policy.
Remedy: To create a policy, visit Console Configuration > Snort Module > Policy Management, select Create Policy, name the policy, and click Update. To assign signatures to a policy, while viewing and selecting signatures under Snort Module > Signature Management, select the desired policy from the drop-down box to the left of Enable All / Disable All before clicking Update.

Problem: "Signatures are not downloading. When I look at the Last Filesize, the value is 0."
Prognosis:
1. Signature downloading and processing is not enabled.
2. Aanval doesn't have permissions to access the signature URL.
3. The URL to the signatures is not correct.
4. The operating system does not support OpenSSL.
5. Snort signatures are being requested too frequently.
Remedy:
1. If, in addition to the Last Filesize of 0, you see "Enable download and processing from Console Preferences" next to the signature sources, visit Console Configuration > Console > Preferences, scroll to Signature, and ensure Download & Processing is enabled. Check the box and click Update if necessary. See Also: Snort Settings.
2. Enable the console permissions found in the aanval/tmp directory.
3. Ensure the link is correct and the Oink Code valid. Check the signature source for available signatures; in many cases signatures are not available for a specific build of Snort. Test the signatures URL by pasting it into a new browser window; the signatures will download or an error will be returned.
4. The operating system (openSUSE, for example) may not support SSL by default and so cannot access or download from an HTTPS URL, while all current Snort signature sources are SSL secured. Ensure PHP includes the OpenSSL extension.
5. Signatures from snort.org can only be downloaded once every fifteen minutes.

Problem: "New events aren't being populated. Snort and the Aanval BPUs are running. I've checked Snort's Last Event in Sensor Configuration, and if I use the Reset Tracker option, that date is brought current, but then importing/displaying is immediately frozen again."
Prognosis:
1. The time on the Snort box is incorrect, and Aanval is looking for events based on a time that has passed, or that hasn't occurred and won't (future dated).
2. A new Snort sensor has been created and is now logging.
Remedy:
1. Match the sensor's OS time to its location.
2. Access Sensor Configuration and look for newly populated sensors. Disable the current sensor and click Update, then Enable the new sensor and click Update. Check the Last Event date. If the date is current, enable User Permissions so that events can be viewed from that sensor. Navigate to the home screen or Live Monitor to confirm new events are being displayed. Once all is confirmed, revisit Sensor Configuration and enter the necessary sensor identifiers (latitude, longitude, SMT ID, time zone, etc.).

Problem: "I just added a Unified2 sensor. The SMTs have a solid connection and said they sent items like the sid-msg.map and gen-msg.map files, but all events are showing 'unknown signature' or 'Snort alert' instead of the signature names themselves, and all events are showing risk level 5."
Prognosis:
1. The sid-msg.map and gen-msg.map files, which are required to map event names and risk levels to imported events, have not been sent to Aanval in their entirety, or at all.
2. The actual location, or the location of the most up-to-date version, of the sid-msg.map and/or gen-msg.map files differs from what was entered in the Sensor Management menu in Aanval.
3. Read permissions aren't set on the files.
Remedy:
1. In most cases, when an SMT test reports that the sid-msg.map and gen-msg.map files were sent to Aanval yet signature names and/or risk levels are not displaying as they should, it's because those files were not sent in their entirety. Your php.ini file dictates how large a file can be sent, on the upload_max_filesize line. The default value is 2M; we recommend increasing it to 256M. Once the change is made, save the file, restart Apache, and issue another SMT test. The SMTs should then send the full-size sid-msg.map and gen-msg.map files to Aanval, and signature names should display correctly for all new events (not existing or previously imported events).
2. Confirm the locations of the sid-msg.map and gen-msg.map files in the Aanval GUI under Unified2 Module > Sensor Management > Settings, and that they match the current and intended file paths on the sensor itself.
3. Confirm the sid-msg.map and gen-msg.map files have the proper read permissions.
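The "Snort immediately fails to start" entry above has you read the failing rules file and line out of system.log and comment the rule out by hand. The script below, added here as an example and not part of the wiki or of Aanval, does the same from the log text. It assumes (the wiki does not quote it) that the rejected rule is reported as an "ERROR: <file>.rules(<line>) <reason>" line followed by "Fatal Error, Quitting.."; the log lines and rules file in the demo are constructed.

```shell
#!/bin/bash
# Added example: locate the rule Snort rejected at startup (from the log line it
# wrote) and comment it out, as the Remedy above describes doing by hand.
# Assumed error shape (not quoted on the wiki): "ERROR: <file>.rules(<line>) <reason>"
# followed by "Fatal Error, Quitting..".

# find_failing_rule: reads log text on stdin and prints "<rules file> <line number>"
# for the first rejected rule, or nothing if no such line is present.
find_failing_rule() {
    sed -n 's/^.*ERROR: \([^ (]*\.rules\)(\([0-9][0-9]*\)).*$/\1 \2/p' | head -n 1
}

# get_rule FILE LINE: prints that line of the rules file so the rule can be
# reviewed before anything is changed.
get_rule() {
    sed -n "${2}p" "$1"
}

# comment_out_rule FILE LINE: prefixes the line with "# " unless already commented.
# Edits via a temp file so a failure cannot leave a half-written rules file.
comment_out_rule() {
    tmp=$(mktemp) || return 1
    awk -v n="$2" 'NR == n && $0 !~ /^[ \t]*#/ { print "# " $0; next } { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Demo on constructed files; on a sensor you would instead run:
#   find_failing_rule < /var/log/system.log
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
printf '%s\n' \
    'alert tcp any any -> any 80 (msg:"constructed ok"; sid:1000001;)' \
    'alert tcp any any -> any 81 (msg:"constructed bad"; badopt; sid:1000002;)' \
    > "$demo_dir/rules/emerging-worm.rules"
demo_log="Aug  9 10:01:02 sensor snort[1234]: ERROR: $demo_dir/rules/emerging-worm.rules(2) Unknown rule option: 'badopt'.
Aug  9 10:01:02 sensor snort[1234]: Fatal Error, Quitting.."
hit=$(printf '%s\n' "$demo_log" | find_failing_rule)
echo "offending rule: $hit"
set -- $hit
[ -n "$hit" ] && comment_out_rule "$1" "$2" && echo "now reads: $(get_rule "$1" "$2")"
rm -rf "$demo_dir"
```

After commenting a rule out, restart Snort in the foreground and repeat; as the Remedy notes, several rules (possibly in several categories) can each stop Snort in turn, which is why the wiki recommends removing them through the SMTs and Signature Management once you know which ones they are.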
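Three entries on this page end in the same manual edit of php.ini: raising max_input_vars for Signature Management, raising upload_max_filesize to 256M so the SMTs can deliver the full sid-msg.map and gen-msg.map files, and hard-coding the server's timezone when events stay delayed or future dated. The script below, added here as an example and not part of the wiki or of Aanval, makes that edit safely: it replaces the directive whether it is active or commented out with ";", removes duplicates, and appends it if absent. It assumes a POSIX awk; the php.ini excerpt in the demo is constructed.

```shell
#!/bin/bash
# Added example: set a php.ini directive the way the entries above ask for by hand
# (max_input_vars for Signature Management, upload_max_filesize for the SMT map files,
# date.timezone for hard-coding the server's timezone). Assumes POSIX awk; the demo
# php.ini is constructed, not a real one.

# set_php_ini_directive FILE KEY VALUE
# Replaces the first "KEY = ..." line, whether active or commented out with ";",
# with "KEY = VALUE", drops any later duplicates (PHP would honour the last one),
# and appends the directive if the file has no such line at all.
set_php_ini_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*;[ \t]*/, "", line)          # look past a leading ";" comment marker
            n = index(line, "=")
            k = (n > 0) ? substr(line, 1, n - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (n > 0 && k == key) {
                if (!done) { print key " = " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_php_ini_directive FILE KEY: prints the value PHP would use (last active line).
get_php_ini_directive() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); found = 1 }
        }
        END { if (found) print v }
    ' "$1"
}

# Usage: ./set_php_ini.sh /etc/php.ini max_input_vars 5000   (then restart Apache)
if [ "$#" -eq 3 ]; then
    set_php_ini_directive "$1" "$2" "$3" && echo "$2 = $(get_php_ini_directive "$1" "$2"); restart Apache to apply"
else
    # Demo on a constructed php.ini excerpt:
    demo=$(mktemp)
    printf '%s\n' '; constructed php.ini excerpt' ';max_input_vars = 1000' 'upload_max_filesize = 2M' > "$demo"
    set_php_ini_directive "$demo" max_input_vars 5000
    set_php_ini_directive "$demo" upload_max_filesize 256M
    set_php_ini_directive "$demo" date.timezone UTC
    cat "$demo"
    rm -f "$demo"
fi
```

The directive takes effect only after Apache is restarted, and with the SMT case you then need another SMT test, as the Remedy says; get_php_ini_directive is useful before the restart to confirm the active value is the one you intended rather than a later duplicate further down the file.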