
Aanval:v7 Installation Guide

From Aanval Wiki

Installing Aanval is quite simple and can be completed in just minutes under most circumstances.

Hardware Requirements

Below are the minimum hardware requirements for the most common deployments of Aanval.

Environment    Sensor Capacity    Memory    CPU Cores    Disk Space
Small Scale    1-3                4GB       2            100GB
Large Scale    8 or more          8+GB      4 or more    500GB

Network Requirements

The following ports will need to be open for proper functionality.

Port        Purpose
22          SSH access to the console and to the sensors, used for installation and for necessary maintenance and troubleshooting
80 / 443    HTTP/HTTPS access to the web console; console-to-sensor communication also uses 80 / 443

Open 22 only to the hosts that administer the console and sensors, and limit 80 / 443 to administrators and the sensors themselves: the console login and the console-to-sensor exchanges travel over these ports, so they should not be reachable from the whole network.
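The port table above, expressed as a host firewall for the console. This is an added example and not configuration shipped by the Aanval project; it assumes nftables, that administrators come from one network (ADMIN_NET) and sensors from another (SENSOR_NET), and that nothing else needs to reach the host. The verify function is the check a reviewer would run on any ruleset that claims to implement the table: the input policy must be drop, and no TCP port outside 22, 80 and 443 may be accepted.

```shell
#!/bin/sh
# Added example, not from the Aanval wiki: turn the Aanval port table into a
# host firewall for the console. Assumptions not stated on the page: admins
# reach SSH and the web console from ADMIN_NET, sensors reach the console from
# SENSOR_NET, and nothing else needs to reach the host. nftables syntax.

# aanval_console_ruleset ADMIN_NET SENSOR_NET : print an nftables ruleset to stdout
# Apply with:  aanval_console_ruleset 10.0.0.0/24 10.1.0.0/16 | nft -f -
aanval_console_ruleset() {
    admin_net="$1"
    sensor_net="$2"
    cat <<EOF
table inet aanval {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept
        # 22: SSH to the console for installation, maintenance and troubleshooting (admins only)
        ip saddr $admin_net tcp dport 22 accept
        # 80/443: web console for admins, console-to-sensor traffic for sensors
        ip saddr { $admin_net, $sensor_net } tcp dport { 80, 443 } accept
        # everything else hits the drop policy; log a sample of it for troubleshooting
        limit rate 5/second log prefix "aanval-drop: "
    }
}
EOF
}

# aanval_ruleset_verify < RULESET : 0 only if the input policy is drop and every
# accepted TCP port is one the Aanval port table lists (22, 80, 443)
aanval_ruleset_verify() {
    ruleset=$(cat)
    printf '%s\n' "$ruleset" | grep -q 'policy drop' \
        || { echo "input chain policy is not drop" >&2; return 1; }
    # pull the port or port set out of every "... dport <ports> accept" rule
    ports=$(printf '%s\n' "$ruleset" \
        | sed -n 's/.*dport *{\{0,1\} *\([0-9, ]*\)}\{0,1\} accept.*/\1/p' | tr ',' ' ')
    for p in $ports; do
        case "$p" in
            22|80|443) ;;
            *) echo "port $p is not in the Aanval port table" >&2; return 1 ;;
        esac
    done
    return 0
}

# aanval_ruleset_syntax_check < RULESET : have nft parse the ruleset without loading it
# (skipped with a warning when nft is not installed on this host)
aanval_ruleset_syntax_check() {
    command -v nft >/dev/null 2>&1 \
        || { echo "nft not installed; syntax not checked" >&2; return 0; }
    nft -c -f -
}
```

Generate, verify and syntax-check before applying: `aanval_console_ruleset 10.0.0.0/24 10.1.0.0/16 | aanval_ruleset_verify`, then pipe the same output through `aanval_ruleset_syntax_check` and finally `nft -f -`. The ruleset is written as its own table so it does not flush rules other software on the host may have installed.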

The console will occasionally contact the following locations for updates and maintenance.

URL                    Reasoning
download.aanval.com    The console will download packages from this URL.
update.aanval.com      The console will check for new versions and updates from this URL.

Software Requirements

Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.

Operating System
  Aanval will install on all major Linux and Unix distributions, including Mac OS X.
  Linux: CentOS has been a popular choice as a Linux OS for Aanval users. The most current version of CentOS can be obtained from the following site: [1]
  Unix: BSD has been a popular choice as a Unix OS for Aanval users. Any variant of BSD will work with Aanval, and FreeBSD can be obtained from the following site: [2]
  OS X: Mac OS X has also been a popular choice for Aanval users.
  Appliances: Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, MySQL, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out-of-the-box.
  To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com.

PHP (at least version 5)
  Aanval requires PHP for server-side scripting. The most current version of PHP can be obtained from the following site: [3]
  When using the Unified2 Module for importing IDS events, it is recommended that php.ini be updated with the following change:
    upload_max_filesize = 256M
  PHP also caps the whole request body with post_max_size, so that value must be at least as large as upload_max_filesize or the larger upload limit never takes effect. After making changes, restart Apache. These changes allow Aanval to receive all necessary files from sensors, including event data and especially the sid-msg.map and gen-msg.map files.

PHP Modules
  Specific PHP modules are required for Aanval functionality: php-xml, php-pdo, php-mysql, php-dom

Perl (any version)
  Aanval uses Perl to launch the PHP scripts in wrapper fashion. The most current version of Perl can be obtained from the following site: [4]

Web Server
  Aanval requires an Apache web server capable of serving PHP scripts. The most current version of Apache can be obtained from the following site: [5]

IDS Engine
  Aanval requires an Intrusion Detection System (IDS) for monitoring and retrieving (sometimes called "sniffing") network traffic and packets. Snort and Suricata have been the most popular IDS engines used with Aanval.
  Snort: The most current version of Snort can be downloaded from the following link: [6]
  Suricata: The most current version of Suricata can be downloaded from the following link: [7]
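A check for the php.ini requirement above, added here as an example and not part of the Aanval package. It reads the effective (last uncommented) value of a php.ini key, converts PHP's shorthand sizes (K, M, G) to bytes, and fails if upload_max_filesize is below the 256M the page recommends or if post_max_size is smaller than upload_max_filesize. The 2M and 8M fallbacks are PHP's own built-in defaults for keys that are absent from the file; the path to php.ini is whatever `php --ini` reports on your host.

```shell
#!/bin/sh
# Added example, not from the Aanval wiki: verify the php.ini settings the
# Unified2 module needs. The 256M minimum is the page's recommendation; the
# post_max_size >= upload_max_filesize rule comes from PHP's own documentation.

# php_ini_bytes VALUE : convert a php.ini shorthand size (256M, 8k, 1G, 65536) to bytes
php_ini_bytes() {
    v=$(printf '%s' "$1" | tr -d ' "')
    n=${v%[KkMmGg]}                      # numeric part without the suffix
    case "$v" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo $(( ${v:-0} + 0 )) ;;   # plain byte count
    esac
}

# php_ini_get FILE KEY : print the effective value of KEY (last uncommented
# assignment wins, inline ";" comments stripped) or nothing if it is not set
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# php_ini_check_uploads FILE [MIN] : 0 if upload_max_filesize >= MIN (default 256M)
# and post_max_size >= upload_max_filesize; otherwise report each problem and return 1
php_ini_check_uploads() {
    ini="$1"; min="${2:-256M}"; rc=0
    up=$(php_ini_get "$ini" upload_max_filesize)
    post=$(php_ini_get "$ini" post_max_size)
    [ -n "$up" ]   || up=2M     # PHP built-in default when the key is absent
    [ -n "$post" ] || post=8M   # PHP built-in default when the key is absent
    if [ "$(php_ini_bytes "$up")" -lt "$(php_ini_bytes "$min")" ]; then
        echo "upload_max_filesize = $up is below $min; sid-msg.map/gen-msg.map uploads from sensors may fail" >&2
        rc=1
    fi
    if [ "$(php_ini_bytes "$post")" -lt "$(php_ini_bytes "$up")" ]; then
        echo "post_max_size = $post is smaller than upload_max_filesize = $up; raise it or the upload limit has no effect" >&2
        rc=1
    fi
    return $rc
}
```

Run it as `php_ini_check_uploads "$(php --ini | sed -n 's/^Loaded Configuration File: *//p')"` after editing and again after restarting Apache, since a stale php.ini path (the CLI and the Apache module can load different files) is the usual reason the upload limit appears not to change.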


  1. Create a directory within your web root directory for Aanval and change into it. Issuing the following command creates a directory to store Aanval:
     mkdir aanval
  2. Download Aanval into that directory. Issuing the following command will download Aanval:
     wget download.aanval.com/aanval-7-latest-stable.tar.gz
  3. Uncompress Aanval. The following command will uncompress and extract the Aanval package contents into the current directory:
     tar -zxvf aanval-7-latest-stable.tar.gz
  4. Create a MySQL database for Aanval. (See How do I create a database? for further instructions.)
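The download, extraction and database steps above as a set of checked shell functions. This is an added example, not the Aanval project's installer. It assumes things the page does not state: that no checksum is published next to the tarball (so one obtained out of band is passed in when you have it), that the web server runs as the owner given in WEB_OWNER (apache:apache on CentOS, www-data on Debian-derived systems), and that a database-scoped MySQL user is what the console should log in as rather than the MySQL root account. The archive is downloaded to a temporary directory outside the web root, so it never has to be cleaned out of the Aanval directory afterwards.

```shell
#!/bin/sh
# Added example, not from the Aanval wiki or the Aanval project: the download /
# extract / database steps as functions that fail loudly. Assumptions: no
# published checksum (AANVAL_SHA256 is optional and comes from you), the web
# server runs as WEB_OWNER, and the page's download URL is plain http.
# Run as root:  AANVAL_INSTALL_RUN=1 WEBROOT=/var/www/html sh install.sh

AANVAL_URL="${AANVAL_URL:-http://download.aanval.com/aanval-7-latest-stable.tar.gz}"

# aanval_sha256 FILE : print the SHA-256 of FILE (GNU coreutils or BSD/macOS shasum)
aanval_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# aanval_verify_sha256 FILE EXPECTED : 0 if the digest matches, 1 with a message otherwise
aanval_verify_sha256() {
    actual=$(aanval_sha256 "$1")
    [ "$actual" = "$2" ] && return 0
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# aanval_fetch DEST [SHA256] : download the tarball to DEST (outside the web root),
# verifying it when a digest was supplied
aanval_fetch() {
    wget -q -O "$1" "$AANVAL_URL" || return 1
    [ -z "$2" ] || aanval_verify_sha256 "$1" "$2"
}

# aanval_extract TARBALL DIR OWNER : extract into DIR (created 750), remove all
# "other" access, and chown to OWNER (e.g. apache:apache) when given and running as root
aanval_extract() {
    mkdir -p "$2" && chmod 750 "$2" || return 1
    tar -xzf "$1" -C "$2" || return 1
    find "$2" -type d -exec chmod 750 {} +
    find "$2" -type f -exec chmod 640 {} +
    if [ -n "$3" ] && [ "$(id -u)" -eq 0 ]; then chown -R "$3" "$2"; fi
}

# aanval_db_sql DB USER HOST PASSWORD : print SQL for a database-scoped user.
# The point is scope: privileges on DB.* only, never ON *.*, and the console
# never connects as the MySQL root account.
aanval_db_sql() {
    esc=$(printf '%s' "$4" | sed "s/'/''/g")   # double single quotes for the SQL literal
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\`;
CREATE USER '$2'@'$3' IDENTIFIED BY '$esc';
GRANT ALL PRIVILEGES ON \`$1\`.* TO '$2'@'$3';
FLUSH PRIVILEGES;
EOF
}

# aanval_install WEBROOT OWNER [SHA256] : fetch, verify, extract, tidy up
aanval_install() {
    tmp=$(mktemp -d) || return 1
    aanval_fetch "$tmp/aanval.tar.gz" "$3" || return 1
    aanval_extract "$tmp/aanval.tar.gz" "$1/aanval" "$2" || return 1
    rm -rf "$tmp"   # the archive never touched the web root, so nothing is left to remove
    echo "Aanval unpacked in $1/aanval; feed the output of aanval_db_sql to the mysql client next"
}

if [ "${AANVAL_INSTALL_RUN:-0}" = "1" ]; then
    aanval_install "${WEBROOT:-/var/www/html}" "${WEB_OWNER:-apache:apache}" "${AANVAL_SHA256:-}"
fi
```

Create the database with `aanval_db_sql aanval aanval localhost 'long random password' | mysql -u root -p`, then enter the same four values in the web installer's database form. If the console and database are on different hosts, replace localhost with the console's address as the MySQL server sees it.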


  1. Direct your web browser to the location of Aanval, where you should be presented with the Aanval End-User License Agreement (EULA).
  2. After reading the EULA, click 'I agree' to continue.
     (Screenshot: Aanval Installation EULA)
  3. Ensure all compatibility tests are successful; otherwise, resolve the problems listed and select 'Continue'.
     (Screenshot: Aanval Installation Environment Compatibility)
  4. Configure the database settings for the Aanval database with the following recommended settings:
       Database Server      {IP or hostname of your database server}
       Database Name        {name of the database created for Aanval}
       Database Username    {MySQL user with privileges on that database}
       Database Password    {password for that user}
  5. Submit these settings to continue.
     (Screenshot: Aanval Installation DB Configuration)
  6. Click Continue to proceed.
     (Screenshot: Aanval Installation DB Confirmation)
     • Database settings will be confirmed and a Success message will be provided if everything is correct; otherwise, return and resolve the problem.
  7. The Aanval installation process will then run and is relatively quick. This process creates and loads all required database tables and provisions the console for initial usage. When complete, click Continue to proceed.
     (Screenshot: Aanval Installation Process)
  8. Installation complete! Once you have successfully installed Aanval, you will be presented with the default username and password of this Aanval console as well as the instructions to start the Aanval BPUs (Background Processing Units). You may proceed to log in to Aanval.
     (Screenshot: Aanval Installation Complete)
  9. Log in to Aanval using the credentials provided on the previous screen. Typically these will be a username of 'root' and a password of 'specter'. These defaults are published, so treat the console as exposed until the password has been changed.
     (Screenshot: Aanval Console Login)

Starting the BPUs

  1. The Aanval Background Processing Units (BPUs) are responsible for importing events, processing actions, and ensuring the console functions properly. You must start the BPUs in order for the console to operate correctly, and this should be done with root or equivalent privileges. To start the BPUs, change into the /apps/ directory of your Aanval installation and run the following command:
     perl idsBackground.pl -start

Installing and Starting the SMTs (Optional)

The Sensor Management Tools (SMT) enable the management of local or remote Snort services and signatures from within Aanval. SMTs are used to start and stop Snort as well as auto-update and manage Snort signatures.

Management operations are primarily performed within the Snort Sensor Management section of Aanval.

The SMTs are found within the /contrib/smt/ directory of any Aanval installation.

  1. On the same machine as the sensor(s), create a directory to store a copy of the SMTs and copy the contents of the /contrib/smt/ directory into this location. Users commonly do this off the root directory with the following command:
     mkdir /smt
     To then copy the SMT contents to the new directory, enter the following command:
     cp {/your/aanval/install}/contrib/smt/* /smt/
  2. Edit and configure conf.php according to its contents and comments (ensuring the SMT ID matches that of the appropriate sensor in the console).
  3. Test the SMTs to ensure your configuration is appropriate with the following command:
     php smt.php
  4. When testing has been satisfied, start the SMTs with the following command:
     perl idsSensor.pl -start
     • Note: If necessary, the SMTs can be stopped with the following command:
       perl idsSensor.pl -stop

Post-Installation Notes

  • Take note of the default username and password provided. You will need them to access the console, and you should change the password immediately after installation to prevent unauthorized access!
  • Remove the downloaded archive file to clean up the Aanval directory structure.

Continued Configuration

  1. To start importing and viewing data and events, users will next need to configure Aanval to read from their chosen IDS database.
    1. For Snort and Suricata users, please first visit Snort Settings.
    2. Once the database is configured, please visit Sensor Configuration to enable and further configure each active Snort/Suricata sensor available on the database.
  2. Once Aanval starts importing and processing data, we recommend following the Getting Started instructions from the articles below to maximize your console's performance and your network's security posture: