
Aanval:v7 Installation Guide

From Aanval Wiki


Installing Aanval is quite simple and can be completed in just minutes under most circumstances.

Hardware Requirements

Below are the minimum hardware requirements for the most common deployments of Aanval.

Environment  | Sensor Capacity | Memory | CPU Cores | Disk Space
Small Scale  | 1-3             | 4GB    | 2         | 100GB
Large Scale  | 8 or more       | 8+GB   | 4 or more | 500GB

Network Requirements

The following ports will need to be opened for proper functionality.

Port 22 (Workstation -> Aanval server and sensors)
  Users will need SSH access to manage Aanval and its onboard/remote sensors.

Port 3306 (Aanval -> MySQL)
  Using the IDS MySQL Module, Aanval establishes a direct connection to MySQL and imports IDS logs from the Snort database. This applies only to setups using a Snort database and Barnyard2; it is not required when the Aanval 8 Unified2 Module is used for IDS log importing.

Ports 80/443 (Aanval <-> sensors)
  Using the IDS Unified2 Module, Aanval imports IDS logs from each sensor and exchanges secure communications with it over port 80 or 443, depending on network setup.

The following URL will need to be opened for proper functionality.

aanval.com
  Aanval will perform regular console update checks and allow the user to download and install available updates.
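
The port list above translates directly into a host firewall policy for the Aanval server. The following is an added example, not from the Aanval guide or the Aanval project, of an iptables rule set in which every allowed port is also restricted to the peer that needs it: SSH only from the administration workstations, 80/443 only to and from the sensors, 3306 only outbound to the MySQL host, and 80/443 outbound to aanval.com for the update checks listed above. ADMIN_NET, SENSOR_NET and MYSQL_HOST are placeholder values to be replaced with your own addresses, and FW_DRY_RUN is an assumed switch that prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Host firewall for the Aanval server, derived from the guide's port table.
# Added example, not part of the guide or the Aanval project.

ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}       # workstations allowed SSH (placeholder)
SENSOR_NET=${SENSOR_NET:-198.51.100.0/24}  # Snort/Suricata sensors (placeholder)
MYSQL_HOST=${MYSQL_HOST:-203.0.113.10}     # remote MySQL server (placeholder)

# fw: run iptables, or with FW_DRY_RUN set print the command instead so the
# rule set can be reviewed without root privileges.
fw() {
    if [ -n "$FW_DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# apply_aanval_firewall: default-deny in both directions, then allow only the
# flows the port table requires, each limited to the peer that needs it.
apply_aanval_firewall() {
    fw -F INPUT
    fw -F OUTPUT
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT DROP
    # loopback and replies to connections already accepted
    fw -A INPUT -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 22: management SSH, from the admin workstations only
    fw -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # 80/443 in both directions between Aanval and its sensors (Unified2 Module)
    fw -A INPUT -p tcp -s "$SENSOR_NET" -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    fw -A OUTPUT -p tcp -d "$SENSOR_NET" -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # 3306: Aanval -> MySQL (IDS MySQL Module). Nothing inbound on 3306 is
    # needed on this host, so it stays under the INPUT DROP policy.
    fw -A OUTPUT -p tcp -d "$MYSQL_HOST" --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
    # DNS, then 80/443 to aanval.com for console update checks. iptables
    # resolves the hostname once, when the rule is loaded, so the DNS rule
    # must come first.
    fw -A OUTPUT -p udp --dport 53 -j ACCEPT
    fw -A OUTPUT -p tcp -d aanval.com -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Log (rate-limited) what the INPUT policy is about to drop
    fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix "aanval-fw-drop: "
}

# Review first: FW_DRY_RUN=1 sh aanval-fw.sh; apply as root without the variable.
apply_aanval_firewall
```

If MySQL runs on the Aanval host itself, drop the 3306 rule and bind MySQL to localhost; the INPUT policy then keeps the database off the network entirely.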

Software Requirements

Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.

Operating System
  Aanval will install on all major Linux and Unix distributions, including Mac OS X.
  Linux: CentOS has been a popular choice as a Linux OS for Aanval users. The most current version of CentOS can be obtained from the following site: [1]
  Unix: BSD has been a popular choice as a Unix OS for Aanval users. Any variant of BSD will work with Aanval, and FreeBSD can be obtained from the following site: [2]
  OS X: Mac OS X has also been a popular choice for Aanval users.
  Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, MySQL, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out of the box.
  To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com.

MySQL
  Aanval will require a MySQL database for event processing and storage. The most current version of MySQL can be obtained from the following site: [3]

PHP (at least version 5)
  Aanval will require PHP for server-side scripting. The most current version of PHP can be obtained from the following site: [4]
  When using the Unified2 Module for importing IDS events, it is recommended that php.ini be updated with the following change:

    upload_max_filesize = 256M

  After making changes, restart Apache. This change allows Aanval to receive all necessary files from sensors, including event data and especially the sid-msg.map and gen-msg.map files.

PHP Modules
  Specific PHP modules required for Aanval functionality: php-xml, php-pdo, php-mysql, php-dom

Perl (any version)
  Aanval uses Perl to launch the PHP scripts in wrapper fashion. The most current version of Perl can be obtained from the following site: [5]

Web Server
  Aanval will require an Apache web server capable of serving PHP scripting. The most current version of Apache can be obtained from the following site: [6]

Wget
  Aanval uses Wget to download external data such as console updates, GeoLocation databases, and signatures. The most current version of Wget can be obtained from the following site: [7]. Users can also use their OS's built-in installation or update commands to obtain the utility.

Unzip
  Aanval uses Unzip to decompress downloaded data such as console updates and GeoLocation databases. Oracle offers an unzip utility, and the most current version can be obtained from the following site: [8]. Users can also use their OS's built-in installation or update commands to obtain the utility.

IDS Engine
  Aanval requires an Intrusion Detection System (IDS) for monitoring and retrieving (sometimes called "sniffing") network traffic and packets. Snort and Suricata have been the most popular IDS engines used with Aanval.
  Snort: The most current version of Snort can be downloaded from the following link: [9]
  Suricata: The most current version of Suricata can be downloaded from the following link: [10]

Barnyard2
  Barnyard2 is used to parse Snort/Suricata Unified2 events and send them to an IDS MySQL database. The most current version of Barnyard2 can be obtained from the following site: [11]

Barnyard2 is only required for MySQL/Barnyard2-based sensors. Aanval 8 has the capability to import the Unified2 logs directly from the IDS sensor by use of its Sensor Management Tools (SMTs).
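
The php.ini change recommended above is easy to get wrong by hand: editing the commented-out copy of the directive that ships in the default php.ini, or leaving post_max_size (which PHP applies to the whole request, uploads included) below the new limit so large sid-msg.map uploads still fail. The following is an added example, not part of the Aanval guide or project, that applies the change idempotently and then checks the related limit. The path to php.ini is passed in, and the 8M fallback is PHP's own default for post_max_size when the directive is absent.

```shell
#!/bin/sh
# Apply and verify the upload_max_filesize change for the Unified2 Module.
# Added example, not part of the Aanval guide or project. Usage:
#   sh php-upload-limit.sh /etc/php.ini && apachectl graceful

# ini_get FILE KEY: print the value of the last active (uncommented) KEY
# directive, or nothing if it is absent or only present as a comment.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # ";" comment lines
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)           # trailing comments
            n = index(line, "=")
            if (n == 0) { next }
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# ini_set FILE KEY VALUE: rewrite every active KEY line as "KEY = VALUE"
# (commented copies are left alone) or append the directive if none exists.
# Writes via a temp file and copies over the original so the mode and owner
# that Apache relies on are preserved.
ini_set() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            if (line !~ /^;/) {
                n = index(line, "=")
                if (n > 0) {
                    k = substr(line, 1, n - 1)
                    gsub(/[ \t]+$/, "", k)
                    if (k == key) { print key " = " value; done = 1; next }
                }
            }
            print
        }
        END { if (!done) print key " = " value }' "$file" > "$tmp" || return 1
    cp "$tmp" "$file" && rm -f "$tmp"
}

# php_size_bytes VALUE: expand php.ini shorthand (256M, 8K, 1G) to bytes.
php_size_bytes() {
    v=$1
    [ -n "$v" ] || { echo 0; return; }
    num=${v%[KkMmGg]}
    case "$v" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo $((num)) ;;
    esac
}

# apply_upload_limit FILE: set upload_max_filesize = 256M as the guide
# recommends, then confirm post_max_size can actually carry such an upload.
# Returns 0 when consistent, 2 when post_max_size must be raised as well.
apply_upload_limit() {
    file=$1
    ini_set "$file" upload_max_filesize 256M || return 1
    upload=$(php_size_bytes "$(ini_get "$file" upload_max_filesize)")
    post_raw=$(ini_get "$file" post_max_size)
    [ -n "$post_raw" ] || post_raw=8M        # PHP's built-in default when unset
    post=$(php_size_bytes "$post_raw")
    # post_max_size = 0 disables that limit, so only a non-zero smaller value is a problem
    if [ "$post" -ne 0 ] && [ "$post" -lt "$upload" ]; then
        echo "post_max_size ($post_raw) is below upload_max_filesize (256M); raise it too" >&2
        return 2
    fi
    return 0
}

[ $# -eq 1 ] && apply_upload_limit "$1"
```

Restart Apache after the change, as the guide says; PHP reads php.ini only at startup.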

Preparation

  1. Create a directory within your web root directory for Aanval. Issuing the following command creates a directory to store Aanval:

     mkdir aanval

  2. Download Aanval. Issuing the following command will download Aanval:

     wget download.aanval.com/aanval-7-latest-stable.tar.gz

  3. Uncompress Aanval. The following command will uncompress and extract the Aanval package contents into the current directory:

     tar -zxvf aanval-7-latest-stable.tar.gz

  4. Create a MySQL database for Aanval. (See How do I create a database? for further instructions.)
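
The directory, download and extraction steps above as one script, added here as an example and not the Aanval project's own tooling. It assumes the archive named in the wget command has already been downloaded and is passed in as a local path, and it differs from the literal steps in two ways a practitioner would want: it extracts into the new directory rather than the current one, and it inspects the archive's member names before extracting, refusing any archive whose entries are absolute or contain "..", since a tampered download could otherwise write outside the web root. It also removes the archive afterwards, as the Cleanup section asks.

```shell
#!/bin/sh
# Stage an Aanval release archive into the web root.
# Added example, not the Aanval project's code. Usage:
#   sh stage-aanval.sh /var/www/html aanval-7-latest-stable.tar.gz

# archive_is_safe ARCHIVE: list member names exactly as stored (-P keeps a
# leading "/") and fail if any is absolute or has a ".." path component.
archive_is_safe() {
    unsafe=$(tar -tPf "$1" | awk '
        /^\// { print; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++) if (part[i] == "..") { print; break }
        }')
    if [ -n "$unsafe" ]; then
        printf 'refusing to extract %s, unsafe member(s):\n%s\n' "$1" "$unsafe" >&2
        return 1
    fi
}

# stage_aanval WEBROOT ARCHIVE: create WEBROOT/aanval, extract into it,
# drop world-write bits on the served tree, delete the archive, and print
# the install directory. Returns 1 with nothing written if inspection fails.
stage_aanval() {
    webroot=$1 archive=$2
    target=$webroot/aanval
    archive_is_safe "$archive" || return 1
    mkdir -p "$target" || return 1
    # tar auto-detects gzip on read, so .tar and .tar.gz both work here
    tar -xf "$archive" -C "$target" || return 1
    chmod -R go-w "$target"
    rm -f "$archive"
    echo "$target"
}

[ $# -eq 2 ] && stage_aanval "$1" "$2"
```

Modern GNU tar already strips leading slashes and ".." on extraction, but the explicit check makes a tampered or mislabelled archive fail loudly instead of silently landing in an unexpected place.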

Installation

  1. Direct your web browser to the location of Aanval, where you should be presented with the Aanval End-User License Agreement (EULA).
  2. After reading the EULA, click 'I agree' to continue.

     [Screenshot: Aanval Installation EULA]

  3. Ensure all compatibility tests are successful; otherwise, resolve the problems listed and select 'Continue'.

     [Screenshot: Aanval Installation Environment Compatibility]

  4. Configure database settings for the Aanval database with the following recommended settings:

     Database Server:    {IP or hostname of your database server}
     Database Name:      aanvaldb
     Database Username:  root
     Database Password:  <blank>

  5. Submit these settings to continue.

     [Screenshot: Aanval Installation DB Configuration]

  6. Click Continue to proceed.

     [Screenshot: Aanval Installation DB Confirmation]

     • Database settings will be confirmed and a Success message will be provided if everything is correct; otherwise, return and resolve the problem.
  7. The Aanval installation process will take place and is relatively quick. This process creates and loads all required database tables as well as provisions the console for initial usage. When complete, click Continue to proceed.

     [Screenshot: Aanval Installation Process]

     Installation complete!

     Once you have successfully installed Aanval, you will be presented with the default username and password of this Aanval console as well as the instructions to start the Aanval BPUs (Background Processing Units).

     You may proceed to log in to Aanval.

     [Screenshot: Aanval Installation Complete]

  8. Log in to Aanval using the credentials provided on the previous screen. Typically these will be a username of 'root' and a password of 'specter'.

     [Screenshot: Aanval Console Login]


Starting the BPUs

  1. The Aanval Background Processing Units (BPUs) are responsible for importing events, processing actions, and ensuring the console functions properly. You must start the BPUs in order for the console to operate correctly, and it should be done with root or equivalent privileges. To start the BPUs, change into the /apps/ directory of your Aanval installation and run the following command:

     perl idsBackground.pl -start

Installing and Starting the SMTs (Optional)

The Sensor Management Tools (SMTs) enable the management of local or remote Snort services and signatures from within Aanval. SMTs are used to start and stop Snort as well as to auto-update and manage Snort signatures.

Management operations are primarily performed within the Snort Sensor Management section of Aanval.

  • The SMTs are found within the /contrib/smt/ directory of any Aanval installation.

  1. On the same machine as the sensor(s), create a directory to store a copy of the SMTs and copy the contents of the /contrib/smt/ directory into this location. Users commonly do this off the root directory with the following command:

     mkdir /smt

     To then copy the SMT contents to the new directory, enter the following command:

     cp {/your/aanval/install}/contrib/smt/* /smt/

  2. Edit and configure conf.php according to its contents and comments (ensuring the SMT ID matches that of the appropriate sensor in the console).
  3. Test the SMTs to ensure your configuration is appropriate with the following command:

     php smt.php

  4. When testing has been satisfied, start the SMTs with the following command:

     perl idsSensor.pl -start

     • Note: If necessary, the SMTs can be stopped with the following command:

     perl idsSensor.pl -stop

Completion

  1. Take note of the default username and password provided. You will need this to access the console. You should change your password immediately after installation to prevent unauthorized access!

Cleanup

  1. Remove the downloaded archive file to clean up the Aanval directory structure.

Continued Configuration

  1. To start importing and viewing data and events, users will next need to configure Aanval for their chosen IDS database.
    1. For Snort and Suricata users, please first visit Snort Settings.
    2. Once the database is configured, please visit Sensor Configuration to enable and further configure each active Snort/Suricata sensor available on the database.
  2. Once Aanval starts importing and processing data, we recommend following the Getting Started instructions from the articles below to maximize your console's performance and your network's security posture: