aanval® 7 product manual

Tactical FLEX, Inc.
AANVAL® 7 PRODUCT MANUAL
Snort & Syslog Intrusion Detection, Correlation and Threat Management
Aanval is a product of Tactical FLEX, Inc. - Copyright 2012 - All Rights Reserved

What is Aanval?
Aanval is the industry's leading and most comprehensive Snort and Syslog SIEM
(“Security Information & Event Management”) console. Aanval is designed
specifically to scale from small single sensor installations to global enterprise
deployments.
Government Security, defense organizations from more than a half dozen countries,
educational institutions from around the world, global financial organizations as well as
space exploration and military weapons manufacturers rely upon Aanval as a part of
their security infrastructure.
SIEM ("Security Information and Event Management")
Aanval does more than just display event data. We do the work for you. Aanval includes
a sophisticated event correlation engine to logically group detected attacks from your
Snort and syslog sensors together. We even do it in real-time.
Billions! Yes, Billions
Aanval is built upon a sophisticated and time-tested data storage mechanism that
allows for event storage that is only limited by disk space resources. Store billions of
Snort and syslog events locally or remotely without adversely affecting performance.
Web-Browser, iPhone and iPad
Aanval is written in the most standards based HTML and Javascript, works in every
major browser and is accompanied by a native iPhone and iPad application available on
the iTunes App Store.
Full Text Event & Payload Searching
Not only browse and search events by ip, port, signature, risk level, protocol and more -
Take control of your data and perform real-time packet payload searching and reporting.
Real-time GeoLocation Displays
View attack vectors in real-time using Aanval's new wide-range of GeoLocation
displays. Know the precise location on this planet where those pesky little attackers are
sourcing attacks from.
Why IT Security Departments Worldwide Choose Aanval?
• Aanval is a fully integrated event management and attack data correlation
engine. Aanval compares and correlates attacks in real-time and provides easy
on the eyes charts & visual representations of related attack data across.
• Aanval, with support for Snort and Syslog capable devices tells you when your
network is at risk. View data by most frequent offenders, most frequent events –
sort by time periods, signatures, threats and even plot the location of attacks on a
fully interactive global map.
2

• In addition to supporting the world’s most widely used intrusion detection engine,
Aanval supports any device with syslog capabilities. Routers, firewalls, switches,
servers & more can be seamlessly integrated into the Aanval console for
complete data management.
• Aanval simplifies the daunting task of managing 1,000’s, 100,000’s to billions of
events. Full background processing, automated database management, remote
storage and selective deletions put you back in the drivers seat.
• Statistical analysis and advanced methods of attack pattern identification are only
a few of the ongoing research projects available within Aanval. Discover internal
& external network attack and infrastructure abuse patterns not normally
identified by competing products.
• Aanval is the most competitively priced intrusion console in the sector. Feature
for feature, Aanval is the most cost-effective Snort and syslog threat
management solution available.
View the Aanval Online Demo
Tactical FLEX, Inc. has created a public online demo (limited) of Aanval for prospective
users to browse and become familiar with. Visit the link http://demo.aanval.com/ and
use the username “root” and password “demo” to login.
3

Aanval v7 Detailed Installation Guide
Installing Aanval is quite simple and can be completed under most circumstances in just
a few minutes or less.
Aanval will install on all major linux and Unix distributions including Mac OS X.
Step 1
Create a database for Aanval to use
Note: You may need to enter credentials to create a database in your particular
environment. ie: "mysql -u user -p" followed by enter will prompt for a password prior to
accessing the MySQL prompt.
Using the MySQL prompt, the command "create database aanvaldb;" creates an
MySQL database named "aanvaldb"
Using the MySQLAdmin command line tools, the command "mysqladmin create
aanvadb" creates this database
Step 2
Create a directory within your web root directory for Aanval
Issuing the command "mkdir aanval" creates a directory to store Aanval
Step 3
Download the latest Aanval console release from Aanval
Note: The name of the file includes the most recent major version number, this should
be changed to reflect the latest major release available from Aanval.
When you are ready to proceed, change into the newly created "aanval" directory and
run the following wget command:
"wget download.aanval.com/aanval-7-latest-stable.tar.gz" will download this package
and place it in the current directory
Step 4
Uncompress the newly downloaded Aanval package
The command "tar -zxvf aanval-7-latest-stable.tar.gz" will uncompress and extract the
Aanval package contents into the current directory
4

Step 5
Remove the downloaded archive file to clean up the Aanval directory structure
Step 6
Browse to the web-root directory in your browser to start the installation process
Read and accept the Aanval End User License Agreement ("EULA")
Step 7
Configure the installation details to complete the final installation steps
Database Hostname should either be "localhost" or "127.0.0.1" for a local database, or
enter the name or network address of the actual database host.
Database Username should be a user with general MySQL permissions to perform all
operations on the "aanvaldb" database
Database Password should be the associated password, leave blank if a password is
not necessary
Note: Please pay attention to any errors that may occur, and attempt to resolve them
through either the information provided or by using available Aanval support options.
Step 8
Take note of the default username and password provided. You will need this to access
the console.
Note: You should change your password immediately after installation to prevent
unauthorized access!
Upon completing installation you will be taken to the login page.
Step 9
Your Aanval console has been successfully installed. You may now login.
Step 10
Start the Aanval background processing units ("BPU's") which are responsible for
importing events, processing actions and ensuring the console functions properly.
5

Note: You must start the BPU's in order for the console to operate correctly, and it
should be done with root or equivalent privileges.
Change into the /apps/ directory of your Aanval installation and run the following
command: "perl idsBackground.pl -start"
Complete!
Next, you will want to configure and enable the snort and / or syslog modules from with
the Aanval console. Please see the documentation provided for these topics should you
require assistance.
Should you have had any problems during your installation, please see the online
documentation for assistance. Alternatively, you may purchase support and installation
assistance to have this process performed by an authorized Aanval engineer.
6

Aanval Modules
Snort
Aanval’s snort module is designed to import and normalize events from a single snort
database. Sensors are determined by the sensors available within the snort database
sensor table. Each reporting snort instance will have a unique entry within this database
table.
The Snort Settings display is used to configure Aanval’s snort module. The settings in
this display should be configured to allow Aanval to access the snort database. Incorrect
settings will prevent proper importing and normalization of snort sensors and event
data.
Available snort sensors are listed within the Snort Configuration display of Aanval. This
list is read directly from the snort database. If this list is empty, either there are no
sensors available within the configured snort database, or the snort database settings
within Aanval are incorrect.
Each snort sensor that is activated / enabled within the Aanval console requires a
unique license. Attempting to enable a snort sensor without an available license seat will
display an error message indicating that there are not enough licenses available to
perform that action.
Snort data is imported out of the snort database and normalized for processing and
storage in Aanval. The Aanval storage engine is highly optimized and designed to store
large numbers of events. Regardless of module, all imported event data is normalized to
this same storage format.
A this time, multiple separate snort databases are not supported. All snort sensors must
be configured to report to a single snort database instance to be managed within an
Aanval console.
Syslog
Aanval’s syslog module is capable of processing both locally accessible text / log files or
syslog data transmitted to Aanval’s syslog daemon (idsSyslog.pl) on UDP port 514.
Aanval refers to all sources of data as sensors.
Local log file sensors that are to be processed by Aanval must be manually added
within the Syslog Configurations display of Aanval. These sources must be locally
available to Aanval for processing.
7

Syslog data that comes into the console by way of the Aanval syslog daemon
(idsSyslog.pl), will automatically create A placeholder syslog sensor. This sensor by
default is disabled.
Enabling and configuring a syslog sensor is done through the Aanval Syslog
Configuration display.
Each syslog sensor that is activated / enabled within the Aanval console requires a
unique license. Attempting to enable a syslog sensor without an available license seat
will display an error message indicating that there are not enough licenses available to
perform that action.
Much like snort data, syslog event data is imported and normalized for processing and
storage in Aanval. The Aanval storage engine is highly optimized and designed to store
large numbers of events. Regardless of module, all imported event data is normalized to
this same storage format.
Syslog data requires an additional processing step in order to successfully normalize
the data for storage. Because no standard exists for syslog data, Aanval uses a
sophisticated system of regular expression filters that are manually configured to parse
incoming syslog data assign it to normalization fields.
Upon enabling or activating a syslog sensor, users must create a series of regular
expressions that parse needed data out of each syslog string and assign it to the
appropriate normalization fields within Aanval.
Creating syslog filters (regular expressions) is done within the Syslog Filter
Management display and assigning regular expression filters to normalization fields is
done through the Syslog Assign Filters display.
Syslog filters are designed to be shared across multiple syslog sensors.
Syslog filters can also be stacked, meaning that should a filter not return a valid result,
the system will automatically step through to the next filter if available. Stacking filters is
done on the Assign Filters display by simply adding more than one filter to any given
normalization field.
Without any filters, syslog events will be imported into the console, however they will
empty or blank. Creating and assigning basic filters immediately is highly
recommended.
8

My Account
Account Details
Refer to Figure 1.1
A user may edit their first and last name in the text boxes provided.
The email contact thats entered into the email text box will be the email address that
alerts are sent to for this user.
User may edit the organization and telephone number by editing the text boxes given.
This information does not affect the operation of the account.
A Location and Timezone box is provided for entering the country and timezone this
account will be used in. This information is used to calculate the correct timezone offset
for consoles that have sensors in different or varying timezones.
The account username may be changed in the text box labeled Username. This is the
name that should be used for logging into the console.
* Note, you must commit your changes for them to take effect.
Figure 1.1
9

Search History
Refer to Figure 1.2
Search History displays the exact text the user searched.
The date and time of the search are shown in the far right.
Figure 1.2
Tagging System
Refer to Figure 1.3
The tagging system allows users the opportunity to have a better way of tracking and
organizing events.
Users may delete and create tags within the Tag Management display. Users may
assign tags within the Event Details display in the assigned tagging section.
10

All created tag choices are located in the Select Tag drop down box in the tagging
section within the Event Details display.Tags can be added to an event by choosing an
already created tag from the drop down box and selecting the Add button. Tags can be
searched by using the Advanced search text box or be viewed within the Frequent tags
display.
Figure 1.3
Activity Logs
Refer to Figure 1.4
The purpose of this feature is to keep track of all activity on the Aanval interface.
Activity logs go into great detail on all actions that have taken place within the Aanval
console.
For example the activity logs show the date, the time, the specific activity that occurred,
the GMT offset.
In order to refresh this list, click the refresh button.
A sample of an activity log is as follows:
"Feb 08 16:04:39 [CONSOLE] [10.1.1.220] [root : 1] Console OP Request: prv_main"
11

Figure 1.4
Live GeoLocation
Refer to Figure 1.5
Aanval's Live GeoLocation feature is a real-time, auto-updating global display of attack
and threat vectors plotted on a world map, by way of Google Maps.
Features of the Live GeoLocation display:
Display all sensors or display GeoLocation plots for a single sensor
Display all risk levels or plots within a selected risk level
User selectable update / polling frequency
User selectable number of threat vectors to display
Time based color coding is also provided so that analysts can quickly (visually) identify
or determine if threat vectors are new to the system, rather than comparing time / date
stamps or manually interfacing with the display.
Figure 1.5
12

Frequent Offenders
Figure 1.6
Frequent Offenders gives a user the ability to view the most frequent offending IP
addresses within the active datastore. This view may be sorted by both frequent
(descending) and infrequent (ascending) event order.
Frequent Offender provides IP and host details as well as options to allow the user to
browse the offenders related events or map the offending address on the consoles geo
location map.
The Frequent Offenders display gives the user the ability to see the overall event
percentage of events from a specific, offending host / IP.
Additionally, a pie chart is provided that demonstrates the events from specific IP
addresses broken down by percentage.
Figure 1.6
13

Frequent Targets
Refer to Figure 1.7
In Frequent Targets Aanval gives the ability to view your most frequent targets from the
active datastore.This view may be sorted by both frequent (descending) and infrequent
(ascending) event order.
Under frequent targets a display of targets is given. User has the ability to list events by
Frequent, infrequent and Resolve Host names. Options allows you to view the offender
on live Geolocation and to browse events.
Frequent Targets display gives the ability to see the over all event percentage of events
from a specific host/IP.
In the far right display Frequent Targets gives a pie chart of an overall look of the
amount of events from specific IP addresses.
Figure 1.7
14

Frequent Events
Refer to Figure 1.8
In Frequent Events Aanval gives the ability to view your most frequent events from the
active datastore.This view may be sorted by both frequent (descending) and infrequent
(ascending) event order.
Under Frequent Events a display of signatures is given. Details given on the signature is
ID , Events, and the Options icon. The Options icon allows you to browse events.
Frequent Events display gives the ability to see the over all event percentage from a
specific Signature Name/IP.
In the far right display Frequent Events gives a pie chart of an overall look of the amount
of events from specific Signature Names
Figure 1.8
15

Reports
Refer to Figure 1.9
Reports may be displayed, scheduled, managed and emailed through the console
Report display.
Create
To create a Report, user must go to the Event Browser display and enter the Source
and Destination Addresses and the port numbers in text boxes provided .
User may select the risk level of the report from the drop down box provided. User may
also choose the Protocol they wish to use.
By default, the query will be used for the name if nothing is provided.
View
A user may select what format the report will be displayed in. Reports are traditionally
available in text, HTML, XML, Text and an in-console / native format.
Figure 1.9
16

Action Management
Refer to Figure 2.0
Create
To create an action select the Create Action button.
Edit
User may name the action and write a description of the action in the text boxes that are
labeled to do so.
User may enter a Threshold Count, and the Threshold Seconds.
User may choose the action to disable on the first match by selecting the checkbox
under the /description text box.
Users may choose to have a action Match Any or Match All, to choose the two choices
select the given box of users preference.
17

User may activate action by selecting the enable check box. Once action is enabled
action will have the green active light to the left of the action.
*Note, user must commit to changes for them to take effect.
Figure 2.0
Note Management
Refer to Figure 2.1
Note Management
In this display user has the ability to write a no on a specific event.
Add Note
In order to create a note, enter in the Event ID of the users liking, then user types the
note information in the text box given.User can choose whether to have this as a Private
Note or Public Read.
Once the user is finished writing the note and adding the viewing preference, select the
Update button.
If done correctly the note will be updated in the far right column display.
18

To view an already created note, select the desired note from the far right display and
the note details will appear in the main display.
User can change whether to have this as a Private Note, Public Read, or Public Read.
* Note, user must commit changes for them to take effect.
To see the changes on the note left-click the refresh button in browser.
If user wishes to delete a note select the specific note from the left column display and
select the Delete checkbox and then click the Delete button.
Figure 2.1
Snort Settings
Refer to Figure 2.2
Module Settings
You can enable and disable the processing module using the provided checkbox.
Enter in the name of the snort database that will be used for processing.
Enter in the hostname of the database server. This may be either local or remote. For local
databases, use localhost or 127.0.0.1 as necessary.
19

Enter in the appropriate username and password for the snort database selected.
Database Options
Database trimming allows Aanval to help maintain the overall health of your Snort database and
tables, by automatically trimming old events. * Warning, this feature does delete events from the
Snort database; please ensure you have proper backups prior to use if necessary.
You may enable database trimming by selecting the trimming checkbox.
Set the trimming threshold to a number of your choosing, appropriate for your hardware.
500,000 or 1,000,000 is recommended for small to medium installations, while 5,000,000 may
be adequate for larger hardware architectures.
* Note, you must commit your changes for them to take effect
Figure 2.2
Syslog Module Configuration
Refer to Figure 2.3
Manage
Name the sensor by using the Name text box provided. Add a description of the sensor in the
text box labeled Description. These values are referenced throughout the console and should
be kept relatively short in length.
The latitude and longitude should be entered using the text box that is labeled "Location".
Examples of longitude and latitude, New York City at 40.82,-74.00 and Budapest at 47.41,19.09
20

Edit the time zone of that sensor by using the drop down box provided.
Once the user has finished configuring a selected sensor, click the update button to commit
these settings to the server.
Delete a sensor by selecting the sensor within the display and select the delete checkbox, then
left-click the delete button. Warning, deleting a sensor will have adverse effects and may render
all data from this sensor useless.
User may reimport data or reset the tracker by selecting the check mark box for desired option
then selecting the desired option button. The description of Re-import Data and Reset Tracker
are listed in the far right display.
Figure 2.3
BPU Status
Refer to Figure 2.4
Management
21

The BPU status gives the user the ability to view if the BPU’s are running in a user
friendly way.
User is now able to determine if BPU’s are running by Simply looking at the three green
Status Indicators (SI) to the right of the main Aanval Icons.
If the three SI’s are green this means the BPU’s are running. If the SI’s are white that
means the BPU’s are not running and if one specific BPU is dead then that specific SI
will be red.
You may view how to start and stop BPU’s by going to the BPU Status display. This
display can be reached by simply selecting one of the three SI’s.
Figure 2.4
Datastore Management
Refer to Figure 2.5
Management
22

In Console Preferences display the user has rotation options, which allow the user to
rotate a datastore by days or by the number of events in the an active datastore. This
feature is optional.
The option to manually force rotation is available in the Datastore Management display.
This can be done by simply selecting the "Rotate Datastore" button.
The Manage display shows the user the total number of datastores and displays the
total number of events in all listed datastores.
* Note, the user must commit changes for them to take effect.
Configure
A text box is provided to name a datastore.
Each Datastore is given a store number when created, this can be seen as ID in the far
right column window.
A user has the option to select a datastore to make it active. The datastore that is
currently active can be found in the far right display and is signified by a green dot to the
left of the datastore name. A user can select a different datastore and make it active by
selecting the datastore from the display and left-clicking the "Make Active" button.
Changing the active datastore will allow a user to view the events from this datastore
while all new events will continue to be processed into the correct (most recent)
datastore.
* Note, the user must commit changes for them to take effect.
Figure 2.5
23

Snort Sensor 1
Snort Sensor 2
Snort Database
Aanval > Multiple Snort Sensor Architecture
INTERNET/Untrusted Nestork
Hub/
Span/
Tap
Firewall
PRO 1260
Aanval
Aanval Database
25

END USER LICENSE AGREEMENT (EULA)
Version 6, August 2008
Copyright (C) 2012 Tactical FLEX, Inc.
TERMS AND CONDITIONS
1. GRANT OF LICENSE. Tactical FLEX, Inc. grants the user the following rights provided the
user complies with all terms and conditions of this EULA:
. Installation and use. The user may install, use, access, display and run one copy of the product
on a single computer such as a workstation or server.
. Storage / Backup. The user may store a functioning copy of the product on a dedicated
computer or device for the purpose of backup recovery and / or disaster recovery. Licenses for
the Product may not be shared or used concurrently on different computers.
. Reservation of Rights. Tactical FLEX, Inc. reserves all rights not expressly granted to the user
in this EULA.
2. UPGRADES. To use a Product identified as an upgrade, you must first be licensed for the
product identified by Tactical FLEX, Inc. as eligible for the upgrade.
3. LIMITATION ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You
may not reverse engineer, decompile, or disassemble the Product, except and only to the extent
that it is expressly permitted by applicable law notwithstanding this limitation.
4. MODIFICATION / INTEGRATION. Modification and / or integration of the product for
commercial purposes without proper authorization from Tactical FLEX, Inc. is prohibited.
Product modifications affecting directly or indirectly product features, functionality, licenses or
product license mechanisms is prohibited. This product may not be integrated or combined with
any other product for commercial purposes without express written authorization from Tactical
FLEX, Inc..
5. TERMINATION. Without prejudice to any other rights, Tactical FLEX, Inc. may cancel this
EULA if the user does not abide by the terms and conditions of this EULA, in which case the user
must destroy all copies of the Product.
6. COPYING / DISTRIBUTION. Copying and / or distributing licensed or unlicensed copies of
this product or this products components is prohibited. Only authorized Tactical FLEX, Inc.
agents and authorized Tactical FLEX, Inc. Reseller Member agents may distribute copies of this
product in its original state and configuration as officially released and observed by Tactical
FLEX, Inc..
7. LIMITED WARRANTY FOR PRODUCT. Tactical FLEX, Inc. warrants that this Product (in
conjunction with commercially purchased licenses) will perform substantially in accordance with
26

the accompanying materials for a period of ninety days from the date of receipt. Any supplements
or updates to this Product, including without limitation, any (if any) upgrades or patches
provided to the user after the expiration of the ninety day Limited Warranty period are not
covered by any warranty or condition, express, implied or statutory. Tactical FLEX, Inc. has the
right to grant usage and does not infringe intellectual property rights of any third party.
8. LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. The users
exclusive remedy for any breach of this Limited Warranty. Except for any refund elected by
Tactical FLEX, Inc., THE USER IS NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT
NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Tactical FLEX,
Inc.'s Limited Warranty, and, to the maximum extent allowed by applicable law, even if any
remedy fails of its essential purpose. Tactical FLEX, Inc. cannot be held liable for damages
caused by improper use of or negligence of or on the part of the user. Tactical FLEX, Inc. cannot
be held liable for damages resulting from the use of this program or conclusions drawn from the
use of this program either by the user or Tactical FLEX, Inc..
9. ADDITIONAL SUPPORT SERVICES. Tactical FLEX, Inc. and its suppliers provide additional
levels of product support which do not alter or modify the terms and conditions of this EULA.
Warranties, support or remedies purchased in addition to this product are provided as
independant products and services.
10. LICENSE OWNERSHIP. All licenses issued by Tactical FLEX, Inc. remain the property of
Tactical FLEX, Inc. and are issued on a lease basis. License lease periods may vary and may or
may not be subject to renewal. Direct or indirect trading, selling or auctioning of licenses is
prohibited and will result in immediate license revocation. Tactical FLEX, Inc. reserves the right
and permission to revoke licenses at any time. Revoked licenses become immediately invalid. The
use of revoked or invalid licenses is prohibited and constitutes a direct violation of this
agreement. Retaining ownership of valid and invalid licenses, Tactical FLEX, Inc. reserves the
right to publish and print publicly available customer information for marketing and sales
purposes. Customers are provided the right to deny inclusion of company customer information
through written communication expressing intent to Tactical FLEX, Inc..
11. ENTIRE AGREEMENT. This EULA (including any addendum or amendment to this EULA
which is included with this Product) are the entire agreement between the user and Tactical
FLEX, Inc. relating to this Product and the support services (if any) and they supersede all prior
or contemporaneous oral or written communications, proposals and representations with respect
to this Product or any other subject matter covered by this EULA. To the extent the terms of any
Tactical FLEX, Inc. policies or programs for support services conflict with the terms of this
EULA, the terms of this EULA shall control.
12. This Product is protected by copyright and other intellectual property laws and treaties.
Tactical FLEX, Inc. or its suppliers own the title, copyright, and other intellectual property rights
in this Product. This Product is licensed, not sold.
END OF TERMS AND CONDITIONS.
27

Tactical FLEX, Inc.
800-921-2584
http://www.aanval.com/
AANVAL® 7 PRODUCT MANUAL
Snort & Syslog Intrusion Detection, Correlation and Threat Management
28