Tactical FLEX, Inc.<br />
AANVAL® 7 PRODUCT MANUAL<br />
Snort & Syslog Intrusion Detection, Correlation and Threat Management<br />
Aanval is a product of Tactical FLEX, Inc. - Copyright 2012 - All Rights Reserved
What is Aanval?<br />
Aanval is the industry's leading and most comprehensive Snort and Syslog SIEM<br />
(“Security Information & Event Management”) console. Aanval is designed<br />
specifically to scale from small single sensor installations to global enterprise<br />
deployments.<br />
Government Security, defense organizations from more than a half dozen countries,<br />
educational institutions from around the world, global financial organizations as well as<br />
space exploration and military weapons manufacturers rely upon Aanval as a part of<br />
their security infrastructure.<br />
SIEM ("Security Information and Event Management")<br />
Aanval does more than just display event data. We do the work for you. Aanval includes<br />
a sophisticated event correlation engine to logically group detected attacks from your<br />
Snort and syslog sensors together. We even do it in real-time.<br />
Billions! Yes, Billions<br />
Aanval is built upon a sophisticated and time-tested data storage mechanism that<br />
allows for event storage that is only limited by disk space resources. Store billions of<br />
Snort and syslog events locally or remotely without adversely affecting performance.<br />
Web-Browser, iPhone and iPad<br />
Aanval is written in the most standards based HTML and Javascript, works in every<br />
major browser and is accompanied by a native iPhone and iPad application available on<br />
the iTunes App Store.<br />
Full Text Event & Payload Searching<br />
Not only browse and search events by ip, port, signature, risk level, protocol and more -<br />
Take control of your data and perform real-time packet payload searching and reporting.<br />
Real-time GeoLocation Displays<br />
View attack vectors in real-time using Aanval's new wide-range of GeoLocation<br />
displays. Know the precise location on this planet where those pesky little attackers are<br />
sourcing attacks from.<br />
Why IT Security Departments Worldwide Choose Aanval?<br />
• Aanval is a fully integrated event management and attack data correlation<br />
engine. Aanval compares and correlates attacks in real-time and provides easy<br />
on the eyes charts & visual representations of related attack data across.<br />
• Aanval, with support for Snort and Syslog capable devices tells you when your<br />
network is at risk. View data by most frequent offenders, most frequent events –<br />
sort by time periods, signatures, threats and even plot the location of attacks on a<br />
fully interactive global map.<br />
• In addition to supporting the world’s most widely used intrusion detection engine,<br />
Aanval supports any device with syslog capabilities. Routers, firewalls, switches,<br />
servers & more can be seamlessly integrated into the Aanval console for<br />
complete data management.<br />
• Aanval simplifies the daunting task of managing 1,000’s, 100,000’s to billions of<br />
events. Full background processing, automated database management, remote<br />
storage and selective deletions put you back in the driver's seat.<br />
• Statistical analysis and advanced methods of attack pattern identification are only<br />
a few of the ongoing research projects available within Aanval. Discover internal<br />
& external network attack and infrastructure abuse patterns not normally<br />
identified by competing products.<br />
• Aanval is the most competitively priced intrusion console in the sector. Feature<br />
for feature, Aanval is the most cost-effective Snort and syslog threat<br />
management solution available.<br />
View the Aanval Online Demo<br />
Tactical FLEX, Inc. has created a public online demo (limited) of Aanval for prospective<br />
users to browse and become familiar with. Visit the link http://demo.aanval.com/ and<br />
use the username “root” and password “demo” to login.<br />
Aanval v7 Detailed Installation Guide<br />
Installing Aanval is quite simple and can be completed under most circumstances in just<br />
a few minutes or less.<br />
Aanval will install on all major Linux and Unix distributions including Mac OS X.<br />
Step 1<br />
Create a database for Aanval to use<br />
Note: You may need to enter credentials to create a database in your particular<br />
environment, i.e. "mysql -u user -p" followed by enter will prompt for a password prior to<br />
accessing the MySQL prompt.<br />
Using the MySQL prompt, the command "create database aanvaldb;" creates a<br />
MySQL database named "aanvaldb"<br />
Using the MySQLAdmin command line tools, the command "mysqladmin create<br />
aanvaldb" creates this database<br />
Step 2<br />
Create a directory within your web root directory for Aanval<br />
Issuing the command "mkdir aanval" creates a directory to store Aanval<br />
Step 3<br />
Download the latest Aanval console release from Aanval<br />
Note: The name of the file includes the most recent major version number, this should<br />
be changed to reflect the latest major release available from Aanval.<br />
When you are ready to proceed, change into the newly created "aanval" directory and<br />
run the following wget command:<br />
"wget download.aanval.com/aanval-7-latest-stable.tar.gz" will download this package<br />
and place it in the current directory<br />
Step 4<br />
Uncompress the newly downloaded Aanval package<br />
The command "tar -zxvf aanval-7-latest-stable.tar.gz" will uncompress and extract the<br />
Aanval package contents into the current directory<br />
Step 5<br />
Remove the downloaded archive file to clean up the Aanval directory structure<br />
Step 6<br />
Browse to the web-root directory in your browser to start the installation process<br />
Read and accept the Aanval End User License Agreement ("EULA")<br />
Step 7<br />
Configure the installation details to complete the final installation steps<br />
Database Hostname should either be "localhost" or "127.0.0.1" for a local database, or<br />
enter the name or network address of the actual database host.<br />
Database Username should be a user with general MySQL permissions to perform all<br />
operations on the "aanvaldb" database<br />
Database Password should be the associated password, leave blank if a password is<br />
not necessary<br />
Note: Please pay attention to any errors that may occur, and attempt to resolve them<br />
through either the information provided or by using available Aanval support options.<br />
Step 8<br />
Take note of the default username and password provided. You will need this to access<br />
the console.<br />
Note: You should change your password immediately after installation to prevent<br />
unauthorized access!<br />
Upon completing installation you will be taken to the login page.<br />
Step 9<br />
Your Aanval console has been successfully installed. You may now login.<br />
Step 10<br />
Start the Aanval background processing units ("BPU's") which are responsible for<br />
importing events, processing actions and ensuring the console functions properly.<br />
Note: You must start the BPU's in order for the console to operate correctly, and it<br />
should be done with root or equivalent privileges.<br />
Change into the /apps/ directory of your Aanval installation and run the following<br />
command: "perl idsBackground.pl -start"<br />
Complete!<br />
Next, you will want to configure and enable the snort and / or syslog modules from within<br />
the Aanval console. Please see the documentation provided for these topics should you<br />
require assistance.<br />
Should you have had any problems during your installation, please see the online<br />
documentation for assistance. Alternatively, you may purchase support and installation<br />
assistance to have this process performed by an authorized Aanval engineer.<br />
Aanval Modules<br />
Snort<br />
Aanval’s snort module is designed to import and normalize events from a single snort<br />
database. Sensors are determined by the sensors available within the snort database<br />
sensor table. Each reporting snort instance will have a unique entry within this database<br />
table.<br />
The Snort Settings display is used to configure Aanval’s snort module. The settings in<br />
this display should be configured to allow Aanval to access the snort database. Incorrect<br />
settings will prevent proper importing and normalization of snort sensors and event<br />
data.<br />
Available snort sensors are listed within the Snort Configuration display of Aanval. This<br />
list is read directly from the snort database. If this list is empty, either there are no<br />
sensors available within the configured snort database, or the snort database settings<br />
within Aanval are incorrect.<br />
Each snort sensor that is activated / enabled within the Aanval console requires a<br />
unique license. Attempting to enable a snort sensor without an available license seat will<br />
display an error message indicating that there are not enough licenses available to<br />
perform that action.<br />
Snort data is imported out of the snort database and normalized for processing and<br />
storage in Aanval. The Aanval storage engine is highly optimized and designed to store<br />
large numbers of events. Regardless of module, all imported event data is normalized to<br />
this same storage format.<br />
At this time, multiple separate snort databases are not supported. All snort sensors must<br />
be configured to report to a single snort database instance to be managed within an<br />
Aanval console.<br />
Syslog<br />
Aanval’s syslog module is capable of processing both locally accessible text / log files or<br />
syslog data transmitted to Aanval’s syslog daemon (idsSyslog.pl) on UDP port 514.<br />
Aanval refers to all sources of data as sensors.<br />
Local log file sensors that are to be processed by Aanval must be manually added<br />
within the Syslog Configurations display of Aanval. These sources must be locally<br />
available to Aanval for processing.<br />
Syslog data that comes into the console by way of the Aanval syslog daemon<br />
(idsSyslog.pl) will automatically create a placeholder syslog sensor. This sensor is<br />
disabled by default.<br />
Enabling and configuring a syslog sensor is done through the Aanval Syslog<br />
Configuration display.<br />
Each syslog sensor that is activated / enabled within the Aanval console requires a<br />
unique license. Attempting to enable a syslog sensor without an available license seat<br />
will display an error message indicating that there are not enough licenses available to<br />
perform that action.<br />
Much like snort data, syslog event data is imported and normalized for processing and<br />
storage in Aanval. The Aanval storage engine is highly optimized and designed to store<br />
large numbers of events. Regardless of module, all imported event data is normalized to<br />
this same storage format.<br />
Syslog data requires an additional processing step in order to successfully normalize<br />
the data for storage. Because no standard exists for syslog data, Aanval uses a<br />
sophisticated system of regular expression filters that are manually configured to parse<br />
incoming syslog data and assign it to normalization fields.<br />
Upon enabling or activating a syslog sensor, users must create a series of regular<br />
expressions that parse needed data out of each syslog string and assign it to the<br />
appropriate normalization fields within Aanval.<br />
Creating syslog filters (regular expressions) is done within the Syslog Filter<br />
Management display and assigning regular expression filters to normalization fields is<br />
done through the Syslog Assign Filters display.<br />
Syslog filters are designed to be shared across multiple syslog sensors.<br />
Syslog filters can also be stacked, meaning that should a filter not return a valid result,<br />
the system will automatically step through to the next filter if available. Stacking filters is<br />
done on the Assign Filters display by simply adding more than one filter to any given<br />
normalization field.<br />
Without any filters, syslog events will be imported into the console; however, they will be<br />
empty or blank. Creating and assigning basic filters immediately is highly<br />
recommended.<br />
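The stacking behaviour described above, sketched as an added Python example (not Aanval's own code or filter syntax).<br />
The normalization field names, the filter names, the validity check and the sample syslog lines are assumptions constructed for illustration.<br />

```python
import ipaddress
import re

# Hypothetical normalization field names; the manual does not list Aanval's own.
FIELDS = ("src_ip", "dst_ip", "dst_port", "protocol", "signature")


def is_ip(value):
    """Assumed meaning of a 'valid result' for address fields: it parses as an IP."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class SyslogFilter:
    """A reusable filter: capture group 1 of the regex is the extracted value."""

    def __init__(self, name, pattern, validator=None):
        self.name = name
        self.regex = re.compile(pattern)
        self.validator = validator

    def apply(self, line):
        match = self.regex.search(line)
        if match is None:
            return None
        value = match.group(1).strip()
        if not value or (self.validator and not self.validator(value)):
            return None  # matched, but not a usable value: let the stack continue
        return value


def normalize(line, assignments):
    """Run each field's filter stack in order; the first valid result wins."""
    event = {}
    for field in FIELDS:
        event[field] = ""  # a field with no filter, or no valid result, stays blank
        for flt in assignments.get(field, []):
            value = flt.apply(line)
            if value is not None:
                event[field] = value
                break
    return event


# Filter library, defined once and shared by every sensor that needs it.
SRC_KV = SyslogFilter("src key=value", r"\bSRC=(\S+)", is_ip)
SRC_FROM = SyslogFilter("src after 'from'", r"\bfrom (\S+)", is_ip)
DST_KV = SyslogFilter("dst key=value", r"\bDST=(\S+)", is_ip)
DPT_KV = SyslogFilter("dst port key=value", r"\bDPT=(\d{1,5})\b")
PROTO_KV = SyslogFilter("protocol key=value", r"\bPROTO=(\w+)")
SIG_FW = SyslogFilter("firewall verdict", r"kernel: (\w+) IN=")
SIG_SSHD = SyslogFilter("sshd auth failure", r"sshd\[\d+\]: (Failed password)")

# Stacked assignment: more than one filter on a field is tried top to bottom.
ASSIGNMENTS = {
    "src_ip": [SRC_KV, SRC_FROM],
    "dst_ip": [DST_KV],
    "dst_port": [DPT_KV],
    "protocol": [PROTO_KV],
    "signature": [SIG_FW, SIG_SSHD],
}

# Constructed sample lines (documentation address ranges), not real captures.
SAMPLES = [
    "Feb  8 16:04:39 web01 sshd[2211]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51514 ssh2",
    "Feb  8 16:05:02 fw01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 "
    "DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22",
    "Feb  8 16:05:40 proxy01 app: denied SRC=unknown request from 203.0.113.9",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample, ASSIGNMENTS))
    # With no filters assigned the event is still produced, but every field is blank.
    print(normalize(SAMPLES[0], {}))
```

The third sample shows why stacking matters: the first source filter matches "unknown", which is rejected, and the second filter supplies the address.<br />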
My Account<br />
Account Details<br />
Refer to Figure 1.1<br />
A user may edit their first and last name in the text boxes provided.<br />
The email contact that is entered into the email text box will be the email address that<br />
alerts are sent to for this user.<br />
User may edit the organization and telephone number by editing the text boxes given.<br />
This information does not affect the operation of the account.<br />
A Location and Timezone box is provided for entering the country and timezone this<br />
account will be used in. This information is used to calculate the correct timezone offset<br />
for consoles that have sensors in different or varying timezones.<br />
The account username may be changed in the text box labeled Username. This is the<br />
name that should be used for logging into the console.<br />
* Note, you must commit your changes for them to take effect.<br />
Figure 1.1<br />
Search History<br />
Refer to Figure 1.2<br />
Search History displays the exact text the user searched.<br />
The date and time of the search are shown in the far right.<br />
Figure 1.2<br />
Tagging System<br />
Refer to Figure 1.3<br />
The tagging system allows users the opportunity to have a better way of tracking and<br />
organizing events.<br />
Users may delete and create tags within the Tag Management display. Users may<br />
assign tags within the Event Details display in the assigned tagging section.<br />
All created tag choices are located in the Select Tag drop down box in the tagging<br />
section within the Event Details display. Tags can be added to an event by choosing an<br />
already created tag from the drop down box and selecting the Add button. Tags can be<br />
searched by using the Advanced search text box or be viewed within the Frequent tags<br />
display.<br />
Figure 1.3<br />
Activity Logs<br />
Refer to Figure 1.4<br />
The purpose of this feature is to keep track of all activity on the Aanval interface.<br />
Activity logs go into great detail on all actions that have taken place within the Aanval<br />
console.<br />
For example, the activity logs show the date, the time, the specific activity that occurred,<br />
and the GMT offset.<br />
In order to refresh this list, click the refresh button.<br />
A sample of an activity log is as follows:<br />
"Feb 08 16:04:39 [CONSOLE] [10.1.1.220] [root : 1] Console OP Request: prv_main"<br />
Figure 1.4<br />
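As an added example (not part of the manual or of Aanval), the sample line above can be parsed and reviewed with a short Python script, for instance to check which users and addresses are operating the console.<br />
The field interpretation, the allowed management network and every log line other than the manual's sample are assumptions constructed for illustration.<br />

```python
import ipaddress
import re
from collections import Counter

# Layout inferred from the manual's single sample line. Reading the bracketed
# fields as component, client address and "username : numeric id" is an assumption.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<component>[^\]]+)\] "
    r"\[(?P<address>[^\]]+)\] "
    r"\[(?P<user>[^\]:]+?)\s*:\s*(?P<uid>\d+)\] "
    r"(?P<message>.*)$"
)


def parse_line(line):
    """Return the fields of one activity log line, or None if it does not fit."""
    match = LINE_RE.match(line.strip().strip('"'))
    return match.groupdict() if match else None


def in_allowed(address, networks):
    """True only if the address parses and falls inside an allowed network."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def review(lines, allowed_networks):
    """Count requests per (user, address) and collect entries worth a second look."""
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    counts, outside, unparsed = Counter(), [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)  # kept, so malformed lines are not silently lost
            continue
        counts[(entry["user"], entry["address"])] += 1
        if not in_allowed(entry["address"], networks):
            outside.append(entry)
    return counts, outside, unparsed


# Hypothetical management network from which console use is expected.
ALLOWED = ["10.1.1.0/24"]

SAMPLE_LOG = [
    # The manual's sample line, quotes included:
    '"Feb 08 16:04:39 [CONSOLE] [10.1.1.220] [root : 1] Console OP Request: prv_main"',
    # Constructed lines in the same layout:
    "Feb 08 16:05:10 [CONSOLE] [10.1.1.220] [root : 1] Console OP Request: prv_main",
    "Feb 08 16:09:47 [CONSOLE] [198.51.100.44] [root : 1] Console OP Request: prv_main",
    "Feb 08 16:10:02 [CONSOLE] [10.1.1.35] [analyst : 2] Console OP Request: prv_main",
    "truncated line without brackets",
]

if __name__ == "__main__":
    counts, outside, unparsed = review(SAMPLE_LOG, ALLOWED)
    for (user, address), total in counts.most_common():
        print(f"{user:10} {address:16} {total}")
    for entry in outside:
        print("outside allowed networks:", entry["timestamp"], entry["user"], entry["address"])
    print("unparsed lines:", len(unparsed))
```

The timestamp in the sample carries no year, so entries should be correlated with the file's own date range before comparing across log rotations.<br />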
Live GeoLocation<br />
Refer to Figure 1.5<br />
Aanval's Live GeoLocation feature is a real-time, auto-updating global display of attack<br />
and threat vectors plotted on a world map, by way of Google Maps.<br />
Features of the Live GeoLocation display:<br />
Display all sensors or display GeoLocation plots for a single sensor<br />
Display all risk levels or plots within a selected risk level<br />
User selectable update / polling frequency<br />
User selectable number of threat vectors to display<br />
Time based color coding is also provided so that analysts can quickly (visually) identify<br />
or determine if threat vectors are new to the system, rather than comparing time / date<br />
stamps or manually interfacing with the display.<br />
Figure 1.5<br />
Frequent Offenders<br />
Refer to Figure 1.6<br />
Frequent Offenders gives a user the ability to view the most frequent offending IP<br />
addresses within the active datastore. This view may be sorted by both frequent<br />
(descending) and infrequent (ascending) event order.<br />
Frequent Offenders provides IP and host details as well as options to allow the user to<br />
browse the offender's related events or map the offending address on the console's<br />
geolocation map.<br />
The Frequent Offenders display gives the user the ability to see the overall event<br />
percentage of events from a specific, offending host / IP.<br />
Additionally, a pie chart is provided that demonstrates the events from specific IP<br />
addresses broken down by percentage.<br />
Figure 1.6<br />
Frequent Targets<br />
Refer to Figure 1.7<br />
In Frequent Targets, Aanval gives you the ability to view your most frequent targets from the<br />
active datastore. This view may be sorted by both frequent (descending) and infrequent<br />
(ascending) event order.<br />
Under Frequent Targets a display of targets is given. The user has the ability to list events by<br />
Frequent, Infrequent and Resolve Host names. Options allow you to view the offender<br />
on the live GeoLocation display and to browse events.<br />
The Frequent Targets display gives the ability to see the overall event percentage of events<br />
from a specific host / IP.<br />
In the far right display, Frequent Targets gives a pie chart with an overall look at the<br />
number of events from specific IP addresses.<br />
Figure 1.7<br />
Frequent Events<br />
Refer to Figure 1.8<br />
In Frequent Events, Aanval gives you the ability to view your most frequent events from the<br />
active datastore. This view may be sorted by both frequent (descending) and infrequent<br />
(ascending) event order.<br />
Under Frequent Events a display of signatures is given. The details given for each signature are<br />
ID, Events, and the Options icon. The Options icon allows you to browse events.<br />
The Frequent Events display gives the ability to see the overall event percentage from a<br />
specific Signature Name/IP.<br />
In the far right display, Frequent Events gives a pie chart with an overall look at the number<br />
of events from specific Signature Names.<br />
Figure 1.8<br />
Reports<br />
Refer to Figure 1.9<br />
Reports may be displayed, scheduled, managed and emailed through the console<br />
Report display.<br />
Create<br />
To create a Report, the user must go to the Event Browser display and enter the Source<br />
and Destination Addresses and the port numbers in the text boxes provided.<br />
User may select the risk level of the report from the drop down box provided. User may<br />
also choose the Protocol they wish to use.<br />
By default, the query will be used for the name if nothing is provided.<br />
View<br />
A user may select what format the report will be displayed in. Reports are traditionally<br />
available in text, HTML, XML, Text and an in-console / native format.<br />
Figure 1.9<br />
Action Management<br />
Refer to Figure 2.0<br />
Create<br />
To create an action select the Create Action button.<br />
Edit<br />
User may name the action and write a description of the action in the text boxes that are<br />
labeled to do so.<br />
User may enter a Threshold Count, and the Threshold Seconds.<br />
User may choose to disable the action on the first match by selecting the checkbox<br />
under the Description text box.<br />
Users may choose to have an action Match Any or Match All; to choose between the two,<br />
select the box of the user's preference.<br />
User may activate action by selecting the enable check box. Once action is enabled<br />
action will have the green active light to the left of the action.<br />
*Note, user must commit to changes for them to take effect.<br />
Figure 2.0<br />
Note Management<br />
Refer to Figure 2.1<br />
Note Management<br />
In this display the user has the ability to write a note on a specific event.<br />
Add Note<br />
In order to create a note, enter the Event ID of the user's choosing, then type the<br />
note information in the text box given. The user can choose whether to have this as a Private<br />
Note or Public Read.<br />
Once the user is finished writing the note and adding the viewing preference, select the<br />
Update button.<br />
If done correctly the note will be updated in the far right column display.<br />
To view an already created note, select the desired note from the far right display and<br />
the note details will appear in the main display.<br />
User can change whether to have this as a Private Note, Public Read, or Public Read.<br />
* Note, user must commit changes for them to take effect.<br />
To see the changes on the note left-click the refresh button in browser.<br />
If user wishes to delete a note select the specific note from the left column display and<br />
select the Delete checkbox and then click the Delete button.<br />
Figure 2.1<br />
Snort Settings<br />
Refer to Figure 2.2<br />
Module Settings<br />
You can enable and disable the processing module using the provided checkbox.<br />
Enter in the name of the snort database that will be used for processing.<br />
Enter in the hostname of the database server. This may be either local or remote. For local<br />
databases, use localhost or 127.0.0.1 as necessary.<br />
Enter in the appropriate username and password for the snort database selected.<br />
Database Options<br />
Database trimming allows Aanval to help maintain the overall health of your Snort database and<br />
tables, by automatically trimming old events. * Warning, this feature does delete events from the<br />
Snort database; please ensure you have proper backups prior to use if necessary.<br />
You may enable database trimming by selecting the trimming checkbox.<br />
Set the trimming threshold to a number of your choosing, appropriate for your hardware.<br />
500,000 or 1,000,000 is recommended for small to medium installations, while 5,000,000 may<br />
be adequate for larger hardware architectures.<br />
* Note, you must commit your changes for them to take effect<br />
Figure 2.2<br />
Syslog Module Configuration<br />
Refer to Figure 2.3<br />
Manage<br />
Name the sensor by using the Name text box provided. Add a description of the sensor in the<br />
text box labeled Description. These values are referenced throughout the console and should<br />
be kept relatively short in length.<br />
The latitude and longitude should be entered using the text box that is labeled "Location".<br />
Examples of longitude and latitude, New York City at 40.82,-74.00 and Budapest at 47.41,19.09<br />
Edit the time zone of that sensor by using the drop down box provided.<br />
Once the user has finished configuring a selected sensor, click the update button to commit<br />
these settings to the server.<br />
Delete a sensor by selecting the sensor within the display and select the delete checkbox, then<br />
left-click the delete button. Warning, deleting a sensor will have adverse effects and may render<br />
all data from this sensor useless.<br />
User may reimport data or reset the tracker by selecting the check mark box for desired option<br />
then selecting the desired option button. The description of Re-import Data and Reset Tracker<br />
are listed in the far right display.<br />
Figure 2.3<br />
BPU Status<br />
Refer to Figure 2.4<br />
Management<br />
The BPU status gives the user the ability to view if the BPU’s are running in a user<br />
friendly way.<br />
User is now able to determine if BPU’s are running by simply looking at the three green<br />
Status Indicators (SI) to the right of the main Aanval Icons.<br />
If the three SI’s are green this means the BPU’s are running. If the SI’s are white that<br />
means the BPU’s are not running and if one specific BPU is dead then that specific SI<br />
will be red.<br />
You may view how to start and stop BPU’s by going to the BPU Status display. This<br />
display can be reached by simply selecting one of the three SI’s.<br />
Figure 2.4<br />
Datastore Management<br />
Refer to Figure 2.5<br />
Management<br />
In the Console Preferences display the user has rotation options, which allow the user to<br />
rotate a datastore by days or by the number of events in the active datastore. This<br />
feature is optional.<br />
The option to manually force rotation is available in the Datastore Management display.<br />
This can be done by simply selecting the "Rotate Datastore" button.<br />
The Manage display shows the user the total number of datastores and displays the<br />
total number of events in all listed datastores.<br />
* Note, the user must commit changes for them to take effect.<br />
Configure<br />
A text box is provided to name a datastore.<br />
Each Datastore is given a store number when created, this can be seen as ID in the far<br />
right column window.<br />
A user has the option to select a datastore to make it active. The datastore that is<br />
currently active can be found in the far right display and is signified by a green dot to the<br />
left of the datastore name. A user can select a different datastore and make it active by<br />
selecting the datastore from the display and left-clicking the "Make Active" button.<br />
Changing the active datastore will allow a user to view the events from this datastore<br />
while all new events will continue to be processed into the correct (most recent)<br />
datastore.<br />
* Note, the user must commit changes for them to take effect.<br />
Figure 2.5<br />
[Figure: Aanval > Multiple Snort Sensor Architecture. Diagram labels: INTERNET/Untrusted Network, Hub/Span/Tap, Firewall, PRO 1260, Snort Sensor 1, Snort Sensor 2, Snort Database, Aanval, Aanval Database]<br />
END USER LICENSE AGREEMENT (EULA)<br />
Version 6, August 2008<br />
Copyright (C) 2012 Tactical FLEX, Inc.<br />
TERMS AND CONDITIONS<br />
1. GRANT OF LICENSE. Tactical FLEX, Inc. grants the user the following rights provided the<br />
user complies with all terms and conditions of this EULA:<br />
. Installation and use. The user may install, use, access, display and run one copy of the product<br />
on a single computer such as a workstation or server.<br />
. Storage / Backup. The user may store a functioning copy of the product on a dedicated<br />
computer or device for the purpose of backup recovery and / or disaster recovery. Licenses for<br />
the Product may not be shared or used concurrently on different computers.<br />
. Reservation of Rights. Tactical FLEX, Inc. reserves all rights not expressly granted to the user<br />
in this EULA.<br />
2. UPGRADES. To use a Product identified as an upgrade, you must first be licensed for the<br />
product identified by Tactical FLEX, Inc. as eligible for the upgrade.<br />
3. LIMITATION ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You<br />
may not reverse engineer, decompile, or disassemble the Product, except and only to the extent<br />
that it is expressly permitted by applicable law notwithstanding this limitation.<br />
4. MODIFICATION / INTEGRATION. Modification and / or integration of the product for<br />
commercial purposes without proper authorization from Tactical FLEX, Inc. is prohibited.<br />
Product modifications affecting directly or indirectly product features, functionality, licenses or<br />
product license mechanisms is prohibited. This product may not be integrated or combined with<br />
any other product for commercial purposes without express written authorization from Tactical<br />
FLEX, Inc..<br />
5. TERMINATION. Without prejudice to any other rights, Tactical FLEX, Inc. may cancel this<br />
EULA if the user does not abide by the terms and conditions of this EULA, in which case the user<br />
must destroy all copies of the Product.<br />
6. COPYING / DISTRIBUTION. Copying and / or distributing licensed or unlicensed copies of<br />
this product or this products components is prohibited. Only authorized Tactical FLEX, Inc.<br />
agents and authorized Tactical FLEX, Inc. Reseller Member agents may distribute copies of this<br />
product in its original state and configuration as officially released and observed by Tactical<br />
FLEX, Inc..<br />
7. LIMITED WARRANTY FOR PRODUCT. Tactical FLEX, Inc. warrants that this Product (in<br />
conjunction with commercially purchased licenses) will perform substantially in accordance with<br />
the accompanying materials for a period of ninety days from the date of receipt. Any supplements<br />
or updates to this Product, including without limitation, any (if any) upgrades or patches<br />
provided to the user after the expiration of the ninety day Limited Warranty period are not<br />
covered by any warranty or condition, express, implied or statutory. Tactical FLEX, Inc. has the<br />
right to grant usage and does not infringe intellectual property rights of any third party.<br />
8. LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. The users<br />
exclusive remedy for any breach of this Limited Warranty. Except for any refund elected by<br />
Tactical FLEX, Inc., THE USER IS NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT<br />
NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Tactical FLEX,<br />
Inc.'s Limited Warranty, and, to the maximum extent allowed by applicable law, even if any<br />
remedy fails of its essential purpose. Tactical FLEX, Inc. cannot be held liable for damages<br />
caused by improper use of or negligence of or on the part of the user. Tactical FLEX, Inc. cannot<br />
be held liable for damages resulting from the use of this program or conclusions drawn from the<br />
use of this program either by the user or Tactical FLEX, Inc..<br />
9. ADDITIONAL SUPPORT SERVICES. Tactical FLEX, Inc. and its suppliers provide additional<br />
levels of product support which do not alter or modify the terms and conditions of this EULA.<br />
Warranties, support or remedies purchased in addition to this product are provided as<br />
independent products and services.<br />
10. LICENSE OWNERSHIP. All licenses issued by Tactical FLEX, Inc. remain the property of<br />
Tactical FLEX, Inc. and are issued on a lease basis. License lease periods may vary and may or<br />
may not be subject to renewal. Direct or indirect trading, selling or auctioning of licenses is<br />
prohibited and will result in immediate license revocation. Tactical FLEX, Inc. reserves the right<br />
and permission to revoke licenses at any time. Revoked licenses become immediately invalid. The<br />
use of revoked or invalid licenses is prohibited and constitutes a direct violation of this<br />
agreement. Retaining ownership of valid and invalid licenses, Tactical FLEX, Inc. reserves the<br />
right to publish and print publicly available customer information for marketing and sales<br />
purposes. Customers are provided the right to deny inclusion of company customer information<br />
through written communication expressing intent to Tactical FLEX, Inc..<br />
11. ENTIRE AGREEMENT. This EULA (including any addendum or amendment to this EULA<br />
which is included with this Product) are the entire agreement between the user and Tactical<br />
FLEX, Inc. relating to this Product and the support services (if any) and they supersede all prior<br />
or contemporaneous oral or written communications, proposals and representations with respect<br />
to this Product or any other subject matter covered by this EULA. To the extent the terms of any<br />
Tactical FLEX, Inc. policies or programs for support services conflict with the terms of this<br />
EULA, the terms of this EULA shall control.<br />
12. This Product is protected by copyright and other intellectual property laws and treaties.<br />
Tactical FLEX, Inc. or its suppliers own the title, copyright, and other intellectual property rights<br />
in this Product. This Product is licensed, not sold.<br />
END OF TERMS AND CONDITIONS.<br />
Tactical FLEX, Inc.<br />
800-921-2584<br />
http://www.aanval.com/<br />