Tools hakin9 5/2007

Remote Assessment

Aanval 3


System: Unix/Linux

License: Commercial

Application: Aanval 3

Homepage: http://www.aanval.com/

One of the challenges in modern security is what to do with the data from your IDS probes and system logs. Aanval (pronounced anvil) is an event consolidation and correlation console for syslog and the popular Snort IDS. It provides powerful consolidation, visualisation and reporting of security events from multiple sources.


Quick Start: Installation is quick and straightforward: a web-based wizard first checks that the required dependencies (PHP, Perl and MySQL) are installed and then prompts for the MySQL server to use. A few short steps later you are greeted with the Aanval dashboard. Give Aanval the details of the MySQL database into which Snort logs its alerts and it provides an easy to use and flexible interface to them. The syslog module can be configured either to listen for UDP messages, effectively acting as a syslog server, or to read events from a log file. The sensor management tools (SMT) feature lets you monitor, start and stop Snort sensors and deploy new signatures to them.

There is a wealth of reporting features, including several preconfigured high-level reports showing information such as the most frequent security events and the most frequent offending IP addresses. Ad-hoc reports can be created quickly by querying the built-in search engine and clicking the generate report button. Reports can be viewed in the browser as HTML or as PDF documents, and can be scheduled for delivery by email. Aanval correlates alerts into groups of related events, making it easy to spot trends and ongoing attacks.
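To make concrete what the consolidation, reporting and correlation described above involve, here is an added example written for this review; it is not Aanval's own code and does not show how Aanval implements any of this. It parses Snort alert_fast lines and RFC 3164 syslog lines (the form received over UDP or read from a file) into one event record, produces the two report types mentioned (most frequent events and top offending source IPs), and groups events from the same source IP that fall within a time window, regardless of which sensor reported them. All sample lines, hosts, addresses and signature IDs are constructed, and the year (absent from both log formats) is assumed.

```python
"""Consolidate Snort and syslog events, report on them and group related ones.
Added example; not Aanval's code.  Sample data below is constructed."""
import re
from collections import Counter
from datetime import datetime

# Snort alert_fast line, e.g.
# 01/12-10:15:32.123456  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.168.1.10:22
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
# RFC 3164 syslog line, e.g.
# <38>Jan 12 10:15:40 gw sshd[2201]: Failed password for root from 10.0.0.5 port 4322 ssh2
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_snort(line, year=2007):
    """Snort timestamps carry no year; the caller supplies it (assumed 2007 here)."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    return {
        "source": "snort",
        "ts": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S"),
        "sig": f"{m['gid']}:{m['sid']}",  # generator:signature id as Snort reports it
        "msg": m["msg"],
        "src": m["src"],
        "dst": m["dst"],
        "pri": int(m["prio"] or 0),  # Snort priority: 1 is the most urgent
    }


def parse_syslog(line, year=2007):
    """RFC 3164 PRI = facility*8 + severity; the message carries no year either."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    ips = IPV4_RE.findall(m["msg"])
    return {
        "source": "syslog",
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "sig": f"{m['host']}/{m['tag']}",  # host and program stand in for a signature
        "msg": m["msg"],
        "src": ips[0] if ips else None,  # first IP in the text is treated as the actor
        "dst": m["host"],
        "pri": severity,  # syslog severity: 0 is the most urgent
        "facility": facility,
    }


def consolidate(lines):
    """Parse each line as Snort or syslog, drop anything that is neither, order by time."""
    events = [ev for ev in (parse_snort(ln) or parse_syslog(ln) for ln in lines) if ev]
    events.sort(key=lambda e: e["ts"])
    return events


def top_events(events, n=5):
    """Most frequent security events, as a preconfigured report would list them."""
    return Counter(e["sig"] for e in events).most_common(n)


def top_sources(events, n=5):
    """Most frequent offending source IPs."""
    return Counter(e["src"] for e in events if e["src"]).most_common(n)


def correlate(events, window_s=300):
    """Chain events from one source IP while each falls within window_s of the
    previous one, whichever sensor reported them; events with no source IP
    become singleton groups."""
    groups, open_by_src = [], {}
    for e in events:
        g = open_by_src.get(e["src"]) if e["src"] else None
        if g and (e["ts"] - g["last"]).total_seconds() <= window_s:
            g["events"].append(e)
            g["last"] = e["ts"]
        else:
            g = {"src": e["src"], "first": e["ts"], "last": e["ts"], "events": [e]}
            groups.append(g)
            if e["src"]:
                open_by_src[e["src"]] = g
    return groups


# Constructed sample input: two Snort signatures (made-up SIDs) and a gateway's sshd syslog.
SAMPLE_LINES = [
    "01/12-10:15:32.123456  [**] [1:1000001:1] EXAMPLE SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.168.1.10:22",
    "<38>Jan 12 10:15:40 gw sshd[2201]: Failed password for root from 10.0.0.5 port 4322 ssh2",
    "<38>Jan 12 10:15:41 gw sshd[2201]: Failed password for root from 10.0.0.5 port 4323 ssh2",
    "01/12-10:15:45.000001  [**] [1:1000001:1] EXAMPLE SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4324 -> 192.168.1.10:22",
    "01/12-10:20:00.000001  [**] [1:1000002:1] EXAMPLE ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.1",
    "<30>Jan 12 10:21:05 gw sshd[2210]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2",
    "01/12-11:30:00.000001  [**] [1:1000002:1] EXAMPLE ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.2",
    "this line is neither format and is ignored",
]

if __name__ == "__main__":
    evs = consolidate(SAMPLE_LINES)
    print("top events:", top_events(evs))
    print("top sources:", top_sources(evs))
    for g in correlate(evs):
        print(g["src"], g["first"].time(), "->", g["last"].time(), len(g["events"]), "events")
```

Run as a script it lists the three most frequent signatures, shows 10.0.0.5 as the top source, and groups the two Snort SSH alerts with the two sshd failures from the gateway into one five-minute cluster; the sshd "Accepted" line and the later ping sweep stay separate. The window and the choice of source IP as the grouping key are deliberately simple; a real console also keys on destination, signature and sensor.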


Aanval does a good job of visualising security events: a graph at the top of the console shows the number of events being received per second, and the live monitoring option gives a top-level view of incoming alerts in real time. Clicking on an event drills down to detailed information and useful links, including details of the Snort signature that fired and whois information on the IP addresses involved.

Extra features:

  • Event sources: Cisco, SonicWall, Microsoft, Linux and more

  • Native Snort and Syslog support

  • Web-based – Access from anywhere

  • Centralized Alerts and Reports

  • Fully Automated

Advantages: This is a powerful tool with plenty of useful features. The sensor management tools give full control over your deployed Snort sensors, making Aanval a complete Snort command and control console. Access is secured with username/password authentication, and a multi-level user access system gives administrators control over what each user can see and change within the console. As with any web console that is reachable from anywhere, it should be served over HTTPS and kept off the public internet, since it holds both the credentials and the alert data for your sensors.

Disadvantages: Snort is the only IDS platform supported, so if you use another IDS product Aanval might not be for you.



by Jim Halfpenny