Writing Regex with Aanval 8

Aanval and Syslog Data

While Aanval can import IDS logs from sources such as Snort and Suricata, it can also import from any source that outputs in a syslog format, and the same management tools, such as reporting, alerting, and correlation, are available to both IDS and syslog data. This opens the gate to hundreds of vendors, products, and devices that can easily send data to Aanval for syslog processing.

Importing Syslog Data

Syslog data can be imported into Aanval by two methods: sending the data directly over UDP port 514 to Aanval’s own syslog server, or having Aanval fetch the event data from a file.


Regex Filters

Once syslog sensors are configured and event data starts being imported, users then need to write regex-based filters to parse specific data from their logs, such as the source IP or port. Below is a listing of all the values Aanval can parse:

* Date
* Time
* Protocol
* Source Address
* Destination Address
* Risk Level
* Source Port
* Destination Port
* Payload
* Event Name
* Category Name


Aanval 8 makes it much easier to write advanced regex filters. Aanval now includes its own regex tester, so you can quickly see the match results of your regex without testing it externally or waiting for results. Aanval also lets you join two different regexes so they are used as one. For example, we might use the following regex to grab everything that follows “src=” in an attempt to extract the source port when the port number is attached to the source address (src=192.168.1.76:62316):

((?<=src=).*)

While this regex would grab the source port, it also grabs everything that follows it, which may include additional details we don’t want in this value, and we still haven’t identified or parsed the actual port number. By adding a double tilde (~~) to the end of our first regex, we can add a second regex that then searches within the smaller portion following “src=” that was just grabbed and extracts only what we want:

((?<=:)[0-9]+)

This second expression searches for the first colon and grabs the number, whatever its length, that immediately follows it, thus identifying and parsing the desired source port. Our entire regex would then look like this and be entered into Aanval as follows:

((?<=src=).*)~~((?<=:)[0-9]+)
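To make the two-stage behaviour concrete, here is an added Python re-implementation of the “~~” chaining described above; it is not Aanval’s own code, and the sample syslog line is constructed for the demonstration. It runs the post’s filter stage by stage, shows what the first regex alone over-captures, shows why the second regex must not be run on the whole line (it would match the timestamp instead), and extends the idea to pull the source address from the same narrowed text.

```python
import re
from typing import Optional

# Constructed sample syslog line for the demonstration (not from the post).
SAMPLE_LINE = ("Jul 14 15:13:42 fw01 kernel: action=drop "
               "src=192.168.1.76:62316 dst=10.0.0.5:443 proto=tcp")

# The chained filter exactly as the post enters it into Aanval.
SRC_PORT_FILTER = r"((?<=src=).*)~~((?<=:)[0-9]+)"

def apply_chained_regex(chain: str, text: str) -> Optional[str]:
    """Evaluate a '~~'-chained filter the way the post describes it.

    Assumption (re-implementation, not Aanval's code): each stage runs
    against the text captured by the previous stage, using group 1 when
    the stage defines one and the whole match otherwise.  A stage that
    fails to match makes the whole filter yield None, so a missing field
    is reported as absent rather than as a wrong value.
    """
    current = text
    for stage in chain.split("~~"):
        m = re.search(stage, current)
        if m is None:
            return None
        current = m.group(1) if m.lastindex else m.group(0)
    return current

def first_stage_only(text: str) -> Optional[str]:
    """What the first regex alone captures: everything after 'src='."""
    return apply_chained_regex(r"((?<=src=).*)", text)

def second_stage_unchained(text: str) -> Optional[str]:
    """The second regex run on the whole line instead of the narrowed text."""
    return apply_chained_regex(r"((?<=:)[0-9]+)", text)

def parse_src_fields(text: str) -> dict:
    """Extend the post's idea to both halves of 'src=addr:port'."""
    return {
        "src_port": apply_chained_regex(SRC_PORT_FILTER, text),
        "src_addr": apply_chained_regex(r"((?<=src=).*)~~(^[^:]+)", text),
    }

if __name__ == "__main__":
    print("first stage only :", first_stage_only(SAMPLE_LINE))
    print("second, unchained:", second_stage_unchained(SAMPLE_LINE))
    print("chained filter   :", apply_chained_regex(SRC_PORT_FILTER, SAMPLE_LINE))
    print("parsed fields    :", parse_src_fields(SAMPLE_LINE))
```

Running the second regex unchained returns "13" from the timestamp rather than the port, which is exactly the mistake the chained form avoids.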

These regex authoring and testing tools have enabled users to quickly set up their syslog sensors and parse exactly the details they need, so that their syslog data appears and works just like their IDS data. This makes searching easier, reports more detailed, and overall network visibility stronger and clearer.


See Also

* Aanval Wiki: Syslog Sensor Configuration
* Aanval Wiki: Syslog Filter Assignment