Aanval 8: Coming Soon!

Aanval 8 Sneak Peak
Aanval 8 is almost here, with a brand new look, and loaded with new and improved features and performance!

Nearly a year in the making, Aanval 8 boasts dozens of new features and a complete re-write of nearly the entire code-base to make it our most stable and advanced version of Aanval yet.

Featuring: HTML5, IPv6 Support, Direct Unified2 Support, Threat Levels Displays, Heat Maps, Syslog Updates, New Automation System, and more.

Aanval v8

Check out other screenshots and details at https://www.aanval.com/aanval8

Aanval 8 will be publicly released in the coming weeks, and will be a free upgrade to all current Aanval SMB, SAS, and SAS Enterprise customers.

Aanval’s Event and Host Summaries

IDS engines like Snort and network devices can and generally do log thousands to millions of events per day, which can make it difficult to gather a view as to what has happened and what is happening. 

Aanval provides numerous up-to-date and live views of your data to help you make sense of it, increase your situational awareness, and quickly determine potential threats. One of those views are Summaries.

Event and Host Summaries

Users can quickly select the event name from the dashboard or any Live display to visually see a Timeline browser displaying how often a given event is being generated, along with every host associated as a source and destination.

Event Summary

From there users can then select a given host to get a similar summary that would include a Timeline browser that further details risk level of generated events, Geo IP details, and a listing of events where that host has been associated as a source and destination. Host summaries can also be selected from the dashboard or any Live view by simply selecting the desired host or IP from the main event details.

Aanval’s Advanced, Scheduled, and Emailed Reports

Advanced Reporting

Aanval provides both on-demand and scheduled reports. They are available to view in a number of formats, including PDF, HTML, and XML, and can be emailed in PDF and Text formats.


Creating a Report

Users can generate a report from any search results. Users can also use the My Reports menu to create custom and scheduled reports and filter by sensor, risk level, and more.

Within the String / Text box, users can enter any of the keywords used by the Advanced Search tool to make their searches and reports extremely detailed, for example by returning all events from “lastweek:” Keywords can be combined as well and used alongside other factors already provided in drop-down boxes like Risk Level, and Source and Destination IP/Port.


Scheduled Reports

Users can create any number of scheduled reports and have them emailed to any number of addresses (comma separated).

Report Details

Aanval reports display exactly what the user searched or queried and when, and then proceeds to detail in an easy-to-read format and  with graphs all event values like Source and Destination IPs, Ports, sensors affected, where the events are stored, and more.

Learn More and Take Aanval for a Spin

* Aanval Reports

* Download Aanval

Shellshock: the latest high-risk vulnerability

What is Shellshock?

There is a new security threat affecting and potentially affecting many people and environments.

It’s in the same risk category as Heartbleed and is being called Shellshock. Basically, Shellshock allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.


Tactical FLEX offers its immediate services to scan for Shellshock and other such vulnerabilities. We want to stress the high-risk of Shellshock and the urgency to find and repair any vulnerabilities. Please call us at 800-921-2584 or visit the following link to get connected: https://www.aanval.com/scancontact

Aanval for the Managed Services Provider

Aanval has proven to be an invaluable tool for MSPs, and here’s why.

Flexibility and Growth Potential

As your customer base grows, so does Aanval. Our Aanval SAS Enterprise package allows you as an MSP to add and monitor an unlimited number of sensors and devices (Snort, Suricata, and syslog) without a cost increase. Additionally, there are no data caps; import as much traffic as possible. We encourage the idea of “Responsible Security,” to increase network visibility and situational awareness by monitoring every available network piece.

The Features You Need

On-Demand and Scheduled Reports

Create on-demand and scheduled reports for every customer. Aanval has search and reporting logic to make results extremely refined and detailed. 

Real-Time Actions and Alerts

Create custom actions to perform tasks and alerts with Action Management, from email alerts to tasks like tagging and executing shell commands.

Secured and Filtered

Import alerts and logs from multiple customers and locations. And while it’s being aggregated and managed on one console, it’s also secured and easily filtered to individual customers for viewing, alerts, and reporting.

Customer Logins

While many customers of MSPs like the hands-off approach, many like to see for themselves what’s happening. Easily create individual customer accounts that provide access to view only their sensors and data.


We understand that this may be a new venture for both the MSP and the customer. Not a problem. The Tactical FLEX team behind Aanval has years of experience and can help you get things running and optimized. From remotely installing a Snort sensor, to configuring a plug-and-play Aanval appliance, to writing custom regex for a syslog device, we’re here to get the job done quickly and correctly.


Whether you’re managing Aanval at your own data center, at individual customer locations, or a mix of both, you’re getting the biggest bang for your buck with Aanval SAS Enterprise. In addition to monitoring every customer and every sensor and device, you’ll receive 24/7 console support. Also included is console maintenance, allowing you access to every fix, feature, and even major release.

Oh yes, there’s more!

Want to take Aanval for a test drive? Want us to show you the ropes? Not a problem.

Create a free Aanval account and download the console now: https://www.aanval.com/account/request

Request a demo from our support department, where we can answer questions and showcase Aanval’s features for you live: https://www.aanval.com/demo

Learn more at https://www.aanval.com/aanval

Aanval Mini Appliance: FREE with License Purchase

FREE Aanval Mini Appliance Promotion in August

Now through the end of August, receive a FREE Aanval Mini appliance with the purchase of an Aanval SAS or Aanval SAS Enterprise  license package. Purchase an Aanval SMB package and receive 50% off an Aanval Mini appliance.

Aanval Appliance

What is an Appliance?

We have brought the industry’s leading Snort and Syslog intrusion detection and correlation console together with the world’s most stable and advanced operating system and hardware combination.

The Aanval Mini appliance is a Mac mini-based all-in-one IDS and SIEM solution. Preconfigured with Snort and Aanval, this box comes drop-in ready for complete monitoring and management. 

Screen Shot 2014 08 21 at 10 48 32 PM

Each appliance comes with one standard Ethernet interface designed for Snort monitoring. With a supplied Thunderbolt-to-Ethernet cable, a second management interface is added.

Already have an Aanval server?

Not a problem. The Mini appliance can be configured as a sensor-only device, designed to monitor and report to a local or remote Aanval server for logging, correlation, reporting, and management. 

Multiple Mini appliances can be deployed at remote sites. The Mini appliance is also rack mountable.

Aanval’s Enhanced Sensor and Appliance Management Features

Every appliance comes configured with Aanval’s Sensor Management Tools that allow the remote management of a sensor’s Snort signatures. Manually enable and disable signatures, and automatically receive daily signature updates on every active sensor.

Apple and Mac OS X

Elegant, reliable, and stable are just a few of the words that describe the world’s most advanced operating system combined with the industry’s highest quality hardware. Apple’s operating system and hardware were chosen for Aanval Appliances for its core Unix foundation and overall superior quality. Mac OS X is an Open Brand Unix 03 Registered Product.


Configured for Your Environment

All appliances may be custom configured with specific destination network details (IP, DNS, etc), ensuring the installation is as simple as plugging in and powering on the Appliance. Appliances may further be installed with a selection of security tools including tcpdump (packet sniffing), Nmap (port scanning), nessus (vulnerability scanning), and more.

Get Your FREE Appliance!

Purchases can be made securely online at https://www.aanval.com/purchase and through the friendly and knowledgable sales staff at Tactical FLEX!

Learn more about Aanval at https://www.aanval.com/aanval 

Aanval SAS: Syslog Aggregation, Management, and Archiving

Snort and Syslog

Aanval is the longest running Snort front-end. While many users target and use Aanval for its IDS capabilities and tools, many are finding Aanval’s syslog options invaluable and only use them, especially as we’re seeing users with all-in-one firewall or syslog solutions that host an IDS like Snort and multiple device log feeds.

Syslog Setup and Options

Aanval is capable of importing, storing, managing, and even archiving syslog events from any device capable of external logging. Done in one of two ways, Aanval can fetch syslog events from a log file or have them directly exported to the console over port 514.

Using a universally known and used logging format like syslog, Aanval can be fed events from hundreds and hundreds of devices. Aanval then uses the universally known and used parsing language of Regular Expressions (regex). With regex, users can completely customize each individual syslog feed (sensor) to format and display the details necessary.

Exclusive and Enhanced Syslog Management Tools

On top of using such universal and valuable tools for syslog importing and customization, Aanval adds additional enhanced features to parse deeply wedged data where basic regex might fail or the regex itself be too complex. Using a double tilda (~~), users can link two separate regex to act as one expression recognized by Aanval, allowing the console to make an initial search and find in a syslog string, and then continue its search to find the exact value needed within the now smaller string.

Data archiving is simple with Aanval’s Syslog Mirroring tool, providing users the ability to export all Aanval-imported events in a user-defined format to another device.

Syslog Event Management

With syslog data imported, customized, and normalized to environment specs, users can then take advantage of Aanval’s event management tools like Live Correlation and GeoLocation, Automated Actions and Alerts, Situational Awareness, and Advanced Reporting that includes detailed on-demand and scheduled and emailed reports.

Benefits of Aanval SAS with Syslog

With Aanval SAS, users receive the capability to import and manage an unlimited number of syslog feeds (sensors). Additionally, there are no data caps. We encourage the community to send Aanval anything and everything, to enhance network visibility. Users also receive telephone and remote support, and console maintenance, so that they’ll always have access to the latest fixes, features, and even major revisions.

See Also

Visit our support wiki for more details on setting up and using Aanval’s advanced syslog tools:

Syslog Setup

Syslog Mirroring

Contact our sales team for more information on how you can use syslog management with Aanval in your environment:

(800) 921-2584

sales.group [at] tacticalflex.com

Aanval v7 Upgrades: That was easy!

Aanval v7 upgrades are easy and performed right inside the console. 

Console messages are displayed when updates are available and provide a direct link to the Version Management page. You can also navigate from the Console Configuration menu.

If you’re experiencing an issue with the current version, from that same Version Management menu, clicking Force Update will download and install the current version. 

Once a new version is downloaded, you’ll be shown the EULA and following its acceptance be guided through a brief re-installation which consists of version and module checking, ensuring the new version is good to go. 

The last prompt of an upgrade is to Stop and Start the BPUs (Background Processing Units). We strongly recommend performing this step. Updates to the console may contain changes or advancements to the BPUs, and failure to restart them when prompted may cause issues with the console’s operability and require further steps that may include manually downloading and installing the console again.

Check the following website to see details of a console upgrade: https://www.aanval.com/download/notes

Use Nmap to Increase Host Visibility Automatically with Aanval SAS

The biggest question you need to answer as a network security analyst is “What’s happening on my network?” Aanval helps deliver.

While knowing the specific events being generated by Snort are important, as well as keeping that signature recipe finely tuned and updated, we believe it’s more important to know who’s behind those events (just as it’s more important to know and capture the bank robber instead of spending too much time at the scene of the crime).

Aanval has amazing features that will detail the activity and behavior of not only those events but the hosts that either cause those events or act as the victim. With a single click, users can get a map of their host that includes a visually striking Timeline Browser readout of the host’s frequency in generating events and also their threat levels, so you immediately know how harmful a host may be. In addition to that, users get a full readout of what signatures that host has triggered, as both a host and possibly a victim. Quickly search those results for more details and create and email reports based on those results. All of those features are built-in and automatically work in the background and are available as you feed Aanval network alerts.

To get even more from your Aanval console, use Nmap to routinely scan the network or multiple networks for currently and newly connected hosts. All on an automated basis, Aanval will find those hosts and perform a scan to obtain their OS fingerprint or vendor, IP, and up/down status. But Aanval doesn’t stop there; it then imports those records to its Device Management readout, where users can then add more details about a given host (services, additional interfaces, etc.) and find its current state. Once those records are received, more Aanval features become automatically unlocked and fed, like Situational Awareness and Event Validation. 

With Situational Awareness, users can get an instant bird’s eye view of the connected hosts and their activity. Quickly determine harmful attackers and weak links. Views can be changed from a current view or even those in the past.

Event Validation allows users to quickly determine if generated events come from known hosts and if they may possibly be false positives, one of the top reasons for failed IDS deployments, as they can quickly choke a system and view.

Check out the links below to get these features up and running on your Aanval console, and increase your host visibility and situational awareness.

Nmap: Getting Started

Network Host Scanning

Situational Awareness

Event Validation

6 Reasons Why It’s Worth Paying for a Snort or Suricata Front-End Commercial Solution

According to SANS Organization, “Information security is the biggest challenge for network and security administrators. The security of a given network highly depends on the software used and the administrative practices followed for intrusion detection. Security has become an important aspect and an integral part of all phases of any software development. The trustworthiness of any software, either free or commercial, depends on product design and development. These include the expertise and dedication of the developers to develop a security product, quality of tools used in development, the level of testing carried out before releasing the product, and the matured practices followed throughout the development cycle.”

There is a myriad of security solutions categorized as front-end GUIs for Snort and Suricata IDS, both free and commercial, available to monitor an organization’s network for intrusions and provide a visual representation of intrusion data. If you’re using a Snort or Suricata front-end for your enterprise, here are 6 reasons why it’s worth paying for a commercial solution.

1. Enterprise-Grade Support

Support should also be a point of any concern when it comes to information security for your enterprise. If your enterprise is using a free solution in critical areas of the network then you’ll need an expert to provide support when the software doesn’t work as expected. With a free solution, you may have to rely on the help and support of the their community online forums or newsgroups. That help may arrive or not. Community support comes with no service-level guarantee and a 24×7 telephone support is not provided to get you back up and running without experiencing any downtime.

2. Input Into New Features and Future Plans

Free communities aren’t always so nimble or creative or helpful when asking for product improvements. Another benefit of paying for a commercial solution is that it could provide you a voice in the product’s roadmap especially if you have specific features that you would like for the product vendor to incorporate. This is not possible if you simply download and the run the free solution. Being able to evaluate the security of a software relies heavily on having some insight into their future plans for the software.

3. Tested and Proven Products with Predictable Product Life Cycles

It is erroneous to believe that only paid commercial products need a thorough security evaluation and testing and not free solutions. Have you really evaluated a free solution for security? It’s often worth paying for a product that is guaranteed to work and have a reliable system on fixing bugs and releasing patches. Commercial products carry out testing, tuning, bug fixes, product enhancements and troubleshooting across their software and hardware in order to make their product stable, reliable, and more technologically advanced. It requires corporate resources, systems, processes, and infrastructure in order to make it happen.

4. Additional Features and Functionality

It makes sense to pay for a commercial product that has additional features that the free solution lacks. For example, If you are looking to effectively deploy and monitor multiple sensors across the network environment or need a scalable product without any limitations on event processing, these features are usually not free.

5. Scalability – Hardware Requirements and Storage Space

Free solutions are not always free or scalable. They vary in hardware cost, bandwidth requirements, and storage space. Because full packet capture will increase storage size considerably, you would need a security solution that can automatically scale to meet the needs of its environment.

6. Low-Cost Alternatives

Your organization may be lucky enough to afford an expensive IDS or SIEM that supports Snort and Suricata IDS; however, don’t associate the hefty price tag with better performance. There are effective and proven low-cost commercial alternatives to capture Snort and Suricata packets and observe them. If you’re on a budget then you may need some low-cost commercial product alternatives.

For example, Aanval was then publicly released in 2004 and is considered the longest running Snort interface under continuous development on the market today and the industry’s leading web-based GUI for Snort, Suricata, and Syslog intrusion detection, prevention, and correlation. The Aanval console system is specifically designed to scale from small single-sensor installations to global enterprise deployments. Since Aanval’s release in 2004, Aanval has evolved to address the world’s growing network security intrusion detection needs and demands. Over time, there has been an increasing need to keep up with the complexity of security issues, introduction of new security technologies, evolving cyber threats, and the requirements to comply with mandatory regulatory mandates. Equally increasing is the drive for security managers to find a capable Snort front-end GUI that can deliver effective threat management, event correlation, and advanced data analysis reporting. Aanval SAS (Situational Awareness System), the latest version released by Tactical FLEX, Inc. is designed with a unique Situational Awareness engine that provides an in-depth event and architecture analysis of the host network, thus providing crucial network visibility and security intelligence. Aanval SAS is also equipped with a False Positive Protection event validation engine, real-time Live GeoLocation-based displays, and powerful offensive tools utilizing Nmap that help shore up defenses and strengthen overall security posture. Aanval SAS is available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download.