Tips and Tricks: Troubleshooting Snort

Whether you’re tuning an existing Snort instance or have just finished a new installation, there’s a common question that may soon follow: “Why aren’t I seeing any events?”

If this is the case with your Snort instance, there are a few basics to check.

Starting Snort
In many cases Snort is started by a script rather than by a manually typed command, and that script usually includes “-D” to start Snort in daemon mode. Starting it that way is of little help when troubleshooting, because you never see Snort’s startup output.

1. Check whether Snort is running (or whether the start script has been executed) with a simple grep:

ps aux | grep snort

2. If Snort is running, take note of the command displayed that was either executed manually or by a script, and then stop or kill the process.

3. Enter that long-hand command yourself to start Snort in the foreground (snort -c /etc/snort/snort.conf -i eth1, for example), making sure to omit the -D so the process is not started in daemon mode.

Any problems with Snort will then be reported explicitly, and in most cases Snort will refuse to start because of a fatal error.

If Snort starts successfully, you’ll see its final line stating “Commencing packet processing (pid=xxxxxxx).” If you get an error instead, resolve it and start Snort again in the same manner until there are no errors. Errors generally revolve around signatures (bad or incompatible signatures that kill Snort), missing files or rules directories, or something in the snort.conf itself. Once Snort starts successfully, kill the process and move on to Log Files.
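The three steps above can be scripted. The following helpers are an added example, not code from the original post: they pull the command line of a running Snort out of ps aux (which lists the command from field 11 onwards), strip the -D so the same command can be re-run in the foreground, and check the foreground output for the “Commencing packet processing” line. The ps line used at the bottom is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for steps 1-3 above.
# Assumes a "ps aux" layout where the command line starts in field 11.

# Print the command lines of any running Snort processes.  The [s] trick
# stops the grep process itself from matching (step 1).
running_snort_cmdlines() {
    ps aux | grep '[s]nort' | cmd_from_ps_line
}

# Extract the command line (field 11 onwards) from "ps aux" lines on stdin.
cmd_from_ps_line() {
    awk '{ for (i = 11; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Rewrite a Snort command line for the foreground: drop the standalone -D
# (step 3).  Other arguments are kept in their original order.
foreground_cmd() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-D") continue
            out = (out == "") ? $i : out " " $i
        }
        print out
    }'
}

# Return 0 when Snort's startup output on stdin reached packet processing,
# i.e. it printed the final "Commencing packet processing (pid=...)" line.
startup_succeeded() {
    grep -q 'Commencing packet processing (pid='
}

# Constructed sample "ps aux" line standing in for a daemonized Snort.
SAMPLE_PS_LINE='root      1234  0.3  1.2 123456  7890 ?        Ssl  10:00   0:01 /usr/sbin/snort -D -c /etc/snort/snort.conf -i eth1'

daemon_cmd=$(printf '%s\n' "$SAMPLE_PS_LINE" | cmd_from_ps_line)
echo "daemon command:     $daemon_cmd"
echo "foreground command: $(foreground_cmd "$daemon_cmd")"
```

On a real sensor, run running_snort_cmdlines to get the live command line, kill the daemon, then run the output of foreground_cmd with 2>&1 | tee snort-start.log so the startup messages are both visible and saved; piping that log into startup_succeeded tells you whether it reached packet processing.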

Log Files
Every time Snort starts it should create a new log file. These files are commonly named merged.log or snort.alert and are located in /var/log/snort, though precise names and locations depend on your setup.

You can confirm that Snort created its log file when you started it in the last step, and also check previous log files and their sizes, with a simple directory listing:

ls -la /var/log/snort

You should see at least one log file, and more than likely the most recent one will be zero bytes; that’s fine, since Snort only ran for a few moments. Checking this directory is useful first to ensure log files are being created at all, and second to determine whether they are growing.

If log files are being created and not growing in size after Snort has been running in daemon mode for some time, there could be issues with the configuration file, the signatures, or the traffic feed.
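The “is it growing?” check can be automated. The script below is an added example, not from the original post: it finds the newest file in the log directory, samples its size twice a configurable number of seconds apart (wc -c is used because stat flags differ between Linux and BSD), and reports the growth, or reports “none” when no log file exists at all. The temporary directory at the bottom is a constructed stand-in for /var/log/snort.

```shell
#!/bin/sh
# Added example, not from the original post: sample the newest Snort log
# twice and report whether it grew.  Assumes log file names without spaces.

# Size in bytes of one file; "wc -c" is portable where "stat" is not.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Path of the most recently modified regular file in a directory, or
# nothing (and status 1) when the directory holds no files.
newest_file() {
    for f in $(ls -t "$1" 2>/dev/null); do
        [ -f "$1/$f" ] && { printf '%s\n' "$1/$f"; return 0; }
    done
    return 1
}

# Print how many bytes the newest log in $1 grew over $2 seconds (default 30).
# Prints "none" and returns 1 if the directory holds no log file at all,
# which means Snort never got as far as creating one.
log_growth() {
    dir=$1; wait=${2:-30}
    f=$(newest_file "$dir") || { echo none; return 1; }
    before=$(file_size "$f")
    sleep "$wait"
    after=$(file_size "$f")
    echo $((after - before))
}

# Demonstration on a constructed temporary log directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/merged.log"                      # empty, as after a brief foreground start
printf 'constructed alert record\n' >> "$demo_dir/merged.log"
echo "newest log: $(newest_file "$demo_dir"), size $(file_size "$demo_dir/merged.log") bytes"
echo "growth over 1s: $(log_growth "$demo_dir" 1) bytes"
rm -rf "$demo_dir"
```

On a sensor, log_growth /var/log/snort 60 run while Snort is in daemon mode gives a single number: 0 over a minute on a busy link points at the configuration, the signatures, or the traffic feed, which the next sections cover.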

Configuration File
While Snort can be a complex tool, we aim to keep things simple. With a new installation of Snort, we make the following changes to its configuration file:

1. Provide the paths to the rules:

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

2. Uncomment the “output unified2” line and remove “nostamp”:

output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

3. In “Step #7” of the configuration file you’ll find a listing of rule categories that will be enabled when Snort starts:

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules

include $RULE_PATH/app-detect.rules
include $RULE_PATH/local.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-other.rules

These categories may be missing or commented out, in which case Snort starts with few or no signatures, resulting in few or no events and small or zero-size log files. Make and save any necessary changes to the configuration file, and move on to Signatures.

Signatures
Being a signature-based IDS, Snort requires enabled and current signatures to generate events. Too few signatures may yield few or no events, while too many enabled signatures can produce not only too many events but an overloaded Snort sensor, an Aanval dashboard crowded with largely informational or nuisance events, and an overworked database and/or the hardware running the sensor.

Investigate the rule categories in your rules directory and make sure standard, and especially critical, signatures are enabled. For testing purposes, you can enable the signatures in the protocol-icmp.rules file, start Snort in daemon mode, and then ping the Snort box from another IP address. Keep in mind that these ICMP signatures are not generally kept enabled in active or production environments; once testing is complete, it is recommended to disable them again.
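The checks from the Configuration File and Signatures sections can be run as one audit of snort.conf. The script below is an added example, not code from the original post or from the Snort project: it reads the RULE_PATH variable, verifies that an uncommented output unified2 line exists and that nostamp was removed, counts commented-out include lines (disabled rule categories), lists included rule files that do not exist on disk (a fatal error at startup), and counts enabled versus disabled rules in a rules file. The conf and rules files it inspects are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: audit the points from the
# Configuration File and Signatures sections on a snort.conf.
# Assumes the standard "var RULE_PATH" / "include $RULE_PATH/..." layout and
# rule lines that begin with the action keyword (alert, drop, ...).

# Value of a "var NAME value" line in the conf (first match).
conf_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { print $3; exit }' "$1"
}

# Active (uncommented) include lines, with $RULE_PATH expanded.
active_includes() {
    rp=$(conf_var "$1" RULE_PATH)
    awk '$1 == "include" { print $2 }' "$1" | sed "s|\$RULE_PATH|$rp|"
}

# Count of include lines that are commented out (rule categories disabled).
commented_include_count() {
    grep -c '^[[:space:]]*#[[:space:]]*include[[:space:]]' "$1"
}

# 0 if an uncommented "output unified2" line exists, 1 otherwise.
unified2_enabled() {
    grep -q '^[[:space:]]*output[[:space:]]*unified2' "$1"
}

# 0 if that unified2 line still carries "nostamp" (should be removed).
unified2_has_nostamp() {
    grep '^[[:space:]]*output[[:space:]]*unified2' "$1" | grep -q nostamp
}

# Included rule files that do not exist on disk.
missing_rule_files() {
    active_includes "$1" | while read -r f; do
        [ -f "$f" ] || printf '%s\n' "$f"
    done
}

# "enabled disabled" counts for one rules file: a rule line starts with an
# action keyword; a disabled rule is the same line behind a '#'.
rule_counts() {
    awk '
        /^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]/                 { en++ }
        /^[[:space:]]*#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]/   { dis++ }
        END { printf "%d %d\n", en + 0, dis + 0 }' "$1"
}

# Build a constructed sample conf and rules directory in a temp dir.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    cat > "$d/rules/local.rules" <<'EOF'
# constructed sample rules
alert icmp any any -> $HOME_NET any (msg:"sample icmp"; sid:1000001; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"sample disabled"; sid:1000002; rev:1;)
EOF
    cat > "$d/snort.conf" <<EOF
var RULE_PATH $d/rules
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include \$RULE_PATH/local.rules
include \$RULE_PATH/app-detect.rules
# include \$RULE_PATH/browser-chrome.rules
EOF
    printf '%s\n' "$d"
}

# Top-level demonstration on the constructed sample.
sample=$(make_sample)
conf="$sample/snort.conf"
unified2_enabled "$conf" && echo "unified2 output: enabled" || echo "unified2 output: MISSING"
unified2_has_nostamp "$conf" && echo "warning: nostamp still present on the unified2 line"
echo "disabled rule categories: $(commented_include_count "$conf")"
echo "missing rule files:"; missing_rule_files "$conf"
echo "local.rules enabled/disabled: $(rule_counts "$sample/rules/local.rules")"
rm -rf "$sample"
```

Point the functions at /etc/snort/snort.conf and the files under $RULE_PATH on a real sensor; a non-empty missing_rule_files list is the usual cause of the “missing file or rules directory” fatal error from the Starting Snort section, and rule_counts run over protocol-icmp.rules shows at a glance whether the ICMP test signatures are still enabled after testing.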

Traffic Feed
Lastly, it is critical that the interface Snort monitors actually carries real traffic. Snort commonly monitors the SPAN/mirror port of a switch. After confirming which interface is being monitored (from the long-hand command used to start Snort, snort -c /etc/snort/snort.conf -i eth1 for example) and that the interface is up (ifconfig), use tcpdump to watch the interface for traffic with a basic command:

tcpdump -nn -i eth1 (or the interface to be scanned)

If you see nothing, or only ARP and other basic traffic, you may need to check the feed and the interface. Once you have confirmed that more than basic traffic and ARP is arriving, the interface Snort is to monitor should be solid.
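Deciding whether a capture is “only ARP or basic traffic” can be made mechanical. The script below is an added example, not from the original post: it classifies tcpdump -nn output lines by the protocol keyword in the second field (ARP, IP, IP6), counts them, and reports the feed as live only when a minimum number of IP packets appear. The check_interface helper wraps the post’s tcpdump command with -c to stop after a fixed number of packets; the sample lines at the bottom are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: classify a tcpdump -nn sample
# so the "only ARP or basic traffic" case is caught automatically.
# Assumes tcpdump's default one-line-per-packet output, where the protocol
# keyword (ARP, IP, IP6, ...) is the second field after the timestamp.

# Read tcpdump lines on stdin; print "arp=<n> ip=<n> other=<n>".
classify_packets() {
    awk '
        $2 == "ARP,"                 { arp++ ; next }
        $2 == "IP" || $2 == "IP6"    { ip++  ; next }
        NF                           { other++ }
        END { printf "arp=%d ip=%d other=%d\n", arp + 0, ip + 0, other + 0 }'
}

# Number of IP/IP6 packets in the sample on stdin.
count_ip_packets() {
    classify_packets | sed 's/.*ip=\([0-9]*\).*/\1/'
}

# 0 when the sample on stdin carries at least $1 IP packets (default 1), else 1.
feed_ok() {
    n=$(count_ip_packets)
    [ "$n" -ge "${1:-1}" ]
}

# Live use on a sensor: capture $2 packets (default 200) from interface $1
# and classify them.  tcpdump -nn -i is the command from the post; -c stops
# the capture after that many packets instead of running forever.
check_interface() {
    tcpdump -nn -i "$1" -c "${2:-200}" 2>/dev/null | classify_packets
}

# Constructed sample tcpdump -nn output: two ARP frames, then a TCP handshake.
SAMPLE='10:01:02.123456 ARP, Request who-has 192.0.2.1 tell 192.0.2.55, length 46
10:01:02.123999 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
10:01:02.200001 IP 192.0.2.55.51234 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
10:01:02.300002 IP 198.51.100.10.443 > 192.0.2.55.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:02.400003 IP 192.0.2.55.51234 > 198.51.100.10.443: Flags [.], ack 3, win 64240, length 0'

printf '%s\n' "$SAMPLE" | classify_packets
if printf '%s\n' "$SAMPLE" | feed_ok 3; then
    echo "feed looks live: more than ARP is arriving"
else
    echo "feed suspect: little or no IP traffic seen"
fi
```

On a sensor, check_interface eth1 500 (tcpdump needs root or capture privileges) gives the three counts for a 500-packet sample; a result where arp dominates and ip stays near zero means the SPAN/mirror session or the interface needs attention before Snort can be expected to produce events.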

Having completed this list of basic steps and checks, and making any necessary changes, you should be good to start your Snort instance(s) in daemon mode and begin to see log files created and growing, and events flowing into Aanval.

Aanval Mini Appliance: FREE with License Purchase

FREE Aanval Mini Appliance Promotion in August

Now through the end of August, receive a FREE Aanval Mini appliance with the purchase of an Aanval SAS or Aanval SAS Enterprise license package. Purchase an Aanval SMB package and receive 50% off an Aanval Mini appliance.

Aanval Appliance

What is an Appliance?

We have brought the industry’s leading Snort and Syslog intrusion detection and correlation console together with the world’s most stable and advanced operating system and hardware combination.

The Aanval Mini appliance is a Mac mini-based all-in-one IDS and SIEM solution. Preconfigured with Snort and Aanval, this box comes drop-in ready for complete monitoring and management. 


Each appliance comes with one standard Ethernet interface designed for Snort monitoring. With a supplied Thunderbolt-to-Ethernet cable, a second management interface is added.

Already have an Aanval server?

Not a problem. The Mini appliance can be configured as a sensor-only device, designed to monitor and report to a local or remote Aanval server for logging, correlation, reporting, and management. 

Multiple Mini appliances can be deployed at remote sites. The Mini appliance is also rack mountable.

Aanval’s Enhanced Sensor and Appliance Management Features

Every appliance comes configured with Aanval’s Sensor Management Tools that allow the remote management of a sensor’s Snort signatures. Manually enable and disable signatures, and automatically receive daily signature updates on every active sensor.

Apple and Mac OS X

Elegant, reliable, and stable are just a few of the words that describe the world’s most advanced operating system combined with the industry’s highest quality hardware. Apple’s operating system and hardware were chosen for Aanval Appliances for their core Unix foundation and overall superior quality. Mac OS X is an Open Brand Unix 03 Registered Product.


Configured for Your Environment

All appliances may be custom configured with specific destination network details (IP, DNS, etc), ensuring the installation is as simple as plugging in and powering on the Appliance. Appliances may further be installed with a selection of security tools including tcpdump (packet sniffing), Nmap (port scanning), nessus (vulnerability scanning), and more.

Get Your FREE Appliance!

Purchases can be made securely online at https://www.aanval.com/purchase and through the friendly and knowledgeable sales staff at Tactical FLEX!

Learn more about Aanval at https://www.aanval.com/aanval 

6 Reasons Why It’s Worth Paying for a Snort or Suricata Front-End Commercial Solution

According to SANS Organization, “Information security is the biggest challenge for network and security administrators. The security of a given network highly depends on the software used and the administrative practices followed for intrusion detection. Security has become an important aspect and an integral part of all phases of any software development. The trustworthiness of any software, either free or commercial, depends on product design and development. These include the expertise and dedication of the developers to develop a security product, quality of tools used in development, the level of testing carried out before releasing the product, and the matured practices followed throughout the development cycle.”

There is a myriad of security solutions categorized as front-end GUIs for Snort and Suricata IDS, both free and commercial, available to monitor an organization’s network for intrusions and provide a visual representation of intrusion data. If you’re using a Snort or Suricata front-end for your enterprise, here are 6 reasons why it’s worth paying for a commercial solution.

1. Enterprise-Grade Support

Support should be a point of concern when it comes to information security for your enterprise. If your enterprise is using a free solution in critical areas of the network, then you’ll need an expert to provide support when the software doesn’t work as expected. With a free solution, you may have to rely on the help and support of the community’s online forums or newsgroups. That help may or may not arrive. Community support comes with no service-level guarantee, and 24×7 telephone support is not provided to get you back up and running without downtime.

2. Input Into New Features and Future Plans

Free communities aren’t always so nimble, creative, or helpful when asked for product improvements. Another benefit of paying for a commercial solution is that it can give you a voice in the product’s roadmap, especially if you have specific features that you would like the vendor to incorporate. This is not possible if you simply download and run the free solution. Being able to evaluate the security of a piece of software relies heavily on having some insight into the future plans for it.

3. Tested and Proven Products with Predictable Product Life Cycles

It is erroneous to believe that only paid commercial products need thorough security evaluation and testing, and not free solutions. Have you really evaluated a free solution for security? It’s often worth paying for a product that is guaranteed to work and has a reliable process for fixing bugs and releasing patches. Commercial products undergo testing, tuning, bug fixes, product enhancements, and troubleshooting across their software and hardware in order to make the product stable, reliable, and more technologically advanced. It requires corporate resources, systems, processes, and infrastructure to make that happen.

4. Additional Features and Functionality

It makes sense to pay for a commercial product that has additional features the free solution lacks. For example, if you are looking to effectively deploy and monitor multiple sensors across the network environment, or need a scalable product without any limitations on event processing, these features are usually not free.

5. Scalability – Hardware Requirements and Storage Space

Free solutions are not always free or scalable. They vary in hardware cost, bandwidth requirements, and storage space. Because full packet capture will increase storage size considerably, you would need a security solution that can automatically scale to meet the needs of its environment.

6. Low-Cost Alternatives

Your organization may be lucky enough to afford an expensive IDS or SIEM that supports Snort and Suricata IDS; however, don’t associate the hefty price tag with better performance. There are effective and proven low-cost commercial alternatives to capture Snort and Suricata packets and observe them. If you’re on a budget then you may need some low-cost commercial product alternatives.

For example, Aanval was publicly released in 2004 and is considered the longest running Snort interface under continuous development on the market today, and the industry’s leading web-based GUI for Snort, Suricata, and Syslog intrusion detection, prevention, and correlation. The Aanval console system is specifically designed to scale from small single-sensor installations to global enterprise deployments. Since Aanval’s release in 2004, Aanval has evolved to address the world’s growing network security intrusion detection needs and demands. Over time, there has been an increasing need to keep up with the complexity of security issues, the introduction of new security technologies, evolving cyber threats, and the requirement to comply with mandatory regulatory mandates. Equally increasing is the drive for security managers to find a capable Snort front-end GUI that can deliver effective threat management, event correlation, and advanced data analysis reporting. Aanval SAS (Situational Awareness System), the latest version released by Tactical FLEX, Inc., is designed with a unique Situational Awareness engine that provides an in-depth event and architecture analysis of the host network, thus providing crucial network visibility and security intelligence. Aanval SAS is also equipped with a False Positive Protection event validation engine, real-time Live GeoLocation-based displays, and powerful offensive tools utilizing Nmap that help shore up defenses and strengthen overall security posture. Aanval SAS is available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download.

Debunking Common Myths Regarding Security Information and Event Management (SIEM)

In a recent study conducted by Infosecurity Europe, it was revealed that 93% of large organizations had experienced at least one security breach in the previous year. The study also reported that the number of breaches is growing at an alarming rate, as organizations experienced, on average, 50% more breaches in the previous year. While security threats continue to escalate, many organizations have deployed or have considered security information and event management (SIEM) solutions in order to obtain a holistic view of their information technology security. The beauty of a SIEM is that it takes all the information gathered from events across the network and tailors it to inform IT departments exactly what is happening and when. SIEM technology is also essential for helping security analysts detect internal and external threats and to perform crucial network forensic analysis. According to Gartner, the demand for SIEM technology is growing at an annual rate of 21%, making it among the fastest growing areas of the security sector.

Although research shows that SIEM product visibility in the U.S. has improved with higher adoption, proper understanding of the technology is still lacking. Frost & Sullivan, an industry research firm, reported that there is a low level of awareness associated with SIEM solutions and further stated that “it is imperative for SIEM vendors to reach out to enterprise end users to enhance their technological awareness and correct any underlying misconceptions or assumptions which may exist toward the technology.” In this blog, we will review some common myths surrounding SIEM technology to help IT Security Professionals separate truth from fiction.

Myth #1: SIEM Solutions are Resource-Intensive and Require Substantial Financial Investment to Deploy

Answer: In light of the benefits of investing in SIEM technology, the high costs of some SIEM platforms have been holding small- and mid-market enterprises back. It is true that most SIEM solutions require a significant investment up front to get started, and also require an ongoing investment in people to keep them running. This is what can put some SIEM solutions beyond the reach of SMBs or under-funded enterprises. However, not all SIEM solutions come with a hefty price tag. If you’re an SMB or an enterprise-class organization with a limited budget, enterprise-grade SIEM platforms that are affordable and easy to use do exist in the marketplace. These are the hidden gems in the seemingly crowded SIEM market category. However, selecting the right SIEM product is almost entirely based on the use cases an organization is trying to fulfill. For example, if you’re an SMB with a shortage of security analysts, your needs and cost sensitivity will vary widely from those of a large organization. You will most likely require a healthy amount of automated functionality, while heavy customization is probably not on the agenda.

Myth #2: SIEM Solutions are Equal in Features and Benefits

Answer: Today’s SIEM should be a powerhouse of data capture, correlation analysis, and reporting. Although SIEMs are pre-packaged with a set of security features, it is important to note that the advanced feature sets vary from vendor to vendor, as SIEM vendors market to potential and existing clients based on specific use cases. In order to fully understand SIEM technology, the common core functions and advanced feature sets must be explored. To view the essential features and capabilities of a SIEM technology, please read http://wiki.aanval.com/wiki/Library:The_Essential_Features_and_Capabilities_of_a_SIEM_Technology. As SIEM products mature in the marketplace, vendors will introduce new and advanced features for product differentiation, as well as market them for specific use cases to solve a particular security need. Overall, it is important to understand that SIEM vendors are not all equal in capabilities, and product features are only valuable if they meet your business and security needs. For example, Tactical FLEX, Inc. is among the SIEM-leading suppliers that provide a very strong focus on intrusion detection for effective threat management. The Aanval SIEM commercial solution comes tightly integrated with the effective Snort and Suricata open source security tools and can also support any device with syslog capabilities to deliver complete data management. Aanval should be considered by organizations that want a scalable, commercially supported SIEM solution utilizing the most widely deployed and trusted intrusion detection system on the market for enhanced security and improved situational awareness and protection. If automation and network visibility are key factors for your organization, you will benefit immensely from an Aanval SIEM solution.
In today’s rapidly changing security environment where network environments are growing ever more distributed and complex to manage, IT departments truly need a flexible SIEM that is designed to scale. To view our SIEM comparison table, please read the following article: How to Find the Right SIEM Solution. A Step-by-Step Guide and SIEM Features Comparison.

Myth #3: SIEM Technology is Only Useful for Log Reporting and Compliance

Answer: Over the years, SIEM has almost become synonymous with log reporting and compliance management. Yet, SIEM technology has far more advanced capabilities than simply helping organizations make sense of log data to meet security and audit regulations. Dr. Anton Chuvakin, a security expert on SIEM technology, finds that “too often, organizations purchase SIEM and log management solutions to check a compliance checkbox. These organizations miss a huge opportunity to improve security.” Fortunately, many organizations are increasingly realizing the value and benefits of SIEM in improving their security posture.

According to a recent RSA survey, these are additional widely used functions and tools of SIEM solutions:
1. Alert anomalies
2. Identify threats and potential high-risk incidents
3. Monitor network traffic
4. Streamline remediation efforts
5. Advance other security operations functions in general

About Tactical FLEX, Inc.
For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business, and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry’s most comprehensive end-to-end Snort and syslog intrusion detection, correlation, and threat management solution, built with a unique Situational Awareness engine, distinct false-positive protection technology, and a fully-integrated event management and attack data correlation engine. Learn more about Aanval SAS™ by visiting http://www.aanval.com

Aanval® is also available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download. Let Aanval SAS™ turn your security event data into actionable and comprehensive insights.

Need to Monitor All Aspects of Your Network Environment without Breaking the Bank? Explore Tactical FLEX, Inc.’s Unlimited Sensor Pricing Model for Aanval SAS

“Aanval has been designed to correlate event data and logs from hundreds of vendor products and solutions. Every event, every sensor, every device. Not a problem.”

A recent study of 600 IT professionals revealed that most IT managers wanted “greater security visibility and context” to reduce cyber threats but were operating with a limited budget for information security. Although most respondents were planning to invest in these tools, half of them were spending 20 percent or less of their IT budget on security. 20 percent of respondents also said that they lacked visibility into their networks. The survey showed that the “difficult to detect attacks” took about a full week to detect and were caused by poor visibility or by not collecting the right operational and security data to identify the threat.

Tactical FLEX, Inc. understands your security challenges and we believe in a responsible but open and flexible approach to security. We use an unlimited sensor-monitoring pricing model for Snort, Suricata, and Syslog and offer affordable commercial license packages that are easy to deploy and leverage in any network size and environment. With annual unlimited sensor capacity, IT departments are no longer limited by sensor cost and can now monitor activity on every device and aspect of their network environment including BYOD. Investing in Aanval SAS provides you with an expanded level of security intelligence, situational awareness, and offensive tools to help you shore up defenses and reduce your security risk.

Aanval SAS: $2,995 (Network Size Less Than 250 Unique IP Addresses)
https://www.aanval.com/purchase

Aanval SAS Enterprise: $5,995 (Network Size More Than 250 Unique IP Addresses)
https://www.aanval.com/purchase

What does the Aanval SAS annual subscription offer you?

* An annual unlimited sensor-capacity license for Snort and/or Suricata, and Syslog
* Telephone and remote support
* Console maintenance: bug fixes, minor and major upgrades
* An enterprise-grade SIEM and IDS solution at a fraction of the cost of other providers

Aanval SAS annual package includes the following features and tools

* Situational Awareness™
* Offensive Reconnaissance™ and Rogue Host Detection
* Network Host Scanning
* False Positive Protection
* Live GeoLocation Display
* Event Correlation
* Billions of Events and More

Need assistance determining the right license package and services for your environment or an estimate for a purchase order? Contact us at 800-921-2584 or email at sales.group [at] tacticalflex.com

Explore our Product Comparison page: https://www.aanval.com/aanval

Download and install Aanval for free: https://www.aanval.com/download

Attend a live demo or schedule a personalized demo: https://www.aanval.com/demo

Purchase Aanval products and services: https://www.aanval.com/purchase

About Tactical FLEX, Inc.
Tactical FLEX, Inc. is a privately owned software development firm based in Seattle, specializing in information security research, engineering, technology design, and production. With the technological development of Aanval®, Tactical FLEX, Inc. has become a global provider of information security vulnerability and risk management software solutions that protect businesses of all sizes. Aanval® is the industry’s leading Snort, Suricata, and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Aanval® currently has over 6,000 customers worldwide including government security, defense organizations, technology corporations, financial services organizations, energy companies, educational institutions, healthcare organizations, biotechnology manufacturers, pharmaceutical companies, law firms, utility providers, and many others. Learn more about Aanval® by visiting http://www.aanval.com. Aanval® may be downloaded for testing and evaluation at http://www.aanval.com/download. Follow Aanval® on Twitter @Aanval

Tactical FLEX, Inc. to Host Webinar: “SIEM-Based Intrusion Detection: Advantages of Using Open-Source Snort and Suricata IDS with Aanval SAS”

“Utilizing Snort and Suricata to Capture Real-Time Security Events and Deliver Effective Threat Management.”

Date/Time: Wednesday, September 4, 2013 at 2:00pm EDT
Date/Time: Thursday, September 5, 2013 at 3:00pm CEST (Central European Standard Time)

SEATTLE, August 19, 2013 – Tactical FLEX, Inc., a global provider of information security, vulnerability, and risk management software solutions, today announced a new webinar entitled “SIEM-Based Intrusion Detection: Advantages of Using Open-Source Snort and Suricata IDS with Aanval SAS.”

According to a recent RSA survey, 89% of mid-size organizations surveyed are using a SIEM solution for security operations, compared to just 54% that cited compliance and 68% that cited IT and network operations. When respondents were asked to cite one thing they would like to change about their current SIEM solution besides cost, the top issue identified was to improve alerting for security incidents. In addition, a frequent problem faced by respondents already using a log management or SIEM solution is incident response limitations. Security experts believe that SIEM solutions that interface with a successful Intrusion Detection System (IDS) are best suited to monitor network traffic, deliver real-time alerts, and provide effective threat management that can result in a stronger security posture. Tactical FLEX, Inc. is among the SIEM-leading suppliers that provide a strong focus on intrusion detection for successful threat management. Aanval SAS (Situational Awareness System), a proven commercial enterprise solution, comes tightly integrated with the effective Snort and/or Suricata open source security tools and can also support any device with syslog capabilities to deliver complete data management. Aanval’s threat management technology provides greater intelligence and network visibility and can quickly respond to high-risk security events by accelerating the detection and alerting of possible attacks.

Join this complimentary webinar:

» To understand how Aanval’s intrusion detection approach to security threat management helps organizations proactively seek out potential problems before they actualize, instead of operating in a reactive mode after attacks have occurred.

» To explore the capabilities and advantages of Snort and Suricata IDS. Why are these two IDS engines so successful in monitoring network traffic and providing alerts?

» If you are searching for an affordable and powerful security and network operations solution with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities to help mitigate security risks as well as improve your organization’s security posture and threat management detection and prevention capabilities.


Tactical FLEX, Inc. Announces July Aanval SAS Webinar Schedule

SEATTLE, July 5, 2013 – Tactical FLEX, Inc., a global provider of information security, vulnerability, and risk management software solutions, today announced the July Aanval SAS (Situational Awareness System) webinar schedule. The webinar series will cover live demonstrations, product tours, and program overviews, and will also feature industry expert Byron Rashed, Global Marketing and Product Management Director of Emerging Threats.

Visit our Webinar page to view upcoming educational webinars or past webcasts and our Demo page to view live demo schedules and product tours.

July 2013 Event Schedule

Educational Webinar: Selecting the Best IDS/IPS Solution and Most Comprehensive Ruleset for Enhanced Visibility and Threat Protection. Choosing and Utilizing Threat Intelligence to Minimize the Business Risk by Emerging Threats and Product Tour of Aanval SAS

Date/Time: Wednesday, July 31 at 2:00pm EDT
Featured Guest: Byron Rashed, Global Marketing and Product Management Director of Emerging Threats

Join Tactical FLEX, Inc. in this complimentary educational webinar where Byron Rashed, Global Marketing and Product Management Director of Emerging Threats, will share valuable research data concerning trends in malware attacks and techniques seen in enterprise networks today. The business risks associated with malware attacks and malware protection will be explored. In this joint presentation, Tactical FLEX, Inc. will also introduce Aanval SAS (Situational Awareness System), the industry’s leading Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console designed to deliver end-to-end network visibility. A product tour of Aanval’s threat management features, systems, and technologies will be provided. Learn why Aanval is the solution for IT security professionals demanding a proven security and network operations tool with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities.

Reseller Webinar: Join Tactical FLEX, Inc. and Grow Your Security Practice: Aanval Reseller Program Overview

Date/Time: Thursday, July 25 at 2:00pm EDT » Click for Registration
Presenter: Kenneth Bitz, Strategic Alliance Director at Tactical FLEX, Inc.

Join us for a live, interactive 20-minute webinar where Kenneth Bitz, Strategic Alliance Director at Tactical FLEX, Inc., will provide an introduction to Tactical FLEX, Inc.‘s Reseller Program. Becoming an authorized Reseller is free, and there are numerous business benefits and advantages to capitalizing on Aanval SAS (Situational Awareness System). Aanval is the industry’s leading Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console designed to deliver end-to-end network visibility. Currently there are over 6,000 organizations worldwide in various industries that rely upon Aanval as part of their security infrastructure. Aanval is the solution for IT security professionals demanding a proven security and network operations tool with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities. Tactical FLEX, Inc. enables small- and mid-market enterprises to quickly deploy, easily implement, and operate a cost-effective intrusion detection solution at a fraction of the cost of other platforms.

Live Demo Series: Aanval SAS Event Log Management Technology and Threat Management Features Simplified

Date/Time: Wednesday, July 10 at 1:00pm EDT » Click for Registration

Date/Time: Wednesday, July 17 at 1:00pm EDT » Click for Registration
Visit our Demo page to view the entire global schedule and time zones.

Aanval SAS (Situational Awareness System) is the solution for IT security professionals demanding a proven security and network operations tool with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities. Join us for a live, interactive 30-minute demo of Aanval’s event log management technology and popular threat management features. Learn how you can obtain full visibility of your IT environment with Aanval SAS.

Event Log Management Technology: See why Aanval’s real-time log management solution delivers an unmatched competitive edge over other vendor solutions. Supporting Suricata and Snort (the world’s most widely used intrusion detection engine), as well as any device capable of outputting log information, Aanval imports, normalizes, and correlates event information for powerful, fast, and scalable analysis. More importantly, Aanval’s advanced search engine allows users to access, search, monitor, correlate, and report on colossal amounts of real-time and historic event log data. Searching raw and historical data for forensic analysis, as well as tracking attacks and the locations of IP addresses, is straightforward and has never been quicker.

Popular Threat Management Features: Aanval helps IT departments focus and get back to protecting their network by automating security and building systems that allow security professionals to make determinations quickly while being well-informed. Explore the advanced threat management features of Aanval SAS including Situational Awareness, False Positive Protection, Event Correlation, and Live GeoLocation. Discover why Aanval is the industry’s most comprehensive Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. 

Live Tutorial: How to Use and Optimize Your Aanval Console for Real-Time Threat Management

Date/Time: Wednesday, July 24 at 1:00pm EDT » Click for Registration

This complimentary live demo is designed for prospective Aanval SAS users and investigators. During our first “Getting Started with Aanval SAS” live demo series, our Support Department will show you how to use and optimize your Aanval console for real-time threat management. Aanval SAS is simple to use and loaded with robust and powerful security features, and we want you to make the most of them to ensure your networks are secured. If you have yet to experience Aanval, download Aanval SAS in your own environment today for free and join thousands of IT security professionals and security researchers who are fighting to achieve greater situational awareness and network visibility using this remarkable tool.

About Emerging Threats

Emerging Threats is a world-leading provider of open source and commercial threat and malware intelligence. Founded in 2003 as a cyber security research community, Emerging Threats has become the de facto standard in network-based malware threat detection. The company’s ETOpen Ruleset, ETPro™ Ruleset, and IQRisk™ suite of threat intelligence are platform agnostic for easy integration with Suricata, SNORT®, and other network intrusion protection and detection systems. With ETPro Ruleset, organizations can achieve the highest standards of malicious threat detection with world-class support and research for extended vulnerability coverage. ETPro Ruleset is ideal for enterprises, government agencies, financial institutions, SMBs, higher education, and service providers. Learn more about Emerging Threats by visiting: http://www.emergingthreats.net

About Tactical FLEX, Inc.

Tactical FLEX, Inc. is a privately owned software development firm based in Seattle, specializing in information security research, engineering, technology design, and production. With the technological development of Aanval®, Tactical FLEX, Inc. has become a global provider of information security vulnerability and risk management software solutions that protect businesses of all sizes. Aanval® currently has over 6,000 customers worldwide including government security, defense organizations, technology corporations, financial services organizations, energy companies, educational institutions, healthcare organizations, biotechnology manufacturers, pharmaceutical companies, law firms, utility providers, and many others. Learn more about Aanval by visiting http://www.aanval.com. Aanval may be downloaded for testing and evaluation at http://www.aanval.com/download. Follow Aanval on Twitter @Aanval.

Live Tutorials This Week: How to Use and Optimize Your Aanval Console for Real-Time Threat Management

Date/Time: Wednesday, June 19 at 1:00pm EDT (USA) » Click for Registration
Date/Time: Thursday, June 20 at 3:00pm CEST (Europe) » Click for Registration
Date/Time: Thursday, June 27 at 1:00pm AEST (Australian Eastern Time) » Click for Registration

During our first “Getting Started with Aanval SAS” tutorial series, our Support Dept. will show you how to use and optimize your Aanval console for real-time threat management. Aanval SAS is simple to use and loaded with robust and powerful security features, and we want you to make the most of them to ensure your networks are secured. View Product Details.

This complimentary tutorial is designed for new Aanval SAS community version users and customers. If you have yet to experience Aanval, download Aanval SAS in your own environment today and join thousands of IT security professionals and security researchers who are fighting to achieve greater situational awareness and network visibility using this remarkable tool. 

Aanval SAS Certification and Training Classes

Maximize the potential of Aanval SAS. Give your security teams the knowledge and insight they need to get the most out of Tactical FLEX, Inc. products and services. Our highly experienced and industry-certified experts have decades of experience in the information security and technology sectors. We provide both on-site and remote training for individual analysts and security teams as well as executive management and specific departmental needs. Contact our Support Dept. for details at 800-921-2584 or email: support.group@tacticalflex.com

Upcoming Live Demos and Webinar Schedule

Aanval protects and monitors over 6,000 organizations in various industries worldwide. See who’s using Aanval. Learn why Aanval is the industry’s leading Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console on the market.

Live Demo Details: 15-Minute Live Product Demo of Aanval SAS
Date/Time: Tuesday, June 18 at 1:00pm EDT (USA) » Click for Registration
Date/Time: Wednesday, June 19 at 3:00pm CEST (Europe) » Click for Registration
Date/Time: Thursday, June 27 at 12:00pm AEST (Australian Eastern Time) » Click for Registration

Webinar Details: Improving Threat Visibility and Management: Introduction to Suricata Open-Source IDS Engine, Emerging Threats ETPro™ Ruleset, and Aanval SAS
Guest Speaker: Matt Jonkman, President of the OISF and CTO of Emerging Threats
Date/Time: Wednesday, June 26 at 2:00pm EDT » Click for Registration

Visit http://www.aanval.com to learn more about Aanval.


Intrusion Detection FAQ: What are the Different Types of Front-end GUIs for Snort Intrusion Detection Systems? An Overview of Some Alternative Front-Ends.

There is a myriad of security technology, both open-source and commercial, available for monitoring an organization’s network for intrusions. An important part of an organization’s defense strategy is the ability to detect suspicious activity in order to prevent both internal and external threats and to identify malicious attacks. Snort is a popular and widely deployed monitoring tool: a Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS) capable of performing packet logging and real-time traffic analysis on IP networks. Snort is also valuable because it can detect attackers and malware as they move through the network. When coupled with a database and a web front-end, users can obtain insights into their network and apply that information to detect attacks and fortify their networks. Snort can be combined with other software to provide a visual representation of intrusion data.

Are you currently researching the different types of front-end GUIs for Snort IDS or looking for an alternative GUI for Snort? In this blog, we will introduce several popular Snort front-end GUIs. 

An Overview of GUIs for Snort IDS

Introduction to ACID
According to Dr. Nikolai Bezroukov, a well-known Senior Internet Security Analyst at BASF Corporation, “The Analysis Console for Intrusion Databases (ACID) is a rather slow PHP-based analysis engine to search and process the database of security events generated by Snort. It is mostly useful as a generic event viewing tool. ACID was written by Roman Danyliw in early 2000 as part of the AIRCERT project at the CERT Coordination Center, abandoned in 2003.” ACID’s features include alert management, chart and statistics generation, a packet viewer and query builder, and a search interface. ACID’s biggest limitation, however, is that it does not scale beyond several thousand alerts, and it often surfaces large numbers of false positives. ACID remains helpful for traffic analysis if used only on small- to medium-sized streams of alerts. As Dr. Bezroukov reports, these important shortcomings do diminish ACID’s value.

Introduction to BASE
BASE, the Basic Analysis and Security Engine, is maintained by a group of volunteers. It is an extremely simple web-based Snort console derived from the code of the Analysis Console for Intrusion Databases (ACID) project. The application provides a web front-end to query and analyze the alerts coming from a Snort IDS: BASE searches and processes databases containing security events logged by assorted network monitoring tools such as firewalls and IDS programs. It is written in PHP and displays information from the database through a user-friendly web front-end. According to Snort.org, there were plans for a redesign of BASE, including the database format it reads, but Kevin Johnson, the original BASE project manager, has since left the project and turned it over to new management.

Introduction to Snorby
Snorby is an open source network security monitoring interface written in Ruby on Rails. It is a front-end web application for any application that logs events in the Unified2 binary output format. Snorby now supports OpenFPC and integrates with intrusion detection systems such as Snort, Suricata, and Sagan. The basic concept behind Snorby is simplicity. The project goal is to create a free, open source.
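The Unified2 binary format that Snorby reads is a plain sequence of length-prefixed records, which is why a front-end can ingest it without depending on Snort itself. The reader below is an added example written for this overview; it is not code from Snorby, Snort, or any other project on this page. It decodes the two record types a console deals with most, the IPv4 legacy IDS event (type 7) and the packet record (type 2), using type numbers and field layouts assumed to match Snort’s Unified2_common.h. The sample bytes are constructed inline (sid 1000001 is a placeholder for a local rule, not a real signature), and the last record is deliberately cut short: a console that tails a file the sensor is still writing has to stop cleanly at a partial record instead of desynchronising on it.

```python
"""Minimal reader for Snort's Unified2 binary output (the format Snorby ingests)."""
import socket
import struct

# Record type numbers, assumed to match Snort's Unified2_common.h (not from the page).
UNIFIED2_PACKET = 2        # Serial_Unified2Packet: 28-byte header + raw packet bytes
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent_legacy: 52-byte IPv4 alert record

RECORD_HDR = struct.Struct("!II")                       # type, length (network byte order)
IDS_EVENT_LEGACY = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52 bytes
PACKET_HDR = struct.Struct("!IIIIIII")                  # 28 bytes before packet_data


def decode_ids_event(payload: bytes) -> dict:
    """Decode a Unified2IDSEvent_legacy record into the fields a console indexes on."""
    f = IDS_EVENT_LEGACY.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1],
        "event_second": f[2], "event_microsecond": f[3],
        "sid": f[4], "gid": f[5], "rev": f[6],
        "classification_id": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def decode_packet(payload: bytes) -> dict:
    """Decode a Serial_Unified2Packet record; event_id links it back to its alert."""
    f = PACKET_HDR.unpack_from(payload)
    data = payload[PACKET_HDR.size:PACKET_HDR.size + f[6]]
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_microsecond": f[4],
            "linktype": f[5], "packet_length": f[6], "data": data}


def parse_unified2(buf: bytes) -> dict:
    """Walk every complete record in buf.

    Stops at a partial trailing record (normal while the sensor is still writing):
    the declared length is checked against the bytes actually present, so a short
    record is reported rather than parsed as garbage.
    """
    events, packets, other = [], [], []
    truncated = False
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        start = off + RECORD_HDR.size
        if start + rlen > len(buf):
            truncated = True
            break
        payload = buf[start:start + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT_LEGACY.size:
            events.append(decode_ids_event(payload))
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            packets.append(decode_packet(payload))
        else:
            other.append(rtype)   # IPv6/VLAN/extra-data records: skipped by length, not mis-parsed
        off = start + rlen
    if off < len(buf):            # fewer than 8 bytes left: a record header cut in half
        truncated = True
    return {"events": events, "packets": packets,
            "other_types": other, "truncated": truncated}


def _record(rtype: int, payload: bytes) -> bytes:
    return RECORD_HDR.pack(rtype, len(payload)) + payload


def build_sample() -> bytes:
    """Constructed sample file: one alert, its packet, then a record cut short."""
    src = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0]
    event = IDS_EVENT_LEGACY.pack(
        1, 42, 1372800000, 123456,   # sensor_id, event_id, event_second, event_microsecond
        1000001, 1, 3,               # sid, gid, rev (placeholder local rule, not a real signature)
        33, 1,                       # classification_id, priority
        src, dst, 44321, 80, 6,      # IPv4 addresses, ports, protocol (TCP)
        0, 0, 0)                     # impact_flag, impact, blocked
    frame = b"\x00" * 14 + b"GET / HTTP/1.0\r\n"   # placeholder Ethernet header + payload
    pkt = PACKET_HDR.pack(1, 42, 1372800000, 1372800000, 123456, 1, len(frame)) + frame
    partial = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT_LEGACY.size) + b"\x00" * 10
    return _record(UNIFIED2_IDS_EVENT, event) + _record(UNIFIED2_PACKET, pkt) + partial


if __name__ == "__main__":
    result = parse_unified2(build_sample())
    for e in result["events"]:
        print(f"[{e['gid']}:{e['sid']}:{e['rev']}] {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    print("packets:", len(result["packets"]), "truncated tail:", result["truncated"])
```

A real console keeps the offset of the last complete record and resumes from it on the next poll, which is exactly the position this reader stops at; it also needs the IPv6 and VLAN event layouts (types 72, 104 and 105), which are skipped here by length rather than decoded.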

Introduction to SGUIL
The Analyst Console for Network Security Monitoring, Sguil, is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis. The Sguil client is written in Tcl/Tk and can be run on any operating system that supports Tcl/Tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Introduction to Aanval
OpenAanval was originally a very simple web front-end for monitoring and browsing Snort event data, positioned as an alternative to ACID. It was the stand-alone, free, limited version of the commercial Aanval console until the two were integrated in 2005. Aanval itself was publicly released in 2004 and is considered the longest-running Snort interface under continuous development on the market today, and the industry’s leading web-based GUI for Snort, Suricata, and Syslog intrusion detection, prevention, and correlation. The Aanval console is designed to scale from small single-sensor installations to global enterprise deployments. Since its release in 2004, Aanval has evolved to address the world’s growing network intrusion detection needs: the increasing complexity of security issues, the introduction of new security technologies, evolving cyber threats, and the requirement to comply with regulatory mandates. Equally, security managers have been driven to find a capable Snort front-end GUI that delivers effective threat management, event correlation, and advanced data analysis and reporting. Aanval SAS (Situational Awareness System), the latest version released by Tactical FLEX, Inc., is designed around a Situational Awareness engine that provides in-depth event and architecture analysis of the host network, delivering crucial network visibility and security intelligence. Aanval SAS is also equipped with a False Positive Protection event validation engine, real-time Live GeoLocation displays, and offensive tools built on Nmap that help shore up defenses and strengthen overall security posture. In addition to the commercial product, Aanval continues to support the Snort community with a free community version that allows full functionality for a single Snort and syslog sensor.
Aanval SAS is available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download.

About Tactical FLEX, Inc.
For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business, and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry’s most comprehensive Snort and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Learn more about Aanval SAS (Situational Awareness System) by visiting http://www.aanval.com.

Ten Things You May Not Know About Aanval IDS Console

#1 Aanval was publicly released in 2004 and is considered the longest running Snort interface under continuous development on the market today and the industry’s leading Snort, Suricata, and Syslog Intrusion Detection, Correlation, and Threat Management console. There are three key contributing factors to Aanval’s popularity and global success: situational awareness, false-positive reducing event validation, and multiple source event collection, correlation, and archiving. Learn more about Aanval at http://www.aanval.com.

#2 Aanval currently protects more than 6,000 customers within every industry worldwide including government security, defense organizations, technology corporations, financial services organizations, educational institutions, healthcare providers, biotechnology manufacturers, energy companies, law firms, and many others. View who’s using Aanval at http://www.aanval.com/customers.

#3 Aanval is an enterprise grade IDS solution created for all business sizes and has the unique technological capability to automatically scale to meet the needs of its environment. Aanval is built to scale from small single-sensor installations to global enterprise deployments.

#4 A major focus of Aanval is performance and scalability. Aanval is built with an accelerated real-time event processing system that handles as many as 1,500 events per second and scales with hardware to process as many as 5,000 events per second. Storing millions or even billions of Snort, Suricata, and Syslog events is fully automated and continues as long as storage space is available. Aanval is further designed to correlate event data and logs from hundreds of vendor products and solutions, including Snort, Suricata, Cisco, Barracuda Networks, Sourcefire, and Apple.

#5 Aanval is written entirely in standard HTML and JavaScript and, more importantly, is free of Adobe Flash. The completely rewritten codebase enables Aanval to work in every browser and across every mobile platform.

#6 While many organizations continue to struggle to achieve network visibility, Aanval SAS (Situational Awareness System), the latest version of Aanval, is armed with a one-of-a-kind situational awareness engine that provides an in-depth event and architecture analysis of the host network. Aanval can quickly build detailed summaries of the network’s security posture and current risks as well as provide Security Analysts with the resources they need to identify actual risks and make critical decisions. Delivering actionable security intelligence from an organization’s circumstances and conditions is the pure essence of Aanval’s true situational awareness.

#7 Aanval SAS combines advanced IDS features with offensive tools that shore up defenses, such as Network Host Scanner, Rogue Host Detection, and Offensive Reconnaissance. These take full advantage of Nmap, the industry’s best-known port scanning utility, to perform both automated and on-request network reconnaissance. View product screenshots and details at http://www.aanval.com/aanval.

#8 Aanval continues to support both the information security and open source Snort and Suricata communities by providing users with a free non-commercial version of Aanval that allows full functionality of a single-sensor device. Aanval is designed to work with all versions of Snort and Suricata. Aanval may be downloaded for testing and evaluation at http://www.aanval.com/download.

#9 Commercial Aanval is unlimited for the number of sensors (Snort, Suricata, or Syslog sensors) and also includes telephone and remote support for the product, and console maintenance. With annual unlimited sensor capacity, organizations of all network sizes are no longer limited by sensor cost and can now monitor every aspect of their environment. Explore Aanval SAS Product Comparison Matrix by visiting http://www.aanval.com/aanval.

#10 Aanval Appliances are pre-configured, turn-key deployments of Aanval designed for organizations that need a drop-in solution or possibly have little or no IDS/IPS experience. Aanval Appliances can be configured in an array of configuration options that include Aanval, Snort, Suricata, Nessus, Nmap, Metasploit, and just about any other popular security tool and system. Learn more about Aanval Appliances at http://www.aanval.com/appliances.