Aanval with Cisco Catalyst switch


deeztek

Jun 26, 2012, 11:00:00 AM
to aan...@googlegroups.com
How would I integrate Aanval with a Cisco Catalyst 3550 switch? I have no idea how to even get started with Aanval concerning this, so I would appreciate some help pointing me in the right direction.
 
Thanks

SuperheroSmith

Jun 26, 2012, 12:29:19 PM
to aan...@googlegroups.com
Have you downloaded and installed Aanval yet? The 3550 has a GUI that can be used to configure logging. I would first download and install Aanval, and then configure the 3550 for logging to Aanval's syslog module. That's at least a start. Tactical FLEX even has installation guides for Aanval on their wiki site: http://wiki.aanval.com/wiki/Aanval:V7_Installation_Guide.

deeztek

Jun 26, 2012, 3:15:55 PM
to aan...@googlegroups.com
I have Aanval up and running. We were actually interested in setting Aanval to monitor all the traffic off an already set up mirrored port off the Catalyst switch. How would I go about doing that?

SuperheroSmith

Jun 26, 2012, 3:22:03 PM
to aan...@googlegroups.com
What version of Aanval are you running?

deeztek

Jun 26, 2012, 4:26:48 PM
to aan...@googlegroups.com
Version 7

SuperheroSmith

Jun 26, 2012, 4:33:52 PM
to aan...@googlegroups.com
Good. I would reference the following wiki link for syslog sensor management: http://wiki.aanval.com/wiki/Aanval:Syslog_Sensor_Management

That would assist on the Aanval end. Have you configured the 3550 to send logs to Aanval or a database? This next link directs to the Cisco Network Assistant, the GUI for the 3550, which could prove helpful for switch management: http://www.cisco.com/en/US/products/ps5931/

deeztek

Jun 26, 2012, 4:44:45 PM
to aan...@googlegroups.com
Unfortunately, we have no access to the Catalyst switch to make any configuration changes. So, I was told that a long time ago a mirrored port was set up on the Catalyst where all the switch traffic was mirrored, and they have an old version of Aanval sniffing the traffic on that particular port using an interface on the Aanval box that was set in promiscuous mode.

Loyal Moses

Jun 26, 2012, 5:11:07 PM
to aan...@googlegroups.com
Are you running snort for signature analysis?

Or want syslog only data (messages)?

If you are mirroring switch data, I'm assuming you want a network intrusion engine running.

Sent from my iPhone 4
--
You received this message because you are subscribed to the Google Groups "Aanval - Snort & Syslog SIEM (Correlation and Threat Management)" group.
To view this discussion on the web visit https://groups.google.com/d/msg/aanval/-/NEErCSWRO1cJ.
To post to this group, send email to aan...@googlegroups.com.
To unsubscribe from this group, send email to aanval+un...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/aanval?hl=en.

SuperheroSmith

Jun 26, 2012, 7:43:23 PM
to aan...@googlegroups.com
I apologize, I misread your last comment. Yes, if you're mirroring switch data, it sounds like you're wanting an IDS engine to grab all network traffic and send it to Aanval. And if a long time ago there was such a system established, more than likely Snort was the IDS engine sniffing traffic. There's also a good chance Snort is still there, and with little modification, Snort and Aanval could be updated and configured to work seamlessly with the mirrored port on the 3550. 
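Before pointing Snort at the mirrored port, it is worth confirming that the sniffing interface on the Aanval box is really receiving mirrored traffic, since nobody in this thread can log in to the switch to check the SPAN configuration. The following is an added example, not Snort or Aanval code: it reads the interface flags from `ip link` output and the packet counters from `/proc/net/dev` on a Linux sensor and reports whether the interface is up, has link, is in promiscuous mode and is seeing new packets. The interface name `eth1` and the command outputs embedded below are constructed for illustration.

```python
"""Sanity-check the interface cabled to the switch's mirrored (SPAN) port.

Added example, not Snort or Aanval code. Assumes a Linux sensor with
`ip link` and /proc/net/dev; 'eth1' and the sample outputs are constructed.
"""
import re
import subprocess
import time

# "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..." (also matches `ip -o link`)
IP_LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>")

# Constructed `ip link show` output: eth0 is the management NIC, eth1 the sniffer.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
"""

# Constructed /proc/net/dev snapshots a few seconds apart; eth1 receives but never transmits.
PROC_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1: 5000000   40000    0    0    0     0          0       120        0       0    0    0    0     0       0          0
"""
PROC_DEV_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1: 5150000   41250    0    0    0     0          0       124        0       0    0    0    0     0       0          0
"""


def iface_flags(ip_link_output, iface):
    """Return the set of kernel flags (UP, PROMISC, LOWER_UP, ...) shown for iface."""
    for line in ip_link_output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and m.group("name") == iface:
            return set(filter(None, m.group("flags").split(",")))
    raise ValueError(f"interface {iface!r} not found in 'ip link' output")


def counters(proc_net_dev, iface):
    """Return (rx_packets, tx_packets) for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        if ":" not in line:  # the two header lines carry no colon
            continue
        name, rest = line.split(":", 1)
        if name.strip() == iface:
            fields = rest.split()  # rx: bytes packets errs drop fifo frame compressed multicast, then tx
            return int(fields[1]), int(fields[9])
    raise ValueError(f"interface {iface!r} not found in /proc/net/dev")


def assess(ip_link_output, dev_before, dev_after, iface):
    """Combine flags and counter deltas into an ok/problems verdict for the sniffing NIC."""
    flags = iface_flags(ip_link_output, iface)
    rx0, tx0 = counters(dev_before, iface)
    rx1, tx1 = counters(dev_after, iface)
    problems = []
    if "UP" not in flags:
        problems.append("interface is administratively down")
    if "LOWER_UP" not in flags:
        problems.append("no link: check the cable to the SPAN port")
    if "PROMISC" not in flags:
        problems.append("not in promiscuous mode: Snort will only see frames addressed to this NIC")
    if rx1 <= rx0:
        problems.append("RX counter did not move: nothing is being mirrored")
    if tx1 > tx0:
        problems.append("interface is transmitting: a sniffing interface should be passive")
    return {"iface": iface, "flags": sorted(flags), "rx_delta": rx1 - rx0,
            "tx_delta": tx1 - tx0, "ok": not problems, "problems": problems}


def live_assess(iface, wait_seconds=5):
    """Run the same check against the running system (needs `ip` on PATH)."""
    link = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    with open("/proc/net/dev") as f:
        before = f.read()
    time.sleep(wait_seconds)
    with open("/proc/net/dev") as f:
        after = f.read()
    return assess(link, before, after, iface)


if __name__ == "__main__":
    print(assess(IP_LINK_SAMPLE, PROC_DEV_BEFORE, PROC_DEV_AFTER, "eth1"))
```

A zero RX delta with the interface up and promiscuous is the case this thread is most exposed to: it usually means the SPAN session on the switch was removed or re-pointed at some time after "a long time ago", and only someone with switch access can fix that.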

deeztek

Jun 27, 2012, 9:01:29 AM
to aan...@googlegroups.com
Pardon my ignorance. So, Snort is not included with Aanval, but Aanval includes a syslog module. So, if I want Aanval to grab all the network traffic from that mirrored port, I have to either find or set up a box with Snort and then configure Aanval to talk to the Snort box to analyze the data. Is this correct?

SuperheroSmith

Jun 27, 2012, 6:03:28 PM
to aan...@googlegroups.com
Aanval includes modules to monitor and manipulate syslog and Snort data. Snort is not included with Aanval, but can be downloaded for free and traffic pointed to Aanval. In the end, yes, you will need to find or set up a box with Snort and then point that traffic to Aanval for processing and correlation. However, that is just one option. Tactical FLEX also offers appliances based on Apple Mac Minis and Mac Pros that can be configured and optimized for any environment and are shipped for plug-and-play operation. Additionally, all appliances come with telephone and remote support. That may be the better option. 

SuperheroSmith

Jun 27, 2012, 6:15:52 PM
to aan...@googlegroups.com
Additionally, if you already have Aanval up and running, you can install Snort on the same box.

deeztek

Jul 6, 2012, 2:14:00 PM
to aan...@googlegroups.com
Okay, so I have Snort up and running with Aanval on the same box. Now what? I'm looking at Aanval's wiki and it's talking about SMTs, and I have no idea where they are. I went under Configuration --> Snort Module Settings and I connected to the Snort database. I'm not sure where to go from there. The documentation on Aanval's website leaves a lot to be desired, I think.

SuperheroSmith

Jul 6, 2012, 2:40:10 PM
to aan...@googlegroups.com
If you visit Configuration > Snort Module > Sensor Configuration, can you see any sensors listed? If not, check your database credentials. If they check out, and you're listing localhost as the Hostname, try 127.0.0.1. If you do see sensors, enable the active sensor and select the Permissions for your user account, so you can see the events, and further configure the sensor with the correct timezone and sensor name. For SMT assistance, see the direct SMT wiki link: http://wiki.aanval.com/wiki/Aanval:Sensor_Management_Tool. The SMTs aren't necessary for the console to work with Snort, but they will add more functionality to modify the sensor's conf and send rules, and further enable you to restart, stop, and start Snort from the console.