u2platform (formerly Aanval) is the most comprehensive security information and event management (SIEM) console available in the industry and on the market. u2platform supports data sources including Snort, Suricata and any syslog feed, and is designed to scale from a single-sensor installation to a global enterprise deployment. u2platform was created in 2003, is the longest-running graphical user interface for Snort on the market, and continues to be developed.
u2platform is a web-based graphical intrusion detection and log viewing tool that can be used from an iPad. It is suited to website operators and security staff. u2platform is the industry's most comprehensive Snort and syslog intrusion detection, correlation and management console, designed for everything from small single-sensor installations to large global enterprise deployments.
Introduction to the new version
Tactical FLEX, Inc. continues to set new standards and advances u2platform with performance upgrades, enhanced threat detection and new automation features. The best-performing Snort, Suricata and syslog intrusion detection, correlation and threat management console (GUI/interface) on the market is now better than ever.
While providing complete end-to-end network visibility, u2platform has dozens of new features, including HTML5, IPv6, direct Unified2 support, threat level display, global heat maps, syslog enhancements, a new automation system and a near-complete rewrite of the entire code base, which makes this our most stable and advanced u2platform release.
u2platform is the solution for IT security professionals who need proven security and network operations tools focused on intrusion detection, along with strong log management and SIEM capabilities.
UNIFIED2 IMPORTING
Aanval 8 can import and manage IDS event data, including IPv6 addresses, directly from Snort or Suricata by way of Aanval's new and advanced Sensor Management Tools (SMTs). Importing by way of Barnyard2 and a MySQL database is still supported but no longer required.
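The direct import described above works on Snort's binary unified2 records and resolves each event's generator/signature id against the sid-msg.map that sensors upload (see the PHP row under Software Requirements). As an added example that is not Aanval's own code, the parser below decodes a constructed unified2 stream containing an IPv4 event, a packet record and an IPv6 event, and labels the events from a constructed sid-msg.map; the record type numbers and field layout follow Snort's published unified2 format, and every sample value is made up.

```python
import struct
import ipaddress

# Unified2 record types from Snort's unified2 output format; all other types are skipped.
UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6 = 7, 72
# Both event bodies share one field order; only the address width (4 vs 16 bytes) differs.
_LAYOUT = {UNIFIED2_IDS_EVENT: "!9I4s4sHHBBBB", UNIFIED2_IDS_EVENT_IPV6: "!9I16s16sHHBBBB"}

def parse_unified2(data, sid_map=None):
    """Return normalized events from a unified2 stream of big-endian (type, length, body) records."""
    events, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # truncated tail: a live sensor may still be writing this record
        off += 8 + rlen
        fmt = _LAYOUT.get(rtype)
        if fmt is None or rlen < struct.calcsize(fmt):
            continue  # packet/extra-data records, or a body too short to decode safely
        (sensor, event_id, sec, _usec, sid, gid, rev, _cls, prio, src, dst,
         sport, dport, proto, _iflag, _impact, blocked) = struct.unpack_from(fmt, body)
        events.append({"sensor_id": sensor, "event_id": event_id, "timestamp": sec,
                       "gid": gid, "sid": sid, "rev": rev, "priority": prio, "blocked": blocked,
                       "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
                       "sport": sport, "dport": dport, "proto": proto,
                       "msg": (sid_map or {}).get((gid, sid), "unknown signature")})
    return events

def load_sid_msg_map(text):
    """Parse sid-msg.map into {(gid, sid): msg}. v1 lines read 'sid || msg || refs';
    a v2 file starts with '#v2' and its lines read 'gid || sid || msg || refs'."""
    v2, table = text.lstrip().startswith("#v2"), {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if line.startswith("#") or len(parts) < (3 if v2 else 2):
            continue
        key = (int(parts[0]), int(parts[1])) if v2 else (1, int(parts[0]))
        table[key] = parts[2] if v2 else parts[1]
    return table

# Constructed sample: a v1 map, then an IPv4 event, a packet record (skipped) and an unmapped, blocked IPv6 event.
SAMPLE_MAP = "1000001 || Constructed test rule || url,example.invalid\n"
_EV4 = struct.pack(_LAYOUT[7], 1, 42, 1700000000, 0, 1000001, 1, 3, 1, 2,
                   bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), 40000, 22, 6, 0, 0, 0)
_EV6 = struct.pack(_LAYOUT[72], 1, 43, 1700000001, 0, 1000002, 1, 1, 1, 3,
                   ipaddress.ip_address("2001:db8::1").packed,
                   ipaddress.ip_address("2001:db8::2").packed, 5000, 443, 6, 0, 0, 1)
SAMPLE_STREAM = (struct.pack("!II", 7, len(_EV4)) + _EV4 + struct.pack("!II", 2, 20) + b"\0" * 20
                 + struct.pack("!II", 72, len(_EV6)) + _EV6)
```

Calling `parse_unified2(SAMPLE_STREAM, load_sid_msg_map(SAMPLE_MAP))` yields two normalized events; the packet record is skipped and the IPv6 event, whose sid is absent from the map, is labelled "unknown signature".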
REMOTE IDS MANAGEMENT
Aanval 8's Sensor Management Tools (SMTs) provide a direct, live, and secure link to IDS sensors. Users can remotely start or stop IDS engines, easily enable and disable signatures, update configuration files, and then send those updates to any number of connected IDS sensors with one click. Aanval can then automatically download the latest signatures from Snort or Emerging Threats and apply updates to all active signatures.
AUTOMATED ALERTS AND ACTIONS
Quickly and easily create or modify any number of automated tasks. Match any number of criteria, such as IP, sensor, and risk level; then execute one or more actions, such as sending an email alert, launching a host scan, or running a shell command.
ON-DEMAND AND SCHEDULED REPORTS
Aanval's reporting system utilizes the same Advanced Search engine as the primary console. Creating reports on any search results has never been easier and more efficient. Reports may be displayed, scheduled, managed, and emailed all within a simple-to-use, yet powerful interface. Reports are available in PDF, HTML, XML, TEXT and native console formats.
LIVE EVENT CORRELATION
Aanval is a fully-integrated event management and attack data correlation engine. Aanval compares and correlates attacks in real-time and provides easy-on-the-eyes charts and visual representations of related attack data across Snort, Suricata, and syslog-sourced data.
Using every detail of a normalized event, Aanval compares events against one another as well as against groups of events to identify complex attack patterns or to determine whether a single attack may be related to larger attacks happening within the same timeframe.
Correlation is performed both in real time and on demand, allowing analysts to select an event and see which events may be related.
Ranking is simple to understand. Aanval provides a percentage value for each correlated event, letting the analyst know how confident Aanval is in its decision.
GLOBAL HEAT MAPS
New to Aanval 8 are Global Heat Maps. These operate in real time and identify hot spots based on the country of the event's origin. Areas of potential risk are easy to identify as colors darken with activity. Global Heat Maps, together with Aanval's new and improved GeoLocation framework, allow users to visualize and plot in real time the broad and precise locations of those sourcing attacks and of their targets. These global displays also feed data to other Aanval displays such as Frequent Offenders and Frequent Targets, so users get the full global picture of where attacks are taking place and by whom.
NMAP-POWERED HOST SCANNING
With on-demand, scheduled, and even criteria-triggered host scans, users can employ Nmap, the industry's best-known and most accomplished port scanning utility, to identify new hosts and gather open port, service, and OS fingerprint data.
That data also feeds tools such as Situational Awareness, which then automatically builds network host maps and displays current network event and host health.
False Positive Prevention also uses host data to tag and filter imported events as possible false positives in real time. Users can further use Aanval's Automation tools to alert them when new hosts come online.
SITUATIONAL AWARENESS
Aanval 8 includes our unique Situational Awareness engine, which provides an in-depth event and architecture analysis of the current network security state. Situational Awareness within Aanval allows analysts to quickly identify which specific devices, services, and approximate areas of the network are most at risk and which are more likely to be a problem in the future.
Analysts can configure networks, devices, IP addresses, services, and ports within Aanval that allow our Situational Awareness engine to quickly summarize network event information and provide analysts with the resources they need to identify actual risks and make critical decisions.
FALSE POSITIVE PROTECTION
Aanval 8 includes a powerful event validation engine that performs real-time analyses of events against customizable network, device, and service definitions, and further tags and filters events to help keep false positives from overpowering true risks.
False positives are the number one reason intrusion analysis systems fail to provide accurate and timely results. Even small numbers of false positives cost organizations significant amounts of time, resources, and allocated budget to manage.
AANVAL MIRRORING AND STORAGE
Significant research and intense development of Aanval 8 brings about the ability to store nearly an unlimited number of events within the console. As long as disk space is available, event storage continues without affecting performance.
Deployed installations with more than 100 million, 500 million, and even 1+ billion events are not uncommon. Archiving with Aanval has never been simpler: output and stream all imported data in a customized syslog format, and now also in CEF2.
CHARTS AND GRAPHS
Charts and graphs—static, interactive, and real-time animated views—are available in searches, summaries, reports, and dedicated displays.
Our charting and graphing capabilities are based on industry-standard JavaScript technology, ensuring their displays are equally impressive on all desktop and mobile devices.
ADVANCED SEARCH
Search results and correlation displays, in addition to being extremely powerful, are quick, simple, and efficient.
Find targeted events using specific metadata criteria, or perform full clear-text searches of all event fields, including payload data, for Snort, Suricata, and syslog.
Additionally, Aanval supports a wide range of custom search keywords to locate events based upon time periods, risk level, relation to one another, and more.
Features | Free Community | Personal | Commercial |
---|---|---|---|
Snort & Suricata Support | V | V | V |
Offensive Reconnaissance | LIMITED | V | V |
Network / Host Scanning | LIMITED | V | V |
False Positive Validation | V | V | V |
Billions of Events | LIMITED | V | V |
Live / Real-time Displays | V | V | V |
Global Heat Map | V | V | V |
IP GeoLocation | V | V | V |
Automation / Triggers | V | V | V |
Sensor Management | V | V | V |
Signature Management | V | V | V |
Unlimited Snort & Suricata | LIMITED | V | V |
Unlimited Syslog | LIMITED | V | V |
8 to 5 Telephone Support | X | V | V |
Commercial Use | X | X | V |
Hardware Requirements
Below are the minimum hardware requirements for the most common deployments of Aanval.
Environment | Sensor Capacity | Memory | CPU Cores | Disk Space |
---|---|---|---|---|
Small Scale | 1-3 | 4GB | 2 | 100GB |
Large Scale | 8 or more | 8+GB | 4 or more | 500GB |
Network Requirements
The following ports need to be open for proper functionality.
Port | Purpose |
---|---|
22 | SSH access is needed to reach the console and sensors for installation and for necessary maintenance and troubleshooting. |
80 / 443 | HTTP/HTTPS access is needed to view the console; console-to-sensor communication also uses 80 / 443. |
The console will occasionally contact the following locations for updates and maintenance.
URL | Reasoning |
---|---|
download.aanval.com | The console will download packages from this URL. |
update.aanval.com | The console will check for new versions and updates from this URL. |
Software Requirements
Each of the following requirements should be satisfied prior to starting your Aanval installation. Testing for any additional requirements will be performed during the installation process. Details and remediation instructions will be available as necessary.
Requirement | Reasoning | Reference |
---|---|---|
Operating System | Aanval will install on all major Linux and Unix distributions, including Mac OS X. | Linux: CentOS has been a popular choice as a Linux OS for Aanval users. The most current version of CentOS can be obtained from the following site: [1] Unix: BSD has been a popular choice as a Unix OS for Aanval users. Any variant of BSD will work with Aanval, and FreeBSD can be obtained from the following site: [2] OS X: Mac OS X has also been a popular choice for Aanval users. Appliances are available in a variety of hardware and software combinations to fit every environment, and each is pre-configured and optimized for Aanval with Snort and/or Suricata intrusion detection and Syslog correlation. Appliances are installed with the most recent release of Mac OS X, along with the latest compatible versions of Apache, Perl, PHP, GD, and more. All appliances may be custom configured with specific destination network details (IP, DNS, etc.), ensuring the installation is as simple as plugging in and powering on the Appliance. From single-sensor deployments to large-scale enterprise intrusion arrays, Aanval Appliances are pre-configured for full intrusion detection and correlation functionality out of the box. To find which appliance is right for your network, contact our friendly and knowledgeable sales department at 800-921-2584 or sales.group [at] tacticalflex.com. |
PHP (at least version 7) | Aanval will require PHP for server-side scripting. | The most current version of PHP can be obtained from the following site: [3] When using the Unified2 Module for importing IDS events, it is recommended that php.ini be updated with the following change: upload_max_filesize = 256M. After making the change, restart Apache. This allows Aanval to receive all necessary files from sensors, including event data and especially the sid-msg.map and gen-msg.map files. |
PHP Modules | Specific PHP modules required for Aanval functionality. | php-xml, php-pdo, php-dom |
Perl (any version) | Aanval uses Perl to launch the PHP scripts in wrapper fashion. | The most current version of Perl can be obtained from the following site: [4] |
Web Server | Aanval will require an Apache web server capable of serving PHP scripting. | The most current version of Apache can be obtained from the following site: [5] |
IDS Engine | Aanval requires an Intrusion Detection System (IDS) for monitoring and retrieving (sometimes called "sniffing") network traffic and packets. | Snort and Suricata have been the most popular IDS engines used with Aanval. Snort: The most current version of Snort can be downloaded from the following link: [6] Suricata: The most current version of Suricata can be downloaded from the following link: [7] |