Aanval defines a sensor as an instance of Snort or Suricata that is configured to output alert details in unified2 format. Aanval requires a running instance of Snort or Suricata; setting this up is the responsibility of the end user and falls outside Aanval itself.
Snort or Suricata is most commonly configured to write alerts to a log directory, usually /var/log/snort.
Once you have a properly configured and running instance of either Snort or Suricata that is writing unified2 logs, these logs need to be ingested into Aanval.
Aanval ingests unified2 logs through the use of Aanval's SMTs (Sensor Management Tools). The SMTs are a small set of PHP scripts that are installed on the sensor system (system where Snort or Suricata is installed), and configured to send unified2 log information to the centralized Aanval installation.
Aanval is configured to allow the SMTs to send data to the system, using an SMT ID that matches a Sensor device inside Aanval. Essentially, the SMT ID is what tells Aanval which sensor the incoming events belong to.
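As an added illustration, not Aanval's or the SMTs' own code, the Python below shows what the ingestion step has to handle: it walks a unified2 file record by record, decodes the IPv4 IDS event records that Snort and Suricata write, tolerates a record the engine is still writing, and tags each event with the configured SMT ID so it can be associated with a sensor. The sample log bytes and the SMT ID "sensor-aa01" are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Record types from Snort's unified2 definition; only the legacy IPv4 event is decoded here.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Body of a type-7 record: eleven u32, two u16, four u8, all in network byte order (52 bytes).
IDS_EVENT_STRUCT = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
    "impact_flag", "impact", "blocked",
)

def iter_records(data):
    """Yield (type, body) for each complete record; a truncated tail is left for the next read."""
    offset = 0
    while offset + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, offset)  # 8-byte header: type, length
        body = data[offset + 8:offset + 8 + length]
        if len(body) < length:
            break  # the engine is still writing this record; do not emit a partial event
        yield rtype, body
        offset += 8 + length

def parse_events(data, smt_id):
    """Decode IDS events and tag each with the SMT ID Aanval uses to map it to a sensor."""
    events = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT or len(body) != IDS_EVENT_STRUCT.size:
            continue  # packet, extra-data and IPv6 records are not handled in this example
        event = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT_STRUCT.unpack(body)))
        event["src"] = str(IPv4Address(event.pop("ip_source")))
        event["dst"] = str(IPv4Address(event.pop("ip_destination")))
        event["smt_id"] = smt_id  # value configured identically in the SMTs and the Aanval sensor
        events.append(event)
    return events

def build_sample_log():
    """Constructed sample: one IDS event followed by a packet record cut short mid-write."""
    body = IDS_EVENT_STRUCT.pack(1, 42, 1700000000, 123456, 1000001, 1, 3, 3, 2,
                                 int(IPv4Address("10.0.0.5")), int(IPv4Address("192.0.2.10")),
                                 51234, 80, 6, 0, 0, 0)
    complete = struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body
    truncated = struct.pack("!II", UNIFIED2_PACKET, 64) + b"\x00" * 10  # header claims 64 bytes
    return complete + truncated
```

Calling `parse_events(build_sample_log(), "sensor-aa01")` returns the single complete event, tagged with that SMT ID, and leaves the truncated packet record to be re-read once the engine has finished writing it.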
Adding Sensors within Aanval
Creating sensors within Aanval is simple: navigate to the Snort & Suricata sensor display under Configuration -> Sensors.
Create a new sensor with the New button, and configure the name, engine type and proper user permissions for the new sensor. You will also want to ensure the SMT ID is configured to a unique alphanumeric combination that will match the configuration of your SMTs (Sensor Management Tools).
Enable the sensor and Update / Save the changes.
Lastly, ensure the Options for the newly created sensor are properly configured. Values for Unified2 file path, Engine configuration file, Class map file, Generator map file, Signature map file and Rule file path are required, while Engine start / stop commands are optional but very useful for Aanval's automated functions.
Sensor Management Tool Installation
Installing the Sensor Management Tools is relatively simple; the instructions can be found here: SMT (Sensor Management Tool) Installation
Once you have created a new Sensor within Aanval and installed the Sensor Management Tools (SMTs), Aanval will immediately begin importing / ingesting event data, and it should begin to appear in the console within moments.