OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: samsonmcnulty on August 05, 2018, 06:58:52 pm

Title: Aanval and OPNSense
Post by: samsonmcnulty on August 05, 2018, 06:58:52 pm
Has anyone here had any experience with Aanval? I'm running OPNSense on a small desktop and since it already has suricata, I figured I would just need barnyard on the OPNSense box to feed into a SQL server which Aanval on my RasPi could then pull data from. That, of course, seems too simple and I know I'm missing some key points here.
I've looked into building aanval as a plugin for OPNSense but I'm still relatively new to all of this so there are some milestones I think I need to achieve before I try something at that level.
Thanks in advance for any help offered!
Title: Re: Aanval and OPNSense
Post by: samsonmcnulty on August 06, 2018, 05:45:51 am
So I've managed to determine that OPNSense already has the majority of what is needed to run aanval.
When I unzip aanval into the /www/html/ directory and run the prereq check I get this output.
Code:
Fix the following mandatory requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 * iconv() must be available
   > Install and enable the iconv extension.

 * token_get_all() must be available
   > Install and enable the Tokenizer extension.

Optional recommendations to improve your setup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 * posix_isatty() should be available
   > Install and enable the php_posix extension (used to colorize the
   > CLI output).

 * intl extension should be available
   > Install and enable the intl extension (used for validators).

 * PDO should have some drivers installed (currently available: none)
   > Install PDO drivers (mandatory for Doctrine).


Note  The command console could use a different php.ini file
~~~~  than the one used with your web server. To be on the
      safe side, please check the requirements from your web
      server using the web/config.php script.
I'm not so concerned with the optional stuff quite yet. I was able to determine a method for adding the iconv extension and tokenizer without having to completely rebuild php so I'll be giving that a shot momentarily.

I'll keep plugging away at it and update this post as I accomplish things. I'm also not so sure this post is in the correct area of the forum now, should it be moved to dev?

Thanks
Title: Re: Aanval and OPNSense
Post by: jclendineng on August 06, 2018, 02:40:38 pm
Make sure your hardware supports it... no need to burden it if not. Throw aanval in a vm/jail on another box. That being said, I had aanval at one point, good stuff. Next go around I'm going to be using elk stack though, if I can figure out how to pass suricata logs to a syslog server.
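The last reply leaves open how Suricata's alerts reach a syslog collector. Suricata's EVE JSON output can write to syslog directly instead of a file, which is the simplest way to get alerts off the firewall and into a collector such as an ELK stack. The fragment below is an added example written for this thread, not a configuration from the original post or from the OPNsense project; the identity string, facility and event types are assumed values chosen for illustration.

```yaml
# Added example: Suricata outputs section sending EVE JSON events to the
# local syslog daemon (assumed identity/facility values).
outputs:
  - eve-log:
      enabled: yes
      # "syslog" writes each JSON event as one syslog message instead of to a file
      filetype: syslog
      # program name that appears in the syslog header (assumed value)
      identity: "suricata"
      # facility the collector filters on (assumed value; local0-local7 are customary)
      facility: local5
      level: Info
      # keep the event set small on a low-powered box; add flow/dns/http later if needed
      types:
        - alert:
            # include the matched payload and packet so the collector can show context
            payload: yes
            packet: yes
            metadata: yes
        - stats:
            totals: yes
            threads: no
```

Two caveats for the setup described in this thread. First, the local syslog daemon then has to forward that facility to the remote collector, preferably over TCP with TLS rather than plain UDP, since alert data carries payload excerpts from inspected traffic. Second, on OPNsense the running suricata.yaml is generated by the IDS service and rewritten on restart, so edits to the generated file do not survive; the override has to go through the mechanism the service merges in rather than a direct edit of the file.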