OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: samsonmcnulty on August 05, 2018, 06:58:52 pm
-
Has anyone here had any experience with Aanval? I'm running OPNsense on a small desktop, and since it already has Suricata, I figured I would just need Barnyard on the OPNsense box to feed into a SQL server which Aanval on my RasPi could then pull data from. That, of course, seems too simple, and I know I'm missing some key points here.
I've looked into building Aanval as a plugin for OPNsense, but I'm still relatively new to all of this, so there are some milestones I think I need to achieve before I try something at that level.
Thanks in advance for any help offered!
-
So I've managed to determine that OPNsense already has the majority of what is needed to run Aanval.
When I unzip Aanval into the /www/html/ directory and run the prereq check, I get this output:
Fix the following mandatory requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* iconv() must be available
> Install and enable the iconv extension.
* token_get_all() must be available
> Install and enable the Tokenizer extension.
Optional recommendations to improve your setup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* posix_isatty() should be available
> Install and enable the php_posix extension (used to colorize the
> CLI output).
* intl extension should be available
> Install and enable the intl extension (used for validators).
* PDO should have some drivers installed (currently available: none)
> Install PDO drivers (mandatory for Doctrine).
Note The command console could use a different php.ini file
~~~~ than the one used with your web server. To be on the
safe side, please check the requirements from your web
server using the web/config.php script.
I'm not so concerned with the optional stuff quite yet. I was able to determine a method for adding the iconv extension and tokenizer without having to completely rebuild PHP, so I'll be giving that a shot momentarily.
I'll keep plugging away at it and update this post as I accomplish things. I'm also not so sure this post is in the correct area of the forum now; should it be moved to dev?
Thanks
-
Make sure your hardware supports it... no need to burden it if not. Throw Aanval in a VM/jail on another box. That being said, I had Aanval at one point, good stuff. Next go around I'm going to be using the ELK stack though, if I can figure out how to pass Suricata logs to a syslog server.
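On the last point (getting Suricata's logs to a syslog server): the following is an added example, not part of any post above and not OPNsense's own configuration. It shows the upstream suricata.yaml way of doing it: the EVE JSON output can be written to syslog instead of a file by setting `filetype: syslog`, as documented in the Suricata manual. The facility and identity values are choices, and the log server name is a placeholder.

```yaml
# Added example: Suricata EVE output sent to the local syslog daemon
# instead of eve.json. Placed under the "outputs:" section of suricata.yaml.
outputs:
  - eve-log:
      enabled: yes
      filetype: syslog        # write EVE records via syslog(3) rather than a file
      identity: "suricata"    # assumed program name shown in each syslog line
      facility: local5        # assumed facility; pick one not used by other daemons
      level: Info             # syslog priority used for the records
      types:
        - alert               # start with alerts only; add dns, http, tls, flow as needed
```

Once Suricata is emitting to syslog, the host's syslog daemon does the forwarding. With rsyslog, a single rule such as `local5.* @@logserver.example.internal:514` (two `@` signs means TCP, one means UDP) ships every record on that facility to the collector; the hostname above is a placeholder. On the ELK side the JSON payload is still intact inside the syslog message, so a `json` filter in Logstash can parse it without further work. Keep `types` narrow at first: `flow` and `http` on a busy link can produce far more volume than the alerts themselves.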