
#1 2019-09-13 12:16:20

Strykar
Member
Registered: 2018-02-17
Posts: 50

[REQUEST] - Aanval (Snort/Suricata SIEM)

Aanval is a commercial SIEM product designed specifically for use with Snort, Suricata, and Syslog data. Aanval has been in active development since 2003 and remains one of the longest running Snort capable SIEM products in the industry. Aanval is Dutch for "attack".

I've tried to install this from source, seemed fairly simple, to enable PHP and drop into /var/http/snort at first but I cannot get it to work with the latest PHP version supplied with Arch. I contacted the developers and one of the suggestions was to downgrade PHP.
It also throws errors about the ICU version on Arch:

intl ICU version installed on your system (64.2) does not match the ICU data bundled with Symfony (59.1)

I was unable to downgrade to 59.1 and test as the PHP version still got in the way. So I'm far off from creating a PKGBUILD myself and could use some help.

System requirements: flex, bison, zlib, pcre, libdnet, kernel-headers, libpcap, libtool
PHP modules required: Curl, PDO, pdo_sqlite, sqlite3, SimpleXML, Phar, gd, json, pcre, xml, zip

Install doc: https://tacticalflex.zendesk.com/hc/en- … stallation
Docs: https://tacticalflex.zendesk.com/hc/en- … 993-Aanval

Please let me know if there's anything I've missed or any more info I can provide.

Last edited by Strykar (2019-09-13 12:21:06)
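A preflight check that a packager might run before attempting the install, as an added example (not code from Aanval, the Arch forums, or this thread): it compares the module list from the post against what `php -m` reports, and compares the major ICU version PHP's intl extension was built against with the version of the ICU data bundled with Symfony. The bundled version 59.1 and system version 64.2 are the values from the error message above; `SYMFONY_ICU_DATA` is an assumed placeholder you would set from the Symfony Intl component shipped with the application. The two functions take their input as arguments, so they can also be exercised with constructed data when no PHP is installed.

```shell
#!/bin/sh
# aanval-preflight.sh - added example, not part of Aanval or the forum post.
# Checks the PHP module list and the intl/ICU version pairing before an
# install attempt, so a mismatch is found before the web UI ever loads.

# Module list taken from the request above.
REQUIRED_MODULES="Curl PDO pdo_sqlite sqlite3 SimpleXML Phar gd json pcre xml zip"

# Assumed placeholder: the ICU data version bundled with the Symfony Intl
# component the application ships (59.1 is the value from the error message).
SYMFONY_ICU_DATA="${SYMFONY_ICU_DATA:-59.1}"

# missing_modules LOADED_LIST
#   LOADED_LIST is the text of `php -m` (one module per line). Prints each
#   required module that is absent, one per line. Matching is case-insensitive
#   because `php -m` prints e.g. "curl" while the docs say "Curl".
missing_modules() {
    loaded=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    for m in $REQUIRED_MODULES; do
        lc=$(printf '%s' "$m" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$loaded" | grep -qx "$lc"; then
            printf '%s\n' "$m"
        fi
    done
}

# icu_matches SYSTEM_ICU BUNDLED_ICU
#   Returns 0 when the major ICU versions agree, 1 otherwise. Symfony's check
#   is on the data version, so 64.2 (system) against 59.1 (bundled) fails here
#   just as it did in the error from the first post.
icu_matches() {
    sys_major=${1%%.*}
    bundled_major=${2%%.*}
    [ "$sys_major" = "$bundled_major" ]
}

# Run against the local PHP only when one is available; otherwise the
# functions above are still usable with constructed input.
if command -v php >/dev/null 2>&1; then
    missing=$(missing_modules "$(php -m)")
    if [ -n "$missing" ]; then
        printf 'missing PHP modules:\n%s\n' "$missing"
    else
        echo "all required PHP modules are loaded"
    fi
    # INTL_ICU_VERSION is defined by the intl extension; empty when intl is absent.
    sys_icu=$(php -r 'echo defined("INTL_ICU_VERSION") ? INTL_ICU_VERSION : "";' 2>/dev/null)
    if [ -z "$sys_icu" ]; then
        echo "intl extension not loaded"
    elif icu_matches "$sys_icu" "$SYMFONY_ICU_DATA"; then
        echo "ICU $sys_icu matches bundled data $SYMFONY_ICU_DATA"
    else
        echo "ICU mismatch: system $sys_icu, bundled data $SYMFONY_ICU_DATA"
    fi
fi
```

Run it as a script on the build host, or source it and call `missing_modules "$(php -m)"` from a PKGBUILD's `check()` if you want the mismatch reported at package build time rather than at first page load.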


#2 2019-09-13 12:58:47

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: [REQUEST] - Aanval (Snort/Suricata SIEM)

There are already packages in AUR for older versions. Have you tried them yet?

https://aur.archlinux.org/packages/php70/
https://aur.archlinux.org/packages/php71/
https://aur.archlinux.org/packages/php72/

Keep in mind 7.0 is almost out of support and won't receive any security updates.


#3 2019-09-13 14:55:46

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: [REQUEST] - Aanval (Snort/Suricata SIEM)

icu59 or updating the Symfony ICU data bundle to 64.2 might be other options.
Edit:

Strykar wrote:

I've tried to install this from source, seemed fairly simple, to enable PHP and drop into /var/http/snort at first but I cannot get it to work with the latest PHP version supplied with Arch.

What exactly does not work? Is any output or log data produced?

Last edited by loqs (2019-09-13 18:54:59)


#4 2019-09-15 14:21:08

Strykar
Member
Registered: 2018-02-17
Posts: 50

Re: [REQUEST] - Aanval (Snort/Suricata SIEM)

Swiggles wrote:

There are already packages in AUR for older versions. Have you tried them yet?

https://aur.archlinux.org/packages/php70/
https://aur.archlinux.org/packages/php71/
https://aur.archlinux.org/packages/php72/

Keep in mind 7.0 is almost out of support and won't receive any security updates.

They suggested 7.2 or even 7.1 and I was told it was too old for Arch so I've been trying to get it to work with a more recent version.


#5 2019-09-15 14:21:55

Strykar
Member
Registered: 2018-02-17
Posts: 50

Re: [REQUEST] - Aanval (Snort/Suricata SIEM)

loqs wrote:

icu59 or updating the Symfony ICU data bundle to 64.2 might be other options.
Edit:

Strykar wrote:

I've tried to install this from source, seemed fairly simple, to enable PHP and drop into /var/http/snort at first but I cannot get it to work with the latest PHP version supplied with Arch.

What exactly does not work? Is any output or log data produced?

Sadly, the first post has the full error posted by the program regarding ICU versions.


#6 2019-09-15 15:09:33

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: [REQUEST] - Aanval (Snort/Suricata SIEM)

What command was used to generate that output? What is that command's exit status (run echo $? after the command to check)?
