Chapter 10. Using ACID as a Snort IDS Management Console

Running Snort from the command line and using tail -f to watch the alert log file is fine when testing or experimenting. But when you want to use Snort to protect your network, you need better analysis and monitoring tools. ACID (the Analysis Console for Intrusion Detection) is an open source project developed by Roman Danyliw at the CERT coordination center, as part of the AIRCERT project. It is a PHP-based web application that can act as the frontend for several tools; in this chapter we discuss only using ACID with Snort. ACID reads the database into which Snort logs its alerts.

ACID should be considered beta software and may be vulnerable to user input validation problems. Care should be taken to secure access to the ACID console (discussed further below). The current version is 0.9.6b23; it has not been updated since January of 2003. It still does an outstanding job in acting as a Snort alert console, but the recent changes in Snort (namely the move from the portscan2 and conversation preprocessors to flow-portscan) have exposed some problems. I still prefer ACID over almost any other open source solution (there are some commercial products that can act as a management console for Snort, too).

ACID was designed to help a security administrator manage the alerts generated by multiple IDS sensors. ACID can generate trending information and allow searches based upon time, address, alert, priority, classification, ...
