Use ACID to make sense of your IDS logs.
Once you have set up Snort to log
information to your database
you may find it hard to cope with all the data that it generates.
Very busy and high-profile sites can generate a huge number of Snort
warnings that eventually need to be tracked down. One way to
alleviate the problem is to install
, otherwise known as
the Analysis Console for Intrusion Databases,
is a web-based frontend
to databases that contain alerts from intrusion detection systems. It
features the ability to search for alerts based on a variety of
criteria, such as alert signature, time of detection, source and
destination address and ports, as well as payload or flag values.
ACID can display the packets that triggered the
alerts, as well as decode their layer-3 and layer-4 information.
ACID also contains alert management features
that allow you to group alerts based on incident, delete acknowledged
or false positive alerts, email alerts, or archive them to another
ACID also provides many different
statistics on the alerts in your database based on time, the sensor
they were generated by, signature, and packet-related statistics such
as protocol, address, or port.
ACID, you’ll first
need a web server and a working installation of
PHP (e.g., Apache and
mod_php), as well as a Snort installation that has been configured to log to a database (e.g., MySQL). You will also need ...