Chapter 10. Using ACID as a Snort IDS Management Console
Running Snort from the command line and using tail -f to watch the alert log file is fine when testing or experimenting. But when you want to use Snort to protect your network, you need better analysis and monitoring tools. ACID (the Analysis Console for Intrusion Detection) is an open source project developed by Roman Danyliw at the CERT Coordination Center as part of the AIRCERT project. It is a PHP-based web application that can act as the frontend for several tools; we will only discuss using ACID with Snort in this chapter. ACID interfaces with the database that Snort uses to log alerts.
ACID should be considered beta software and may be vulnerable to user input validation problems, so care should be taken to secure access to the ACID console (discussed further below). The current version is 0.9.6b23; it has not been updated since January of 2003. It still does an outstanding job as a Snort alert console, but recent changes in Snort (namely the move from the portscan2 and conversation preprocessors to flow-portscan) have exposed some problems. I still prefer ACID over almost any other open source solution (there are some commercial products that can act as a management console for Snort, too).
ACID was designed to help a security administrator manage the alerts generated by multiple IDS sensors. ACID can generate trending information and allows searches based upon time, address, alert, priority, classification, or sensor. The alert display includes all information about the rule that generated the alert, as well as the decoded header fields and the payload of the packet that triggered it. It is an invaluable tool for Snort administrators.
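To make concrete what "ACID interfaces with the database that Snort uses to log alerts" means, here is an added example (not ACID's own code, and not from the book) of the kind of SQL that ACID runs against a Snort MySQL database to build the views described above. It assumes the standard table and column names from Snort's create_mysql schema (event, signature, sig_class, sensor, iphdr, tcphdr, data); the source address and the sid/cid event identifier are constructed sample values.

```sql
-- Added example, not ACID's own queries. Assumes the standard Snort
-- create_mysql schema: event(sid, cid, signature, timestamp),
-- signature(sig_id, sig_name, sig_class_id, sig_priority, sig_sid, sig_rev),
-- sig_class(sig_class_id, sig_class_name), sensor(sid, hostname, interface),
-- iphdr(sid, cid, ip_src, ip_dst, ip_proto, ip_ttl, ip_len),
-- tcphdr(sid, cid, tcp_sport, tcp_dport), data(sid, cid, data_payload).
-- sid identifies the sensor, cid the event counter on that sensor.

-- 1. Trend view: alert count per signature and sensor over the last 24 hours.
--    Snort priority 1 is the most severe, so ascending priority comes first.
SELECT s.hostname          AS sensor,
       s.interface,
       sig.sig_name        AS alert,
       sig.sig_priority    AS priority,
       c.sig_class_name    AS classification,
       COUNT(*)            AS hits,
       MIN(e.timestamp)    AS first_seen,
       MAX(e.timestamp)    AS last_seen
FROM event e
JOIN signature sig     ON sig.sig_id = e.signature
LEFT JOIN sig_class c  ON c.sig_class_id = sig.sig_class_id
JOIN sensor s          ON s.sid = e.sid
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY s.hostname, s.interface, sig.sig_name, sig.sig_priority, c.sig_class_name
ORDER BY sig.sig_priority ASC, hits DESC;

-- 2. Search by address: recent alerts from one source host. Snort stores
--    addresses as unsigned 32-bit integers, hence INET_ATON/INET_NTOA.
SELECT INET_NTOA(ip.ip_src) AS src,
       INET_NTOA(ip.ip_dst) AS dst,
       t.tcp_dport          AS dport,
       sig.sig_name         AS alert,
       e.timestamp
FROM event e
JOIN iphdr ip        ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t   ON t.sid = e.sid AND t.cid = e.cid
JOIN signature sig   ON sig.sig_id = e.signature
WHERE ip.ip_src = INET_ATON('192.168.1.10')   -- constructed sample address
ORDER BY e.timestamp DESC
LIMIT 50;

-- 3. Single-alert detail (what the alert display shows): the rule that fired,
--    the IP header fields, and the hex-encoded payload for one event.
SELECT sig.sig_name, sig.sig_priority, sig.sig_sid, sig.sig_rev,
       INET_NTOA(ip.ip_src) AS src,
       INET_NTOA(ip.ip_dst) AS dst,
       ip.ip_proto, ip.ip_ttl, ip.ip_len,
       d.data_payload
FROM event e
JOIN signature sig   ON sig.sig_id = e.signature
JOIN iphdr ip        ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN data d     ON d.sid = e.sid AND d.cid = e.cid
WHERE e.sid = 1 AND e.cid = 4242;             -- constructed sample event id
```

Running queries like these by hand in the mysql client is also a quick check that Snort's database output plugin is actually writing events; an empty event table means the problem is on the Snort side, not in ACID.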
This chapter discusses the installation of ACID with Apache on Unix-based systems, primarily because most of the components that ACID requires were developed using this setup, and you will have a more reliable experience using the native configuration. We will use MySQL as the database backend. If you would like to install ACID on a Windows system, there are several tutorials available on the Internet.