9.5. ACID


Digging through Snort alerts, regardless of how they are stored, can be a real headache. Beyond merely being difficult to manage, it can be even harder to recognize patterns, perform queries, and gather statistics. There are a number of tools that help with NIDS log analysis. One of the most popular tools is the Analysis Console for Intrusion Databases (ACID), a PHP-based system for querying and analyzing NIDS alerts.

ACID is designed to be a general-purpose intrusion detection analysis system. It is not focused simply on Snort; ACID can pull in firewall logs and raw TCP dumps as well. Although there are more input methods planned, development of ACID seems to have stalled. The last release as of the time of this writing was January 2003. Nevertheless, even with a slightly antiquated code base, ACID is still a valuable tool.

9.5.1. Installing ACID

FreeBSD administrators may install ACID from ports/acid or download ACID from the main ACID site, available at: http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html. OpenBSD administrators must fetch the compressed tarball and install by hand.

ACID has many dependencies, including Apache, PHP, and MySQL. Given that you normally try to run your IDS sensors in a secure and locked-down configuration, it is advisable to run ACID on a system other than your sensor host. ACID should be run on a backend host that has access to all your Snort logs. Ideally, you're using MySQL or some other database on a central server to store all the Snort alerts, and ACID can be pointed directly at this server, or even run on the same host.

9.5.2. Configuring ACID

Once ACID is installed, there are only a few small configuration changes left to make. The acid_conf.php file controls the behavior of ACID. In it, you set the type of database ACID is running against and the specifics of how to access that database. In Example 9-1, ACID is running on the same host as the MySQL database server. Adjust the values in acid_conf.php to match your environment.

Example 9-1. acid_conf.php

    $dbtype           = "mysql";          /* database type ACID queries */
    $alert_dbname     = "snort";          /* database holding live alerts */
    $alert_host       = "localhost";
    $alert_port       = "";               /* empty = default port */
    $alert_user       = "root";
    $alert_password   = "MySQLrootpass";
    $archive_dbname   = "snort_archive";  /* database holding archived alerts */
    $archive_host     = "localhost";
    $archive_port     = "";
    $archive_user     = "root";
    $archive_password = "MySQLrootpass";

There may be other configuration options that need to change based on your local environment. Be sure to check the entire configuration file to see if anything needs to be modified.

ACID does not provide any native security. If users have IP-level access to your web server and you have no security protecting ACID, they will be able to view your IDS logs. This is an advantage you don't want to give an attacker. At the time this book was written, querying Google for "Analysis Console for Intrusion Databases" and "queried on" (two strings on the main ACID page) resulted in over 70 publicly accessible ACID installations.

Put your ACID installation behind your external firewall and make sure users on the Internet at large cannot reach it. Also, consider using HTTP authentication available under Apache to provide a user/password based protection mechanism. You will also want to use SSL to protect the authentication credentials and subsequent data in transit. Configuring Apache to provide SSL encrypted content and authentication is covered in Chapter 6.
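The following Apache configuration fragment is an added illustration of the protections just described; it is not from the book or from the ACID project. It restricts the ACID directory to an internal analyst network, refuses plain HTTP, and requires a username and password. The install path /usr/local/www/acid, the password file path, and the 192.168.1.0/24 network are assumptions, and the access-control syntax (Order/Deny/Allow) is the Apache 1.3/2.0-era form in use when the book was written.

```apache
# Added example, not part of the book. Paths and network below are assumptions.
# Create the password file first, outside the DocumentRoot, one entry per analyst:
#   htpasswd -c /usr/local/etc/apache/acid.htpasswd analyst

<Directory "/usr/local/www/acid">
    # Refuse any request that did not arrive over SSL, so Basic-auth
    # credentials and alert data are never sent in the clear (mod_ssl)
    SSLRequireSSL

    # Only hosts on the internal analyst network may reach the console;
    # the external firewall should block it as well (defense in depth)
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    # HTTP Basic authentication backed by the htpasswd file created above
    AuthType Basic
    AuthName "ACID - Intrusion Detection Console"
    AuthUserFile /usr/local/etc/apache/acid.htpasswd
    Require valid-user

    # Both the network restriction and the login must pass
    Satisfy All
</Directory>
```

With Satisfy All, a request from the wrong network is rejected even with a valid password, and a request from the right network is still rejected without one. Note also that Example 9-1 connects to MySQL as root; a dedicated account granted only the privileges ACID needs on the snort and snort_archive databases limits what a compromised console could do to the alert data.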

9.5.3. Running ACID

The screenshot of ACID in Figure 9-9 speaks volumes about its ability to display information about alerts Snort has generated. Prior to running ACID, we had flat files and database tables to dig through. While all the information was there, it was hard to determine what was really going on. ACID provides one-click views into the types of attacks occurring, the most frequent source and destination IPs and ports, and overall traffic makeup. It also has a search page that allows you to dig down into the data to find exactly what you want. ACID is largely GUI driven, so it is relatively self-explanatory. The best way to learn how to use ACID is to get a sensor up and running and watch as the attacks roll in.

Figure 9-9. The main ACID screen


Mastering FreeBSD and OpenBSD Security