
Securing Your Environment: Part 2

SNORT looks for intrusions, while ACID can help you make sense of what’s happened after an intrusion.

Last month’s article looked at iptables firewall management with Big Fish. This month, let’s take a look at intrusion detection using SNORT, along with its LAMP-based analysis add-on, ACID, short for “Analysis Console for Intrusion Databases.”
SNORT, lovingly referred to as “the pig,” is an advanced packet sniffer and logger that analyzes traffic on your network. It can be set up for protocol analysis, regular expression string matching, and network attack detection, including buffer overflows, stealth port scans, SMB probes, and many more.
ACID is a PHP-based application that provides a graphical user interface for analysis of intrusion detection system (IDS) databases, including SNORT’s. ACID is a perfect partner for SNORT, as its interface allows you to review and examine alerts based on source/destination ports and addresses, layer-3 and layer-4 packet information, and dynamically generated graphs. The charts and graphs are based on alert type, time, sensor, signature, protocol, IP address, and ports. ACID also provides an advanced alert management system that lets you group individual alerts to form incidents and gives you flexible control over false positives. ACID can also analyze, report, and alert against firewall logs.
SNORT is an open-source package released under the GNU GPL. The latest SNORT package can be downloaded at http://www.snort.org/dl/. The version used here is 2.3.0.RC1. The latest ACID package is available from http://acidlab.sourceforge.net/. Although the latest ACID version is dated January 2003, it is still valid and works seamlessly…
