July 14, 2011, 5:59 p.m.
posted by alexpi
Keep Track of Alerts
Use ACID to make sense of your IDS logs.
Once you have set up Snort to log information to your database [Hack #82] ), you may find it hard to cope with all the data that it generates. Very busy and high-profile sites can generate a huge number of Snort warnings that eventually need to be tracked down. One way to alleviate the problem is to install ACID (http://acidlab.sourceforge.net).
ACID , otherwise known as the Analysis Console for Intrusion Databases, is a web-based frontend to databases that contain alerts from intrusion detection systems. It features the ability to search for alerts based on a variety of criteria, such as alert signature, time of detection, source and destination address and ports, as well as payload or flag values. ACID can display the packets that triggered the alerts, as well as decode their layer-3 and layer-4 information. ACID also contains alert management features that allow you to group alerts based on incident, delete acknowledged or false positive alerts, email alerts, or archive them to another database. ACID also provides many different statistics on the alerts in your database based on time, the sensor they were generated by, signature, and packet-related statistics such as protocol, address, or port.
To install ACID, you'll first need a web server and a working installation of PHP (e.g., Apache and mod_php), as well as a Snort installation that has been configured to log to a database (e.g., MySQL). You will also need a couple of PHP code libraries: ADODB (http://php.weblogs.com/adodb) for database abstraction and either PHPlot (http://www.phplot.com) or JPGraph (http://www.aditus.nu/jpgraph) for graphics rendering.
After you have downloaded these packages, unpack them into a directory that can be used to execute PHP content on the web server. Next, change to the directory that was created by unpacking the ACID distribution (i.e., ./acid) and edit the acid_conf.php file. Here you will need to tell ACID where to find ADODB and JPGraph, as well as how to connect to your Snort database.
You can do this by changing these variables to similar values that fit your situation:
$Dblib_path = "../adodb"; $Dbtype = "mysql"; $alert_dbname = "SNORT"; $alert_host = "localhost"; $alert_port = ""; $alert_user="snort"; $alert_password = "snortpass";
This will tell ACID to look for the ADODB code in the adodb directory at the same directory level as the acid directory. In addition, it will tell ACID to connect to a MySQL database called SNORT that is running on the local machine, using the user snort with the password snortpass. Since it is connecting to a MySQL server on the local machine, there is no need to specify a port number. If you want to connect to a database running on another system, you should specify 3389, which is the default port used by MySQL.
Additionally, you can configure an archive database for ACID using variables that are similar to the ones used to configure the alert database. The following variables will need to be set to use ACID's archiving features:
$archive_dbname $archive_host $archive_port $archive_user $archive_password
To tell ACID where to find the graphing library that you want to use, you will need to set the $ChartLib_path variable. If you are using JPGraph 1.13 and have unpacked it from the same directory you unpacked the ACID distribution, you would enter something like this:
$ChartLib_path = "../jpgraph-1.13/src";
Congratulations! You're finished mucking about in configuration files for the time being. Now open a web browser and go to the URL that corresponds to the directory where you unpacked ACID. You should then be greeted with a database setup page as shown in Figure.
Before you can use ACID, it must create some database tables for its own use. To do this, click the Create ACID AG button. After this, you should see a screen confirming that the tables were created. In addition, you can have ACID create indexes for your events table if this was not done prior to setting up ACID. Indexes will greatly speed up queries as your events table grows, at the expense of using a little more disk space. Once you are done with the setup screen, you can click the Home link to go to the main ACID page, as seen in Figure.
ACID has a fairly intuitive user interface. The main table provides plenty of links to see many useful views of the database at a glance, such as the list of source or destination IP addresses associated with the alerts in your database, as well as the source and destination ports.