File: control

package info
acidlab 0.9.6b20-2
  • links: PTS
  • area: main
  • in suites: woody
  • size: 696 kB
  • ctags: 1,462
  • sloc: php: 9,625; sql: 140
Source: acidlab
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Section: web
Priority: extra
Standards-Version: 3.5.6
Build-Depends-Indep: grep-dctrl, yada (>= 0.9.9)

Package: acidlab
Architecture: all
Depends: php4 | php3 | php4-cgi | php3-cgi, php4-gd | php4-cgi-gd | php3-gd | php3-cgi-gd, apache | httpd, wwwconfig-common (>= 0.0.7), libphp-phplot, libphp-adodb, debconf
Suggests: snort-mysql | snort-pgsql
Description: Analysis Console for Intrusion Databases
 The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis
 engine to search and process a database of security events generated by
 various IDSes, firewalls, and network monitoring tools.  The features currently
 include:
 .
 o Query-builder and search interface for finding alerts matching
   on alert meta information (e.g. signature, detection time) as well as
   the underlying network evidence (e.g. source/destination address, ports,
   payload, or flags).
 .
 o Packet viewer (decoder) will graphically display the layer-3 and
   layer-4 packet information of logged alerts.
 .
 o Alert management by providing constructs to logically group alerts
   to create incidents (alert groups), deleting the handled alerts or
   false positives, exporting to email for collaboration, or archiving of
   alerts to transfer them between alert databases.
 .
 o Chart and statistic generation based on time, sensor, signature, protocol,
   IP address, TCP/UDP ports, or classification.
 .
 ACID has the ability to analyze a wide variety of events which are
 post-processed into its database.  Tools exist for the following formats:
 .
  o using Snort (www.snort.org)
     - Snort alerts
     - tcpdump binary logs
 .
  o using logsnorter (www.snort.org/downloads/logsnorter-0.2.tar.gz)
     - Cisco PIX
     - ipchains
     - iptables
     - ipfw