Analysis Console for Intrusion Databases (ACID)

Analysis Console for Intrusion Databases

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools. The features currently include:

Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).
Packet viewer (decoder) will graphically display the layer-3 and layer-4 packet information of logged alerts
Alert management by providing constructs to logically group alerts to create incidents (alert groups), deleting the handled alerts or false positives, exporting to email for collaboration, or archiving of alerts to transfer them between alert databases.
Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification

ACID has the ability to analyze a wide variety of events which are post-processed into its database. Tools exist for the following formats:

using Snort (www.snort.org)
- Snort alerts
- tcpdump binary logs
using logsnorter ( www.snort.org/downloads/logsnorter-0.2.tar.gz)
- ipchains
- iptables
- ipfw

This web page contains the latest information about the ACID application development status. It should be noted that ACID is the result of ongoing work at the CERT Coordination Center for the AIRCERT project. We encourage you to visit the AIRCERT website for more information on how you can benefit from participating in the prototype.

Documentation (applicable to v0.9.5 and later)

Installation and Configuration
FAQ
Configuration Parameters
Searching and Specifying Criteria
Alert Group
Managing Large Alert Databases (Deleting and Archiving)
Performance Tuning
Latest CHANGELOG
TODO
CREDITS

Screen Captures

DB ER Diagram: schema v0, v100-103
DB API
CVS Repository

anonymous CVS access
Browse CVS on web

Rough ACID performance comparison

Download

Version Date Description Download (MD5)

0.9.6b23 01/08/2003 RECOMMENDED: year 2003 fixes acid-0.9.6b23.tar.gz
d8c49614393fa05ac140de349f57e438

0.9.6b22 10/09/2002 new charts and alert action acid-0.9.6b22.tar.gz
3624a0d7272223386a5971ef55f947fd

0.9.6b21 03/03/2002 PostgreSQL 7.2 support, CSV export acid-0.9.6b21.tar.gz
a0e2ccfa072dc96832dc54cb3c834d82

older
versions

Dependencies: PHP; ADODB; PHPlot or JPGraph libraries

Please direct any feedback to the acidlab-users mailing list or you can contact the author directly.

Roman Danyliw < rdd@cert.org, roman@danyliw.com>