Keep Track of Alerts

Use ACID to make sense of your IDS logs.

Once you have set up Snort to log information to your database [Hack #82], you may find it hard to cope with all the data that it generates. Very busy and high-profile sites can generate a huge number of Snort warnings that eventually need to be tracked down. One way to alleviate the problem is to install ACID (http://acidlab.sourceforge.net).

ACID, otherwise known as the Analysis Console for Intrusion Databases, is a web-based frontend to databases that contain alerts from intrusion detection systems. It can search for alerts based on a variety of criteria, such as alert signature, time of detection, source and destination address and ports, as well as payload or flag values. ACID can display the packets that triggered the alerts and decode their layer-3 and layer-4 information. It also contains alert management features that let you group alerts by incident, delete acknowledged or false-positive alerts, email alerts, or archive them to another database. Finally, ACID provides many different statistics on the alerts in your database, broken down by time, by the sensor that generated them, by signature, and by packet attributes such as protocol, address, or port.
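To make concrete what ACID is doing behind its search forms and statistics pages, here is an added example (not code from the book or from the ACID project) that runs the same kinds of queries against an in-memory SQLite replica of a Snort alert database. The table and column names (sensor, signature, event, iphdr, tcphdr, sid/cid, sig_name, ip_src, tcp_dport, and so on) follow the Snort database output plugin's schema, but the schema used here is a simplified, constructed subset: SQLite stands in for MySQL, addresses are stored as text rather than packed integers, and all alert rows are constructed sample data.

```python
"""Added example: ACID-style searches and statistics over a Snort-like alert
database. The schema is a simplified, constructed subset modelled on the Snort
database output plugin's tables; all rows are constructed sample data."""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT, ip_proto INTEGER,
                        PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                        PRIMARY KEY (sid, cid));
"""

# Constructed sample data: one sensor, three signatures, six alerts.
BASE = datetime(2024, 1, 15, 10, 0, 0)
SENSORS = [(1, "sensor1", "eth0")]
SIGNATURES = [(1, "WEB-MISC /etc/passwd", 2), (2, "SCAN nmap TCP", 3), (3, "ICMP PING NMAP", 3)]
# (sid, cid, sig_id, minutes after BASE, ip_src, ip_dst, ip_proto, sport, dport)
ALERTS = [
    (1, 1, 1, 0,  "203.0.113.5",  "192.0.2.10", 6, 40001, 80),
    (1, 2, 1, 5,  "203.0.113.5",  "192.0.2.10", 6, 40002, 80),
    (1, 3, 2, 7,  "203.0.113.9",  "192.0.2.10", 6, 50000, 22),
    (1, 4, 2, 9,  "203.0.113.9",  "192.0.2.11", 6, 50001, 22),
    (1, 5, 3, 60, "203.0.113.9",  "192.0.2.10", 1, None,  None),   # ICMP: no tcphdr row
    (1, 6, 1, 65, "198.51.100.7", "192.0.2.12", 6, 40100, 443),
]


def build_db():
    """Create the in-memory database and load the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?)", SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", SIGNATURES)
    for sid, cid, sig, mins, src, dst, proto, sport, dport in ALERTS:
        ts = (BASE + timedelta(minutes=mins)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)", (sid, cid, src, dst, proto))
        if proto == 6:  # only TCP alerts carry a tcphdr row, as in Snort's schema
            conn.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))
    return conn


def alerts_by_signature(conn):
    """Alert count per signature, most frequent first (ACID's signature statistics)."""
    return conn.execute("""
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_name ORDER BY n DESC, s.sig_name""").fetchall()


def search_alerts(conn, src=None, dport=None, since=None, until=None):
    """Search by source address, destination port and/or time window.
    The LEFT JOIN keeps non-TCP alerts unless a port filter is applied."""
    sql = """SELECT e.sid, e.cid, s.sig_name, e.timestamp, i.ip_src, i.ip_dst, t.tcp_dport
             FROM event e
             JOIN signature s ON s.sig_id = e.signature
             JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
             LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
             WHERE 1 = 1"""
    params = []
    if src is not None:
        sql += " AND i.ip_src = ?"
        params.append(src)
    if dport is not None:
        sql += " AND t.tcp_dport = ?"
        params.append(dport)
    if since is not None:
        sql += " AND e.timestamp >= ?"
        params.append(since)
    if until is not None:
        sql += " AND e.timestamp < ?"
        params.append(until)
    sql += " ORDER BY e.timestamp, e.cid"
    return conn.execute(sql, params).fetchall()


def top_sources(conn, limit=5):
    """Noisiest source addresses with how many distinct targets each touched."""
    return conn.execute("""
        SELECT ip_src, COUNT(*) AS n, COUNT(DISTINCT ip_dst) AS targets
        FROM iphdr GROUP BY ip_src ORDER BY n DESC, ip_src LIMIT ?""", (limit,)).fetchall()


def alerts_per_hour(conn):
    """Alert volume per hour bucket (the time-based statistics ACID graphs)."""
    return conn.execute("""
        SELECT substr(timestamp, 1, 13) AS hour, COUNT(*) FROM event
        GROUP BY hour ORDER BY hour""").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("by signature:", alerts_by_signature(db))
    print("from 203.0.113.9 to port 22:", search_alerts(db, src="203.0.113.9", dport=22))
    print("top sources:", top_sources(db))
    print("per hour:", alerts_per_hour(db))
```

The queries are bound with placeholders rather than string-built, which matters for any web frontend that turns form fields into SQL; the same parameterised pattern applies when these searches run against a real MySQL-backed Snort database.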

To install ACID, you’ll first need a web server and a working installation of PHP (e.g., Apache and mod_php), as well as a Snort installation that has been configured to log to a database (e.g., MySQL). You will also need ...
