Analysis Console for Intrusion Databases
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis
engine to search and process a database of security events generated by
various IDSes, firewalls, and network monitoring tools. The features currently
ACID has the ability to analyze a wide variety of events which are
post-processed into its database. Tools exist for the following formats:
- Query-builder and search interface for finding alerts matching
on alert meta information (e.g. signature, detection time) as well as
the underlying network evidence (e.g. source/destination address, ports,
payload, or flags).
- Packet viewer (decoder) will graphically display the layer-3 and
layer-4 packet information of logged alerts
- Alert management by providing constructs to logically group alerts
to create incidents (alert groups), deleting the handled alerts or
false positives, exporting to email for collaboration, or archiving of
alerts to transfer them between alert databases.
- Chart and statistics generation based on time, sensor, signature, protocol,
IP address, TCP/UDP ports, or classification
This web page contains the latest information about the ACID application
development status. It should be noted that ACID is the result of ongoing work
at the CERT Coordination Center
the AIRCERT project. We encourage
you to visit the AIRCERT website for more information on how you can
benefit from participating in the prototype.
Documentation (applicable to v0.9.5 and later)
||RECOMMENDED: year 2003 fixes
||new charts and alert action
||PostgreSQL 7.2 support, CSV export
Please direct any feedback to the acidlab-users
or you can
contact the author directly.