Chapter 6     Using ACID and SnortSnarf with Snort
6.1 What is ACID?
ACID consists of many Pretty Home Page (PHP) scripts and configuration files that
work together to collect and analyze information from a database and present it through
a web interface. Users interact with ACID through a web browser. You have to have
a web server, a database server, PHP and some other tools installed on your system to
make it work. For the sake of this book, I am using a RedHat Linux 7.1 machine. I have
installed the Apache web server, PHP, and MySQL, which are part of the RedHat distribution.
The database is configured to work with Snort as explained in Chapter 5. The latest
version of ACID is available from http://www.cert.org/kb/acid/.
ACID offers many features:
1. Searching can be done on a large number of criteria such as source and destination
addresses, time, ports and so on, as shown in Figure 6-7.
2. Packet viewing shows the different parts of a packet. You can view the individual
header fields as well as the payload. Refer to Figure 6-6 for an example of an
ICMP packet.
3. Alerts can be managed by creating alert classes, exporting and deleting them, and
sending them to an e-mail address.
4. Graphical representation includes charts based upon time, protocol, IP
addresses, port numbers and classifications.
5. Snapshots can be taken of the alerts database. As an example, you can view
alerts for the last 24 hours, unique alerts, frequent alerts and so on. Refer to
Figure 6-7 for detail on snapshots.
6. You can go to different whois databases on the Internet to find out who owns a
particular IP address that is attacking your network. You can then contact the
responsible person to stop it. The whois database contains information about
owners of domain names and IP addresses.
All of these facilities are available through the web browser. You point the web
browser to a URL to access the ACID screens. For example, I can use
http://www.conformix.com/acid/ on my intranet site to view logs. The web pages are
written in PHP. Support packages like the GD library and PHPLOT are used to draw graphs
on the web pages. PHP connects to the backend MySQL database to get and update data.
For this purpose, you have to provide the database user name and password.
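To make the database side of this picture concrete, the following is an added example (not code from the book or from ACID itself) that runs ACID-style "snapshot" and "search" queries against a small in-memory SQLite copy of Snort's alert tables. The table and column names (event, signature, iphdr, with addresses stored as unsigned 32-bit integers) are assumed from Snort's database output schema, and the alert rows are constructed sample data.

```python
# Added example: ACID-style snapshot and search queries over a Snort-style
# alert database. Table/column names are assumed from Snort's DB schema;
# all rows are constructed sample data, not real alerts.
import sqlite3
from datetime import datetime, timedelta
from ipaddress import IPv4Address

NOW = datetime(2003, 5, 1, 12, 0, 0)  # constructed "current time" for the snapshot

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT);
        CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT);
    """)
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   [(1, "ICMP PING"), (2, "WEB-MISC /etc/passwd")])
    src_a, src_b = int(IPv4Address("192.0.2.10")), int(IPv4Address("198.51.100.7"))
    dst = int(IPv4Address("10.0.0.5"))
    rows = [  # (cid, sig_id, hours ago, source address) -- constructed alerts
        (1, 1, 1, src_a), (2, 1, 2, src_a), (3, 2, 3, src_b), (5, 1, 5, src_a),
        (4, 1, 30, src_b),  # older than 24 hours: must drop out of the snapshot
    ]
    for cid, sig, hours, src in rows:
        ts = (NOW - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S")
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, 1)", (cid, src, dst))
    return db

def snapshot_last_24h(db):
    """ACID 'last 24 hours' snapshot: unique alerts with counts, most frequent first."""
    since = (NOW - timedelta(hours=24)).strftime("%Y-%m-%d %H:%M:%S")
    return db.execute("""
        SELECT s.sig_name, COUNT(*) AS n FROM event e
        JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ? GROUP BY s.sig_name ORDER BY n DESC, s.sig_name
    """, (since,)).fetchall()

def search_by_source(db, addr):
    """ACID 'search by source address': every alert raised by one source host."""
    return db.execute("""
        SELECT s.sig_name, e.timestamp FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        WHERE i.ip_src = ? ORDER BY e.timestamp""", (int(IPv4Address(addr)),)).fetchall()

def top_sources(db):
    """Most active source hosts, turning Snort's integer addresses back into dotted form."""
    return [(str(IPv4Address(src)), n) for src, n in db.execute(
        "SELECT ip_src, COUNT(*) AS n FROM iphdr GROUP BY ip_src ORDER BY n DESC, ip_src")]
```

The integer-to-dotted conversion in top_sources is the same step ACID performs before handing an address to a whois lookup.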
The big picture of the whole system, including Snort, MySQL, the web server, PHP
and the web browser, is shown in Figure 1-1 in Chapter 1. The following is a brief,
step-by-step description of what happens when an intruder attempts to get into your network.