Snort has always been, and still is, my favorite IDS (Intrusion Detection System), although I now manage many UTM (Unified Threat Management) firewalls with built-in IDS/IPS (Intrusion Detection/Prevention). The commercial UTM firewalls with IDS/IPS are easy to use and configure, but they come with a high price tag and aren't easy to customize. Even though Snort is not that easy to install, configure and manage, it is still the most popular IDS/IPS today because it is open source and free, easily customizable, makes writing rules easy, has signatures that are kept up-to-date by its community, and has plenty of excellent documentation, guides and books.
Snort captures an enormous amount of data from the network and generates alerts based on its rules and signatures. There are currently three excellent and relatively user-friendly ways to manage and analyze Snort data:
1. ACID (Analysis Console for Intrusion Databases)
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.
2. BASE (Basic Analysis and Security Engine)
BASE is based on the code from the Analysis Console for Intrusion Databases (ACID) project. It provides a web front-end to query and analyze the alerts coming from a Snort IDS.
3. Sguil (Snort GUI for LamerZ)
Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures.
If you're asking what the difference between them is, here are five reasons why Sguil is different from ACID, BASE, and similar products.
Currently I'm trying Sguil to see how good it is. I've installed the Sguil server and sensor on CentOS 4.x and the Sguil client on my Mac OS X machine. The server installation was not that easy, but once installed it runs smoothly. I must say that there are many good features in Sguil; among them I like the near-real-time alerts, the escalation and accountability features, the collection of session data using SANCP, and the conversation summaries.