Snort: Intrusion Detection/Prevention Management

Snort has always been, and still is, my favorite IDS (Intrusion Detection System), although I now manage many UTM (Unified Threat Management) firewalls with built-in IPS/IDS (Intrusion Prevention/Detection). The commercial UTM firewalls with IPS/IDS are easy to use and configure, but they come with a high price tag and aren’t easy to customize. Even though Snort is not that easy to install, configure and manage, it is still the most popular IDS/IPS today because it is open source, free and easily customizable, rules are easy to create, its signatures are kept up to date by the community, and there is plenty of excellent documentation, guides and books.

Snort captures an enormous amount of data from the network and generates alerts based on its rules and signatures. There are currently three excellent and relatively user-friendly ways to manage and analyze the Snort data:

1. ACID (Analysis Console for Intrusion Databases)

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

ACID: Installation and Configuration

2. BASE (Basic Analysis and Security Engine)

It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS system.

Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core (pdf)

3. Sguil (Snort GUI for LamerZ)

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures.

Sguil on RedHat HOWTO

If you’re asking what the difference between them is, here are five reasons why Sguil is different from ACID, BASE, and similar products.
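All three consoles start from the same raw material: the alert lines Snort writes for each rule hit. As an added example (not code from the post or from any of these projects), here is a small Python parser for Snort’s "fast" alert output that turns lines into records and aggregates them per signature and per source, which is the first view a console like BASE or Sguil shows an analyst. The sample lines are constructed, and the parser assumes IPv4 addresses.

```python
import re
from collections import Counter

# Constructed sample output in Snort's "fast" alert format (alert_fast), not
# taken from the post. The last line is deliberately not an alert.
SAMPLE_ALERTS = """\
05/12-14:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:80 -> 192.168.1.20:51234
05/12-14:02:15.654321  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 192.168.1.20 -> 10.0.0.7
05/12-14:03:02.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:80 -> 192.168.1.21:51300
this line is not an alert and must be skipped rather than crash the parser
"""

# timestamp, [gid:sid:rev], msg, optional classification, priority, proto, src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(endpoint):
    """'ip:port' -> (ip, port); ICMP endpoints carry no port. Assumes IPv4."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)

def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"])
    dst_ip, dst_port = split_endpoint(d["dst"])
    return {"timestamp": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]),
            "rev": int(d["rev"]), "msg": d["msg"], "classification": d["cls"],
            "priority": int(d["prio"]), "proto": d["proto"], "src_ip": src_ip,
            "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

def parse_alerts(text):
    """Parse every non-empty line; return (alerts, count of unparseable lines)."""
    parsed = [(line, parse_alert(line)) for line in text.splitlines() if line.strip()]
    alerts = [a for _, a in parsed if a is not None]
    return alerts, len(parsed) - len(alerts)

def summarize(alerts):
    """Alert counts per signature and per source IP, the first view a console shows."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    return by_sig, by_src
```

Unparseable lines are counted rather than silently dropped, so a truncated or rotated log file shows up as a number the analyst can see.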

Currently I’m trying Sguil to see how good it is. I’ve installed the Sguil server and sensor on CentOS 4.x and the Sguil client on my Mac OS X machine. The server installation was not that easy, but once installed it runs smoothly. I must say that Sguil has many good features; among them I like the alerts in near real-time, the escalation and accountability features, the collection of session data using SANCP, and the summaries of conversations.


3 comments on “Snort: Intrusion Detection/Prevention Management”
  1. I wouldn’t really recommend ACID to anyone these days. The project has been dead for quite some time, but the BASE folks forked it and have been making a lot of great improvements.

    Also, thanks for the kind words about Sguil. I’m the author of the Sguil HOWTO you mentioned, and I’d like to point out that anyone interested in learning more can find a lot of information on our wiki (NSMWiki) at http://wiki.sguil.net.

  2. Hi David,

    Thanks for the comment. I agree with you about ACID’s current status. It used to be the best some years ago, but now BASE has taken over.

    I’m really loving Sguil, and thanks for the excellent Sguil HOWTO.

  3. Salik says:

    Good work here.