Analysis Console for Incident Databases (ACID) v0.9.0

By Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>

This plugin was developed at the CERT Coordination Center as a part 
of the AIRCERT project.

See http://www.cert.org/kb/acid for the most up to date 
information and documentation about this application.

Mirrored: http://www.andrew.cmu.edu/~rdanyliw/snort/


-------------------------------------------------------------------------------
** Copyright (C) 2000 Carnegie Mellon University
**
** Authors: Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-------------------------------------------------------------------------------

I. ABOUT
========

ACID is a PHP-based analysis engine to search and process a database of 
security incidents generated by the NIDS Snort.  The features currently
include:

 - Search interface for finding alerts matching practically any criteria.
   This includes arrival time, signature time, source/dest address/port,
   flags, payload, etc.  Furthermore, these queries can be made arbitrarily
   complex to satisfy almost any parameters.

 - Statistics:
     - % of traffic for each protocol
     - Alerts: # of src/dst IP, last/first arrival time
     - Graph # of arrived alerts over a period of time
     - last x-number of alerts by protocol

 - All features are provided in real-time 

Credits:

  = Jed Pickel <jed@pickel.net>
      - Author of the Snort database plugin
      - All sorts of ideas for the ACID design

  = The previous work of Yen-Ming Chen <yenming.chen@foundstone.com>
    and Silicon Defence <www.silicondefence.com> (SnortSnarf) in the
    domain of Snort log analysis needs to be acknowledged.

II. PREREQUISITES
=================

 - MySQL as the database used by Snort to store the alert information.

 - PHP-enabled Apache web server.
     = PHP must be compiled with MySQL support (--with-mysql)

     = It need not be PHP 4; PHP 3 should probably work (read: totally
       untested).  However, since all ACID files have the extension .php,
       the Apache MIME type for PHP 3 must be expanded to cover not only
       .php3 but also .php.  See the Apache documentation for the specifics
       of modifying httpd.conf.  If loading a .php page returns a dialog box
       asking you to save the file, the server MIME types are not configured
       correctly.

 - A development version of Snort after v.1.6.3.  Upgrading to a newer version
   of the database plugin has significant logging advantages.  See Jed's 
   documentation in spo_log_database.c of the Snort source code.

III. INSTALLATION
=================

 0. At this point it is assumed that PHP is working and that Snort is 
    successfully logging to a MySQL database.

    If not, check the following sites for configuration help:
      = Apache: www.apache.org
      = PHP: www.php.net
      = Snort: www.snort.org
      = Snort DB-plugin: www.incident.org

 1. Copy the ACID distribution into a directory viewable/served by 
    the PHP server.

      e.g.  % cp php_acid.0.9.2.tar.gz /home/httpd/html

 2. Extract and uncompress the ACID distribution.

       e.g.  % tar xvfz php_acid.0.9.2.tar.gz 


IV. CONFIGURATION
=================

 3. The file 'acid_conf.php' controls the configuration of ACID.  

    This file is PHP code which will be included in each ACID page 
    request.  Since 'acid_conf.php' is PHP, it is imperative that the opening 
    '<?php' and closing '?>' tags not be removed from the file. 
    Furthermore, as a PHP file, all conventions of the PHP language (e.g. 
    comment syntax) apply.

    The general format of each configuration entry is:

       $<variable name> = <value>;
   
    The only variables which need to be changed from their default 
    configuration are the database connection details.  These variables
    are as follows:

       = $alert_dbname   : MySQL database name where the alerts are stored 
       = $alert_host     : host where the database is stored
       = $alert_port     : port where the database is stored
       = $alert_user     : username into the database
       = $alert_password : password for the username

    All this information can be extracted from the Snort database plugin
    configuration.

 4. Read the security notes about deploying ACID.

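Added example, not part of the ACID distribution: a small Python checker
for acid_conf.php that enforces the two points above (the '<?php' and '?>'
tags must survive, and the five database-connection variables must be set
and non-empty) before the file is deployed.  The sample file and every value
in it are constructed placeholders; the checker's line-per-assignment
parsing is this script's assumption, not an ACID feature.

```python
import re

# Variables the README says must be set for the database connection.
REQUIRED_VARS = ("alert_dbname", "alert_host", "alert_port",
                 "alert_user", "alert_password")

# One assignment per line:  $name = <value>;  optionally followed by a
# trailing // or # comment.  Values may be quoted or bare.
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*;\s*(?:(?://|#).*)?$')

# Constructed sample acid_conf.php; every value here is a placeholder.
# Note the empty port and the commented-out password: both are defects
# the checker should report.
SAMPLE_CONF = '''<?php
/* constructed sample, values are placeholders */
$alert_dbname   = "snort_log";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "acid_ro";
// $alert_password = "CHANGE_ME";
?>
'''


def strip_php_comments(src):
    """Drop /* ... */ block comments so commented-out entries are ignored."""
    return re.sub(r'/\*.*?\*/', '', src, flags=re.S)


def parse_conf(src):
    """Return {name: value} for every top-level $name = value; assignment."""
    entries = {}
    for line in strip_php_comments(src).splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).strip('"\'')
    return entries


def check_acid_conf(src):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    body = src.strip()
    if not body.startswith('<?php'):
        problems.append("missing opening '<?php' tag")
    if not body.endswith('?>'):
        problems.append("missing closing '?>' tag")
    entries = parse_conf(src)
    for name in REQUIRED_VARS:
        if name not in entries:
            problems.append("$%s is not set" % name)
        elif entries[name] == '':
            problems.append("$%s is empty" % name)
    return problems


if __name__ == "__main__":
    for p in check_acid_conf(SAMPLE_CONF):
        print("acid_conf.php:", p)
```

Run it against the real acid_conf.php by reading the file into check_acid_conf() in place of SAMPLE_CONF.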

V. SECURITY
===========

  - ACID is currently _alpha_.  No real work has been done in validating
    any input.  Therefore, exercise extreme caution in deploying this
    application to a public area.

  - The Snort database passwords configured in ACID are only as secure
    as any other PHP "code".
  
