ACARM

GettingStarted

ACARM-ng can gather data from multiple sensors, which fall into two main categories: HIDS (Host-based Intrusion Detection System) and NIDS (Network-based Intrusion Detection System). A HIDS provides information such as failed logins, package installations, system updates and virtually everything else that goes to the system logs. A NIDS works the other way round: it is not installed on the monitored hosts but monitors network traffic in search of malicious activity. The number of NIDSs deployed in a network depends on its topology as well as its size.

Since ACARM-ng has a modular structure, you are free to implement your own input module to collect alerts from any sensor. Out of the box, ACARM-ng ships with the InputPrelude module and can collect alerts from Prelude-Manager, which is supported by many sensors and can act as an alert concentrator.


Fig. 1 Simple network of sensors with 2 Prelude-Managers as hubs.

To take full advantage of ACARM-ng you have to set up not only a network of sensors but also triggers, which inform you about possible break-in attempts. ACARM-ng ships with the following triggers:

  • GG
  • Mail
  • Jabber
  • File
  • External application

These let you receive notifications via Gadu-Gadu, e-mail or Jabber, write alerts to files, or call an external script or application to analyze the output alert.

Example applications:

  • Using NIDS

Fig. 2 Computer with the Snort connected to a switch.

You can connect a network sensor such as Snort to a switch configured to copy all traffic to a specified port (all modern switches are capable of this), where the computer running Snort is plugged in. Then set that computer's network interface to promiscuous mode and you are done: all network traffic is now examined for attacks.

  • Using HIDS

Fig. 3 One computer acting as a log-host for a cluster.

In this case you are managing a cluster of computers and want to search their logs for potentially dangerous messages. You could install a HIDS on each and every machine, but that would be tiresome and hard to manage. Instead, install the HIDS on only one node, usually called the log host, and configure syslog on each host to relay its messages to the log host. You will still be able to distinguish which host each alert is coming from.
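The log-host setup above works because each relayed syslog line carries the hostname of the node that produced it, so log-based detection can still attribute an alert to its source. The following is an added example (not part of ACARM-ng or this page) that parses constructed BSD-style syslog lines as a log host would receive them and counts failed SSH logins per originating node; the sample lines, regexes and function names are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines as a log host receives them after each cluster
# node relays its syslog stream. The hostname field names the origin node.
SAMPLE_LOG = """\
Mar 12 10:01:02 node01 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 12 10:01:03 node02 sshd[1877]: Accepted publickey for deploy from 192.0.2.14 port 40022 ssh2
Mar 12 10:01:05 node01 sshd[2103]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 12 10:01:09 node03 sshd[3300]: Failed password for root from 198.51.100.7 port 51251 ssh2
Mar 12 10:02:11 node02 dpkg[4410]: status installed openssl:amd64 3.0.2-0ubuntu1.10
"""

# BSD-style syslog line: "<timestamp> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Failed-login message emitted by OpenSSH's sshd
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line):
    """Split one relayed syslog line into its fields, or None if malformed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def failed_logins_per_host(text):
    """Count failed SSH logins per originating node (syslog hostname field)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] == "sshd" and FAILED_RE.search(rec["msg"]):
            counts[rec["host"]] += 1
    return dict(counts)


def attacking_sources(text):
    """Map each source address to the set of nodes it failed to log into."""
    sources = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] == "sshd":
            m = FAILED_RE.search(rec["msg"])
            if m:
                sources[m.group("src")].add(rec["host"])
    return dict(sources)
```

Because the hostname survives relaying, a single source trying several nodes shows up as one address spread across multiple hosts rather than as unrelated events.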

It can be very handy to install Prelude-Manager on so-called hub nodes. The reason is to improve the fault tolerance of the system as a whole: Prelude-Manager collects alerts and keeps them in case of a network failure, and the cached alerts are passed to ACARM-ng as soon as network connectivity is restored.