Nariz is a distributed alert correlation system. It performs alert correlation in two phases, local preprocessing followed by distributed postprocessing, by splitting the correlation work among several computers. Features include:
- Correlates IDS (Intrusion Detection System) alerts.
- Distributed alert correlation mechanism.
- Correlates Snort alerts. New plugins can be added to correlate alerts from other IDSs.
- The source code is released to the public under the terms of the GPL.
- Reduces the number of alerts and false positives presented to the administrator.
- Alert correlation is configurable by attack type.
- Distributed correlation starts from a trigger that the user configures.
- It can run on lower-end machines than a centralized correlation system would require.
- Uses an embedded database (SQLite) that implements most of SQL92 and supports databases up to 2 terabytes in size.
The Nariz distributed alert correlation system is under development by its team, working towards a first public release.
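To make the two-phase idea concrete, here is an added illustration (not Nariz's own code) of the local preprocessing phase: Snort fast-format alert lines are loaded into an embedded SQLite database, repeated alerts with the same signature, source and destination are collapsed into one meta-alert, and a configurable trigger threshold marks which meta-alerts would be handed to the distributed postprocessing phase. The alert lines, the signature IDs and the `trigger` parameter are constructed for this example.

```python
import re
import sqlite3

# Constructed sample alerts in Snort "fast" output format (not real traffic).
SAMPLE_ALERTS = """\
01/15-10:00:01.000000  [**] [1:1000001:1] TEST SCAN probe [**] [Priority: 2] {TCP} 10.0.0.5:4000 -> 10.0.0.9:80
01/15-10:00:02.000000  [**] [1:1000001:1] TEST SCAN probe [**] [Priority: 2] {TCP} 10.0.0.5:4001 -> 10.0.0.9:80
01/15-10:00:03.000000  [**] [1:1000001:1] TEST SCAN probe [**] [Priority: 2] {TCP} 10.0.0.5:4002 -> 10.0.0.9:80
01/15-10:00:04.000000  [**] [1:1000002:1] TEST WEB bad request [**] [Priority: 3] {TCP} 10.0.0.7:5000 -> 10.0.0.9:80
"""

# Fields of one fast-format line: timestamp, gid:sid:rev, message, protocol, src -> dst.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)


def load_alerts(text, conn):
    """Local preprocessing, step 1: parse raw alert lines into the embedded database."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS alert (ts TEXT, sid INTEGER, msg TEXT, src TEXT, dst TEXT)"
    )
    matches = (FAST_RE.match(line) for line in text.splitlines())
    rows = [(m["ts"], int(m["sid"]), m["msg"], m["src"], m["dst"]) for m in matches if m]
    conn.executemany("INSERT INTO alert VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)  # number of raw alerts accepted


def correlate_local(conn, trigger=3):
    """Local preprocessing, step 2: collapse alerts sharing (sid, src, dst) into one
    meta-alert. A meta-alert with at least `trigger` hits is flagged for escalation
    to the distributed postprocessing phase; the rest stay local."""
    cur = conn.execute(
        "SELECT sid, msg, src, dst, COUNT(*) AS hits, MIN(ts), MAX(ts) "
        "FROM alert GROUP BY sid, src, dst ORDER BY hits DESC"
    )
    return [
        {"sid": sid, "msg": msg, "src": src, "dst": dst, "hits": hits,
         "first": first, "last": last, "escalate": hits >= trigger}
        for sid, msg, src, dst, hits, first, last in cur
    ]


def run(text=SAMPLE_ALERTS, trigger=3):
    """Return (raw alert count, list of meta-alerts) for one local correlation pass."""
    conn = sqlite3.connect(":memory:")  # embedded SQLite, as the page describes
    raw = load_alerts(text, conn)
    return raw, correlate_local(conn, trigger)
```

On the sample input, four raw alerts collapse to two meta-alerts, and only the repeated probe reaches the trigger.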