ASDIC

ASDIC is not ...

ASDIC is not a log repository

ASDIC is a tool used to monitor and analyze traffic information in your network. To achieve this, ASDIC processes log data, changes its format, and even throws things away once they have been taken care of. Because of this, ASDIC is suitable neither for centralized log data storage nor for forensics. In forensics it is important to keep the data in its original format, untouched, and this conflicts with the goals of ASDIC. ASDIC will help you in forensics with the traffic analysis, but when you present your case in a court of law, you had better have kept the original log data.

If you are looking for a log repository, have a look at Splunk.

ASDIC is not an Intrusion Detection System (IDS)

ASDIC is a tool well suited to aid intrusion detection, but it is not an IDS in the conventional meaning. ASDIC does not look at content. ASDIC does not judge. ASDIC analyzes and presents, letting (or forcing) you to judge for yourself.

If you are looking for an IDS/IPS, have a look at Snort.

ASDIC is not a toy

ASDIC is an appliance system you integrate with your network infrastructure. On a home network you will probably gain little from ASDIC beyond its educational value. Learning ASDIC requires an investment of your time; installing it without being aware of the problems of traffic analysis and large traffic log files, and without taking the time to study the documentation, is probably just a waste of time.

ASDIC is not for accounting

At first glance ASDIC may look like a good tool for traffic accounting. This is probably not the best idea. ASDIC creates the measured groups (aggregates) by itself to reflect the actual traffic patterns. If you are interested in how much HTTP traffic flows from A to B, i.e. A:* -> B:80, nothing forces ASDIC to create this pattern at all, so it may never be measured.

For example, if A scanned B using port 6000 as the origin, the pattern A:6000 -> B:* would be created and measured. This pattern then collects and counts even the packet A:6000 -> B:80. The result is that although traffic to B:80 exists, it is not accounted as HTTP traffic, since it is rightfully decided to belong to the scan.
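The following is an added toy illustration of the accounting pitfall described above; it is not ASDIC's own code or algorithm. It assumes a simplified rule (a source port reaching several destination ports on one host becomes a `src:sport -> dst:*` aggregate) and constructed flow records, and contrasts pattern-driven aggregation with fixed accounting groups of the kind ARGUS provides.

```python
from collections import Counter, defaultdict
from typing import List, Tuple

# A flow record: (source host, source port, destination host, destination port).
Flow = Tuple[str, int, str, int]


def pattern_aggregates(flows: List[Flow], scan_threshold: int = 3) -> Counter:
    """Toy pattern-driven aggregation (an assumption, not ASDIC's real logic):
    if one (src, sport, dst) triple reaches at least `scan_threshold` distinct
    destination ports, a 'src:sport -> dst:*' aggregate is created and absorbs
    every matching flow, including the one to port 80. Remaining flows fall
    into explicit 'src:* -> dst:dport' service patterns."""
    ports_by_origin = defaultdict(set)
    for src, sport, dst, dport in flows:
        ports_by_origin[(src, sport, dst)].add(dport)
    scan_origins = {k for k, ports in ports_by_origin.items() if len(ports) >= scan_threshold}

    counts: Counter = Counter()
    for src, sport, dst, dport in flows:
        if (src, sport, dst) in scan_origins:
            counts[f"{src}:{sport} -> {dst}:*"] += 1   # claimed by the scan aggregate
        else:
            counts[f"{src}:* -> {dst}:{dport}"] += 1   # ordinary service pattern
    return counts


def explicit_accounting(flows: List[Flow]) -> Counter:
    """Fixed accounting groups: every packet to a destination port is counted
    under 'src:* -> dst:dport', regardless of any traffic pattern."""
    counts: Counter = Counter()
    for src, sport, dst, dport in flows:
        counts[f"{src}:* -> {dst}:{dport}"] += 1
    return counts


# Constructed sample: A probes B from source port 6000 across four ports
# (one of them 80), plus two normal HTTP connections from ephemeral ports.
SAMPLE_FLOWS: List[Flow] = [
    ("A", 6000, "B", 22), ("A", 6000, "B", 80), ("A", 6000, "B", 443), ("A", 6000, "B", 8080),
    ("A", 51000, "B", 80), ("A", 51001, "B", 80),
]

if __name__ == "__main__":
    # Pattern-driven view: 4 packets in the scan aggregate, only 2 as HTTP.
    print("pattern aggregates:", dict(pattern_aggregates(SAMPLE_FLOWS)))
    # Explicit accounting view: all 3 packets to B:80 counted as HTTP.
    print("explicit accounting:", dict(explicit_accounting(SAMPLE_FLOWS)))
```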

If you are interested in accounting for explicitly defined traffic groups, have a look at ARGUS.
