ACARM-ng

ACARM-ng (Alert Correlation, Assessment and Reaction Module - next generation) is an open source IDS/IPS system.

ACARM-ng is alert correlation software that can significantly facilitate the analysis of traffic in computer networks.

It is responsible for collecting and correlating alerts sent by network and host sensors, referred to as NIDS and HIDS respectively.

The correlation process aims to reduce the number of messages a system administrator needs to review to as few as possible by merging similar events into groups, each representing a logical piece of malicious activity.

The rest of the package consists of plug-ins, separated into the following classes:

A built-in software watchdog provides up-to-date information on system status.

It is often necessary to limit the amount of incoming data (for example, to remove alerts raised periodically by cron scripts).

It allows the administrator to define a chain of accept-if-match and reject-if-match rules that accept or reject incoming alerts before they enter the correlation engine.

Typical uses are real-time reporting of suspicious events to administrators (for example via e-mail) and automatic reaction to the detected threat (for example, blocking a malicious host on a firewall).
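The filter chain and the correlation step described above, as an added illustrative model in Python. It is not ACARM-ng's own code or configuration format; the rule representation, the first-match-wins semantics with accept-by-default, the time-window grouping and all sample alert values are assumptions made for the example.

```python
# Added illustrative model of the ACARM-ng pipeline; not the project's own code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Alert:
    name: str        # sensor's classification of the event
    source: str      # reporting host / source address (constructed values below)
    timestamp: float # seconds since epoch

# A rule is (action, predicate). The chain is walked in order and the first
# matching predicate decides; an alert matching no rule is accepted (assumption).
Rule = Tuple[str, Callable[[Alert], bool]]

def preprocess(alerts: List[Alert], chain: List[Rule]) -> List[Alert]:
    accepted = []
    for alert in alerts:
        verdict = next((act for act, match in chain if match(alert)), "accept")
        if verdict == "accept":
            accepted.append(alert)
    return accepted

def correlate(alerts: List[Alert], window: float) -> List[List[Alert]]:
    """Merge alerts with the same name and source whose gaps are within
    `window` seconds into one group, so an admin sees one item per burst."""
    groups: Dict[Tuple[str, str], List[List[Alert]]] = {}
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        buckets = groups.setdefault((alert.name, alert.source), [])
        if buckets and alert.timestamp - buckets[-1][-1].timestamp <= window:
            buckets[-1].append(alert)      # continues the current burst
        else:
            buckets.append([alert])        # gap too long: start a new group
    return [g for bs in groups.values() for g in bs]

# Constructed feed: periodic cron noise, a burst of failed logins from one
# host, a much later login failure from the same host, and one unrelated event.
SAMPLE_ALERTS = [Alert("cron session", "10.0.0.5", 60.0 * i) for i in range(5)] + [
    Alert("ssh login failed", "203.0.113.7", 100.0),
    Alert("ssh login failed", "203.0.113.7", 105.0),
    Alert("ssh login failed", "203.0.113.7", 111.0),
    Alert("ssh login failed", "203.0.113.7", 900.0),
    Alert("port scan", "198.51.100.9", 120.0),
]
CHAIN: List[Rule] = [
    ("reject", lambda a: a.name.startswith("cron")),  # drop alerts raised by cron jobs
]

def run_pipeline() -> List[List[Alert]]:
    """10 raw alerts in, 3 groups out: login burst, lone later login, port scan."""
    return correlate(preprocess(SAMPLE_ALERTS, CHAIN), window=30.0)
```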

Internal architecture of ACARM-ng showing bundled plug-ins.
Alert time series plot showing the number of incoming messages during given time period.
The alert page showing a sample alert.