1.2. Architecture

1.2.1. Sensor

The sensor component is called 'firestorm-nids'. It sniffs traffic on your network, analyses it (usually using Snort signatures) and spools the alerts in extended log (elog) format.

1.2.1.1. Stateful Analysis

Firestorm can analyse state information on the network. Firestorm can reassemble IP fragments, perform TCP connection tracking, TCP stream reassembly and application layer stateful analysis.

1.2.1.2. Full Application Layer Decode

Firestorm has the capability to fully decode application layer protocols. At the moment HTTP is the only supported protocol, but others will follow shortly.

1.2.1.3. Snort Compatibility

Snort rule compatibility is fairly extensive. We aim to track the default signature set that ships with Snort 1.9. As far as we know, Snort 1.8 rules should also work. More information can be found in the snort.compatibility document.

1.2.1.4. Rate-Limiting of Alerts

Firestorm features the ability to rate-limit alert output to protect itself from DoS attacks (an attacker who can trigger a rule at will could otherwise flood the alert spool). This feature is rather unique. Built-in alerts (such as state tracking violations) are rate-limited by default, and Snort rules have two new keywords, 'rate' and 'burst', for configuring the limit on a rule-by-rule basis.
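As an added illustration of the rate and burst idea (this is not Firestorm's code; the token-bucket design, struct and function names are assumptions made for the example), the following C program limits one rule's alerts to a sustained rate with a burst allowance and simulates a packet flood against it:

```c
/* Added example: per-rule alert rate limiting as a token bucket.
 * 'rate' is the sustained number of alerts per second, 'burst' is how many
 * alerts may be emitted at once before the limit bites. Not Firestorm code. */
#include <stdio.h>

struct alert_limiter {
    unsigned rate;          /* sustained alerts per second */
    unsigned burst;         /* bucket capacity (max stored tokens) */
    double tokens;          /* tokens currently available */
    double last;            /* time of last refill, in seconds */
    unsigned long dropped;  /* alerts suppressed so far */
};

void limiter_init(struct alert_limiter *l, unsigned rate, unsigned burst) {
    l->rate = rate;
    l->burst = burst;
    l->tokens = burst;      /* start full so the first burst always logs */
    l->last = 0.0;
    l->dropped = 0;
}

/* Returns 1 if the alert should be written to the spool, 0 if suppressed. */
int limiter_allow(struct alert_limiter *l, double now) {
    double elapsed = now - l->last;
    if (elapsed > 0.0) {
        l->tokens += elapsed * l->rate;          /* refill at 'rate' per second */
        if (l->tokens > l->burst) l->tokens = l->burst;
        l->last = now;
    }
    if (l->tokens >= 1.0) { l->tokens -= 1.0; return 1; }
    l->dropped++;
    return 0;
}

/* Constructed flood: n matching packets, 'interval' seconds apart, from t=0.
 * Returns how many alerts were actually emitted. */
unsigned long simulate_flood(unsigned rate, unsigned burst,
                             unsigned long n, double interval) {
    struct alert_limiter l;
    unsigned long emitted = 0, i;
    limiter_init(&l, rate, burst);
    for (i = 0; i < n; i++)
        emitted += limiter_allow(&l, (double)i * interval);
    return emitted;
}

int main(void) {
    /* 10000 packets in one second against rate=10, burst=5 */
    printf("emitted %lu of 10000\n", simulate_flood(10, 5, 10000, 0.0001));
    return 0;
}
```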

1.2.1.5. Anomaly Detection

Firestorm has infrastructure for supporting anomaly detection modules; however, at this time no such modules have been written.

1.2.2. Extended Logs

Extended logs (or elogs for short) are a new format for transporting alert data. They contain not only the packet data but also the alert information, decode information, state-tracking information, and any other packet meta-data. The advantage of using extended log format is the ability to keep all data in one file.

Firestorm can usually achieve full disk throughput when alerting. In fact, Firestorm can saturate many spindles simultaneously by balancing alerts between multiple spools.

Be aware that the elog format is not yet finalised (and won't be until version 1.0.0) and is likely to change at any point in time. The files are versioned, so you shouldn't experience data corruption. If you would like to be able to convert from one version to another, you can pay me to write a conversion tool ;)

1.2.3. Stormwall

Stormwall is as yet unfinished. Its purpose is to monitor alert spools and perform actions when new elog files appear. The Firestorm sensor notifies Stormwall of changes to the spool. This program will facilitate push-style remote logging. Both push and pull logging will be supported by version 1.0.0.

1.2.4. Console

Work on the console has started, but it is very early in development. It is a GNOME 2 application. By version 0.6.0 it will be fully usable and allow the analyst to search, sort, filter, correlate and extract data from their sensors.