[Snort-devel] Some Questions
ragip_yahsieli at ...445...
Mon Jan 12 08:57:01 EST 2004
Hi, I asked this question before Christmas and I am asking it again because I guess you know something about it. I want to use Snort as a misuse detector and an anomaly detector. To use it in both modes, I will log all packets to a computer, then I will catch the intrusions which Snort can catch, and I will send the other, undefined attacks, which Snort doesn't catch and has no signature to catch, to SPADE to analyze these packets in anomaly detection mode. Now I am asking: is it a good idea? If it is not, what can I do to perform this task? Also, I am using Snort on a computer with Windows installed, and I don't know how SPADE will work integrated into Snort on a Windows machine. I also know that SPADE can be used on a Linux machine without causing problems, but I have some suspicion, because I read a paper that compared some anomaly detectors, SPADE, LERAD and CLAD, which are used as unsupervised learning techniques, and CLAD and LERAD are superior to SPADE, so is it possible to use one of these systems with Snort?
By the way, I want to ask you about something. Recently, I have read an article that was written by professors at the University of Minnesota. They made a system named MINDS (Minnesota Intrusion Detection System), and they are using Snort like me. They log all packets to a computer and then process all packets offline. They are using NetFlow tools to extract some features from packets, like IP addresses, IP ports..., and then they are using a signature database to catch attacks before the anomaly analysis. Then they pass these packets to the anomaly detector. The anomaly detector creates an anomaly score (I think these scores have to be inserted into the system before analysis to detect novel attacks), and some novel attacks can be caught by using this technique. This is a very similar system to what I want to carry out. Now, I don't know if there is anyone who knows or works with SOM (Self-Organizing Maps), but I am wondering whether or not I can insert a SOM into such a system integrated with Snort. In the MINDS system the anomaly detector is used like a SOM, which is used as an anomaly detector in many areas like ANN (Artificial Neural Networks), but there is a problem: a SOM cannot create an anomaly score, and I have to consider this bad feature.
Thank you in advance. Take care...
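The two-stage design the post describes (signature matching first, then rarity scoring of whatever the signatures do not match) is small enough to sketch end to end. The following is an added example, not code from Snort, SPADE or MINDS: the flow records and the single signature are constructed for illustration, the signature table is a hypothetical stand-in for Snort rules, and the anomaly stage uses a SPADE-style score, A(x) = -log2(P(x)), over the frequency of (destination IP, destination port) pairs learned from the unmatched records themselves, rather than a SOM.

```python
"""Misuse stage followed by an anomaly-scoring stage over constructed flow records.

Stage 1 labels known misuse with a tiny signature table (hypothetical stand-in
for Snort rules).  Stage 2 takes only the records no signature matched, learns
how often each (dst_ip, dst_port) pair occurs in that batch, and scores each
record by rarity: A(x) = -log2(P(x)), the SPADE-style anomaly score.  Records
whose score reaches the threshold are reported as anomalies.
"""
import math
from collections import Counter

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, payload_hint)
FLOWS = [
    ("10.0.0.5", "192.168.1.10", 80, "tcp", "GET /index.html"),
    ("10.0.0.6", "192.168.1.10", 80, "tcp", "GET /about.html"),
    ("10.0.0.7", "192.168.1.10", 80, "tcp", "GET /login"),
    ("10.0.0.5", "192.168.1.1", 53, "udp", "A? example.test"),
    ("10.0.0.8", "192.168.1.10", 80, "tcp", "POST /login"),
    ("10.0.0.9", "192.168.1.10", 80, "tcp", "GET /static/app.js"),
    ("10.0.0.6", "192.168.1.1", 53, "udp", "A? cdn.example.test"),
    ("10.0.0.7", "192.168.1.10", 80, "tcp", "GET /../../secret.cfg"),   # matches signature
    ("10.0.0.10", "192.168.1.10", 80, "tcp", "GET /favicon.ico"),
    ("10.0.0.8", "192.168.1.1", 53, "udp", "AAAA? example.test"),
    ("10.0.0.11", "192.168.1.10", 80, "tcp", "GET /search?q=x"),
    ("10.0.0.5", "192.168.1.20", 4444, "tcp", "\x00\x01binary"),          # never seen before
]

# Hypothetical signature table: (name, predicate over a flow record).
SIGNATURES = [
    ("web-path-traversal", lambda f: f[3] == "tcp" and f[2] == 80 and "../" in f[4]),
]


def match_signature(flow):
    """Return the name of the first matching signature, or None."""
    for name, predicate in SIGNATURES:
        if predicate(flow):
            return name
    return None


def train_rarity(flows):
    """Count (dst_ip, dst_port) pairs; this is the probability table P(x)."""
    counts = Counter((f[1], f[2]) for f in flows)
    return counts, sum(counts.values())


def anomaly_score(flow, counts, total):
    """SPADE-style score: -log2 of the observed frequency of this flow's key.

    A key never seen during training gets the smallest probability 1/(total+1),
    so unseen destinations always score at least as high as any seen one.
    """
    seen = counts.get((flow[1], flow[2]), 0)
    p = seen / total if seen else 1.0 / (total + 1)
    return -math.log2(p)


def run_pipeline(flows, threshold=3.0):
    """Signature stage, then rarity scoring of the unmatched remainder.

    Returns the signature hits, the records at or above the threshold
    (highest score first), and every unmatched record's score.
    """
    misuse, unmatched = [], []
    for index, flow in enumerate(flows):
        name = match_signature(flow)
        if name:
            misuse.append((index, name))
        else:
            unmatched.append((index, flow))
    # Train only on what the signatures let through, as in the proposed design.
    counts, total = train_rarity([flow for _, flow in unmatched])
    scores = {index: round(anomaly_score(flow, counts, total), 3) for index, flow in unmatched}
    anomalies = sorted(((i, s) for i, s in scores.items() if s >= threshold),
                       key=lambda pair: -pair[1])
    return {"misuse": misuse, "anomalies": anomalies, "scores": scores}


if __name__ == "__main__":
    result = run_pipeline(FLOWS)
    print("signature hits:", result["misuse"])
    print("anomalies     :", result["anomalies"])
    for index, score in sorted(result["scores"].items()):
        print(f"  flow {index:2d} -> {FLOWS[index][1]}:{FLOWS[index][2]:<5} score {score}")
```

With these records the traversal request is reported by the signature stage and never reaches the scorer, the lone connection to port 4444 scores -log2(1/11) ≈ 3.46 and is the only anomaly at the default threshold, while the routine web and DNS flows score about 0.65 and 1.87. The threshold is the operator's choice: lowering it trades more alerts for earlier visibility of rare destinations, and the probability table should be learned from a longer, trusted baseline rather than the batch under inspection in real use.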