[Snort-devel] [RFC] Packet Header Anomaly Detection (PHAD) preprocessor
Bernhard.Guillon at ...3094...
Mon May 31 10:13:56 EDT 2010
For my bachelor thesis I am currently porting the Packet Header Anomaly
Detection (PHAD) algorithm from  as a preprocessor for Snort. This
was done by M. Ali Aydın et al.  before, to use Snort as a hybrid of
misuse and anomaly detection systems. Unfortunately I was not able to
get the source from them, so I decided to port the algorithm myself and
share it with the community.
I want to ask whether it is generally possible to add anomaly detection
algorithms as preprocessors in mainline. SPADE got removed and I do not
know if it was because of maintenance or because of anomaly-based detection.
If it is possible to add anomaly detection algorithms to mainline, I want
to ask you to review my patch .
I based it on the template example and the original source (GPL) .
I also added a lot of FIXMEs to the patch for questions like "Ask about
how to issue an alert with a non-const char in a safe way". Therefore
please do not see this patch as complete. I am also not sure about the
coding style in some places; I just compared it with other sources, but
some things are in different styles in different files. I am also unsure
about using enums, but I hope it is OK.
I am looking forward to any comment :)
3 M. Ali Aydın et al. A hybrid intrusion detection system design for
computer network security. http://www.short-link.de/17938
4 http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff (I
hope it is OK to link it; I did not know if attaching patches to the
mailing list is OK.)
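To make the discussion above concrete, here is an added C example of the PHAD scoring model the post is porting; it is not code from the linked patch or from the Snort project. It follows the published PHAD design (Mahoney and Chan): during training, each header field keeps the set of distinct values seen, the observation count n and the count r of training anomalies (new values); in detection, a packet whose field value was never seen scores t * n / r, where t is the time since that field's last anomaly, summed over anomalous fields. The field names, the use of a packet counter as the clock, and the training packets are constructed assumptions for the demo.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PHAD_FIELDS     4    /* assumed demo fields: ip_proto, ip_ttl, tcp_flags, tcp_dport */
#define PHAD_MAX_VALUES 32   /* PHAD caps the stored distinct values per field */

/* Per-field model, as in the PHAD paper: distinct values, n observations, r anomalies. */
typedef struct {
    const char *name;
    uint32_t values[PHAD_MAX_VALUES];
    int  r;             /* distinct values seen in training (= training anomalies) */
    long n;             /* training observations of this field */
    long last_anomaly;  /* clock value when this field last saw a novel value */
} phad_field_t;

typedef struct {
    phad_field_t fields[PHAD_FIELDS];
    long clock;         /* assumption: packet counter stands in for wall-clock seconds */
} phad_model_t;

/* Constructed packet: one value per modelled header field. */
typedef struct { uint32_t f[PHAD_FIELDS]; } pkt_t;

static int field_has(const phad_field_t *fl, uint32_t v) {
    for (int i = 0; i < fl->r && i < PHAD_MAX_VALUES; i++)
        if (fl->values[i] == v) return 1;
    return 0;
}

void phad_init(phad_model_t *m, const char *names[PHAD_FIELDS]) {
    memset(m, 0, sizeof *m);
    for (int i = 0; i < PHAD_FIELDS; i++) m->fields[i].name = names[i];
}

/* Training: every novel value is recorded and counted as an anomaly. */
void phad_train(phad_model_t *m, const pkt_t *p) {
    m->clock++;
    for (int i = 0; i < PHAD_FIELDS; i++) {
        phad_field_t *fl = &m->fields[i];
        fl->n++;
        if (!field_has(fl, p->f[i])) {
            if (fl->r < PHAD_MAX_VALUES) fl->values[fl->r] = p->f[i];
            fl->r++;
            fl->last_anomaly = m->clock;
        }
    }
}

/* Detection: score = sum over novel fields of t * n / r; the value set is not updated. */
double phad_score(phad_model_t *m, const pkt_t *p) {
    double score = 0.0;
    m->clock++;
    for (int i = 0; i < PHAD_FIELDS; i++) {
        phad_field_t *fl = &m->fields[i];
        if (fl->r == 0 || field_has(fl, p->f[i])) continue;   /* untrained field or known value */
        double t = (double)(m->clock - fl->last_anomaly);
        score += t * (double)fl->n / (double)fl->r;
        fl->last_anomaly = m->clock;   /* repeated anomalies in a field decay quickly */
    }
    return score;
}

/* Constructed training set: ten TCP SYNs, TTL 64, to ports 80 and 443 alternately. */
int phad_train_demo(phad_model_t *m) {
    static const char *names[PHAD_FIELDS] = { "ip_proto", "ip_ttl", "tcp_flags", "tcp_dport" };
    phad_init(m, names);
    for (int i = 0; i < 10; i++) {
        pkt_t p = { { 6u, 64u, 0x02u, (i % 2 == 0) ? 80u : 443u } };
        phad_train(m, &p);
    }
    return m->fields[3].r;   /* 2 distinct destination ports learned */
}

int main(void) {
    phad_model_t m;
    phad_train_demo(&m);
    pkt_t normal  = { { 6u, 64u, 0x02u, 80u } };   /* all values seen in training */
    pkt_t new_port = { { 6u, 64u, 0x02u, 22u } };   /* unseen destination port */
    pkt_t low_ttl  = { { 6u,  1u, 0x02u, 80u } };   /* unseen TTL value */
    printf("normal   score = %.1f\n", phad_score(&m, &normal));    /* 0.0 */
    printf("new port score = %.1f\n", phad_score(&m, &new_port));  /* 50.0 */
    printf("low ttl  score = %.1f\n", phad_score(&m, &low_ttl));   /* 120.0 */
    return 0;
}
```

The scores show why the n/r weighting matters for a preprocessor: the port field saw two values in ten observations (n/r = 5), so a novel port is a weaker signal than a novel TTL, whose field never varied (n/r = 10). A real preprocessor would threshold the score before raising an alert and would use packet timestamps for t rather than a counter.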