[Snort-devel] [RFC] Packet Header Anomaly Detection (PHAD) preprocessor

Bernhard Guillon Bernhard.Guillon at ...3094...
Mon May 31 10:13:56 EDT 2010

for my bachelor thesis I am currently porting the Packet Header Anomaly 
Detection (PHAD)[1] algorithm from [2] as preprocessor to snort. This 
was done by M. Ali Aydın et al. [3] before to use snort as a hybrid of 
misuse and anomaly detection systems. Unfortunately I was not able to 
get the source from them so I decided to port the algorithm myself and 
share it with the community.

I want to ask about if it is general possible to add anomaly detection 
algorithms as preprocessors in mainline. SPADE got removed and I do not 
know if it was because of maintenance or anomaly based detection.

If it is possible to add anomaly detection algorithms to mainline I want 
to ask you to review my patch [4].
I based it on the template example and the original source (GPL) [5]. 
Also I added a lot of FIXME to the patch for questions like "Ask about 
how to issue an alert with non const char in a save way". Therefore 
please do not see this patch as complete. I am also not sure about 
coding style at some places I just compared it with other sources but 
some things are in different styles in different files. I am also unsure 
about using enums but I hope it is OK.

I am looking forward to any comment :)

Best regards
Bernhard Guillon

1 http://cs.fit.edu/~mmahoney/paper3.pdf
2 http://cs.fit.edu/~mmahoney/dist/
3 M. Ali Aydın et al. A hybrid intrusion detection system design for 
computer network security http://www.short-link.de/17938
4 http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff (I 
hope it is OK to link it I did not know if attaching patches to the 
mailing list is ok)
5 http://cs.fit.edu/~mmahoney/dist/phad.cpp

More information about the Snort-devel mailing list