[Snort-devel] Snort Anomaly Detection
Bernhard.Guillon at ...3094...
Tue Sep 14 01:35:30 EDT 2010
On 13.09.2010 14:49, Andres Carrera Rivera wrote:
> Hi everybody,
> Does Someone work with snort like an Anomaly Detection?
I used Snort with PHAD for my bachelor thesis.
> I wonder how could I get snort working like an anomaly engine.
You can port algorithms to snort as preprocessors. Snort has a nice pcap
> I've heard about SPADE and PHAD, which provide anomaly detection
> but I really dont know how to install them in the latest version of
> Snort (Snort-2.8.6.X)
> So, If someone have done that before please coment.
There is a old patch for SPADE at www.ossim.net. You should be able to
port it to a newer version of snort.
For PHAD you can use my patch .
I use this config:
preprocessor phad: training_time 446400
The time is in seconds.
Testing the PAHD preprocessor with the DARPA set shows the same result
as the original PHAD implementation. I also have written an open source
anomaly traffic generator to create a more up to date dataset and tested
the implementation with it. I am currently cleaning it up for
publishing. It uses Virtual Machines some simulation theorie and Python.
It supports modules for "normal" traffic generation
(Firefox,email,Skype,FTP) and anomaly traffic generation (metasploit,
nmap, and arpspoof).
Do you have access to real traffic?
More information about the Snort-devel