[Snort-devel] Snort Anomaly Detection

Bernhard Guillon Bernhard.Guillon at ...3094...
Tue Sep 14 01:35:30 EDT 2010

On 13.09.2010 14:49, Andres Carrera Rivera wrote:
>    Hi everybody,
> Does Someone work with snort like an Anomaly Detection?

I used Snort with PHAD for my bachelor thesis.

> I wonder how could I get snort working like an anomaly engine.

You can port algorithms to snort as preprocessors. Snort has a nice pcap 
layer :)

> I've heard about SPADE and PHAD, which provide anomaly detection
> but I really dont know how to install them in the latest version of
> Snort (Snort-2.8.6.X)
> So, If someone have done that before please coment.

There is a old patch for SPADE at www.ossim.net. You should be able to 
port it to a newer version of snort.

For PHAD you can use my patch [1].

I use this config:

preprocessor phad: training_time 446400

The time is in seconds.

Testing the PAHD preprocessor with the DARPA set shows the same result 
as the original PHAD implementation. I also have written an open source 
anomaly traffic generator to create a more up to date dataset and tested 
the implementation with it. I am currently cleaning it up for 
publishing. It uses Virtual Machines some simulation theorie and Python. 
It supports modules for "normal" traffic generation 
(Firefox,email,Skype,FTP) and anomaly traffic generation (metasploit, 
nmap, and arpspoof).

Do you have access to real traffic?

Best regards
Bernhard Guillon

1 http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff

More information about the Snort-devel mailing list