[Snort-devel] Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Tue Sep 14 21:31:06 EDT 2010

On 9/14/2010 12:35 AM, Bernhard Guillon wrote:
>  On 13.09.2010 14:49, Andres Carrera Rivera wrote:
>>  Hi everybody,
>>  Does someone work with Snort as an anomaly detection system?
>  Hi,
>  I used Snort with PHAD for my bachelor thesis.

Really? That's great. I have to do the same for my thesis, but I'm kind
of lost using preprocessors in Snort.

>>  I wonder how I could get Snort working like an anomaly engine.
>  You can port algorithms to snort as preprocessors. Snort has a nice pcap
>  layer :)

I've heard that, but how can I port those algorithms to my Snort?
I've tried modifying some files and adding the .c and .h files to Snort.

>>  I've heard about SPADE and PHAD, which provide anomaly detection,
>>  but I really don't know how to install them in the latest version of
>>  Snort (Snort-2.8.6.X).
>>  So, if someone has done that before, please comment.
>  There is an old patch for SPADE at www.ossim.net. You should be able to
>  port it to a newer version of Snort.
>  For PHAD you can use my patch [1].
>  I use this config:
>  #snort.conf
>  preprocessor phad: training_time 446400
>  The time is in seconds.

How can I patch my Snort? I'm working on Ubuntu and CentOS.

>  Testing the PHAD preprocessor with the DARPA set shows the same result
>  as the original PHAD implementation. I have also written an open source
>  anomaly traffic generator to create a more up-to-date dataset and tested
>  the implementation with it. I am currently cleaning it up for
>  publishing. It uses virtual machines, some simulation theory, and Python.
>  It supports modules for "normal" traffic generation
>  (Firefox, email, Skype, FTP) and anomaly traffic generation (metasploit,
>  nmap, and arpspoof).

Awesome! I hope you finish it completely and publish it. :-)

>  Do you have access to real traffic?

Actually, I use the computer science lab of my college for checking the
traffic with Snort, but I just check it with signatures. I want to check
it with anomalies and statistics too; that's why I'm asking a lot about
these things, hehe :-D

Thanks again. I hope you can help me again.

>  Best regards
>  Bernhard Guillon
>  [1] http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
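The thread above talks about PHAD and its `training_time` option without showing what the preprocessor actually computes. The following is an added illustration of the PHAD scoring idea (Mahoney and Chan's Packet Header Anomaly Detection) in plain Python; it is not Bernhard Guillon's spp_phad patch, not Snort code, and not the original PHAD implementation. The four header fields, the training window, and the sample packets are constructed for this example; the real PHAD tracks 33 fields and clusters values into up to 32 ranges, whereas this version keeps an exact set of values per field.

```python
"""PHAD-style packet header anomaly scoring (added illustration, not Snort or spp_phad code).

Model per header field: the set of values seen during training (r = number of
distinct values), the number of training packets carrying the field (n), and the
time of the last anomaly in that field. After training, a packet's score is the
sum over fields whose value was never seen of  t * n / r, where t is the number
of seconds since that field last changed (in training or in detection). Large,
rare changes in a stable field therefore score highest.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed field set for this example; real PHAD uses 33 Ethernet/IP/TCP/UDP/ICMP fields.
FIELDS = ("ip_proto", "ip_ttl", "tcp_dport", "tcp_flags")


@dataclass
class FieldModel:
    values: set = field(default_factory=set)  # distinct values seen in training (r = len(values))
    n: int = 0                                 # training packets that carried this field
    last_anomaly: float = 0.0                  # timestamp of the last new value in this field


class Phad:
    """Minimal PHAD scorer: trains for `training_time` seconds, then scores packets."""

    def __init__(self, training_time: float, threshold: float) -> None:
        self.training_time = training_time   # same meaning as "training_time" in the snort.conf line above
        self.threshold = threshold
        self.start: Optional[float] = None
        self.models: Dict[str, FieldModel] = {f: FieldModel() for f in FIELDS}

    def in_training(self, ts: float) -> bool:
        if self.start is None:
            self.start = ts
        return ts - self.start < self.training_time

    def train(self, pkt: dict) -> None:
        for f in FIELDS:
            if f in pkt:
                m = self.models[f]
                if pkt[f] not in m.values:
                    m.values.add(pkt[f])
                    m.last_anomaly = pkt["ts"]  # a new value in training also resets t
                m.n += 1

    def score(self, pkt: dict) -> Tuple[float, List[str]]:
        total = 0.0
        anomalous: List[str] = []
        for f in FIELDS:
            if f not in pkt:
                continue
            m = self.models[f]
            if m.n == 0 or pkt[f] in m.values:
                continue
            t = pkt["ts"] - m.last_anomaly        # seconds since this field last changed
            total += t * m.n / len(m.values)     # PHAD field score: t * n / r
            m.last_anomaly = pkt["ts"]
            anomalous.append(f)
        return total, anomalous

    def process(self, pkt: dict) -> Optional[Tuple[float, List[str], bool]]:
        """Returns None while training, else (score, anomalous fields, alert?)."""
        if self.in_training(pkt["ts"]):
            self.train(pkt)
            return None
        s, fields = self.score(pkt)
        return s, fields, s > self.threshold


def build_sample_traffic() -> Tuple[List[dict], List[dict]]:
    """Constructed sample: 60 s of plain web traffic, then two test packets."""
    ports, flags = (80, 443), ("S", "A", "PA")
    train = [{"ts": float(i * 2), "ip_proto": 6, "ip_ttl": 64,
              "tcp_dport": ports[i % 2], "tcp_flags": flags[i % 3]} for i in range(30)]
    test = [
        {"ts": 61.0, "ip_proto": 6, "ip_ttl": 64, "tcp_dport": 443, "tcp_flags": "S"},   # looks like training
        {"ts": 62.0, "ip_proto": 6, "ip_ttl": 200, "tcp_dport": 8081, "tcp_flags": "S"}, # two unseen values
    ]
    return train, test


def run_demo(training_time: float = 60.0, threshold: float = 1000.0) -> List[Tuple[float, List[str], bool]]:
    """Trains on the constructed traffic and returns the verdict for each test packet."""
    det = Phad(training_time, threshold)
    train, test = build_sample_traffic()
    for pkt in train:
        det.process(pkt)
    return [det.process(pkt) for pkt in test]


if __name__ == "__main__":
    for score, fields, alert in run_demo():
        print(f"score={score:.1f} fields={fields} alert={alert}")
```

The second test packet scores on `ip_ttl` (a field that never changed in training, so t is the full 62 s and r is 1) and on `tcp_dport` (t counts from the moment port 443 first appeared), which is the behaviour that makes PHAD sensitive to rarely changing header fields; choosing the threshold and a long enough `training_time` against representative traffic is what the DARPA comparison in the thread is about.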
