[Snort-devel] Snort Anomaly Detection 2

Andres Carrera Rivera protoss_black88 at ...445...
Thu Sep 16 07:23:38 EDT 2010

  On 9/14/2010 12:35 AM, Bernhard Guillon wrote:
>   On 13.09.2010 14:49, Andres Carrera Rivera wrote:
>>       Hi everybody,
>>   Does Someone work with snort like an Anomaly Detection?
>   Hi,
>   I used Snort with PHAD for my bachelor thesis.

Really? That's great..  I have to do the same for my Thesis, but I'm kind
of lost using preprocessors in snort.

>>   I wonder how could I get snort working like an anomaly engine.
>   You can port algorithms to snort as preprocessors. Snort has a nice pcap
>   layer :)

I've heard that, but how can I port those algorithms to my snort.?
i've tried modifying some files and adding the .C and .H files on snort

>>   I've heard about SPADE and PHAD, which provide anomaly detection
>>   but I really dont know how to install them in the latest version of
>>   Snort (Snort-2.8.6.X)
>>   So, If someone have done that before please coment.
>   There is a old patch for SPADE at www.ossim.net. You should be able to
>   port it to a newer version of snort.
>   For PHAD you can use my patch [1].
>   I use this config:
>   #snort.conf
>   preprocessor phad: training_time 446400
>   The time is in seconds.

how can I patch my snort? I'm Working on Ubuntu and CentOS

>   Testing the PAHD preprocessor with the DARPA set shows the same result
>   as the original PHAD implementation. I also have written an open source
>   anomaly traffic generator to create a more up to date dataset and tested
>   the implementation with it. I am currently cleaning it up for
>   publishing. It uses Virtual Machines some simulation theorie and Python.
>   It supports modules for "normal" traffic generation
>   (Firefox,email,Skype,FTP) and anomaly traffic generation (metasploit,
>   nmap, and arpspoof).

Awesome! hope you finish it completely and publish it. :-)

>   Do you have access to real traffic?

Actually, I use my Computer Science Lab of My college for checking the
traffic with snort
but I just check them with signatures, I want to check it with anomalies
and statistics too,
that's why I'm asking a lot for those things, hehe :-D

More information about the Snort-devel mailing list