[Snort-devel] Snort Anomaly Detection 2
Andres Carrera Rivera
protoss_black88 at ...445...
Thu Sep 16 07:23:38 EDT 2010
On 9/14/2010 12:35 AM, Bernhard Guillon wrote:
> On 13.09.2010 14:49, Andres Carrera Rivera wrote:
>> Hi everybody,
>> Does someone work with Snort as an anomaly detection system?
> I used Snort with PHAD for my bachelor thesis.
Really? That's great. I have to do the same for my thesis, but I'm kind
of lost using preprocessors in Snort.
>> I wonder how I could get Snort working as an anomaly engine.
> You can port algorithms to Snort as preprocessors. Snort has a nice pcap
> layer :)
I've heard that, but how can I port those algorithms to my Snort?
I've tried modifying some files and adding the .c and .h files to Snort.
>> I've heard about SPADE and PHAD, which provide anomaly detection,
>> but I really don't know how to install them in the latest version of
>> Snort (Snort-2.8.6.X).
>> So, if someone has done that before, please comment.
> There is an old patch for SPADE at www.ossim.net. You should be able to
> port it to a newer version of Snort.
> For PHAD you can use my patch.
> I use this config:
> preprocessor phad: training_time 446400
> The time is in seconds.
How can I patch my Snort? I'm working on Ubuntu and CentOS.
> Testing the PHAD preprocessor with the DARPA set shows the same result
> as the original PHAD implementation. I also have written an open source
> anomaly traffic generator to create a more up to date dataset and tested
> the implementation with it. I am currently cleaning it up for
> publishing. It uses virtual machines, some simulation theory and Python.
> It supports modules for "normal" traffic generation
> (Firefox, email, Skype, FTP) and anomaly traffic generation (metasploit,
> nmap, and arpspoof).
Awesome! I hope you finish it completely and publish it. :-)
> Do you have access to real traffic?
Actually, I use the Computer Science Lab of my college for checking the
traffic with Snort,
but I just check it with signatures. I want to check it with anomalies
and statistics too;
that's why I'm asking a lot about those things, hehe :-D
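To make the PHAD discussion above concrete, here is a stand-alone sketch of what a header-anomaly preprocessor computes. This is an added example, not Snort code and not the PHAD patch Bernhard refers to; it follows the algorithm as described by Mahoney & Chan (PHAD, 2001): during a training window each header field collects up to 32 value clusters (closest clusters are merged when the budget is exceeded), and afterwards a packet's score is the sum over fields of t*n/r for every field whose value falls outside all clusters, where n is the number of training observations, r the number of novel values seen in training and t the time since that field's last anomaly. The training phase here plays the role of the `training_time` window in the quoted config. The frame builder, the MAC and IP addresses, the port mix and the "probe" packet are all constructed for the demo, and only a subset of PHAD's 33 fields is parsed. In a Snort port the same `train`/`score` logic would live in a preprocessor callback fed by Snort's packet decoder instead of parsing raw bytes itself.

```python
"""PHAD-style header anomaly scoring after Mahoney & Chan (2001): an added
illustration, not Snort code or the PHAD preprocessor patch from the thread."""
import socket
import struct

MAX_CLUSTERS = 32  # per-field cluster budget, as in the PHAD paper


class FieldModel:
    """Value clusters seen for one header field plus PHAD's n, r and t."""
    def __init__(self):
        self.clusters = []       # sorted, non-overlapping [lo, hi] ranges
        self.n = 0               # training observations of this field
        self.r = 0               # novel values seen during training
        self.last_anomaly = 0.0  # timestamp of the last novel value

    def contains(self, value):
        return any(lo <= value <= hi for lo, hi in self.clusters)

    def add(self, value):
        self.clusters.append([value, value])
        self.clusters.sort()
        while len(self.clusters) > MAX_CLUSTERS:  # merge the closest pair
            i = min(range(len(self.clusters) - 1),
                    key=lambda k: self.clusters[k + 1][0] - self.clusters[k][1])
            self.clusters[i][1] = self.clusters[i + 1][1]
            del self.clusters[i + 1]

    def train(self, value, ts):
        self.n += 1
        if not self.contains(value):
            self.r += 1
            self.last_anomaly = ts
            self.add(value)

    def score(self, value, ts):
        """t*n/r for a value outside every cluster, else 0; clusters stay frozen."""
        if self.r == 0 or self.contains(value):
            return 0.0
        t = ts - self.last_anomaly
        self.last_anomaly = ts  # a detection-time anomaly also resets t
        return t * self.n / self.r


def parse_fields(frame):
    """Integer header fields of an Ethernet II / IPv4 / TCP frame (subset of PHAD's 33)."""
    _dst, _src, eth_type = struct.unpack("!6s6sH", frame[:14])
    f = {"eth.type": eth_type}
    if eth_type != 0x0800:
        return f
    vihl, tos, tot_len, _, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBHII", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    f.update({"ip.hl": ihl, "ip.tos": tos, "ip.len": tot_len, "ip.frag": frag,
              "ip.ttl": ttl, "ip.proto": proto, "ip.src": src, "ip.dst": dst})
    if proto != 6:
        return f
    sport, dport, _, _, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", frame[14 + ihl:34 + ihl])
    f.update({"tcp.sport": sport, "tcp.dport": dport, "tcp.flags": off_flags & 0x1FF, "tcp.win": win})
    return f


class PHAD:
    def __init__(self):
        self.fields = {}

    def train(self, frame, ts):
        for name, value in parse_fields(frame).items():
            self.fields.setdefault(name, FieldModel()).train(value, ts)

    def score(self, frame, ts):
        """Total packet score and the per-field contributions."""
        contrib = {}
        for name, value in parse_fields(frame).items():
            if name in self.fields:  # a field absent from training has no model
                s = self.fields[name].score(value, ts)
                if s:
                    contrib[name] = s
        return sum(contrib.values()), contrib


def build_frame(src_ip, dst_ip, sport, dport, ttl=64, flags=0x018):
    """Constructed Ethernet/IPv4/TCP frame: fixed MACs, no payload, zero checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa", 0x0800)
    return eth + ip + tcp


def demo():
    """Train on 600 s of constructed lab traffic, then score two packets."""
    det = PHAD()
    ts = 0.0
    for i in range(600):  # 20 hosts, ports 22/80, TTL 64, PSH|ACK
        det.train(build_frame(f"10.0.0.{10 + i % 20}", "10.0.0.1",
                              40000 + i % 100, 80 if i % 3 else 22), ts)
        ts += 1.0
    normal, _ = det.score(build_frame("10.0.0.15", "10.0.0.1", 40050, 80), ts + 1)
    # Nmap-style SYN to an unseen port with a foreign TTL: four novel fields.
    probe, why = det.score(
        build_frame("10.0.0.15", "10.0.0.1", 53111, 8080, ttl=37, flags=0x002), ts + 2)
    return normal, probe, why
```

Running `demo()` gives a zero score for the in-profile packet and a large one for the probe, with `why` naming `ip.ttl`, `tcp.sport`, `tcp.dport` and `tcp.flags`. Note how fields that took only one or two values in training (TTL, flags) dominate the total because of the n/r term; that weighting is what makes PHAD sensitive to crafted packets, and also why the alarm threshold has to be tuned on real traffic from the site rather than taken from the DARPA set.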