[Snort-devel] Fwd: Re: Snort Anomaly Detection

Bernhard Guillon Bernhard.Guillon at ...3094...
Fri Sep 17 09:19:40 EDT 2010

On 15.09.2010 03:31, Andres Carrera Rivera wrote:
>>>   I wonder how could I get snort working like an anomaly engine.
>>   You can port algorithms to snort as preprocessors. Snort has a nice pcap
>>   layer :)
> I've heard that, but how can I port those algorithms to my snort?
> I've tried modifying some files and adding the .C and .H files on snort

Take a look at the snort documentation (doc/); there is also a great 
template at templates/

>>>   I've heard about SPADE and PHAD, which provide anomaly detection
>>>   but I really don't know how to install them in the latest version of
>>>   Snort (Snort-2.8.6.X)
>>>   So, if someone has done that before, please comment.
>>   There is an old patch for SPADE at www.ossim.net. You should be able to
>>   port it to a newer version of snort.
>>   For PHAD you can use my patch [1].
>>   I use this config:
>>   #snort.conf
>>   preprocessor phad: training_time 446400
>>   The time is in seconds.
> how can I patch my snort? I'm Working on Ubuntu and CentOS

You patch it like most other source code - use patch ;)

Patching snort 2.8.6 with PHAD:

   mkdir foo && cd foo
   wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6.tar.gz   # or get the release somewhere else
   wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff   # only if you do not want to run autotools again
   tar -xvzf snort-2.8.6.tar.gz
   cd snort-2.8.6
   cat ../snort-2.8.6-spp_phad.diff | patch -p1
   cat ../snort-2.8.6-spp_phad-Makefile.in.diff | patch -p1   # you can also run autotools instead
   ./configure && make
   make install   # if you like

Best regards
Bernhard Guillon
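
The patch steps above with a review and dry-run gate in front of them, as an added example that is not part of the original post. The function names `patch_targets` and `apply_checked` are hypothetical, and the `--dry-run`, `-f` and `-s` options assume GNU patch.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the files a unified diff will touch, with the first path
# component stripped the way `patch -p1` strips it.
patch_targets() {
    awk '/^\+\+\+ / && $2 != "/dev/null" {
             p = $2; sub(/^[^\/]*\//, "", p); print p
         }' "$1" | sort -u
}

# Apply one diff with -p1 only if no target leaves the tree and a dry
# run succeeds. On refusal the tree is left untouched.
apply_checked() {
    tree=$1
    # Absolute path, because patch runs after a cd into the tree.
    diff_file=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")

    if patch_targets "$diff_file" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "refusing $2: a target path contains '..'" >&2
        return 1
    fi
    # --dry-run tests every hunk without writing; -f never prompts.
    if ! (cd "$tree" && patch -p1 -f -s --dry-run < "$diff_file") \
            >/dev/null 2>&1; then
        echo "refusing $2: does not apply cleanly to $tree" >&2
        return 1
    fi
    (cd "$tree" && patch -p1 -f -s < "$diff_file")
}

# Usage with the file names from the post:
#   patch_targets snort-2.8.6-spp_phad.diff      # review this list first
#   apply_checked snort-2.8.6 snort-2.8.6-spp_phad.diff
```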
