[Snort-devel] Fwd: Re: Snort Anomaly Detection
Bernhard.Guillon at ...3094...
Fri Sep 17 09:19:40 EDT 2010
On 15.09.2010 03:31, Andres Carrera Rivera wrote:
>>> I wonder how could I get snort working like an anomaly engine.
>> You can port algorithms to snort as preprocessors. Snort has a nice pcap
>> layer :)
> I've heard that, but how can I port those algorithms to my snort?
> I've tried modifying some files and adding the .C and .H files on snort
Take a look at the snort documentation (doc/); there is also a great
template at templates/
>>> I've heard about SPADE and PHAD, which provide anomaly detection
>>> but I really don't know how to install them in the latest version of
>>> Snort (Snort-2.8.6.X)
>>> So, if someone has done that before please comment.
>> There is an old patch for SPADE at www.ossim.net. You should be able to
>> port it to a newer version of snort.
>> For PHAD you can use my patch.
>> I use this config:
>> preprocessor phad: training_time 446400
>> The time is in seconds.
> how can I patch my snort? I'm Working on Ubuntu and CentOS
You patch it like most other source code - use patch ;)
Patching snort 2.8.6 with PHAD:
mkdir foo && cd foo
wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6.tar.gz (or
get the release somewhere else)
(only if you do not want to run autotools again)
tar -xvzf snort-2.8.6.tar.gz
cat ../snort-2.8.6-spp_phad.diff | patch -p1
cat ../snort-2.8.6-spp_phad-Makefile.in.diff | patch -p1 (you can
also run autotools instead)
./configure && make
make install (if you like)
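The same steps as a script, added here as an example and not part of the original mail or of the Snort project: it checks the downloaded tarball against a checksum obtained out of band (the mail gives none, so the value below is only the hash of a constructed file), and it dry-runs the diff before letting `patch -p1` touch the tree, so a hunk that no longer matches a newer snort leaves the source untouched. The source tree, the diff and the "download" are constructed inline so the script runs offline; with the real snort-2.8.6.tar.gz and snort-2.8.6-spp_phad.diff you would substitute those paths. GNU patch (Linux) is assumed for `--dry-run`.

```shell
#!/bin/sh
# Added example (not from the mail or the Snort tree): safe tarball+patch workflow.
set -eu

# verify_sha256 FILE EXPECTED: status 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS fallback
    fi
    [ "$actual" = "$2" ]
}

# apply_patch_safely SRCDIR DIFF: like the mail's `cat x.diff | patch -p1`,
# but a dry run first refuses the whole diff if any hunk does not apply.
apply_patch_safely() {
    srcdir=$1; diff=$2
    if ! (cd "$srcdir" && patch -p1 --dry-run --silent < "$diff"); then
        echo "refusing: $diff does not apply cleanly to $srcdir" >&2
        return 1
    fi
    (cd "$srcdir" && patch -p1 --silent < "$diff")
}

# ---- constructed demo data (stands in for the real tarball and PHAD diff) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/snort-2.8.6"                      # "unpacked tarball"
mkdir -p "$SRC/src/preprocessors"
printf '/* template preprocessor */\nint setup(void) { return 0; }\nint run(void) { return 1; }\n' \
    > "$SRC/src/preprocessors/spp_template.c"

# One-hunk unified diff, constructed to resemble a preprocessor patch.
cat > "$WORK/spp_phad.diff" <<'EOF'
--- a/src/preprocessors/spp_template.c
+++ b/src/preprocessors/spp_template.c
@@ -1,3 +1,4 @@
 /* template preprocessor */
+/* phad hook (constructed example) */
 int setup(void) { return 0; }
 int run(void) { return 1; }
EOF

# A "download" whose hash we know out of band: the file holds "hello\n".
printf 'hello\n' > "$WORK/download.bin"
KNOWN_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Named checks returning the results a caller can test.
demo_checksum_ok()  { verify_sha256 "$WORK/download.bin" "$KNOWN_SHA256"; }
demo_checksum_bad() { verify_sha256 "$WORK/download.bin" \
    0000000000000000000000000000000000000000000000000000000000000000; }
demo_patch() {
    apply_patch_safely "$SRC" "$WORK/spp_phad.diff" &&
    grep -q 'phad hook' "$SRC/src/preprocessors/spp_template.c"
}
# Applying the same diff a second time must be refused, not half-applied.
demo_repatch_refused() { ! apply_patch_safely "$SRC" "$WORK/spp_phad.diff" 2>/dev/null; }

demo_checksum_ok && demo_patch && echo "checksum verified, patch applied cleanly"
```

The dry run matters most when carrying a diff written against one snort release to a newer one, which is exactly what the mail suggests for the SPADE patch: a rejected hunk then produces no `.rej` files and no partially patched tree to untangle before running configure.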