[Snort-devel] Fwd: Re: Snort Anomaly Detection
Andres Carrera Rivera
protoss_black88 at ...445...
Fri Sep 17 09:31:41 EDT 2010
On 9/17/2010 8:19 AM, Bernhard Guillon wrote:
> On 15.09.2010 03:31, Andres Carrera Rivera wrote:
>>>> I wonder how I could get snort working like an anomaly engine.
>>> You can port algorithms to snort as preprocessors. Snort has a nice pcap layer :)
>> I've heard that, but how can I port those algorithms to my snort?
>> I've tried modifying some files and adding the .c and .h files to snort.
> Take a look at the snort documentation (doc/); there is also a great
> template at templates/
>>>> I've heard about SPADE and PHAD, which provide anomaly detection
>>>> but I really don't know how to install them in the latest version of
>>>> Snort (Snort-2.8.6.X).
>>>> So, if someone has done that before, please comment.
>>> There is an old patch for SPADE at www.ossim.net. You should be able to
>>> port it to a newer version of snort.
>>> For PHAD you can use my patch.
>>> I use this config:
>>> preprocessor phad: training_time 446400
>>> The time is in seconds.
>> How can I patch my snort? I'm working on Ubuntu and CentOS.
> You patch it like most other source code - use patch ;)
> Patching snort 2.8.6 with PHAD:
> mkdir foo && cd foo
> wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6.tar.gz (or get the release somewhere else)
> wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff (only if you do not want to run autotools again)
> tar -xvzf snort-2.8.6.tar.gz
> cd snort-2.8.6
> cat ../snort-2.8.6-spp_phad.diff | patch -p1
> cat ../snort-2.8.6-spp_phad-Makefile.in.diff | patch -p1 (you can also run autotools instead)
> ./configure && make
> make install (if you like)
> Best regards
> Bernhard Guillon
Excellent! I did exactly what you said and patched it inside snort-2.8.6.X.
Now my question is: how can I test if the PHAD preprocessor is working?
I don't see any configuration for it inside the snort.conf file.
I run snort like: snort -dev -c ./snort.conf
but when I exit, I don't see any stats about PHAD, just the same
information that snort normally prints.
And in the logs? I don't see any PHAD anomaly alarm...
So I don't know if PHAD is really working in my snort.
Could you please help me with how to work with the PHAD preprocessor, now
that I've installed it :-)
Thanks a lot,
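Added example, not part of the thread: a small POSIX shell check for the two things the question above hinges on, whether the PHAD code was actually compiled into the snort binary and whether snort.conf enables it with the `preprocessor phad: training_time <seconds>` line Bernhard quoted. It assumes the patched binary contains the string "phad" somewhere (an assumption about the patch, not something the thread states) and uses a constructed sample config for the dry run.

```shell
#!/bin/sh
# Added example (not from the thread). A preprocessor patched into snort
# only runs if snort.conf names it, so check both the binary and the config.

# Print the configured training_time (seconds) and return 0 if CONF has an
# active "preprocessor phad: training_time N" line; return 1 if it is
# missing or commented out.
phad_training_time() {
    conf="$1"
    # drop comments first so a commented-out line is not taken as enabled
    sed 's/#.*//' "$conf" \
      | awk '$1 == "preprocessor" && $2 == "phad:" {
               for (i = 3; i < NF; i++)
                   if ($i == "training_time") { print $(i+1); found = 1 }
             }
             END { exit found ? 0 : 1 }'
}

# Return 0 if the file BIN mentions "phad" at all (assumption: the patched
# binary embeds that string via its preprocessor registration), else 1.
phad_compiled_in() {
    grep -aqi 'phad' "$1"
}

# Constructed sample config for a dry run; not a real snort.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
# preprocessor phad: training_time 1    <- commented out, must be ignored
preprocessor frag3_global
preprocessor phad: training_time 446400
EOF
}

# Usage: sh phadcheck.sh /path/to/snort /path/to/snort.conf
if [ "$#" -ge 2 ]; then
    phad_compiled_in "$1" && echo "phad string found in $1" \
        || echo "no phad string in $1: patch may not be compiled in" >&2
    if t=$(phad_training_time "$2"); then
        echo "phad enabled, training_time=${t}s (~$((t / 86400)) days)"
    else
        echo "phad not configured in $2; add: preprocessor phad: training_time 446400" >&2
    fi
fi
```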