[Snort-devel] Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Fri Sep 17 09:31:41 EDT 2010

  On 9/17/2010 8:19 AM, Bernhard Guillon wrote:
> On 15.09.2010 03:31, Andres Carrera Rivera wrote:
>>>>   I wonder how could I get snort working like an anomaly engine.
>>>   You can port algorithms to snort as preprocessors. Snort has a 
>>> nice pcap
>>>   layer :)
>> I've heard that, but how can I port those algorithms to my snort.?
>> i've tried modifying some files and adding the .C and .H files on snort
> Take a look at the snort documentation (doc/) there is also great 
> template at templates/
>>>>   I've heard about SPADE and PHAD, which provide anomaly detection
>>>>   but I really dont know how to install them in the latest version of
>>>>   Snort (Snort-2.8.6.X)
>>>>   So, If someone have done that before please coment.
>>>   There is a old patch for SPADE at www.ossim.net. You should be 
>>> able to
>>>   port it to a newer version of snort.
>>>   For PHAD you can use my patch [1].
>>>   I use this config:
>>>   #snort.conf
>>>   preprocessor phad: training_time 446400
>>>   The time is in seconds.
>> how can I patch my snort? I'm Working on Ubuntu and CentOS
> As you patch it like most other source code - use patch ;)
> Patching snort 2.8.6 with PHAD:
>   mkdir foo && cd foo
>   wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6.tar.gz (or 
> get the release somewhere else)
>   wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
>   wget 
> http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad-Makefile.in.diff 
> (only if you do not want to run autotools again)
>   tar -xvzf snort-2.8.6.tar.gz
>   cd snort-2.8.6
>   cat ../snort-2.8.6-spp_phad.diff | patch -p1
>   cat ../snort-2.8.6-spp_phad-Makefile.in.diff | patch -p1 (you can 
> also run autotools instead)
>   ./configure && make
>   make install (if you like)
> Best regards
> Bernhard Guillon

Excellent! I did Exactly what you said, patch it inside the snort-2.8.6.X.
Now my question is: how can I test if the PHAD Preprocessor is working?
because, I don't see any configuration inside the snort.conf file.

I run snort like: snort -dev -c ./snort.conf
but when I exit running it, i didn't see any stats about PHAD, just the 
same information that uses snort.
and in logs? i don't see any PHAD anomaly alarm...
So I don't know if the PHAD is really working on my snort.

Please could you help me, how to work with the PHAD preprocessor, now 
that I've installed it :-)

Thanks A lot,

Andres Carrera

More information about the Snort-devel mailing list