[Snort-devel] Fwd: Re: Snort Anomaly Detection

Bernhard Guillon Bernhard.Guillon at ...3094...
Fri Sep 17 09:43:47 EDT 2010


On 17.09.2010 15:31, Andres Carrera Rivera wrote:
>
>
> Excellent! I did exactly what you said and patched it inside
> snort-2.8.6.X.
> Now my question is: how can I test if the PHAD preprocessor is working?
> Because I don't see any configuration inside the snort.conf file.
>
> I run snort like: snort -dev -c ./snort.conf


You need to add the configuration for spp_phad to snort.conf which I 
wrote in my other mail:

#snort.conf
preprocessor phad: training_time 446400


The training time is still in seconds. For more information about the
algorithm, read the paper [1] of the original implementation.

Best regards
Bernhard Guillon

[1] http://cs.fit.edu/~mmahoney/paper3.pdf






