[Snort-devel] Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Fri Sep 17 09:56:02 EDT 2010


  On 9/17/2010 8:43 AM, Bernhard Guillon wrote:
> On 17.09.2010 15:31, Andres Carrera Rivera wrote:
>>
>>
>> Excellent! I did exactly what you said and patched it inside 
>> snort-2.8.6.X.
>> Now my question is: how can I test if the PHAD preprocessor is working?
>> Because I don't see any configuration inside the snort.conf file.
>>
>> I run snort like: snort -dev -c ./snort.conf
>
>
> You need to add the configuration for spp_phad to snort.conf which I 
> wrote in my other mail:
>
> #snort.conf
> preprocessor phad: training_time 446400
>
>
> The training time still is in seconds. For more information about the 
> algorithm read the paper [1] of the original implementation.
>
> Best regards
> Bernhard Guillon
>
> [1] http://cs.fit.edu/~mmahoney/paper3.pdf
>

OK, the time is in seconds.
But when it finishes the training mode, will the PHAD generate some 
alerts when it finds any anomalies?
That's what I don't know.

Thanks,
Andres Carrera



