[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Fri Sep 17 10:01:28 EDT 2010



  On 9/17/2010 8:43 AM, Bernhard Guillon wrote:
>  On 17.09.2010 15:31, Andres Carrera Rivera wrote:
>>
>>
>>  Excellent! I did exactly what you said and patched it into
>>  snort-2.8.6.X.
>>  Now my question is: how can I test if the PHAD preprocessor is working?
>>  Because I don't see any configuration inside the snort.conf file.
>>
>>  I run snort like: snort -dev -c ./snort.conf
>
>
>  You need to add the configuration for spp_phad to snort.conf which I
>  wrote in my other mail:
>
>  #snort.conf
>  preprocessor phad: training_time 446400
>
>
>  The training time still is in seconds. For more information about the
>  algorithm read the paper [1] of the original implementation.
>
>  Best regards
>  Bernhard Guillon
>
>  [1] http://cs.fit.edu/~mmahoney/paper3.pdf

OK, the time is in seconds.
But when it finishes the training mode, will PHAD generate some
alerts when it finds any anomalies?
That's what I don't know.


I put preprocessor phad:
training_time 446400


in the snort.conf file, but when running snort, I got this error:
Unknown preprocessor: "phad"

Snort doesn't recognize PHAD?
How can I solve this problem?


Thanks,
Andres Carrera




