[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Joel Ebrahimi joel.ebrahimi at ...2499...
Fri Sep 17 15:56:37 EDT 2010


He is referring to the DARPA pcaps for IDS testing. You can get more info here:

    http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/

Basically you are using the -r flag to specify you are reading from a
pcap file rather than an interface.

// Joel

On Fri, Sep 17, 2010 at 10:45 AM, Andres carrera
<protoss_black88 at ...445...> wrote:
>
>
>> Date: Fri, 17 Sep 2010 16:50:09 +0200
>> From: Bernhard.Guillon at ...3094...
>> To: protoss_black88 at ...445...
>> CC: snort-devel at lists.sourceforge.net
>> Subject: Re: [Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection
>>
>> On 17.09.2010 16:01, Andres Carrera Rivera wrote:
>> > I put preprocessor phad:
>> > training_time 446400
>> >
>> >
>> > on the snort.conf file, but when running snort, I got this ERROR:
>> > Unknown preprocessor: "phad"
>> >
>> > Snort doesn't recognize PHAD?
>> > How can I solve this problem?
>> >
>> >
>>
>> Ah, I forgot to add plugbase.c to my patch. I just fixed it and uploaded
>> the patch to the old location :)
>
> OK, so it's the same file, in the same location, right?
>
> snort-2.8.6-spp_phad.diff, right?
> and patch it as always
>
>
>> Just redo the steps including the download.
>>
>> with
>>
>> preprocessor phad: training_time 14400
>>
>> and the DARPA set [1] (using -r switch) you will get some nice alerts :)
>>
>> Best regards
>> Bernhard Guillon
>>
>> [1]
>>
>> http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999/training/week1/monday/inside.tcpdump.gz
>>
>
> Mmm, I haven't worked with the DARPA set. How can I use it? Does it work with Snort too?
>
> thanks, Andres Carrera
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
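The steps discussed in the thread (download the DARPA capture, then feed it to Snort with -r instead of sniffing an interface) as an added shell example; this is not code from the thread or from the Snort project. It assumes a snort binary on PATH, a snort.conf that already carries the `preprocessor phad: training_time 14400` line quoted above, and placeholder paths for the log directory. The one check it adds that the thread does not spell out is verifying that the file handed to -r is an uncompressed libpcap capture (the DARPA download is a .gz archive), because a wrong file type produces a confusing read error rather than alerts.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes: snort on PATH,
# snort.conf already contains the phad preprocessor line, and the paths
# passed on the command line are the reader's own (placeholders here).

# Classify a capture file by its first four bytes.
# Returns 0 for a libpcap savefile (either byte order, micro- or nanosecond
# variants), 1 for gzip data (needs decompressing first), 2 for anything else.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        1f8b*) return 1 ;;
        *) return 2 ;;
    esac
}

# Build the Snort 2.x read-from-file command line:
#   -c  configuration file, -r  read packets from a pcap instead of an interface,
#   -l  log directory, -A fast  one-line alerts (the mode used when eyeballing output).
snort_read_cmd() {
    printf 'snort -c %s -r %s -l %s -A fast\n' "$1" "$2" "$3"
}

# Decompress the DARPA download if needed, validate the result, then run Snort.
# Usage: run_snort_on_pcap <snort.conf> <capture or capture.gz> <logdir>
run_snort_on_pcap() {
    conf=$1; cap=$2; logdir=$3
    rc=0; pcap_kind "$cap" || rc=$?
    if [ "$rc" -eq 1 ]; then
        plain=${cap%.gz}
        gzip -dc "$cap" > "$plain" || return 1
        cap=$plain
        pcap_kind "$cap" || return 1   # still not a pcap after decompressing
    elif [ "$rc" -ne 0 ]; then
        echo "not a libpcap file: $cap" >&2
        return 1
    fi
    mkdir -p "$logdir"
    # Print the exact command before running it so the invocation is auditable.
    cmd=$(snort_read_cmd "$conf" "$cap" "$logdir")
    echo "$cmd"
    $cmd
}

# Only run when invoked with arguments, so sourcing the file defines functions only.
if [ $# -eq 3 ]; then
    run_snort_on_pcap "$1" "$2" "$3"
fi
```

Typical invocation, with the placeholders replaced by real paths: `sh run_phad.sh /etc/snort/snort.conf inside.tcpdump.gz /var/log/snort`. Alerts land in the log directory named by -l; with the 14400-second training_time the preprocessor needs four hours of capture before it starts alerting, so a short excerpt of the DARPA trace will end the run without any alerts.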
