[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Sat Sep 18 22:40:24 EDT 2010


On 9/17/2010 9:50 AM, Bernhard Guillon wrote:
> On 17.09.2010 16:01, Andres Carrera Rivera wrote:
>> I put
>> preprocessor phad: training_time 446400
>>
>> in the snort.conf file, but when running snort I got this ERROR:
>> Unknown preprocessor: "phad"
>>
>> Snort doesn't recognize PHAD?
>> How can I solve this problem?
>>
>
> Ah, I forgot to add plugbase.c to my patch. I just fixed it and 
> uploaded the patch to the old location :)
> Just redo the steps including the download.
>
> with
>
> preprocessor phad: training_time 14400
>
> and the DARPA set [1] (using -r switch) you will get some nice alerts :)
>
> Best regards
> Bernhard Guillon
>
> 1 
> http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999/training/week1/monday/inside.tcpdump.gz

That's great!! I followed your steps and configured PHAD without any ERRORS.
OK! Now I have PHAD installed as a preprocessor on SNORT :-D
Now my question is: I run snort as always, like: snort -c ./snort.conf
And my PHAD is running in training mode...

But I want to see a report from PHAD. How do I know if I had any anomalies
on my network?...
Where are those anomaly alerts?
In the logs, or in a PHAD file, if it has one?

Thanks,

Andres Carrera