[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Sun Sep 19 18:23:13 EDT 2010

  On 9/19/2010 8:22 AM, Bernhard Guillon wrote:
> On 19.09.2010 04:40, Andres Carrera Rivera wrote:
>> Thats great!! I follow your steps and configure PHAD without any ERRORS
>> OK! Now I got installed PHAD as a Preprocessor on SNORT :-D
>> Now my question is, I run snort as always like : snort -c ./snort.conf.
>> And my PHAD is running in a training mode...
> What do you expect an anomaly detection algorithm to report in 
> training mode?

Mmm maybe not in training mode, but I want to see a quick report after 
scanning the PHAD in Snort.

>> But I want to see any report of PHAD, How I know if I had any anomalies
>> on my network?...
>> where are those anomalies alerts?
>> on logs, or in a PHAD file, if it has?
> On screen and where ever you told snort to log the alerts (see 
> documentation for default location). Please use the DARPA set (as I 
> told you already) with the config I gave you to verify that the 
> preprocessor is working as expected.
> Best regards
> Bernhard Guillon

OK, I follow your steps and use the DARPA.
I ran my snort like:

snort -r ../inside.tcpdump -c ./snort.conf , using the file that you 
gave me.

as a result I got about 710 new alerts! that log in my alert file.

but checking my alerts file, I didn't  find any anomaly alert, or 
something with PHAD..
I suppose there will be some kind of anomaly detection alerts, or 
something like that.
I attach my alert file, and other file that show you the last part of 
snort( the mini analysis and results), there, I don't see any anomalies too

so I dont know if the PHAD is working, cause I dont see nothing with 
Packet Anomalies, Please could you check those files,
and tell me whats wrong, or if its working well.
I want to see anomalies alerts, and a PHAD report like those files that 
you gave me.


Andres Carrera

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: alert
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20100919/685a04a8/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Check it
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20100919/685a04a8/attachment-0001.ksh>

More information about the Snort-devel mailing list