[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Bernhard Guillon Bernhard.Guillon at ...3094...
Sun Sep 19 20:34:45 EDT 2010


On 20.09.2010 00:23, Andres Carrera Rivera wrote:
>
>
> OK, I followed your steps and used the DARPA set.
> I ran my snort like:
>
> snort -r ../inside.tcpdump -c ./snort.conf , using the file that you 
> gave me.
>
> As a result I got about 710 new alerts logged in my alert file.
>
> But checking my alert file, I didn't find any anomaly alert, or 
> anything with PHAD.
> I suppose there would be some kind of anomaly detection alerts, or 
> something like that.
> I attach my alert file, and another file that shows you the last part of 
> snort (the mini analysis and results); there, I don't see any 
> anomalies either.
>
> So I don't know if the PHAD is working, because I don't see anything with 
> Packet Anomalies. Please could you check those files,
> and tell me what's wrong, or if it's working well.
> I want to see anomaly alerts, and a PHAD report like those files 
> that you gave me.
>


Hm, weird. Here are my snort.conf [1], my screen output [2] and my alert 
log [3].

Can you try it again with my config file [1] (without any other 
configuration) and the DARPA set [4]?

Best regards
Bernhard Guillon

1 http://student.cosy.sbg.ac.at/~bguillon/snort.conf
2 http://student.cosy.sbg.ac.at/~bguillon/snort.output.txt
3 http://student.cosy.sbg.ac.at/~bguillon/alert
4 http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999/training/week1/monday/inside.tcpdump.gz
