[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection
Andres Carrera Rivera
protoss_black88 at ...445...
Sun Sep 19 20:40:00 EDT 2010
On 9/19/2010 7:34 PM, Bernhard Guillon wrote:
> On 20.09.2010 00:23, Andres Carrera Rivera wrote:
>> OK, I followed your steps and used the DARPA set.
>> I ran my snort like:
>> snort -r ../inside.tcpdump -c ./snort.conf , using the file that you
>> gave me.
>> As a result I got about 710 new alerts logged in my alert file,
>> but checking my alert file, I didn't find any anomaly alert, or
>> anything with PHAD.
>> I suppose there would be some kind of anomaly detection alerts, or
>> something like that.
>> I attach my alert file, and another file that shows you the last part of
>> snort's output (the mini analysis and results); there, I don't see any
>> anomalies either.
>> So I don't know if the PHAD is working, because I don't see anything about
>> Packet Anomalies. Please could you check those files
>> and tell me what's wrong, or if it's working well.
>> I want to see anomaly alerts, and a PHAD report like those files
>> that you gave me.
> Hm, weird. Here is my snort.conf [1], my screen output [2] and my alert
> log [3].
> Can you try it again with my config file (without any other
> configuration) and the DARPA set?
> Best regards
> Bernhard Guillon
> 1 http://student.cosy.sbg.ac.at/~bguillon/snort.conf
> 2 http://student.cosy.sbg.ac.at/~bguillon/snort.output.txt
> 3 http://student.cosy.sbg.ac.at/~bguillon/alert
Mmm, your snort.conf is just that line?
You don't have any rules configuration or any other preprocessors?
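One way to check whether an alert file actually contains PHAD-generated alerts, as an added example that is not code from this thread, from Snort or from PHAD: a small Python parser for Snort's one-line alert_fast format that tallies alerts per signature and pulls out the ones whose message contains a keyword. The sample alert lines, the signature ids and the "PHAD" message text are constructed assumptions; the real message text emitted by the PHAD preprocessor would have to be substituted for the keyword.

```python
import re
from collections import Counter

# Snort alert_fast line: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src -> dst
# (classification and priority are optional in this format).
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample input: sids, gid 199 and the PHAD message are made up.
SAMPLE_ALERTS = """\
09/19-20:40:00.123456  [**] [1:1000001:1] CONSTRUCTED sample TCP rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.112.50:1234 -> 172.16.114.50:80
09/19-20:40:01.000001  [**] [1:1000001:1] CONSTRUCTED sample TCP rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.112.50:1235 -> 172.16.114.50:80
09/19-20:40:02.500000  [**] [1:1000002:2] CONSTRUCTED sample ICMP rule [**] [Priority: 3] {ICMP} 172.16.112.50 -> 172.16.114.50
09/19-20:40:03.700000  [**] [199:1:1] CONSTRUCTED PHAD packet header anomaly [**] [Priority: 1] {UDP} 172.16.112.50:53 -> 172.16.114.50:53
this line is not an alert and is skipped
"""

def parse_fast_alerts(text):
    """Yield one dict per well-formed alert_fast line; skip anything else."""
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text, keyword="PHAD"):
    """Return (Counter of alerts per (gid, sid, msg), list of alerts whose
    message contains keyword, case-insensitively)."""
    by_sig = Counter()
    matching = []
    for alert in parse_fast_alerts(text):
        by_sig[(alert["gid"], alert["sid"], alert["msg"])] += 1
        if keyword.lower() in alert["msg"].lower():
            matching.append(alert)
    return by_sig, matching

if __name__ == "__main__":
    counts, phad = summarize(SAMPLE_ALERTS)
    for (gid, sid, msg), n in counts.most_common():
        print(f"{n:6d}  [{gid}:{sid}] {msg}")
    print(f"{len(phad)} alert(s) mention PHAD")
```

Run it against a real alert file with `summarize(open("alert").read(), "<PHAD message text>")`; an empty second element means no alert with that text was logged.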