[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Sun Sep 19 20:40:00 EDT 2010


  On 9/19/2010 7:34 PM, Bernhard Guillon wrote:
> On 20.09.2010 00:23, Andres Carrera Rivera wrote:
>>
>>
>> OK, I followed your steps and used the DARPA set.
>> I ran my snort like:
>>
>> snort -r ../inside.tcpdump -c ./snort.conf, using the file that you 
>> gave me.
>>
>> As a result I got about 710 new alerts logged in my alert file.
>>
>> But checking my alert file, I didn't find any anomaly alert, or 
>> anything with PHAD.
>> I suppose there should be some kind of anomaly detection alerts, or 
>> something like that.
>> I attach my alert file, and another file that shows you the last part of 
>> snort's output (the mini analysis and results); there, I don't see any 
>> anomalies either.
>>
>> So I don't know if PHAD is working, because I don't see anything about 
>> Packet Anomalies. Please could you check those files,
>> and tell me what's wrong, or if it's working well.
>> I want to see anomaly alerts, and a PHAD report like those files 
>> that you gave me.
>>
>
>
> Hm, weird. Here is my snort.conf [1] my screen output [2] and my alert 
> [3] log.
>
> Can you try it again with my config file [1] (without any other 
> configuration) and the DARPA set [4]?
>
> Best regards
> Bernhard Guillon
>
> 1 http://student.cosy.sbg.ac.at/~bguillon/snort.conf
> 2 http://student.cosy.sbg.ac.at/~bguillon/snort.output.txt
> 3 http://student.cosy.sbg.ac.at/~bguillon/alert
> 4 
> http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999/training/week1/monday/inside.tcpdump.gz
>
>
>

Mmm, your snort.conf is just that line?
You don't have any rules configuration or any other preprocessors?