[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection
Bernhard.Guillon at ...3094...
Mon Sep 20 18:48:36 EDT 2010
On 20.09.2010 03:09, Andres Carrera Rivera wrote:
> Yes, I tried your configuration (your snort.conf) and I got the same
> output as you, with the same number of alerts; I attached it.
> Also there's my snort.conf.
> I use almost every preprocessor, and I use the Snort rules that I
> downloaded from snort.org/rules,
> but for a reason I don't know, my snort.conf doesn't show the same
> alerts as yours (the PHAD alerts).
I never tried my preprocessor in conjunction with other preprocessors,
because I only wanted to use anomaly detection algorithms. As far as I
know, Snort rules and preprocessors are able to alter the packets.

Because I do not have the Snort rules right now (I need to create an
account first), I just tried without the rules (here is my config)
and I got a lot of spp_phad alerts. But most of the output is bogus.
I need to find out why. I believe that the way I "misused" the output
system (see patch, ~line 819-849) to support non-const char might be
insane and led to the bogus output. Otherwise, the weirdest part,
"Preprocessor: PHAD Training ends", is const and is called before (see
patch, ~line 407) the non-const part.

I need to read more documentation and source of the other preprocessors
to know what they are doing and whether they might influence the output
as well. I truly would like to spend more time to get it fixed quickly,
but I currently have no time to do that. I have to get some paid work
done first. And after that the next semester begins, which has a higher
priority than my free-time stuff ;)

To cut a long story short, I don't know if I'll find time to fix it.
Don't bet on it - sorry.