[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection
Andres Carrera Rivera
protoss_black88 at ...445...
Mon Sep 20 22:28:15 EDT 2010
> I never tried my preprocessor in conjunction with other preprocessors
> because I only wanted to use anomaly detection algorithms. As far as I
> know snort rules and preprocessors are able to alter the packages.
> Because I do not have the snort rules right now (need to create an
> account first) I just tried without the rules (here is my config )
> and I got a lot of spp_phad alerts. But most of the output  is
> bogus. I need to find out why. I believe that the way I "misused" the
> output system (see patch  ~line 819-849) to support non const char
> might be insane and led to the bogus output.
> Otherwise the most weird part "Preprocessor: PHAD Training ends" is
> const and called before (see patch  ~line 407) the non const part.
maybe be when the PHAD is checking the system time, it takes the DARPA
Set time, in the instant the packet appear, so it will always be less
than the training time,
I suppose thats why appear many times "Preprocessor: PHAD Training ends"
> I need to read more documentation and source of the other
> preprocessors to know what they are doing and if they might influence
> the output as well. I truly would like to spend more time to get it
> fixed quickly but I currently have no time to do that. I have to get
> some paid work done first. And after that the next semester begins
> which is on a higher priority than my free time stuff ;)
> To cut a long story short I don't know if I find time to fix it. Don't
> bet on it - sorry.
> Best regards
> Bernhard Guillon
> 2 http://student.cosy.sbg.ac.at/~bguillon/snort.bogus.output.txt
> 3 http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
after all, it works with other preprocessors, now I will check if it
will work with some rules set.
You told me, that you have done this for your Thesis, could you show me
your structure of how you build it, or your design or your doc, I'm
doing the same for my thesis.
but I don't have enough topics.
I also have installed SPADE which is another anomaly preprocessor for
snort(2.7.0). both spade and phad are kind of similar, both preprocessor
show anomalies alerts, but spade dont have training time, If you know
something about spade could you tell us..
Also, I've read in other papers, there are several anomalies algorithms,
Like NIDES, ALAD, NETAD, LERAD.. but I dont know who is the best for
just detecting new anomalies in a network .
Maybe you have installed one of those like a preproccesor for snort?
More information about the Snort-devel