[Snort-devel] Fwd: Re: Fwd: Re: Snort Anomaly Detection

Andres Carrera Rivera protoss_black88 at ...445...
Mon Sep 20 22:28:15 EDT 2010

> I never tried my preprocessor in conjunction with other preprocessors 
> because I only wanted to use anomaly detection algorithms. As far as I 
> know, snort rules and preprocessors are able to alter the packets. 
> Because I do not have the snort rules right now (need to create an 
> account first) I just tried without the rules (here is my config [1]) 
> and I got a lot of spp_phad alerts. But most of the output [2] is 
> bogus. I need to find out why. I believe that the way I "misused" the 
> output system (see patch [3] ~line 819-849) to support non-const char 
> might be insane and led to the bogus output. 

> Otherwise, the weirdest part, "Preprocessor: PHAD Training ends", is 
> const and called before (see patch [3] ~line 407) the non-const part.

Maybe when PHAD checks the system time, it takes the DARPA set time at 
the instant the packet appears, so it will always be less than the 
training time. I suppose that's why "Preprocessor: PHAD Training ends" 
appears many times.

> I need to read more documentation and source of the other 
> preprocessors to know what they are doing and if they might influence 
> the output as well. I truly would like to spend more time to get it 
> fixed quickly but I currently have no time to do that. I have to get 
> some paid work done first. And after that the next semester begins 
> which is on a higher priority than my free time stuff ;)
> To cut a long story short I don't know if I find time to fix it. Don't 
> bet on it - sorry.
> Best regards
> Bernhard Guillon
> 1 
> http://student.cosy.sbg.ac.at/~bguillon/snort.with.some.preprocessors.conf
> 2 http://student.cosy.sbg.ac.at/~bguillon/snort.bogus.output.txt
> 3 http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
After all, it works with other preprocessors; now I will check if it 
will work with some rule set.
You told me that you have done this for your thesis. Could you show me 
the structure of how you built it, or your design or your docs? I'm 
doing the same for my thesis, but I don't have enough topics.

I have also installed SPADE, which is another anomaly preprocessor for 
Snort (2.7.0). SPADE and PHAD are kind of similar: both preprocessors 
raise anomaly alerts, but SPADE doesn't have a training time. If you know 
something about SPADE, could you tell us?

Also, I've read in other papers that there are several anomaly detection 
algorithms, like NIDES, ALAD, NETAD, LERAD, but I don't know which is the 
best for just detecting new anomalies in a network.
Maybe you have installed one of those as a preprocessor for Snort?


Andres Carrera.
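The clock mix-up speculated about above (a training deadline derived from the host's wall clock while each packet is judged by the capture timestamp of a 1999 DARPA trace) is easy to reproduce in isolation. The following is an added illustration written for this page, not code from spp_phad, SPADE or Snort: the `struct trainer` type, the two init variants, the constructed packet trace and the timestamps (a 1999-03-01 capture start, a 2010-09-20 host clock, both approximate epoch values) are all assumptions of this example. It shows the consequence of comparing capture time against a wall-clock deadline (training never ends) next to anchoring the window to the first packet's own timestamp; it does not claim to explain the repeated "Training ends" lines, whose cause the thread leaves open.

```c
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* Hypothetical training-phase state for an anomaly preprocessor.
 * This is illustrative code, not the PHAD or SPADE implementation. */
struct trainer {
    time_t deadline;     /* absolute time at which training ends */
    int    anchored;     /* has the deadline been fixed yet? */
    time_t window;       /* length of the training window, seconds */
    int    in_training;  /* 1 while still collecting training data */
    int    end_fired;    /* how many "Training ends" transitions occurred */
};

/* Variant A (the suspected bug): the deadline comes from the host clock at
 * start-up, but packets will be compared by their capture timestamp. */
void trainer_init_wallclock(struct trainer *t, time_t host_now, time_t window)
{
    t->deadline = host_now + window;
    t->anchored = 1;
    t->window = window;
    t->in_training = 1;
    t->end_fired = 0;
}

/* Variant B: the deadline is anchored to the first packet's own timestamp,
 * so replaying an old capture behaves like live traffic. */
void trainer_init_pktclock(struct trainer *t, time_t window)
{
    t->deadline = 0;
    t->anchored = 0;
    t->window = window;
    t->in_training = 1;
    t->end_fired = 0;
}

/* Feed one packet (by capture timestamp, as pcap/Snort would supply it).
 * Returns 1 if the packet was consumed as training data, 0 otherwise. */
int trainer_feed(struct trainer *t, time_t pkt_sec)
{
    if (!t->anchored) {
        t->deadline = pkt_sec + t->window;
        t->anchored = 1;
    }
    if (t->in_training && pkt_sec >= t->deadline) {
        t->in_training = 0;
        t->end_fired++;
        printf("Preprocessor: Training ends at %ld\n", (long)pkt_sec);
    }
    return t->in_training;
}

/* Build a constructed trace: n packet timestamps, `step` seconds apart. */
void make_trace(time_t *out, size_t n, time_t start, time_t step)
{
    for (size_t i = 0; i < n; i++)
        out[i] = start + (time_t)i * step;
}

/* Run a trace through a trainer; returns how many packets were treated as
 * training data. */
int run_trace(struct trainer *t, const time_t *ts, size_t n)
{
    int trained = 0;
    for (size_t i = 0; i < n; i++)
        trained += trainer_feed(t, ts[i]);
    return trained;
}

int main(void)
{
    /* Assumed values: a capture starting 1999-03-01 (epoch 920246400),
     * one packet per hour for two days, and a 24h training window. */
    time_t ts[48];
    make_trace(ts, 48, 920246400, 3600);

    struct trainer a, b;
    /* Host clock assumed to be 2010-09-20 (epoch 1284940800). */
    trainer_init_wallclock(&a, 1284940800, 86400);
    trainer_init_pktclock(&b, 86400);

    printf("wall-clock deadline: %d of 48 packets used for training, "
           "training ended %d time(s)\n", run_trace(&a, ts, 48), a.end_fired);
    printf("packet-clock deadline: %d of 48 packets used for training, "
           "training ended %d time(s)\n", run_trace(&b, ts, 48), b.end_fired);
    return 0;
}
```

With the wall-clock variant every 1999 timestamp is earlier than a 2010 deadline, so all 48 packets are swallowed as training data and the training phase never ends; anchoring the deadline to the first packet gives the expected 24 training packets and a single transition. When checking a preprocessor against a replayed data set, the first thing to verify is which clock the training condition actually reads.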

