[Snort-devel] [SNORT-devel] Snort with anomaly detection

Martin Holste mcholste at ...2499...
Mon Apr 11 12:39:57 EDT 2011

It looks like HelloWorld simply records packet header information to
the database.  Is that the case?  If so, then this is the wrong tool
for the job as there are much simpler ways to create that self-data
set (I hope I'm using that term correctly).  What are you trying to
actually do once the IP headers are in the database?

On Mon, Apr 11, 2011 at 9:35 AM, Nguyen Kien <kiennguyen1101 at ...2499...> wrote:
> Hi all,
> I'm currently working on a research on using Artificial Immune System (AIS)
> approach to intrusion detection with  Negative Selection Algorithm (NSA).
> The algorithm by Forrest et al [1] is as follow:
> 1, Define self-profile.
> 2, Generate random candidate detectors
> 3, Match candidate detectors with self-data. If match-> discarded; otherwise
> it is added to detector set. The detector set is used to detect anomalous
> traffics.
> I'm trying to port the algorithm into Snort, using a custom preprocessor (is
> it better to use dynamic preprocessor?). The self-data is collected from the
> IP packet headers and stored in the database to generate the detector set.
> I'm planning to use the DARPA data set for the self-data. I've written a
> helloworld preprocessor to collect header data from the DARPA data set.
> However, I'm having a few technical problems that i would like to ask.
> - Where should i put my code to generate the detector set in Snort
> preprocessor? At the exit function after data collect in helloworld
> preprocessor? At the initialize of a new preprocessor?
> - Is it ok to check each packet against around 100 detectors? Does it
> destroy the performance of Snort?
> Best Regards.
> 1. S. Forrest, A. Perelson, et al. Self Nonself Discrimination in a
> Computer, 1994.
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list