[Snort-devel] Snort 3 - Python RNN Classifier plugin

Avogian Karlen avogian.karlen at hotmail.com
Fri Jun 21 03:35:11 EDT 2019


I want to develop a plugin for Snort 3 that accesses packet features, feeds the values of these features to a recurrent neural network model, and, based on the classification of the model, triggers alerts through code.

Regarding this, I have made a plan that I would like to present and get feedback on whether I got it right. Take into consideration that it's the first time I am attempting to create a plugin and I am still trying to get my head around it.

1) I have to create a custom inspector that will decode the packets and help me extract the features I need.
      (Question) - Can I extract both features per packet and features per flow?

2) I will have my Python neural network model saved in the plugin directory, so after extracting the features I will a) load the model, b) feed the features, c) get the output.
          (Notes) - I will need to execute some Python commands in C++ (evaluate the input, return the classifier output). The model will be trained a priori and will be saved in some format to be loaded from other Python scripts.

3) When the output is over a specific threshold for a type of attack, I will log an alert.
     (Question) - Can I log an alert through code, or does it have to be hardcoded?

In case my logic is erroneous, please do let me know where I am getting it wrong and if there are any ideas to fix that.

Also, I have accessed the dev_guide.html file and read some of the headers provided there.
Which headers should I look into in more detail?

Thank you very much and any feedback is wholeheartedly welcome.
