[Snort-users] Anomaly-detection dynamic preprocessor

Андрей Меньков nothingelsematters7 at ...11827...
Fri Feb 22 16:44:32 EST 2013


Hello all.
I'm in the last year of study at my university and am writing my diploma thesis.
I chose NIDS as my theme, so now I'm trying to implement a dynamic preprocessor
for Snort which will be based on this dataset: http://www.iscx.ca/dataset.
There are files in pcap format plus Excel files with labels for these packet
flows.

First of all, I need to somehow train my preprocessor. This will be done by
processing and analyzing these pcap files and maybe using the labels attached
to them (but not necessarily).

I have some questions. It would be great if someone could help me and maybe
give some good ideas :-)
1. I can give these pcap files as input to Snort, so I get all the
power of Snort's network data decoding. With this I can write a preprocessor
for learning that will take traffic from the files and move the analyzed data
somewhere. But there is a problem. It's not smart to detect anomalies using
only information about a single packet. It would be convenient, for
example, to reassemble them (e.g. into connections for TCP packets) for better
analysis. And maybe there are other "tricks".
So the question is actually something like "Can I use, for example, the Stream5
preprocessor to train my preprocessor?" It reassembles packets into
connections.

2. What about existing implementations of such dynamic preprocessors?
3. Maybe it would be better to implement it not as a dynamic preprocessor,
but as a dynamic engine?

Thanks in advance :-)
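Grouping the packets of a pcap into TCP connections before computing features is the reassembly step the post asks about. As an added illustration that is not code from the post, from Snort's Stream5, or from the ISCX dataset, the Python below builds a small constructed pcap in memory with the standard library only, parses it, groups packets into bidirectional flows by a canonical 5-tuple, and records per-flow features (packet count, payload bytes, duration, handshake and teardown state). The half-open SYN in the sample shows the kind of flow a per-packet view cannot characterise. All addresses, ports, payloads and function names are constructed for this example; with a real capture you would replace SAMPLE_PCAP by the file's bytes.

```python
import struct

# TCP flag bits used below
FIN, SYN, ACK, PSH = 0x01, 0x02, 0x10, 0x08


def _ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_record(ts, src, dst, sport, dport, flags, payload=b""):
    """One pcap record: 16-byte record header + Ethernet/IPv4/TCP frame.
    Constructed test traffic; the TCP checksum is left zero because the
    parser below does not verify it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    frame = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + ip + tcp
    ts_sec = int(ts)
    ts_usec = int(round((ts - ts_sec) * 1_000_000))
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_pcap(records):
    """Classic libpcap file: global header (magic, v2.4, snaplen, Ethernet) + records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


# Constructed sample: one complete HTTP connection plus one half-open SYN to port 22.
C, S, X = "10.0.0.5", "10.0.0.9", "10.0.0.7"
SAMPLE_PCAP = build_pcap([
    build_tcp_record(1.000, C, S, 40000, 80, SYN),
    build_tcp_record(1.001, S, C, 80, 40000, SYN | ACK),
    build_tcp_record(1.002, C, S, 40000, 80, ACK),
    build_tcp_record(1.003, C, S, 40000, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp_record(1.010, S, C, 80, 40000, PSH | ACK, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_tcp_record(1.020, C, S, 40000, 80, FIN | ACK),
    build_tcp_record(1.021, S, C, 80, 40000, FIN | ACK),
    build_tcp_record(2.000, X, S, 51000, 22, SYN),
])


def iter_packets(pcap: bytes):
    """Yield (timestamp, frame bytes) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1_000_000, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def flow_key(src, dst, sport, dport):
    """Direction-independent key so both halves of a connection land in one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def extract_flows(pcap: bytes) -> dict:
    """Group TCP packets into bidirectional flows and compute per-flow features."""
    flows = {}
    for ts, frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, payload = parsed
        f = flows.setdefault(flow_key(src, dst, sport, dport), {
            "packets": 0, "payload_bytes": 0, "first": ts, "last": ts,
            "syn": False, "syn_ack": False, "fin": False, "initiator": None})
        f["packets"] += 1
        f["payload_bytes"] += len(payload)
        f["last"] = ts
        if flags & SYN and not flags & ACK:      # connection attempt: remember who started it
            f["syn"], f["initiator"] = True, (src, sport)
        if flags & SYN and flags & ACK:          # server accepted: handshake progressed
            f["syn_ack"] = True
        if flags & FIN:
            f["fin"] = True
    for f in flows.values():
        f["duration"] = round(f["last"] - f["first"], 6)
    return flows


def half_open_flows(flows: dict) -> list:
    """Flows where a SYN was seen but never answered with SYN-ACK."""
    return [k for k, f in flows.items() if f["syn"] and not f["syn_ack"]]


if __name__ == "__main__":
    flows = extract_flows(SAMPLE_PCAP)
    for key, f in flows.items():
        print(key, {k: v for k, v in f.items() if k not in ("first", "last")})
    print("half-open:", half_open_flows(flows))
```

The per-flow dictionaries are the feature vectors a learning phase would consume; in a real pipeline the labels from the dataset's spreadsheets would be joined on the same 5-tuple and time window. Note that this grouping only collects packets; it does not reorder segments by sequence number or handle retransmissions, which is the extra work a stream reassembler does and the reason for asking Snort's own reassembly to do it.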