[Snort-users] Anomaly-detection dynamic preprocessor

Андрей Меньков nothingelsematters7 at ...11827...
Mon Feb 25 10:33:23 EST 2013


Could somebody please tell me whether there is something wrong in my planned
implementation?
Or maybe such dynamic preprocessors for Snort already exist?
I think it cannot be implemented as part of Snort itself because of a
possibly high false-positive rate.
But for some special-purpose networks, in my opinion, Snort can be extended
with such an anomaly-detection preprocessor.


On 23 February 2013 00:44, Андрей Меньков <nothingelsematters7 at ...11827...>wrote:

> Hello all.
> I'm in the final year of study at my university and am writing my diploma
> thesis. I chose NIDS as the topic, so now I am trying to implement a dynamic
> preprocessor for Snort that will be based on this dataset: http://www.iscx.ca/dataset.
> There are files in pcap format plus Excel files with labels for these packet
> flows.
>
> First of all, I need to train my preprocessor somehow. This will be done by
> processing and analyzing these pcap files and maybe using the labels attached
> to them (but not necessarily).
>
> I have some questions. It would be great if someone could help me and
> maybe give some good ideas :-)
> 1. I can give these pcap files as input to Snort, so I get all the
> power of Snort's decoding of network data. With this I can write a
> preprocessor for training that takes traffic from the files and stores the
> analyzed data somewhere. But there is a problem. It is not smart to detect
> anomalies using information about only a single packet. It would be
> convenient, for example, to reassemble them (e.g. into connections for TCP
> packets) for better analysis. And maybe there are other "tricks".
> So the question is actually something like: "Can I use, for example, the
> Stream5 preprocessor to train my preprocessor?" It reassembles packets into
> connections.
>
> 2. What about existing implementations of such dynamic preprocessors?
> 3. Maybe it would be better to implement it not as a dynamic preprocessor,
> but as a dynamic engine?
>
> Thanks in advance :-)
>
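As an added illustration of the "train on flows, not on single packets" idea raised in the quoted post (this is example code written for this thread, not code from the poster, from Snort, or from the ISCX dataset), the following stand-alone Python script does the offline learning step without Snort: it parses a pcap with the standard library only, aggregates IPv4/TCP packets into bidirectional flows (a crude stand-in for what Stream5 gives a real preprocessor), learns a per-feature mean/standard-deviation baseline from a capture assumed to be benign, and flags flows in a second capture whose packet count, byte count or duration lies more than THRESHOLD standard deviations from that baseline. Both captures are constructed inline; the hosts 10.0.0.1/10.0.0.5/10.0.0.9, the ports, the z-score scoring and the threshold of 3 sigma are all assumptions chosen for the demonstration, and the ISCX labels are not consulted at all (a real training run would use them to select the benign flows).

```python
import struct
from statistics import mean, pstdev

THRESHOLD = 3.0                       # assumed: flag when any feature is > 3 sigma from baseline
FEATURES = ("pkts", "bytes", "duration")
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (not needed for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src), ip4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a little-endian pcap, link type Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) from classic pcap bytes (either byte order, microsecond ts)."""
    order = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(order + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack_from("!H", ip, 2)[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or ihl < 20 or total < ihl + 20 or len(ip) < total:
        return None
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return ip[12:16], sport, ip[16:20], dport, tcp[13], len(tcp) - doff


def extract_flows(pcap_bytes):
    """Aggregate packets into bidirectional flows keyed by the sorted (ip, port) endpoint pair."""
    flows = {}
    for ts, frame in read_pcap(pcap_bytes):
        d = decode_tcp(frame)
        if d is None:
            continue                                 # non-IPv4/TCP or truncated: skipped
        src, sport, dst, dport, _flags, plen = d
        key = tuple(sorted(((src, sport), (dst, dport))))
        f = flows.setdefault(key, {"first": ts, "last": ts, "pkts": 0, "bytes": 0})
        f["last"], f["pkts"], f["bytes"] = ts, f["pkts"] + 1, f["bytes"] + plen
    for f in flows.values():
        f["duration"] = f["last"] - f["first"]
    return flows


def fit_baseline(flows):
    """Per-feature (mean, std) learned from flows assumed benign; std floored to avoid /0."""
    return {n: (mean(v), max(pstdev(v), 1e-9)) for n in FEATURES
            for v in [[f[n] for f in flows.values()]]}


def score_flows(model, flows):
    """Largest absolute z-score over all features, per flow."""
    return {k: max(abs(f[n] - mu) / sd for n, (mu, sd) in model.items()) for k, f in flows.items()}


def http_like_session(t0, cport, req_len, resp_segments):
    """Constructed client<->server exchange: handshake, request, N response segments, teardown."""
    c, s = "10.0.0.1", "10.0.0.5"
    seq = [(c, s, FLAG_SYN, b""), (s, c, FLAG_SYN | FLAG_ACK, b""), (c, s, FLAG_ACK, b""),
           (c, s, FLAG_PSH | FLAG_ACK, b"G" * req_len)]
    seq += [(s, c, FLAG_PSH | FLAG_ACK, b"R" * 400)] * resp_segments
    seq += [(c, s, FLAG_FIN | FLAG_ACK, b""), (s, c, FLAG_FIN | FLAG_ACK, b"")]
    return [(t0 + 0.02 * i, tcp_frame(src, dst, *((cport, 80) if src == c else (80, cport)), fl, p))
            for i, (src, dst, fl, p) in enumerate(seq)]


def demo():
    # training capture (constructed): eight benign sessions with mild variation in size
    train = []
    for i in range(8):
        train += http_like_session(1000.0 + i, 30000 + i, 60 + 10 * i, 1 + i % 3)
    # test capture (constructed): benign session on 40001, SYN/RST probe on 40002, bulk push on 40003
    test = http_like_session(2000.0, 40001, 75, 2)
    test += [(2001.0, tcp_frame("10.0.0.9", "10.0.0.5", 40002, 80, FLAG_SYN)),
             (2001.02, tcp_frame("10.0.0.5", "10.0.0.9", 80, 40002, FLAG_RST | FLAG_ACK))]
    test += [(2002.0 + 0.02 * i, tcp_frame("10.0.0.1", "10.0.0.5", 40003, 80,
                                           FLAG_PSH | FLAG_ACK, b"X" * 1400)) for i in range(60)]
    model = fit_baseline(extract_flows(build_pcap(train)))
    return model, score_flows(model, extract_flows(build_pcap(test)))


if __name__ == "__main__":
    for (a, b), score in demo()[1].items():
        print(f"{a[1]}<->{b[1]}: max|z| = {score:8.2f}  {'ANOMALY' if score > THRESHOLD else 'ok'}")
```

Running the script prints one line per test flow: the benign session scores well under the threshold, while the two-packet probe and the bulk transfer are flagged on packet count and duration (and, for the bulk flow, bytes). The point of the structure is that every feature is computed on the reassembled flow record, never on an individual packet; inside Snort the same features would be read off the session Stream5 maintains rather than from a hand-rolled flow table, and the baseline would be fitted only to flows the dataset labels as normal.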