[Snort-users] Anomaly-detection dynamic preprocessor

Stephen Reese rsreese at ...11827...
Mon Feb 25 10:54:56 EST 2013


Might want to checkout http://anomalydetection.info/

On Mon, Feb 25, 2013 at 10:33 AM, Андрей Меньков
<nothingelsematters7 at ...11827...> wrote:
> Could plz somebody tell that maybe there is something wrong in my future
> implementation?
> Or may be there already exists such dynamic preprocessors for Snort?
> I think that it cannot be implemented as part of Snort itself because of
> possible high false-positive rate.
> But for some special-purposed networks, in my opinion, - it can be extended
> with such anomaly detection preprocessor.
>
>
> On 23 February 2013 00:44, Андрей Меньков <nothingelsematters7 at ...11827...>
> wrote:
>>
>> Hello all.
>> I'm on the latest year of studying in my University and write my dyploma.
>> I choosen NIDS as theme and so now I try to implement dynamic preprocessor
>> for Snort which will be based on this dataset http://www.iscx.ca/dataset.
>> There are files in pcap format + excel files with labels for these packet
>> flows
>>
>> First of all, I need to learn somehow my preprocessor. It will be done by
>> processing and analyzing these pcap files and maybe using labels attached to
>> them (but not necessary).
>>
>> I have some questions. It would be great if someone would help me and
>> maybe give some good ideas :-)
>> 1. I can give these pcap files as input to Snort - so I obtain all the
>> power of snort decoding network data. With this I can write preprocessor for
>> learning, that will obtain traffic from files and move analyzed data
>> somewhere. But there is a problem. It's no smart to detect anomalies using
>> only information about only single packet. It would be convenient to for
>> example reassemble them (e.g. in connection for TCP packets) for better
>> analyzing. And maybe there are another "tricks".
>> So the question is actually smth like "Can I use for example Stream5
>> preprocessor for learn my preprocessor?" It reassemles packets in
>> connections
>>
>> 2. What about existing implementations of such dynamic preprocessors?
>> 3. Maybe It would be better to implement it not as dynamic preprocessor,
>> but dynamic engine?
>>
>> Thanks in advance :-)
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!




More information about the Snort-users mailing list