[Snort-users] Question about Artificial Neural Networks, Preprocessors and Snort

Marcin Dulak marcin.dulak at ...11827...
Wed Apr 12 17:35:41 EDT 2017


On Wed, Apr 12, 2017 at 10:15 PM, Luan Utimura <lnutimura at ...17826...>
wrote:

> Hello Russ, thank you for replying!
>
> I've heard of Snort++ and you're the second to recommend it for someone
> who wants to develop custom preprocessors, so I'm definitely looking for it.
> I'm not sure how I would feed my ANN, but I'm probably using a known
> dataset, for example, the KDD Cup 1999 Data, so I'm assuming they are raw
> packets? (Feel free to correct me).
>
> Any other thing I should look up if I'm going to write a Preprocessor?



> I've been reading a lot of articles about people who integrated AI into
> Snort through modules and plug-ins, but it's hard to find a good source that
> can be used as a "tutorial".
>

Look at https://github.com/BlackLight/Snort_AIPreproc and the corresponding
master's thesis https://www.fabiomanganiello.com/#research
Despite the fact that the project has been open-sourced and documented, it
died anyway.
The thesis will give you an overview of what's possible and useful - maybe
having some AI would be more useful outside of snort, in a modern
alert management tool like https://github.com/jasonish/evebox . See some
discussion here https://github.com/jasonish/py-idstools/issues/44


>
> I found a paper from SANS Institute called "Developing a Snort Dynamic
> Preprocessor", but now that you suggested Snort++, I have no idea on how
> different things are going to be now.
>

Check it out directly at https://github.com/snortadmin/snort3

Marcin


>
> Again, thanks!
>
> ________________________________
> From: Russ <rucombs at ...589...>
> Sent: Tuesday, April 11, 2017 14:58
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Question about Artificial Neural Networks,
> Preprocessors and Snort
>
> First recommendation is to use Snort++.  You will have an easier time
> getting something running and it will be easier to tweak if necessary to
> support your needs.  This is a wide open question, so it would help to
> know what kind of data you want to feed your ANN (raw packets or PDUs,
> etc.).
>
> On 4/10/17 12:53 PM, Luan Utimura wrote:
> > Hello everybody,
> >
> > For a college final project, I'm thinking about creating a system where
> I can use an ANN to classify what type of attacks my network could be
> suffering based on its packets' information. At the moment, considering
> I'm a complete newbie w/ Snort, the methodology would consist of developing
> a Snort Preprocessor with an ANN implemented in it.
> >
> > Is it the best way to approach this problem? Or is it even possible to
> do the way I just described to you guys?
> > Feel free to leave your suggestions.
> >
> > Thanks in advance,
> > Nthg.
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
>
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
