Snort mailing list archives

Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection


From: Andres Carrera Rivera <protoss_black88 () hotmail com>
Date: Sat, 18 Sep 2010 21:40:24 -0500


On 9/17/2010 9:50 AM, Bernhard Guillon wrote:
On 17.09.2010 16:01, Andres Carrera Rivera wrote:
I put

preprocessor phad: training_time 446400

in the snort.conf file, but when running snort I got this ERROR:
Unknown preprocessor: "phad"

Snort doesn't recognize PHAD?
How can I solve this problem?


Ah, I forgot to add plugbase.c to my patch. I just fixed it and 
uploaded the patch to the old location :)
Just redo the steps including the download.

with

preprocessor phad: training_time 14400

and the DARPA set [1] (using -r switch) you will get some nice alerts :)

Best regards
Bernhard Guillon

[1] http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999/training/week1/monday/inside.tcpdump.gz




That's great!! I followed your steps and configured PHAD without any ERRORS.
OK! Now I have PHAD installed as a preprocessor on Snort :-D
Now my question is: I run snort as always, like: snort -c ./snort.conf,
and my PHAD is running in training mode...

But I want to see a report from PHAD. How do I know if I had any anomalies
on my network?...
Where are those anomaly alerts?
In the logs, or in a PHAD file, if it has one?

Thanks,

Andres Carrera
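For Bernhard's replay instructions and Andres's question about where PHAD's alerts land, an added example that is not code from the thread or from the PHAD patch: it appends the preprocessor line, builds the offline replay command, and tallies a constructed fast-format alert file. It assumes the snort 2.x flags -c, -r, -l and -A fast, and that PHAD alerts are written to <logdir>/alert like other alerts; the sample gid/sid values and message texts are constructed, not PHAD's real ones.

```shell
#!/bin/sh
# Added example, not code from the thread or the PHAD patch. Assumes snort 2.x
# flags: -c config, -r read a pcap instead of sniffing, -l log dir, -A fast
# (one alert per line in <logdir>/alert). Alert lines below are constructed.

# Append the preprocessor line from the thread to snort.conf ($1), training_time $2.
write_phad_conf() {
    printf 'preprocessor phad: training_time %s\n' "$2" >> "$1"
}

# Command that replays the DARPA pcap offline and writes alerts to <logdir>/alert.
snort_replay_cmd() {   # $1 = snort.conf  $2 = pcap  $3 = log dir
    printf 'snort -c %s -r %s -l %s -A fast\n' "$1" "$2" "$3"
}

# Number of alert records in a fast-format alert file (each line holds "[**]").
count_alerts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '\[\*\*\]' "$1" || true
}

# Tally alerts by rule message so repeated anomaly types stand out.
alerts_by_msg() {
    sed -n 's/^[^[]*\[\*\*\] \[[^]]*\] \(.*\) \[\*\*\].*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Constructed fast-format alert file (gid/sid and messages are placeholders).
write_sample_alerts() {
    cat > "$1" <<'EOF'
03/01-08:00:01.000001  [**] [1:1000001:1] PHAD anomaly: unusual TCP option (constructed) [**] [Priority: 3] {TCP} 172.16.112.50:23 -> 192.168.1.30:1042
03/01-08:00:02.000001  [**] [1:1000002:1] PHAD anomaly: rare IP TTL (constructed) [**] [Priority: 3] {UDP} 172.16.112.20:53 -> 192.168.1.30:1043
03/01-08:00:03.000001  [**] [1:1000001:1] PHAD anomaly: unusual TCP option (constructed) [**] [Priority: 3] {TCP} 172.16.112.50:23 -> 192.168.1.31:1044
EOF
}

# Stand-alone run: write the config line, show the replay command, tally the sample.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_phad_conf "$d/snort.conf" 14400
    snort_replay_cmd "$d/snort.conf" inside.tcpdump "$d"
    write_sample_alerts "$d/alert"
    echo "alerts: $(count_alerts "$d/alert")"; alerts_by_msg "$d/alert"
fi
```

Run with `sh script.sh demo`; against a real run, point alerts_by_msg at the alert file snort wrote under the -l directory.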



