Snort mailing list archives
Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection
From: Andres Carrera Rivera <protoss_black88 () hotmail com>
Date: Sun, 19 Sep 2010 19:40:00 -0500
On 9/19/2010 7:34 PM, Bernhard Guillon wrote:
On 20.09.2010 00:23, Andres Carrera Rivera wrote:

OK, I followed your steps and used the DARPA set. I ran my snort like: snort -r ../inside.tcpdump -c ./snort.conf, using the file that you gave me. As a result I got about 710 new alerts logged in my alert file. But checking my alert file, I didn't find any anomaly alert, or anything with PHAD. I suppose there would be some kind of anomaly detection alerts, or something like that. I attach my alert file, and another file that shows you the last part of snort (the mini analysis and results); there, I don't see any anomalies either, so I don't know if PHAD is working, because I don't see anything with Packet Anomalies. Please could you check those files and tell me what's wrong, or if it's working well. I want to see anomaly alerts, and a PHAD report like those files that you gave me.

Hm, weird. Here is my snort.conf [1], my screen output [2] and my alert [3] log. Can you try it again with my config file [1] (without any other configuration) and the DARPA set [4]?

Best regards
Bernhard Guillon

[1] http://student.cosy.sbg.ac.at/~bguillon/snort.conf
[2] http://student.cosy.sbg.ac.at/~bguillon/snort.output.txt
[3] http://student.cosy.sbg.ac.at/~bguillon/alert
[4] http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999/training/week1/monday/inside.tcpdump.gz
Mmm, your snort.conf is just that line? You don't have any rules configuration or any other preprocessors?

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
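The question the thread keeps circling back to is whether the PHAD preprocessor produced any alerts at all among the ~710 entries in the alert file. A quick way to answer that is to summarise the alert file by generator ID (GID), since Snort's rule engine uses GID 1 and each preprocessor writes its own GID into the `[gid:sid:rev]` header of every alert. The script below is an added example and is not code from the thread or from the PHAD plugin; it parses the alert header that both Snort's "fast" and "full" alert formats emit, counts alerts per GID, and reports whether a given preprocessor GID fired. The thread does not state which GID the PHAD plugin uses, so that value is a labelled placeholder parameter; GID 122 in the constructed sample is the stock sfPortscan preprocessor, and the sample alert lines themselves are constructed for the example.

```python
"""Summarise a Snort alert file by generator ID (GID).

Added example, not from the mailing-list thread. Both Snort's "fast" and
"full" alert output formats begin each alert with a header of the form

    [**] [gid:sid:rev] message text [**]

so counting alerts by GID tells you which engine or preprocessor produced
them: GID 1 is the rule engine, GID 122 is the stock sfPortscan preprocessor,
and any other preprocessor (such as the PHAD plugin discussed in the thread)
uses its own GID. The PHAD GID is not given in the thread, so it is a
placeholder here.
"""
import re
from collections import Counter

# Placeholder: the thread does not say which GID the PHAD plugin emits.
PHAD_GID_PLACEHOLDER = 999

# Matches the alert header shared by the fast and full output formats.
ALERT_HEADER = re.compile(
    r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]"
)

# Constructed sample alert file: three fast-format lines and one
# full-format entry, with documentation addresses (RFC 5737).
SAMPLE_ALERTS = """\
09/19-19:40:01.000001  [**] [1:2000:1] CONSTRUCTED ICMP probe [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
09/19-19:40:02.000002  [**] [1:2001:2] CONSTRUCTED TCP probe [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 192.0.2.20:80
09/19-19:40:03.000003  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 192.0.2.20
[**] [1:2002:1] CONSTRUCTED full-format entry [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/19-19:40:04.000004 192.0.2.10:4444 -> 192.0.2.20:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""


def parse_alerts(text):
    """Yield (gid, sid, rev, msg) for every alert header found in text."""
    for match in ALERT_HEADER.finditer(text):
        gid, sid, rev, msg = match.groups()
        yield int(gid), int(sid), int(rev), msg


def count_by_gid(text):
    """Return a Counter mapping GID -> number of alerts with that GID."""
    return Counter(gid for gid, _sid, _rev, _msg in parse_alerts(text))


def preprocessor_fired(text, gid):
    """True if at least one alert in text carries the given GID."""
    return count_by_gid(text).get(gid, 0) > 0


def summarize(text):
    """Return [(gid, count, example_message)] sorted by GID."""
    first_msg = {}
    for gid, _sid, _rev, msg in parse_alerts(text):
        first_msg.setdefault(gid, msg)
    counts = count_by_gid(text)
    return [(gid, counts[gid], first_msg[gid]) for gid in sorted(counts)]


if __name__ == "__main__":
    import sys

    # Pass a real alert file as the first argument, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for gid, count, example in summarize(data):
        print(f"GID {gid:>4}: {count:>5} alert(s)   e.g. {example}")
    fired = preprocessor_fired(data, PHAD_GID_PLACEHOLDER)
    print(f"GID {PHAD_GID_PLACEHOLDER} (placeholder for PHAD) fired: {fired}")
```

Run it against the real alert file with `python3 alert_by_gid.py /path/to/alert`; if every alert is GID 1 the preprocessor never wrote anything, which points at the configuration (the preprocessor line missing from snort.conf, or the plugin not being loaded) rather than at the traffic.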