Snort mailing list archives
Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection
From: Andres Carrera Rivera <protoss_black88 () hotmail com>
Date: Mon, 20 Sep 2010 21:28:15 -0500
I never tried my preprocessor in conjunction with other preprocessors because I only wanted to use anomaly detection algorithms. As far as I know snort rules and preprocessors are able to alter the packages. Because I do not have the snort rules right now (need to create an account first) I just tried without the rules (here is my config [1]) and I got a lot of spp_phad alerts. But most of the output [2] is bogus. I need to find out why. I believe that the way I "misused" the output system (see patch [3] ~line 819-849) to support non const char might be insane and led to the bogus output.
Otherwise, the weirdest part, "Preprocessor: PHAD Training ends", is const and is called before (see patch [3] ~line 407) the non-const part.
Maybe when PHAD is checking the system time, it takes the DARPA set time at the instant the packet appears, so it will always be less than the training time. I suppose that's why "Preprocessor: PHAD Training ends" appears many times.
I need to read more documentation and source of the other preprocessors to know what they are doing and if they might influence the output as well. I truly would like to spend more time to get it fixed quickly, but I currently have no time to do that. I have to get some paid work done first. And after that the next semester begins, which is a higher priority than my free-time stuff ;) To cut a long story short, I don't know if I'll find time to fix it. Don't bet on it - sorry.
Best regards
Bernhard Guillon
[1] http://student.cosy.sbg.ac.at/~bguillon/snort.with.some.preprocessors.conf
[2] http://student.cosy.sbg.ac.at/~bguillon/snort.bogus.output.txt
[3] http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
After all, it works with other preprocessors; now I will check if it will work with some rule set. You told me that you have done this for your thesis. Could you show me the structure of how you built it, or your design, or your doc? I'm doing the same for my thesis, but I don't have enough topics. I have also installed SPADE, which is another anomaly preprocessor for Snort (2.7.0). Both SPADE and PHAD are kind of similar: both preprocessors show anomaly alerts, but SPADE doesn't have a training time. If you know something about SPADE, could you tell us? Also, I've read in other papers that there are several anomaly algorithms, like NIDES, ALAD, NETAD, LERAD, but I don't know which is the best for just detecting new anomalies in a network. Maybe you have installed one of those as a preprocessor for Snort?
Thanks,
Andres Carrera.