Snort mailing list archives
Re: Anomaly-detection dynamic preprocessor
From: Stephen Reese <rsreese () gmail com>
Date: Mon, 25 Feb 2013 10:54:56 -0500
Might want to check out http://anomalydetection.info/

On Mon, Feb 25, 2013 at 10:33 AM, Андрей Меньков <nothingelsematters7 () gmail com> wrote:
Could somebody please tell me whether there is maybe something wrong in my future implementation? Or maybe there already exist such dynamic preprocessors for Snort? I think that it cannot be implemented as part of Snort itself because of the possible high false-positive rate. But for some special-purpose networks, in my opinion, it can be extended with such an anomaly detection preprocessor.

On 23 February 2013 00:44, Андрей Меньков <nothingelsematters7 () gmail com> wrote:

Hello all. I'm in the last year of study at my university and am writing my diploma. I chose NIDS as the theme, and so now I am trying to implement a dynamic preprocessor for Snort which will be based on this dataset: http://www.iscx.ca/dataset. There are files in pcap format plus Excel files with labels for these packet flows.

First of all, I need to train my preprocessor somehow. It will be done by processing and analyzing these pcap files and maybe using the labels attached to them (but not necessarily). I have some questions. It would be great if someone would help me and maybe give some good ideas :-)

1. I can give these pcap files as input to Snort, so I obtain all the power of Snort's decoding of network data. With this I can write a preprocessor for learning that will obtain traffic from the files and move the analyzed data somewhere. But there is a problem. It's not smart to detect anomalies using only information about a single packet. It would be convenient, for example, to reassemble them (e.g. into a connection for TCP packets) for better analysis. And maybe there are other "tricks". So the question is actually something like "Can I use, for example, the Stream5 preprocessor to train my preprocessor?" It reassembles packets into connections.

2. What about existing implementations of such dynamic preprocessors?

3. Maybe it would be better to implement it not as a dynamic preprocessor, but as a dynamic engine?

Thanks in advance :-)

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Anomaly-detection dynamic preprocessor Андрей Меньков (Feb 22)
- Re: Anomaly-detection dynamic preprocessor Андрей Меньков (Feb 25)
- Re: Anomaly-detection dynamic preprocessor Stephen Reese (Feb 25)
- Re: Anomaly-detection dynamic preprocessor Андрей Меньков (Feb 25)