Re: Anomaly-detection dynamic preprocessor

[Stephen Reese <rsreese () gmail com>]

Might want to checkout http://anomalydetection.info/

On Mon, Feb 25, 2013 at 10:33 AM, Андрей Меньков
<nothingelsematters7 () gmail com> wrote:
> Could plz somebody tell that maybe there is something wrong in my future
> implementation?
> Or may be there already exists such dynamic preprocessors for Snort?
> I think that it cannot be implemented as part of Snort itself because of
> possible high false-positive rate.
> But for some special-purposed networks, in my opinion, - it can be extended
> with such anomaly detection preprocessor.
>
>
> On 23 February 2013 00:44, Андрей Меньков <nothingelsematters7 () gmail com>
> wrote:
> > Hello all.
> > I'm on the latest year of studying in my University and write my dyploma.
> > I choosen NIDS as theme and so now I try to implement dynamic preprocessor
> > for Snort which will be based on this dataset http://www.iscx.ca/dataset.
> > There are files in pcap format + excel files with labels for these packet
> > flows
> >
> > First of all, I need to learn somehow my preprocessor. It will be done by
> > processing and analyzing these pcap files and maybe using labels attached to
> > them (but not necessary).
> >
> > I have some questions. It would be great if someone would help me and
> > maybe give some good ideas :-)
> > 1. I can give these pcap files as input to Snort - so I obtain all the
> > power of snort decoding network data. With this I can write preprocessor for
> > learning, that will obtain traffic from files and move analyzed data
> > somewhere. But there is a problem. It's no smart to detect anomalies using
> > only information about only single packet. It would be convenient to for
> > example reassemble them (e.g. in connection for TCP packets) for better
> > analyzing. And maybe there are another "tricks".
> > So the question is actually smth like "Can I use for example Stream5
> > preprocessor for learn my preprocessor?" It reassemles packets in
> > connections
> >
> > 2. What about existing implementations of such dynamic preprocessors?
> > 3. Maybe It would be better to implement it not as dynamic preprocessor,
> > but dynamic engine?
> >
> > Thanks in advance :-)
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!