Snort mailing list archives
Re: Rules to detect all the attacks listed in DARPA dataset ?
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 20 Aug 2013 20:24:19 -0400
Set your variables to "any" and see what you get. -- Joel Esler
On Aug 20, 2013, at 8:16 PM, dsigma <dsigma () 163 com> wrote:

Hello,

I'm working on running Snort with the DARPA dataset for 4 weeks, but I have had little success detecting its attacks with Snort. My test setup is as follows: I have two virtual machines with Ubuntu installed. On the first virtual machine I have Tcpreplay installed to replay the network traffic stored in one day of the DARPA testing dataset onto the network. On the other machine, I've set the IP address manually to one of the victim IP addresses in the dataset (e.g. 172.16.112.50). Also, I've installed snort-2.9.3.1 to protect just this machine (HOME_NET = 172.16.112.50 & EXTERNAL_NET = !$HOME_NET).

I'm confused by the output alerts. After more than four hours of running, Snort generates about 17000 alerts, of which less than 1% have a source or destination IP address matching my configured HOME_NET (172.16.112.50).

My second problem is the detection rate. It doesn't generate any true positive alerts. How could I detect all the attacks listed in DARPA (http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/docs/attacks.html)? Is there a set of rules that could detect all the attacks?

Any help would be appreciated.

Linbo Qiao

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
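The poster's first observation (under 1% of alerts involve HOME_NET) is worth measuring rather than eyeballing; the script below is an added example for this page, not code from the thread, and assumes Snort's alert_fast log format plus constructed sample alert lines in place of a real alert file.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not from the thread); the
# victim host 172.16.112.50 appears in only two of the four alerts.
SAMPLE_ALERTS = """\
08/20-20:16:01.104221  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 206.48.44.50:1397 -> 172.16.112.50:80
08/20-20:16:02.220113  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 202.77.162.213 -> 172.16.114.50
08/20-20:16:03.000911  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 194.7.248.153:1434 -> 172.16.113.84:1434
08/20-20:16:04.551000  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.112.50:4021 -> 10.0.0.3:80
"""

# Trailing "{PROTO} src[:port] -> dst[:port]" of an alert_fast line; the port
# is optional so ICMP alerts (no ports) parse too.
ENDPOINTS = re.compile(r"\{\w+\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$")


def classify_alerts(text, home_net):
    """Count alerts whose src or dst lies inside HOME_NET (a list of
    addresses/CIDRs as in ipvar HOME_NET). Keys: home, other, unparsed."""
    nets = [ipaddress.ip_network(n, strict=False) for n in home_net]
    tally = Counter()
    for line in text.splitlines():
        m = ENDPOINTS.search(line)
        if not m:
            tally["unparsed"] += 1
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:  # endpoint was not an IP literal
            tally["unparsed"] += 1
            continue
        touches = any(src in n or dst in n for n in nets)
        tally["home" if touches else "other"] += 1
    return tally


def home_share(text, home_net):
    """Fraction of parsed alerts that touch HOME_NET (0.0 if none parsed)."""
    t = classify_alerts(text, home_net)
    parsed = t["home"] + t["other"]
    return t["home"] / parsed if parsed else 0.0
```

Run it over the real alert file with the HOME_NET value from snort.conf, then again with the whole victim range: a low share under the single-host setting means the alerts are coming from rules whose addresses are already `any`, while rules written `$EXTERNAL_NET -> $HOME_NET` cannot fire on the other victim hosts in the replayed capture, which is what widening the variables changes.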