Snort mailing list archives

create signature rule with the results of machine learning methods


From: blend ajazi via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 10 Aug 2022 12:41:21 +0000

Hello Snort Community,

I am a student who just started working with Snort.

Below is a result of a decision tree (DT):
(The target of the DT is to determine whether a dataset is a cyber-attack or not.)

1       if (N_IN_Conn_P_DstIP > 99.5) and (N_IN_Conn_P_SrcIP <= 99.5) and (max > 0.213) and (srate <= 4.86) and (srate > 0.024) and (max > 2.163) and (srate <= 1.112) and (max <= 4.109) and (max <= 4.095) and (srate <= 0.805) then class: DDoS (proba: 100.0%) | based on 102,730 samples


Feature Selection    Description
N_IN_Conn_P_SrcIP    Number of inbound connections per source IP.
N_IN_Conn_P_DstIP    Number of inbound connections per destination IP.
srate                Source-to-destination packets per second.
max                  Maximum duration of aggregated records.


How can I convert this DT output into a signature rule in Snort?

drop tcp any any -> any any (
msg: "DDoS attack"
if (N_IN_Conn_P_DstIP > 99.5)
and (N_IN_Conn_P_SrcIP <= 99.5)
and (max > 0.213) and (srate <= 4.86)
and (srate > 0.024) and (max > 2.163)
and (srate <= 1.112) and (max <= 4.109)
and (max <= 4.095) and (srate <= 0.805)
sid:100001
)

I would appreciate any direction of approach with this task.

Thank you for the support!


Kind regards
Best regards

Blend Ajazi
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

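The features in the decision tree above are flow aggregates (connections per IP inside a window, packets per second, longest record duration), while a Snort rule matches one packet or one stream at a time. The added example below, which is not code from the post or from the Snort project, makes that gap concrete: it computes the four features from constructed connection records, evaluates the DT path exactly as printed, and then emits the one part of the path that Snort can express natively, a per-destination event count via the real `detection_filter` rule option. The `Conn` record, the sample window, the choice to aggregate `max` per destination IP, the 60-second window, the `flags:S` match and the sid are all assumptions made for the illustration.

```python
"""Evaluate the decision-tree path from the post on flow records and
translate the part Snort can express. Added example with constructed
sample data; not the post's or the Snort project's code."""
import math
import operator
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Conn:
    """One inbound connection record (constructed, hypothetical schema)."""
    src: str
    dst: str
    pkts: int        # packets sent source -> destination
    duration: float  # seconds the connection lasted


# The DT path exactly as printed in the post: (feature, comparison, threshold).
DT_PATH: List[Tuple[str, str, float]] = [
    ("N_IN_Conn_P_DstIP", ">", 99.5),
    ("N_IN_Conn_P_SrcIP", "<=", 99.5),
    ("max", ">", 0.213), ("srate", "<=", 4.86),
    ("srate", ">", 0.024), ("max", ">", 2.163),
    ("srate", "<=", 1.112), ("max", "<=", 4.109),
    ("max", "<=", 4.095), ("srate", "<=", 0.805),
]
OPS = {">": operator.gt, "<=": operator.le}


def features(window: List[Conn], c: Conn) -> Dict[str, float]:
    """DT features for connection c relative to the window it sits in.
    Assumption: 'max' is the longest duration among records sharing c's
    destination IP (the post does not say how records are aggregated)."""
    same_dst = [x for x in window if x.dst == c.dst]
    same_src = [x for x in window if x.src == c.src]
    return {
        "N_IN_Conn_P_DstIP": len(same_dst),
        "N_IN_Conn_P_SrcIP": len(same_src),
        "srate": c.pkts / c.duration if c.duration > 0 else 0.0,
        "max": max(x.duration for x in same_dst),
    }


def is_ddos(feats: Dict[str, float]) -> bool:
    """A DT path is a conjunction: every split on the path must hold."""
    return all(OPS[op](feats[f], thr) for f, op, thr in DT_PATH)


def snort_rule(path, seconds: int = 60, sid: int = 1000001):
    """Emit the Snort-expressible part of the path plus the leftovers.
    Only 'N_IN_Conn_P_DstIP > t' maps: detection_filter fires once a rule
    has matched more than `count` times for one destination IP within
    `seconds`. srate, max and per-source counts have no rule-language
    equivalent and are returned as unmapped."""
    count = None
    unmapped = []
    for f, op, thr in path:
        if f == "N_IN_Conn_P_DstIP" and op == ">":
            count = math.floor(thr) + 1   # "> 99.5" means at least 100 events
        else:
            unmapped.append(f)
    rule = (
        'alert tcp any any -> $HOME_NET any ('
        'msg:"DDoS attack (DT path, per-dst SYN count)"; flags:S; '
        f'detection_filter: track by_dst, count {count}, seconds {seconds}; '
        f'sid:{sid}; rev:1;)'
    )
    return rule, sorted(set(unmapped))


def sample_window() -> List[Conn]:
    """Constructed window: 120 sources hitting 10.0.0.5 with short, slow
    connections (the DT's DDoS shape), plus 10 ordinary connections."""
    attack = [Conn(f"198.51.100.{i}", "10.0.0.5", pkts=2, duration=3.0)
              for i in range(1, 121)]
    benign = [Conn(f"192.0.2.{i}", "10.0.0.9", pkts=40, duration=1.5)
              for i in range(1, 11)]
    return attack + benign


if __name__ == "__main__":
    w = sample_window()
    for c in (w[0], w[-1]):
        f = features(w, c)
        print(c.src, "->", c.dst, f, "DDoS" if is_ddos(f) else "normal")
    rule, left = snort_rule(DT_PATH)
    print(rule)
    print("not expressible in a Snort rule:", left)
```

Two caveats a practitioner would check before deploying the emitted rule: `detection_filter` counts matches of this rule (here, SYNs) per destination IP, which is only an approximation of "inbound connections per destination IP", and `alert` is used instead of the post's `drop` because `drop` only takes effect when Snort runs inline. The remaining thresholds (`srate`, `max`, `N_IN_Conn_P_SrcIP`) have to be evaluated outside the rule language, for example in a flow exporter or a script like this one that then raises its own event.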