Snort mailing list archives
create signature rule with the results of machine learning methods
From: blend ajazi via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 10 Aug 2022 12:41:21 +0000
Hello Snort Community,

I am a student who just started working with Snort. Below is a result of a decision tree (DT). (The target of the DT is to determine whether a dataset is a cyber-attack or not.)

    1 if (N_IN_Conn_P_DstIP > 99.5) and (N_IN_Conn_P_SrcIP <= 99.5) and (max > 0.213) and (srate <= 4.86) and (srate > 0.024) and (max > 2.163) and (srate <= 1.112) and (max <= 4.109) and (max <= 4.095) and (srate <= 0.805) then class: DDoS (proba: 100.0%) | based on 102,730 samples

Feature Selection    Description
N_IN_Conn_P_SrcIP    Number of inbound connections per source IP.
N_IN_Conn_P_DstIP    Number of inbound connections per destination IP.
Srate                Source-to-destination packets per second
Max                  Maximum duration of aggregated records

How can I convert this DT output into a signature rule in Snort?

    drop tcp any any -> any any ( msg: "DDoS attack" if (N_IN_Conn_P_DstIP > 99.5) and (N_IN_Conn_P_SrcIP <= 99.5) and (max > 0.213) and (srate <= 4.86) and (srate > 0.024) and (max > 2.163) and (srate <= 1.112) and (max <= 4.109) and (max <= 4.095) and (srate <= 0.805) sid:100001 )

I would appreciate any direction of approach with this task.

Thank you for the support!

Kind regards
Best regards
Blend Ajazi
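Worked example (added here, not from the original post or any reply): the four features on this DT path are aggregates over many flows in a time window, so they cannot be evaluated by a content rule looking at one packet. The script below computes them from constructed flow records, applies the path exactly as written, and builds the closest Snort-native approximation of the first split, a per-destination detection_filter rate threshold on inbound SYNs; the $HOME_NET variable, sid 1000001, the per-destination grouping used for "max" and the sample flows are assumptions.

```python
# Added example (not from the thread): evaluate the question's decision-tree path
# over aggregated flow records. Feature meanings follow the question's table; the
# per-destination grouping for "max" and the sample flows are assumptions/constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    packets: int       # source-to-destination packets
    duration: float    # seconds

def features(flows):
    """Compute the four DT features for every flow in one aggregation window."""
    per_src = Counter(f.src for f in flows)   # N_IN_Conn_P_SrcIP
    per_dst = Counter(f.dst for f in flows)   # N_IN_Conn_P_DstIP
    max_dur = defaultdict(float)              # "max": longest record per destination (assumed)
    for f in flows:
        max_dur[f.dst] = max(max_dur[f.dst], f.duration)
    return [{
        "N_IN_Conn_P_SrcIP": per_src[f.src],
        "N_IN_Conn_P_DstIP": per_dst[f.dst],
        "srate": f.packets / f.duration if f.duration > 0 else 0.0,
        "max": max_dur[f.dst],
    } for f in flows]

def dt_path_is_ddos(x):
    """The exact conjunction from the question (redundant splits kept as written)."""
    return (x["N_IN_Conn_P_DstIP"] > 99.5 and x["N_IN_Conn_P_SrcIP"] <= 99.5
            and x["max"] > 0.213 and x["srate"] <= 4.86 and x["srate"] > 0.024
            and x["max"] > 2.163 and x["srate"] <= 1.112 and x["max"] <= 4.109
            and x["max"] <= 4.095 and x["srate"] <= 0.805)

def flagged_destinations(flows):
    """Destinations with at least one flow on the DDoS path in this window."""
    return sorted({f.dst for f, x in zip(flows, features(flows)) if dt_path_is_ddos(x)})

def snort_rate_rule(count, seconds, sid):
    """Nearest Snort rule-language analogue of the N_IN_Conn_P_DstIP split: a per-destination
    rate threshold on new inbound TCP connections. The other three features have no rule option."""
    return (f'alert tcp any any -> $HOME_NET any (msg:"Possible DDoS: {count} inbound SYNs '
            f'to one host in {seconds}s"; flags:S; flow:stateless; '
            f'detection_filter:track by_dst, count {count}, seconds {seconds}; sid:{sid}; rev:1;)')

# Constructed window: 120 distinct sources each open one slow connection to one host.
SAMPLE = [Flow(f"192.0.2.{i}", "198.51.100.5", packets=1, duration=3.0) for i in range(1, 121)]
SAMPLE.append(Flow("203.0.113.9", "198.51.100.7", packets=100, duration=2.5))  # ordinary transfer
```

flagged_destinations(SAMPLE) returns ['198.51.100.5'] and the ordinary transfer is left alone; the generated rule only covers the connection-count split, so srate and max still need a flow exporter or a preprocessor feeding a separate classifier.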