Snort mailing list archives

Re: Help


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Mon, 11 May 2009 08:27:16 -0400

On Sun, May 10, 2009 at 3:23 PM, Mohammad Reza Hajari
<hajari () iaush ac ir> wrote:
I am in the middle of doing research on
"Making Intelligent Snort Intrusion Detection System Using Machine
Learning", and I need your help to do this research. Would you please answer my questions?

1. What are the features of Snort?

2. Using the software C4.5 I've gained some rules from the data set KDD99,
which has 41 features. How can I convert the gained rules to Snort rules?

3. In which part of the source have the Snort features been defined?

2. How many features from the available 41 features in the KDD99 dataset
have been defined, and where can the undefined features be added in Snort?

4. I want to convert rules such as:

Rule 146:
        service = http
        src_bytes > 971
        dst_bytes > 2686
        ->  class back  [99.9%]

or

Rule 142:
        service = ftp
        num_access_files > 0
        ->  class ftp_write  [50.0%]



Could you please send me the code for adding these rules to Snort?

5. What is Snort's standard dataset?

6. How many features are there in this dataset, and what are the features'
characteristics?

7. How can we use this dataset as Snort's input?

I'll really appreciate your help and suggestions about it.

This list is not intended to help people with their college homework.
The answers you seek can be found with a modicum of work if you spend
the time to read the documentation.

 http://www.snort.org/docs/

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
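The conversion asked about in the question, as an added example that is not part of the thread and not Snort's own tooling: it parses the two C4.5 rules quoted above and tries to express each as a Snort rule, reporting any KDD99 feature that has no packet-level equivalent. The mapping it uses (service to protocol/port, a byte count to a flow direction plus a dsize test) is an assumption for illustration, as is the rule text embedded as sample input.

```python
# Added example (not from the thread): parse the C4.5 rules quoted in the question
# and emit a Snort rule only where each KDD99 feature has an assumed packet-level map.
import re

C45_RULES = """Rule 146:
        service = http
        src_bytes > 971
        dst_bytes > 2686
        ->  class back  [99.9%]
Rule 142:
        service = ftp
        num_access_files > 0
        ->  class ftp_write  [50.0%]
"""  # constructed sample: the two rules quoted in the question

SERVICE_PORTS = {"http": ("tcp", 80), "ftp": ("tcp", 21)}  # assumed service->port map

def parse_c45(text):
    # Returns [{'id', 'conditions': [(feature, op, value)], 'class', 'confidence'}]
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Rule (\d+):", line):
            cur = {"id": int(m.group(1)), "conditions": []}
            rules.append(cur)
        elif m := re.match(r"->\s+class\s+(\S+)\s+\[([\d.]+)%\]", line):
            cur["class"], cur["confidence"] = m.group(1), float(m.group(2))
        elif line:
            feat, op, val = line.split()
            cur["conditions"].append((feat, op, val))
    return rules

def to_snort(rule, sid):
    # Returns (snort_rule, []) or (None, [features with no packet-level equivalent]).
    proto, port, opts, unmapped = "ip", "any", [], []
    for feat, op, val in rule["conditions"]:
        if feat == "service" and val in SERVICE_PORTS:
            proto, port = SERVICE_PORTS[val]
        elif feat in ("src_bytes", "dst_bytes") and op == ">" and not opts:
            # Assumption: approximate KDD99's per-connection byte count with a per-packet
            # payload test in one direction; a second byte feature then falls through.
            side = "to_server" if feat == "src_bytes" else "to_client"
            opts += [f"flow:{side},established;", f"dsize:>{val};"]
        else:
            unmapped.append(feat)  # e.g. num_access_files is a host-level count
    if unmapped:
        return None, unmapped
    msg = f'msg:"C4.5 rule {rule["id"]} class {rule["class"]}";'
    return f"alert {proto} any any -> any {port} ({msg} {' '.join(opts)} sid:{sid}; rev:1;)", []
```

On the two quoted rules neither converts fully, which is the practical point: KDD99's connection-level and host-level features are not Snort rule options, so a C4.5 rule over them has to be re-expressed in terms Snort can test on a packet.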

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
