Snort mailing list archives
[RFC] Packet Header Anomaly Detection (PHAD) preprocessor
From: Bernhard Guillon <Bernhard.Guillon () opensimpad org>
Date: Mon, 31 May 2010 16:13:56 +0200
Hello,

for my bachelor thesis I am currently porting the Packet Header Anomaly Detection (PHAD) [1] algorithm from [2] as a preprocessor to Snort. This was done by M. Ali Aydın et al. [3] before, to use Snort as a hybrid of misuse and anomaly detection systems. Unfortunately I was not able to get the source from them, so I decided to port the algorithm myself and share it with the community.

I want to ask whether it is generally possible to add anomaly detection algorithms as preprocessors in mainline. SPADE got removed and I do not know if it was because of maintenance or because of anomaly based detection.

If it is possible to add anomaly detection algorithms to mainline, I want to ask you to review my patch [4]. I based it on the template example and the original source (GPL) [5]. I also added a lot of FIXMEs to the patch for questions like "Ask about how to issue an alert with non const char in a safe way". Therefore please do not see this patch as complete. I am also not sure about coding style at some places; I just compared it with other sources, but some things are in different styles in different files. I am also unsure about using enums, but I hope it is OK.

I am looking forward to any comment :)

Best regards
Bernhard Guillon

[1] http://cs.fit.edu/~mmahoney/paper3.pdf
[2] http://cs.fit.edu/~mmahoney/dist/
[3] M. Ali Aydın et al., A hybrid intrusion detection system design for computer network security, http://www.short-link.de/17938
[4] http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff (I hope it is OK to link it; I did not know if attaching patches to the mailing list is OK)
[5] http://cs.fit.edu/~mmahoney/dist/phad.cpp

Snort-devel mailing list: https://lists.sourceforge.net/lists/listinfo/snort-devel