Re: Snort Anomaly Detection

[Bernhard Guillon <Bernhard.Guillon () opensimpad org>]

On 13.09.2010 14:49, Andres Carrera Rivera wrote:
>    Hi everybody,
> Does Someone work with snort like an Anomaly Detection?

Hi,
I used Snort with PHAD for my bachelor thesis.

> I wonder how could I get snort working like an anomaly engine.

You can port algorithms to snort as preprocessors. Snort has a nice pcap 
layer :)

> I've heard about SPADE and PHAD, which provide anomaly detection
> but I really dont know how to install them in the latest version of
> Snort (Snort-2.8.6.X)
>
> So, If someone have done that before please coment.

There is a old patch for SPADE at www.ossim.net. You should be able to 
port it to a newer version of snort.

For PHAD you can use my patch [1].

I use this config:

#snort.conf
preprocessor phad: training_time 446400

The time is in seconds.

Testing the PAHD preprocessor with the DARPA set shows the same result 
as the original PHAD implementation. I also have written an open source 
anomaly traffic generator to create a more up to date dataset and tested 
the implementation with it. I am currently cleaning it up for 
publishing. It uses Virtual Machines some simulation theorie and Python. 
It supports modules for "normal" traffic generation 
(Firefox,email,Skype,FTP) and anomaly traffic generation (metasploit, 
nmap, and arpspoof).

Do you have access to real traffic?

Best regards
Bernhard Guillon

1 http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff


------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel