Snort mailing list archives
Re: Fwd: Re: Snort Anomaly Detection
From: Bernhard Guillon <Bernhard.Guillon () opensimpad org>
Date: Fri, 17 Sep 2010 15:19:40 +0200
On 15.09.2010 03:31, Andres Carrera Rivera wrote:
>>> I wonder how could I get snort working like an anomaly engine.
>> You can port algorithms to snort as preprocessors. Snort has a nice pcap layer :)
> I've heard that, but how can I port those algorithms to my snort? I've tried modifying some files and adding the .C and .H files on snort

Take a look at the snort documentation (doc/); there is also a great template at templates/

>>> I've heard about SPADE and PHAD, which provide anomaly detection but I really don't know how to install them in the latest version of Snort (Snort-2.8.6.X). So, if someone has done that before please comment.
>> There is an old patch for SPADE at www.ossim.net. You should be able to port it to a newer version of snort. For PHAD you can use my patch [1]. I use this config:
>>
>>     #snort.conf
>>     preprocessor phad: training_time 446400
>>
>> The time is in seconds.
> How can I patch my snort? I'm working on Ubuntu and CentOS

As with most other source code - use patch ;)

Patching snort 2.8.6 with PHAD:

    mkdir foo && cd foo
    wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6.tar.gz
    (or get the release somewhere else)
    wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
    wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad-Makefile.in.diff
    (only if you do not want to run autotools again)
    tar -xvzf snort-2.8.6.tar.gz
    cd snort-2.8.6
    cat ../snort-2.8.6-spp_phad.diff | patch -p1
    cat ../snort-2.8.6-spp_phad-Makefile.in.diff | patch -p1
    (you can also run autotools instead)
    ./configure && make
    make install (if you like)

Best regards
Bernhard Guillon
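A minimal PHAD-style scorer, added here as an illustration of what the phad preprocessor's training_time setting controls; it is not code from this thread or from the Snort PHAD patch. During the training window it records every value seen per header field; afterwards a value never seen in training scores t * n / r (seconds since that field's last novel value, times observations over distinct values), the scoring rule from Mahoney and Chan's PHAD paper. Assumptions: exact value sets instead of PHAD's range clustering, explicit timestamps, packets as dicts, and a constructed packet trace.

```python
# Added illustration, not the Snort/PHAD patch code. Assumes exact value sets
# (real PHAD clusters values into ranges), explicit timestamps and dict packets.
class PhadModel:
    def __init__(self, training_time, fields):
        self.training_time = training_time      # seconds, like the snort.conf option
        self.fields = fields
        self.start = None
        self.seen = {f: set() for f in fields}       # distinct values per field (r)
        self.count = {f: 0 for f in fields}          # observations per field (n)
        self.last_novel = {f: None for f in fields}  # time the field last got a new value

    def in_training(self, now):
        return now - self.start < self.training_time

    def observe(self, packet, now):
        """Return the anomaly score for one packet (always 0.0 while training)."""
        if self.start is None:
            self.start = now
        if self.in_training(now):
            for f in self.fields:
                if f in packet:
                    self.count[f] += 1
                    if packet[f] not in self.seen[f]:
                        self.seen[f].add(packet[f])
                        self.last_novel[f] = now
            return 0.0
        score = 0.0
        for f in self.fields:
            if f not in packet or not self.seen[f] or packet[f] in self.seen[f]:
                continue
            # PHAD term: t * n / r, with t = seconds since this field's last novel value
            t = now - self.last_novel[f]
            score += t * self.count[f] / len(self.seen[f])
            self.last_novel[f] = now  # a repeated anomaly scores lower, damping bursts
        return score

# Constructed trace: (timestamp in seconds, decoded header fields); training window 5 s.
TRACE = [
    (0, {"ip_proto": 6, "ip_ttl": 64, "tcp_flags": 0x02}),
    (1, {"ip_proto": 6, "ip_ttl": 64, "tcp_flags": 0x10}),
    (2, {"ip_proto": 17, "ip_ttl": 128}),
    (3, {"ip_proto": 6, "ip_ttl": 64, "tcp_flags": 0x02}),
    (4, {"ip_proto": 6, "ip_ttl": 64, "tcp_flags": 0x10}),
    (12, {"ip_proto": 6, "ip_ttl": 1, "tcp_flags": 0x02}),   # TTL never seen in training
    (13, {"ip_proto": 6, "ip_ttl": 1, "tcp_flags": 0x02}),   # same anomaly again, scores lower
    (14, {"ip_proto": 6, "ip_ttl": 64, "tcp_flags": 0x04}),  # RST flag never seen in training
]

def replay(trace, training_time=5):
    model = PhadModel(training_time, ["ip_proto", "ip_ttl", "tcp_flags"])
    return [model.observe(pkt, ts) for ts, pkt in trace]

if __name__ == "__main__":
    for (ts, _), score in zip(TRACE, replay(TRACE)):
        print(f"t={ts:>2}s score={score}")
```

With the 446400-second training_time from the config above, the model would stay in the training branch for the first 124 hours of traffic and only then start scoring.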