Snort mailing list archives

Re: Fwd: Re: Snort Anomaly Detection


From: Andres Carrera Rivera <protoss_black88 () hotmail com>
Date: Fri, 17 Sep 2010 08:31:41 -0500


  On 9/17/2010 8:19 AM, Bernhard Guillon wrote:
On 15.09.2010 03:31, Andres Carrera Rivera wrote:
  I wonder how I could get snort working like an anomaly engine.

  You can port algorithms to snort as preprocessors. Snort has a nice pcap layer :)
I've heard that, but how can I port those algorithms to my snort? I've tried modifying some files and adding the .C and .H files to snort.


Take a look at the snort documentation (doc/); there is also a great template at templates/.

  I've heard about SPADE and PHAD, which provide anomaly detection,
  but I really don't know how to install them in the latest version of
  Snort (Snort-2.8.6.X).

  So, if someone has done that before, please comment.


  There is an old patch for SPADE at www.ossim.net. You should be able to port it to a newer version of snort.

  For PHAD you can use my patch [1].

  I use this config:

  #snort.conf
  preprocessor phad: training_time 446400

  The time is in seconds.
How can I patch my snort? I'm working on Ubuntu and CentOS.



You patch it like most other source code - use patch ;)

Patching snort 2.8.6 with PHAD:

  mkdir foo && cd foo
  wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6.tar.gz (or get the release somewhere else)
  wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff
  wget http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad-Makefile.in.diff (only if you do not want to run autotools again)
  tar -xvzf snort-2.8.6.tar.gz
  cd snort-2.8.6
  cat ../snort-2.8.6-spp_phad.diff | patch -p1
  cat ../snort-2.8.6-spp_phad-Makefile.in.diff | patch -p1 (you can also run autotools instead)
  ./configure && make
  make install (if you like)

Best regards
Bernhard Guillon




Excellent! I did exactly what you said and patched it inside snort-2.8.6.X.
Now my question is: how can I test if the PHAD preprocessor is working?
Because I don't see any configuration for it inside the snort.conf file.

I run snort like: snort -dev -c ./snort.conf
but when I exit, I don't see any stats about PHAD, just the same information that snort usually prints.
And in the logs? I don't see any PHAD anomaly alarm...
So I don't know if PHAD is really working on my snort.

Could you please help me with how to work with the PHAD preprocessor, now that I've installed it :-)

Thanks a lot,

Andres Carrera
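The thread never says how to confirm the preprocessor was actually picked up. The script below is an added example (it is not from the thread, from Snort, or from the PHAD patch) that checks a snort.conf for an active `preprocessor phad:` line in the syntax Bernhard quoted and reports the configured training window; the sample config fragment it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a snort.conf enables the
# PHAD preprocessor and report its training window. Assumes the directive
# syntax quoted in the thread:  preprocessor phad: training_time 446400

# Print the training_time (seconds) from the first active
# "preprocessor phad:" line; return 1 if none (commented lines are ignored).
phad_training_time() {
    conf="$1"
    secs=$(sed -n 's/^[[:space:]]*preprocessor[[:space:]]*phad:.*training_time[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$secs" ] || return 1
    printf '%s\n' "$secs"
}

# Convert seconds to whole hours so the training window is easy to sanity check
# (446400 s is 124 h, i.e. a little over five days of training traffic).
phad_training_hours() {
    echo $(( $1 / 3600 ))
}

# Write a constructed snort.conf fragment and run the checks against it.
phad_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample snort.conf fragment
preprocessor frag3_global
#preprocessor phad: training_time 1
preprocessor phad: training_time 446400
EOF
    if secs=$(phad_training_time "$tmp"); then
        echo "PHAD enabled, training_time=${secs}s (~$(phad_training_hours "$secs") h)"
    else
        echo "no active 'preprocessor phad:' line found; add one to snort.conf" >&2
    fi
    rm -f "$tmp"
}

phad_demo
```

Once the directive is present, `snort -T -c ./snort.conf` validates the configuration without sniffing; a binary built without the patch will not recognise the `phad` keyword, which is the quickest way to tell whether the preprocessor was compiled in.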
