Snort mailing list archives

Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection


From: Andres Carrera Rivera <protoss_black88 () hotmail com>
Date: Sun, 19 Sep 2010 17:23:13 -0500

 On 9/19/2010 8:22 AM, Bernhard Guillon wrote:
On 19.09.2010 04:40, Andres Carrera Rivera wrote:

That's great!! I followed your steps and configured PHAD without any ERRORS.
OK! Now I have PHAD installed as a preprocessor on SNORT :-D
Now my question is, I run snort as always, like: snort -c ./snort.conf.
And my PHAD is running in training mode...

What do you expect an anomaly detection algorithm to report in training mode?

Mmm, maybe not in training mode, but I want to see a quick report after scanning with PHAD in Snort.


But I want to see some report from PHAD. How do I know if I had any anomalies
on my network?
Where are those anomaly alerts?
In the logs, or in a PHAD file, if it has one?


On screen and wherever you told snort to log the alerts (see the documentation for the default location). Please use the DARPA set (as I told you already) with the config I gave you to verify that the preprocessor is working as expected.

Best regards
Bernhard Guillon




OK, I followed your steps and used the DARPA set.
I ran snort like:

snort -r ../inside.tcpdump -c ./snort.conf, using the file that you gave me.

As a result I got about 710 new alerts logged in my alert file.

But checking my alert file, I didn't find any anomaly alert, or anything with PHAD. I suppose there would be some kind of anomaly detection alerts, or something like that. I attach my alert file, and another file that shows you the last part of snort (the mini analysis and results); there, I don't see any anomalies either.

So I don't know if PHAD is working, because I don't see anything with Packet Anomalies. Please could you check those files
and tell me what's wrong, or if it's working well.
I want to see anomaly alerts, and a PHAD report like those files that you gave me.

Thanks,

Andres Carrera

Attachment: alert

Attachment: Check it
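One quick way to answer the question in this thread (is the preprocessor producing alerts at all?), as an added example that is not part of the thread and is not PHAD's own code: Snort tags every alert with [gid:sid:rev], where GID 1 is the rules engine and every other GID belongs to a decoder or preprocessor (116 is the decoder, for instance). Tallying the alert file by GID therefore shows immediately whether any preprocessor fired, without reading 710 alerts by hand. The alert text below is constructed, the SIDs in it are illustrative, and GID 200 for PHAD is an assumption: use whatever generator ID the PHAD source actually registers.

```python
"""Tally Snort alerts by generator ID (GID) to see whether a preprocessor fired.

Snort tags every alert with [gid:sid:rev]. GID 1 is the rules engine; any other
GID belongs to a decoder or preprocessor. So the quickest check that a
preprocessor such as PHAD produced anything is: does its GID appear in the
alert file at all? This handles both the one-line "fast" format and the
multi-line "full" format, since the [**] [gid:sid:rev] msg [**] header is the
same in both.
"""
import re
from collections import Counter

ALERT_HEADER = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample, not a real capture: two rule alerts (GID 1), one decoder
# alert (GID 116, SID illustrative), and one from a hypothetical PHAD build
# that registered GID 200 (an assumption; check the PHAD source for the real
# value). Mixes full-format and fast-format entries on purpose.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
09/19-12:00:00.000000 172.16.112.50 -> 172.16.114.50
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84

[**] [116:97:1] (snort_decoder) WARNING: Short UDP packet, length field > payload length [**]
09/19-12:00:01.000000 172.16.112.50:53 -> 172.16.114.50:1024

[**] [1:1000001:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
09/19-12:00:02.000000 172.16.112.50 -> 172.16.114.50

09/19-12:00:03.000000  [**] [200:1:1] (phad) packet header anomaly [**] [Priority: 2] {TCP} 172.16.112.50:4242 -> 172.16.114.50:80
"""


def parse_alerts(text):
    """Yield (gid, sid, rev, message) for every alert header found in text."""
    for m in ALERT_HEADER.finditer(text):
        gid, sid, rev, msg = m.groups()
        yield int(gid), int(sid), int(rev), msg


def count_by_gid(text):
    """Return {gid: number of alerts carrying that generator ID}."""
    return Counter(gid for gid, _, _, _ in parse_alerts(text))


def preprocessor_fired(text, gid):
    """True if at least one alert in text came from generator `gid`."""
    return count_by_gid(text).get(gid, 0) > 0


def summarize(text):
    """One line per GID: count plus the first message seen for that generator."""
    first_msg = {}
    for gid, sid, rev, msg in parse_alerts(text):
        first_msg.setdefault(gid, f"[{gid}:{sid}:{rev}] {msg}")
    counts = count_by_gid(text)
    return "\n".join(
        f"gid {gid:>4}: {counts[gid]:>5} alert(s)  e.g. {first_msg[gid]}"
        for gid in sorted(counts)
    )


if __name__ == "__main__":
    import sys

    # Usage: python tally_gids.py /var/log/snort/alert  (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(summarize(data))
    print("non-rule (decoder/preprocessor) alerts present:",
          any(g != 1 for g in count_by_gid(data)))
```

If every GID in your alert file is 1, the 710 alerts all came from the rule set and the preprocessor never raised anything; that is a different problem from "PHAD is broken", and usually means the preprocessor is still in training mode or its alerts are sent to a separate output the config points at.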

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
