Snort mailing list archives
Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection
From: Bernhard Guillon <Bernhard.Guillon () opensimpad org>
Date: Tue, 21 Sep 2010 00:48:36 +0200
On 20.09.2010 03:09, Andres Carrera Rivera wrote:
Yes, I tried your configuration (your snort.conf) and I got the same output that you did, with the same number of alerts; I attached it.
Ok, thanks!
Also, there's my snort.conf. I use almost every preprocessor and the Snort rules that I downloaded from snort.org/rules, but for a reason I don't know, my snort.conf doesn't show the same alerts as yours (the PHAD alerts).
I never tried my preprocessor in conjunction with other preprocessors because I only wanted to use anomaly detection algorithms. As far as I know, Snort rules and preprocessors are able to alter the packets. Because I do not have the Snort rules right now (I need to create an account first), I just tried without the rules (here is my config [1]) and I got a lot of spp_phad alerts. But most of the output [2] is bogus. I need to find out why. I believe that the way I "misused" the output system (see patch [3], ~lines 819-849) to support non-const char might be insane and led to the bogus output. Otherwise the most weird part, "Preprocessor: PHAD Training ends", is const and called before (see patch [3], ~line 407) the non-const part. I need to read more documentation and source of the other preprocessors to know what they are doing and whether they might influence the output as well.

I truly would like to spend more time to get it fixed quickly, but I currently have no time to do that. I have to get some paid work done first. And after that the next semester begins, which is a higher priority than my free-time stuff ;) To cut a long story short, I don't know if I will find time to fix it. Don't bet on it - sorry.

Best regards
Bernhard Guillon

[1] http://student.cosy.sbg.ac.at/~bguillon/snort.with.some.preprocessors.conf
[2] http://student.cosy.sbg.ac.at/~bguillon/snort.bogus.output.txt
[3] http://student.cosy.sbg.ac.at/~bguillon/snort-2.8.6-spp_phad.diff

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
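The symptom described in the message above, alert text that comes out wrong when a preprocessor hands non-const strings to the output system, is exactly what happens when an alert queue keeps only a pointer to the message and prints it after the packet has been processed, while the preprocessor formats every message into the same reused buffer. Whether that is what the spp_phad patch does cannot be confirmed from this message. The C program below is an added example, not code from the patch or from Snort: the queue, the two eventq_add_* variants, the format_alert helper and the sample field names are all hypothetical. It queues two alerts each way and counts how many of them survive logging with their text intact.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical alert queue, not Snort's code: a preprocessor queues events
 * while a packet is inspected and the queue is written out afterwards.
 */
#define MAX_EVENTS 8
#define MSG_LEN    64

struct event {
    unsigned gid, sid;
    const char *msg;          /* text to log; a stored pointer or a private copy */
    char copy[MSG_LEN];       /* private storage used by the copying variant */
};

static struct event queue[MAX_EVENTS];
static int nqueued;

/* Variant A: store only the pointer. Safe for string literals, whose
 * storage never changes, but not for a buffer the caller reuses. */
static void eventq_add_ptr(unsigned gid, unsigned sid, const char *msg)
{
    if (nqueued >= MAX_EVENTS)
        return;
    queue[nqueued].gid = gid;
    queue[nqueued].sid = sid;
    queue[nqueued].msg = msg;
    nqueued++;
}

/* Variant B: copy the text into the event, so the caller may reuse its buffer. */
static void eventq_add_copy(unsigned gid, unsigned sid, const char *msg)
{
    struct event *e;
    if (nqueued >= MAX_EVENTS)
        return;
    e = &queue[nqueued++];
    e->gid = gid;
    e->sid = sid;
    snprintf(e->copy, sizeof e->copy, "%s", msg);
    e->msg = e->copy;
}

/* The preprocessor side: a dynamic (non-const) alert text formatted into one
 * scratch buffer that is reused for every alert. */
static char scratch[MSG_LEN];

static const char *format_alert(const char *field, double score)
{
    snprintf(scratch, sizeof scratch, "PHAD anomaly in %s (score %.2f)", field, score);
    return scratch;
}

/* Inspect one constructed "packet" that raises two alerts, then flush the
 * queue as an alert logger would. Returns how many of the logged messages
 * still carry the text that was queued for them (2 means all intact). */
static int simulate(void (*add)(unsigned, unsigned, const char *))
{
    static const char *fields[2] = { "ip_ttl", "tcp_flags" };  /* constructed sample */
    static const double scores[2] = { 0.91, 0.37 };
    char expected[2][MSG_LEN];
    int intact = 0, i;

    nqueued = 0;
    for (i = 0; i < 2; i++) {
        const char *m = format_alert(fields[i], scores[i]);
        snprintf(expected[i], MSG_LEN, "%s", m);   /* what this alert should say */
        add(1000, 1 + i, m);                       /* queue it; scratch is reused next loop */
    }

    /* End of packet: log the queue. With variant A every entry points at
     * scratch, which by now holds only the last message. */
    for (i = 0; i < nqueued; i++) {
        printf("gid %u sid %u: %s\n", queue[i].gid, queue[i].sid, queue[i].msg);
        if (strcmp(queue[i].msg, expected[i]) == 0)
            intact++;
    }
    return intact;
}

int run_pointer_queue(void) { return simulate(eventq_add_ptr); }
int run_copying_queue(void) { return simulate(eventq_add_copy); }

int main(void)
{
    printf("pointer-only queue: %d of 2 alert texts intact\n", run_pointer_queue());
    printf("copying queue:      %d of 2 alert texts intact\n", run_copying_queue());
    return 0;
}
```

With the pointer-only queue the first alert is logged with the second alert's text, because both entries point at the same scratch buffer; a constant message passed as a string literal would be unaffected, which is why a const message can look fine next to bogus dynamic ones. The fix on the preprocessor side is to give each queued message its own storage (or have the queue copy it), not to cast away const.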
Current thread:
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection, (continued)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Joel Esler (Sep 21)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Andres Carrera Rivera (Sep 18)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Bernhard Guillon (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Andres Carrera Rivera (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Bernhard Guillon (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Andres Carrera Rivera (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Bernhard Guillon (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Andres Carrera Rivera (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Bernhard Guillon (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Andres Carrera Rivera (Sep 19)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Bernhard Guillon (Sep 20)
- Re: Fwd: Re: Fwd: Re: Snort Anomaly Detection Andres Carrera Rivera (Sep 20)