Snort mailing list archives

Re: [SNORT-devel] Snort with anomaly detection


From: Martin Holste <mcholste () gmail com>
Date: Mon, 11 Apr 2011 11:39:57 -0500

It looks like HelloWorld simply records packet header information to
the database.  Is that the case?  If so, then this is the wrong tool
for the job as there are much simpler ways to create that self-data
set (I hope I'm using that term correctly).  What are you trying to
actually do once the IP headers are in the database?

On Mon, Apr 11, 2011 at 9:35 AM, Nguyen Kien <kiennguyen1101 () gmail com> wrote:
Hi all,

I'm currently working on research into using the Artificial Immune System (AIS)
approach to intrusion detection with the Negative Selection Algorithm (NSA).
The algorithm by Forrest et al. [1] is as follows:
1. Define the self-profile.
2. Generate random candidate detectors.
3. Match the candidate detectors against the self-data. If a candidate matches, it is discarded; otherwise
it is added to the detector set. The detector set is used to detect anomalous
traffic.

I'm trying to port the algorithm into Snort, using a custom preprocessor (is
it better to use a dynamic preprocessor?). The self-data is collected from the
IP packet headers and stored in the database to generate the detector set.
I'm planning to use the DARPA data set for the self-data. I've written a
helloworld preprocessor to collect header data from the DARPA data set.
However, I'm having a few technical problems that I would like to ask about.
- Where should I put my code to generate the detector set in the Snort
preprocessor? In the exit function, after data collection in the helloworld
preprocessor? In the initialization of a new preprocessor?
- Is it OK to check each packet against around 100 detectors? Does it
destroy the performance of Snort?


Best Regards.


[1] S. Forrest, A. Perelson, et al., "Self-Nonself Discrimination in a Computer", 1994.


------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

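The negative-selection loop from the quoted post (define the self-profile, generate random candidate detectors, discard any that match self, keep the rest as detectors), as an added stand-alone Python example rather than Snort preprocessor code; it is not from the post or from the Snort project. The header fields used, the 32-bit encoding, the r-contiguous matching rule with r=10, and the sample self headers are constructed assumptions; the code keeps the one-time training phase separate from the per-packet check so the cost of each is visible.

```python
import random
from typing import List, Tuple

# Constructed self-profile: (protocol, destination port, total length) of
# benign packets, standing in for headers read back from the database.
SELF_HEADERS: List[Tuple[int, int, int]] = [
    (6, 80, 512), (6, 443, 1400), (17, 53, 90),
    (6, 22, 120), (17, 123, 76), (6, 25, 600),
]
BITS = 32  # width of one encoded header string (assumed layout below)

def encode(header: Tuple[int, int, int]) -> str:
    """Fixed-width encoding: 8 bits protocol, 16 bits dst port, 8 bits length/64."""
    proto, dport, length = header
    return f"{proto & 0xFF:08b}{dport & 0xFFFF:016b}{min(length // 64, 255):08b}"

def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """Forrest et al.'s rule: match if a and b agree on r or more contiguous bits."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_strings: List[str], n_detectors: int, r: int,
                       rng: random.Random, max_tries: int = 100_000) -> List[str]:
    """Negative selection: keep random candidates that match no self string.
    Runs once, offline, over the whole self set. A dense self set rejects
    almost every candidate, so the work is capped instead of looping forever."""
    detectors: List[str] = []
    tries = 0
    while len(detectors) < n_detectors:
        if tries >= max_tries:
            raise RuntimeError(f"only {len(detectors)} detectors after {max_tries} "
                               "candidates; lower r or use a smaller self set")
        tries += 1
        cand = format(rng.getrandbits(BITS), f"0{BITS}b")
        if not any(r_contiguous_match(cand, s, r) for s in self_strings):
            detectors.append(cand)
    return detectors

def is_anomalous(header: Tuple[int, int, int], detectors: List[str], r: int) -> bool:
    """Per-packet check: at most len(detectors) * BITS comparisons, no RNG, no database."""
    enc = encode(header)
    return any(r_contiguous_match(enc, d, r) for d in detectors)

def build_detector_set(n_detectors: int = 100, r: int = 10, seed: int = 7) -> List[str]:
    """Training phase: encode the self-profile, then run negative selection over it."""
    self_strings = [encode(h) for h in SELF_HEADERS]
    return generate_detectors(self_strings, n_detectors, r, random.Random(seed))
```

By construction no detector matches a header that was in the self set, so every training header is classified as self; what fraction of unseen headers the 100 detectors cover depends on r and on how much of the encoding space the self set occupies.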