Snort mailing list archives
Re: [SNORT-devel] Snort with anomaly detection
From: Martin Holste <mcholste () gmail com>
Date: Mon, 11 Apr 2011 11:39:57 -0500
It looks like HelloWorld simply records packet header information to the database. Is that the case? If so, then this is the wrong tool for the job, as there are much simpler ways to create that self-data set (I hope I'm using that term correctly). What are you trying to actually do once the IP headers are in the database?

On Mon, Apr 11, 2011 at 9:35 AM, Nguyen Kien <kiennguyen1101 () gmail com> wrote:
Hi all,

I'm currently working on research on using the Artificial Immune System (AIS) approach to intrusion detection with the Negative Selection Algorithm (NSA). The algorithm by Forrest et al. [1] is as follows:

1. Define self-profile.
2. Generate random candidate detectors.
3. Match candidate detectors with self-data. If they match, they are discarded; otherwise they are added to the detector set.

The detector set is used to detect anomalous traffic. I'm trying to port the algorithm into Snort, using a custom preprocessor (is it better to use a dynamic preprocessor?). The self-data is collected from the IP packet headers and stored in the database to generate the detector set. I'm planning to use the DARPA data set for the self-data. I've written a helloworld preprocessor to collect header data from the DARPA data set. However, I'm having a few technical problems that I would like to ask about.

- Where should I put my code to generate the detector set in the Snort preprocessor? At the exit function after data collection in the helloworld preprocessor? At the initialization of a new preprocessor?
- Is it OK to check each packet against around 100 detectors? Does it destroy the performance of Snort?

Best Regards.

1. S. Forrest, A. Perelson, et al. Self-Nonself Discrimination in a Computer, 1994.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
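The negative-selection procedure Nguyen describes (define self, generate random candidates, discard any that match self, keep the survivors as detectors, then check each packet against them), as an added C example that is not code from this thread or from Snort. It assumes a 16-bit encoding of a header (protocol number in the high byte, low byte of the destination port in the low byte), the r-contiguous-bits matching rule from Forrest et al., a constructed self profile, and a reproducible xorshift generator; it is plain C and is not wired into a Snort preprocessor.

```c
#include <stdint.h>
#include <stddef.h>
/* Assumed encoding of one IP header as a 16-bit string: protocol number in the
 * high byte, low byte of the destination port in the low byte. */
#define HDR(proto, dport) ((uint16_t)(((proto) << 8) | ((dport) & 0xFF)))
/* r-contiguous-bits rule (Forrest et al. 1994): a and b match when they agree
 * in at least r consecutive bit positions. */
int rcb_match(uint16_t a, uint16_t b, int r) {
    uint16_t same = (uint16_t)~(a ^ b); /* 1 wherever the bits agree */
    int run = 0;
    for (int i = 0; i < 16; i++) {
        run = ((same >> i) & 1) ? run + 1 : 0;
        if (run >= r) return 1;
    }
    return 0;
}
static uint32_t rng_state = 0x9E3779B9u; /* xorshift: reproducible candidates */
static uint16_t rand16(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return (uint16_t)rng_state;
}
/* Negative selection: a random candidate matching any self string is discarded;
 * the survivors become detectors. Returns how many were kept. */
size_t generate_detectors(const uint16_t *self, size_t n_self, int r,
                          uint16_t *out, size_t want, size_t max_tries) {
    size_t kept = 0;
    for (size_t t = 0; t < max_tries && kept < want; t++) {
        uint16_t cand = rand16();
        size_t i = 0;
        while (i < n_self && !rcb_match(cand, self[i], r)) i++;
        if (i == n_self) out[kept++] = cand; /* matched nothing in self */
    }
    return kept;
}
/* Per-packet check: a header is anomalous if any detector matches it. */
int is_anomalous(uint16_t x, const uint16_t *det, size_t n_det, int r) {
    for (size_t i = 0; i < n_det; i++)
        if (rcb_match(x, det[i], r)) return 1;
    return 0;
}
/* Constructed self profile (TCP/80, TCP/443, UDP/53, TCP/22): how many self
 * headers the detectors wrongly flag (0 by construction); -1 if < 32 survived. */
int self_false_positives(int r) {
    uint16_t self[4] = { HDR(6, 80), HDR(6, 443), HDR(17, 53), HDR(6, 22) };
    uint16_t det[32];
    size_t n = generate_detectors(self, 4, r, det, 32, 4000);
    int fp = 0;
    for (size_t i = 0; i < 4; i++) fp += is_anomalous(self[i], det, n, r);
    return n == 32 ? fp : -1;
}
```

On the performance question raised in the thread: each packet costs one rcb_match call per detector, so the per-packet check is linear in the detector count and in the string width.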