Snort mailing list archives
Re: Snort against DARPA Dataset
From: Sravan Bhamidipati <bsravanin () gmail com>
Date: Thu, 5 Jul 2012 13:20:30 -0400
On Thu, Jul 5, 2012 at 12:51 PM, Patrick Mullen <pmullen () sourcefire com> wrote:
> Excellent assistance, Sunny, Robert, and Waldo!
Yes. Thank you all very much. It adds a lot to my understanding.
> There isn't much I can add to what they've already said, but I was curious if you could provide the list of attacks you are trying to detect. If you have it, both name and CVE(s) would be ideal.
Patrick, the data sets and the truth files can be found under the "Testing Data" section here: http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1998data.html. The truth files are simply white-space-separated lines of an ID, source IP, source port, destination IP, destination port, application level protocol (or just port number in some cases). The names and descriptions about the types of attacks are here: http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/attacks.html. I couldn't find any CVEs. (My knowledge about what exactly to look for is very limited, mostly guided by the Snort manual and the DARPA set documentation in the sidebar.) I wasn't able to correlate between the types of attacks and the labeled attacks. For now I'm only using the info from the labeled attacks.
> In the Sourcefire VRT snort rule set, typically we will never delete a rule unless it has serious performance and/or false positive issues. Generally speaking, if a rule is "old" or "not really seen in the wild anymore," we will only remove the rule from default policies but will keep them available for anyone who wishes to have that protection.
Thank you for this clarification.
> Hope this helps,
> ~Patrick
> --
> Patrick Mullen
> Research Manager
> Sourcefire VRT
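Added example, not part of the original thread: one way to score Snort output against the labeled flows, assuming truth lines in the field order described in the message above and alerts written in Snort's `alert_fast` layout. The function names, the sample truth lines and the sample alerts are all constructed for illustration.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")
# Constructed truth lines: ID, src IP, src port, dst IP, dst port, protocol.
TRUTH = """\
1 10.0.0.5 1042 172.16.112.50 23 telnet
2 10.0.0.9 2001 172.16.112.50 25 smtp
3 10.0.0.7 1755 172.16.114.50 80 http
"""
# Constructed alerts in Snort's alert_fast layout.
ALERTS = """\
07/05-13:20:30.000001  [**] [1:1000001:1] constructed telnet alert [**] [Priority: 2] {TCP} 10.0.0.5:1042 -> 172.16.112.50:23
07/05-13:21:02.000002  [**] [1:1000002:1] constructed reply alert [**] [Priority: 2] {TCP} 172.16.114.50:80 -> 10.0.0.7:1755
07/05-13:22:10.000003  [**] [1:1000003:1] constructed icmp alert [**] [Priority: 3] {ICMP} 10.0.0.3 -> 172.16.112.50
"""
ALERT_RE = re.compile(
    r"\[(\d+:\d+:\d+)\].*\{([^}]+)\}\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")

def parse_truth(text):
    """Map each labeled flow to its truth ID; malformed lines are skipped."""
    truth = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not (f[2].isdigit() and f[4].isdigit()):
            continue
        truth[Flow(f[1], int(f[2]), f[3], int(f[4]))] = f[0]
    return truth

def parse_alerts(text):
    """Yield (gid:sid:rev, Flow) per alert; ports are None for ICMP-style lines."""
    for line in text.splitlines():
        if (m := ALERT_RE.search(line)):
            sid, _proto, src, sport, dst, dport = m.groups()
            yield sid, Flow(src, int(sport) if sport else None,
                            dst, int(dport) if dport else None)

def score(truth, alerts):
    """Return (detected truth IDs, missed truth IDs, alerts matching no label)."""
    detected, unlabeled = set(), []
    for sid, flow in alerts:
        # An alert raised on the server's reply carries the labeled flow reversed.
        rev = Flow(flow.dst, flow.dport, flow.src, flow.sport)
        tid = truth.get(flow) or truth.get(rev)
        if tid:
            detected.add(tid)
        else:
            unlabeled.append(sid)
    return detected, set(truth.values()) - detected, unlabeled
```

An alert that matches no labeled flow is not automatically a false positive; as the message notes, the truth files list flows only, without tying them to named attack types.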