Snort mailing list archives

Re: Snort against DARPA 1999 Dataset


From: John York <YorkJ () brcc edu>
Date: Tue, 6 Nov 2012 14:28:46 +0000

Why would anyone want to run against a 13+ year-old data set?

From: Zahra Hakimi [mailto:zhr.hakimi () gmail com]
Sent: Monday, November 05, 2012 11:41 PM
To: Joel Esler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort against DARPA 1999 Dataset

Yes, it generated 17000 alerts, but when I compared these alerts with the DARPA dataset master identification file, I found
that none of them is a true positive alert.

Link to DARPA dataset truth file: http://www.ll.mit.edu/mission/communications/ist/files/master_identifications.list

Thanks & Regards,
Zahra Hakimi


On Mon, Nov 5, 2012 at 4:57 PM, Joel Esler <jesler () sourcefire com> wrote:
You said it generated 17,000 alerts, but then you say it didn't generate any alerts.  Which one is it?



--
Joel Esler
Sent from my iPad

On Nov 5, 2012, at 4:03 AM, Zahra Hakimi <zhr.hakimi () gmail com> wrote:

Hello,

I have been working on running Snort against the DARPA dataset for 4 weeks, but I have not had any success detecting its attacks with Snort.

My test setup is as follows:

I have two virtual machines with Ubuntu installed. On the first virtual machine I have Tcpreplay installed to replay
the network traffic stored in one day of the DARPA testing dataset onto the network. On the other machine, I have manually
set the IP address to one of the victims' IP addresses in the dataset (e.g. 172.16.112.50). Also, I have installed snort-2.9.3.1 to
protect just this machine. (HOME_NET=172.16.112.50 & External_NET=!$HOME_NET)

I'm confused by the output alerts. After more than four hours of running, Snort generated about 17000 alerts, of which less
than 1% have a source or destination IP address matching my configured HOME_NET (172.16.112.50).

My second problem is the detection rate. It doesn't generate any true positive alerts.

Any help would be appreciated.

Regards,
Zahra Hakimi


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
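An added check for the situation described in the original post (not code from the thread or from the Snort project): it parses Snort alert_fast lines, reports what share of alerts actually involve the configured HOME_NET, and matches alerts against ground-truth attack windows to count true positives. The alert lines and truth records below are constructed, and the truth record layout is a simplified assumption, not the real format of master_identifications.list.

```python
import re
from datetime import datetime, timedelta

HOME_NET = "172.16.112.50"  # the victim address used in the poster's setup

# alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(lines, year=1999):
    """Parse alert_fast lines; the year is assumed because the default format omits it."""
    out = []
    for line in lines:
        m = ALERT_RE.match(line)
        if m:  # skip anything that is not a well-formed alert line
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            out.append({"time": ts, "sig": m["sig"], "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return out

def home_net_share(alerts):
    """Fraction of alerts whose source or destination is HOME_NET (the poster saw under 1%)."""
    hits = sum(1 for a in alerts if HOME_NET in (a["src"], a["dst"]))
    return hits / len(alerts) if alerts else 0.0

def true_positives(alerts, truth, slack=timedelta(seconds=0)):
    """IDs of truth records hit by an alert with the same src/dst pair inside the attack window."""
    matched = set()
    for a in alerts:
        for t in truth:
            same_pair = (a["src"], a["dst"]) == (t["src"], t["dst"])
            in_window = t["start"] - slack <= a["time"] <= t["end"] + slack
            if same_pair and in_window:
                matched.add(t["id"])
    return matched

# Constructed sample alerts (documentation-range addresses, made-up SIDs and messages).
SAMPLE_ALERTS = """\
03/29-08:12:10.000001  [**] [1:1000001:1] TEST telnet probe [**] [Priority: 3] {TCP} 192.0.2.10:33333 -> 172.16.112.50:23
03/29-08:12:11.000002  [**] [1:1000002:1] TEST ICMP ping [**] [Priority: 3] {ICMP} 192.0.2.30 -> 172.16.114.50
03/29-08:12:12.000003  [**] [1:1000003:1] TEST http request [**] [Priority: 2] {TCP} 172.16.112.50:1056 -> 198.51.100.9:80
""".splitlines()

# Constructed, simplified ground truth: one record per attack instance (assumed layout).
SAMPLE_TRUTH = [
    {"id": "1", "start": datetime(1999, 3, 29, 8, 10), "end": datetime(1999, 3, 29, 8, 15), "src": "192.0.2.10", "dst": "172.16.112.50"},
    {"id": "2", "start": datetime(1999, 3, 29, 9, 0), "end": datetime(1999, 3, 29, 9, 5), "src": "203.0.113.7", "dst": "172.16.112.50"},
]
```

Replace SAMPLE_ALERTS with the lines of Snort's alert file and SAMPLE_TRUTH with records converted from the truth file to run it over a real day of the dataset.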

