Snort mailing list archives
Re: Snort against DARPA 1999 Dataset
From: Zahra Hakimi <zhr.hakimi () gmail com>
Date: Tue, 6 Nov 2012 18:54:13 +0330
I've used the DARPA data set for two reasons:

1. Because of its good documentation about attacks. I couldn't find any data set that has documentation like the DARPA data set. Its documentation helps me to calculate false positives and detection rate.
2. Because of its popularity. It is used by many papers and it helps me to compare my method with other methods.

Do you know any newer dataset that can help me in this case?

Regards,
Hakimi

On Tue, Nov 6, 2012 at 5:58 PM, John York <YorkJ () brcc edu> wrote:
Why would anyone want to run against a 13+ year-old data set?

From: Zahra Hakimi [mailto:zhr.hakimi () gmail com]
Sent: Monday, November 05, 2012 11:41 PM
To: Joel Esler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort against DARPA 1999 Dataset

Yes, it generated 17000 alerts, but when I compared these alerts with the DARPA dataset master identification file, I found that none of them is a true positive alert.

Link to DARPA dataset truth file: http://www.ll.mit.edu/mission/communications/ist/files/master_identifications.list

Thanks & Regards,
Zahra Hakimi

On Mon, Nov 5, 2012 at 4:57 PM, Joel Esler <jesler () sourcefire com> wrote:

You said it generated 17,000 alerts, but then you say it didn't generate any alerts. Which one is it?

--
Joel Esler
Sent from my iPad

On Nov 5, 2012, at 4:03 AM, Zahra Hakimi <zhr.hakimi () gmail com> wrote:

Hello,

I'm working on running Snort with the DARPA dataset for 4 weeks, but I haven't gained any success in detecting its attacks with Snort.

My test setup is as follows: I have two virtual machines with Ubuntu installed. On the first virtual machine I have Tcpreplay installed to replay the network traffic stored in one day of the DARPA testing dataset onto the network. On the other machine, I've set the IP address manually to one of the victim's IP addresses in the dataset (e.g. 172.16.112.50). Also, I've installed snort-2.9.3.1 to protect just this machine (HOME_NET=172.16.112.50 & External_NET=!$HOME_NET).

I'm confused by the output alerts. After four hours of running, Snort generates about 17000 alerts, of which less than 1% have a source or destination IP address matching my configured HOME_NET (172.16.112.50).

My second problem is detection rate. It doesn't generate any true positive alert.

Any help would be appreciated.

Regards,
Zahra Hakimi

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center. Diagnose problems and improve visibility into emerging IT issues. Automate, monitor and manage. Do more in less time with Central http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
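One way to do the comparison this thread is about, as an added example that is not code from the thread, from Snort or from the DARPA project: parse Snort fast-format alert lines, keep only those that touch HOME_NET (which shows why most of the 17000 alerts fall outside it: rules written with `any` addresses and preprocessor events fire on every replayed flow), and score the rest against ground-truth attack records to get a detection rate and false-positive count. The alert lines and the `TRUTH` tuples below are constructed; the real master_identifications.list has its own layout, so the (id, victim, start, duration) form is an assumed simplification, not that file's format.

```python
import re
from datetime import datetime, timedelta

HOME_NET = "172.16.112.50"  # the victim address configured in the thread

# Field layout of a Snort alert_fast line; fast alerts carry month/day but no year.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts (not real Snort output from the thread).
SAMPLE_ALERTS = """\
03/29-08:44:17.104513  [**] [1:2000:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 172.16.112.50
03/29-08:44:20.000001  [**] [1:2001:2] TCP port scan [**] [Priority: 2] {TCP} 202.77.162.213:33145 -> 172.16.112.50:23
03/29-09:10:03.555555  [**] [1:2002:1] FTP login attempt [**] [Priority: 2] {TCP} 196.37.75.158:2081 -> 172.16.112.50:21
03/29-09:30:00.000000  [**] [1:2000:1] ICMP PING [**] [Priority: 3] {ICMP} 172.16.113.204 -> 172.16.114.50
"""

# Constructed ground truth, an assumed simplification of the real truth file:
# (attack id, victim ip, start "MM/DD-HH:MM:SS", duration in seconds).
TRUTH = [
    ("attack-1", "172.16.112.50", "03/29-08:44:00", 120),
    ("attack-2", "172.16.112.50", "03/29-09:15:00", 60),
]

def parse_fast_alerts(text, year=1999):
    """Turn fast-format lines into dicts; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        alerts.append({"time": ts, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts

def involves_home_net(alert, home_net=HOME_NET):
    """True when the protected host is either endpoint of the alert."""
    return home_net in (alert["src"], alert["dst"])

def evaluate(alerts, truth, year=1999, slack=timedelta(seconds=30)):
    """Return (detection_rate, false_positives, detected_ids). An alert is a true
    positive when its destination is the victim and its time is within the
    attack window, padded by `slack` to absorb replay/clock drift."""
    windows = []
    for attack_id, victim, start, dur in truth:
        t0 = datetime.strptime(f"{year}/{start}", "%Y/%m/%d-%H:%M:%S")
        windows.append((attack_id, victim, t0 - slack, t0 + timedelta(seconds=dur) + slack))
    detected, false_positives = set(), 0
    for a in alerts:
        hits = [aid for aid, victim, lo, hi in windows
                if a["dst"] == victim and lo <= a["time"] <= hi]
        if hits:
            detected.update(hits)
        else:
            false_positives += 1
    rate = len(detected) / len(truth) if truth else 0.0
    return rate, false_positives, detected
```

Run on the sample, the home-net filter drops the fourth alert, the two alerts inside the first window count as one detected attack, and the FTP alert outside any window is a false positive.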