Snort mailing list archives

Anomaly-detection dynamic preprocessor


From: Андрей Меньков <nothingelsematters7 () gmail com>
Date: Sat, 23 Feb 2013 00:44:32 +0300

Hello all.
I'm in the last year of study at my university and am writing my diploma thesis.
I chose NIDS as the topic, and so now I am trying to implement a dynamic preprocessor
for Snort which will be based on this dataset: http://www.iscx.ca/dataset.
There are files in pcap format + Excel files with labels for these packet
flows.

First of all, I need to train my preprocessor somehow. This will be done by
processing and analyzing these pcap files and maybe using the labels attached
to them (but not necessarily).

I have some questions. It would be great if someone would help me and maybe
give some good ideas :-)
1. I can give these pcap files as input to Snort, so I get all the
power of Snort's network data decoding. With this I can write a preprocessor
for training that obtains traffic from the files and moves the analyzed data
somewhere. But there is a problem. It's not smart to detect anomalies using
only information about a single packet. It would be convenient, for
example, to reassemble them (e.g. into connections for TCP packets) for better
analysis. And maybe there are other "tricks".
So the question is actually something like "Can I use, for example, the Stream5
preprocessor to train my preprocessor?" It reassembles packets into
connections.

2. What about existing implementations of such dynamic preprocessors?
3. Maybe it would be better to implement it not as a dynamic preprocessor,
but as a dynamic engine?

Thanks in advance :-)
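The following is an added example and is not part of the original post, nor is it Snort's preprocessor or Stream5 API. It illustrates the poster's first point in plain Python: packets that a decoder has already turned into tuples (the kind of per-packet view a preprocessor gets) are grouped into bidirectional TCP connections, per-connection features are computed, and a baseline learned from flows labelled benign scores new flows by deviation. All packet records and the benign labelling are constructed for the example; in the poster's setting the labels would come from the dataset's Excel files.

```python
# Added example (not from the original post, not Snort's preprocessor API):
# connection-level feature extraction and a simple statistical baseline,
# showing why the flow rather than the single packet is the unit of analysis.
from dataclasses import dataclass
import math


@dataclass
class Packet:
    """One decoded TCP packet, the shape a decoder would hand to a preprocessor."""
    ts: float        # timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "PA", "FA", "RA"


@dataclass
class Flow:
    first_ts: float
    last_ts: float
    pkts_fwd: int = 0
    pkts_rev: int = 0
    bytes_fwd: int = 0
    bytes_rev: int = 0
    syn_seen: bool = False   # initiator SYN (S without A) observed
    fin_seen: bool = False   # orderly close started


def flow_key(p):
    """Direction-independent key so both halves of a connection collapse into one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def aggregate_flows(packets):
    """Group packets into bidirectional flows; 'forward' is the direction of the first packet seen."""
    flows, initiator = {}, {}
    for p in sorted(packets, key=lambda q: q.ts):
        key = flow_key(p)
        if key not in flows:
            flows[key] = Flow(first_ts=p.ts, last_ts=p.ts)
            initiator[key] = (p.src, p.sport)
        f = flows[key]
        f.last_ts = p.ts
        if (p.src, p.sport) == initiator[key]:
            f.pkts_fwd += 1
            f.bytes_fwd += p.payload_len
        else:
            f.pkts_rev += 1
            f.bytes_rev += p.payload_len
        if "S" in p.flags and "A" not in p.flags:
            f.syn_seen = True
        if "F" in p.flags:
            f.fin_seen = True
    return flows


FEATURES = ("duration", "pkts", "bytes", "fwd_ratio", "complete")


def flow_features(f):
    """Connection-level features that no single packet can provide."""
    pkts = f.pkts_fwd + f.pkts_rev
    return {
        "duration": f.last_ts - f.first_ts,
        "pkts": float(pkts),
        "bytes": float(f.bytes_fwd + f.bytes_rev),
        "fwd_ratio": f.pkts_fwd / pkts,
        "complete": 1.0 if (f.syn_seen and f.fin_seen) else 0.0,
    }


class Baseline:
    """Per-feature mean and population std learned from flows labelled benign (training phase)."""
    def __init__(self):
        self.mean, self.std = {}, {}

    def fit(self, rows):
        n = len(rows)
        for name in FEATURES:
            vals = [r[name] for r in rows]
            m = sum(vals) / n
            self.mean[name] = m
            self.std[name] = math.sqrt(sum((v - m) ** 2 for v in vals) / n)

    def zscores(self, row):
        out = {}
        for name in FEATURES:
            d, s = abs(row[name] - self.mean[name]), self.std[name]
            # A feature that never varied in training and now differs is maximally anomalous.
            out[name] = d / s if s > 0 else (0.0 if d == 0 else math.inf)
        return out

    def score(self, row):
        return max(self.zscores(row).values())


def _pkt(ts, src, sport, dst, dport, flags, length=0):
    return Packet(ts, src, sport, dst, dport, length, flags)


# Constructed sample traffic: two complete HTTP-style connections and one refused attempt.
SAMPLE_PACKETS = [
    _pkt(0.00, "10.0.0.1", 40001, "10.0.0.2", 80, "S"),
    _pkt(0.01, "10.0.0.2", 80, "10.0.0.1", 40001, "SA"),
    _pkt(0.02, "10.0.0.1", 40001, "10.0.0.2", 80, "A"),
    _pkt(0.03, "10.0.0.1", 40001, "10.0.0.2", 80, "PA", 200),
    _pkt(0.05, "10.0.0.2", 80, "10.0.0.1", 40001, "PA", 1400),
    _pkt(0.06, "10.0.0.1", 40001, "10.0.0.2", 80, "FA"),
    _pkt(0.07, "10.0.0.2", 80, "10.0.0.1", 40001, "FA"),
    _pkt(1.00, "10.0.0.3", 40002, "10.0.0.2", 80, "S"),
    _pkt(1.01, "10.0.0.2", 80, "10.0.0.3", 40002, "SA"),
    _pkt(1.02, "10.0.0.3", 40002, "10.0.0.2", 80, "A"),
    _pkt(1.03, "10.0.0.3", 40002, "10.0.0.2", 80, "PA", 300),
    _pkt(1.05, "10.0.0.2", 80, "10.0.0.3", 40002, "PA", 1200),
    _pkt(1.06, "10.0.0.2", 80, "10.0.0.3", 40002, "PA", 900),
    _pkt(1.07, "10.0.0.3", 40002, "10.0.0.2", 80, "FA"),
    _pkt(1.08, "10.0.0.2", 80, "10.0.0.3", 40002, "FA"),
    _pkt(2.000, "10.0.0.9", 50000, "10.0.0.2", 445, "S"),
    _pkt(2.001, "10.0.0.2", 445, "10.0.0.9", 50000, "RA"),
]


def demo():
    """Train on the first two flows (treated as labelled benign) and score every flow."""
    flows = aggregate_flows(SAMPLE_PACKETS)
    feats = {k: flow_features(f) for k, f in flows.items()}
    keys = list(flows)               # insertion order follows first-packet timestamps
    baseline = Baseline()
    baseline.fit([feats[keys[0]], feats[keys[1]]])
    return {k: baseline.score(feats[k]) for k in keys}


if __name__ == "__main__":
    for key, s in demo().items():
        print(key, "score =", s)
```

With population standard deviation and two training flows, each training flow scores exactly 1.0 on every varying feature, while the refused attempt never completes a handshake and carries no payload, so its "complete" feature (constant in training) drives the score to infinity and its packet count alone sits 11 standard deviations from the baseline. This is the kind of signal that is only visible once packets are reassembled into connections, which is the role Stream5 plays in the poster's design.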
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!