Snort mailing list archives
Re: Rules to detect all the attacks listed in DARPA dataset ?
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 20 Aug 2013 20:24:19 -0400
Set your variables to "any" and see what you get. -- Joel Esler
On Aug 20, 2013, at 8:16 PM, dsigma <dsigma () 163 com> wrote:
Hello,

I'm working on running Snort against the DARPA dataset for four weeks, but I have gained little success in detecting its attacks with Snort.

My test setup is as follows:

I've two virtual machines with Ubuntu installed. On the first virtual machine I've Tcpreplay installed to replay the network traffic stored in one day of the DARPA testing dataset onto the network. On the other machine, I've set the IP address manually to one of the victim IP addresses in the dataset (e.g. 172.16.112.50). Also, I've installed snort-2.9.3.1 to protect just this machine. (HOME_NET= 172.16.112.50 & External_NET= !$HOME_NET)

I'm confused by the output alerts. After more than four hours of running, Snort generates about 17000 alerts, of which less than 1% have a source or destination IP address equal to my configured HOME_NET (172.16.112.50). My second problem is the detection rate: it doesn't generate any true positive alerts.

And how could I detect all the attacks listed in DARPA (http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/docs/attacks.html)? Is there a set of rules that could detect all the attacks?

Any help would be appreciated.

Linbo Qiao
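The triage the question describes (what share of the alerts actually involve the configured HOME_NET, and which endpoints the rest are between) can be scripted over Snort's `alert_fast` output before changing variables to "any". This is an added example, not code from the thread or from the Snort project; the alert lines it embeds are constructed, and only the address 172.16.112.50 comes from the message above.

```python
import ipaddress
import re
from collections import Counter

# Matches the tail of a Snort "alert_fast" record:
#   ... [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real Snort output); only 172.16.112.50 is from the thread.
SAMPLE_ALERTS = """\
08/20-20:10:01.000001  [**] [1:1000001:1] CONSTRUCTED rule A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:23 -> 206.48.44.18:1234
08/20-20:10:02.000002  [**] [1:1000002:1] CONSTRUCTED rule B [**] [Priority: 3] {ICMP} 172.16.113.84 -> 172.16.112.50
08/20-20:10:03.000003  [**] [1:1000002:1] CONSTRUCTED rule B [**] [Priority: 3] {ICMP} 192.168.1.1 -> 172.16.114.50
08/20-20:10:04.000004  [**] [1:1000003:2] CONSTRUCTED rule C [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.114.50:53 -> 172.16.115.20:1025
not an alert line
""".splitlines()


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert_fast record."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def home_net_share(lines, home_net):
    """Count alerts whose source or destination lies inside HOME_NET (a list of hosts or CIDRs)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in home_net]

    def in_home(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    total, touching, sids, endpoints = 0, 0, Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip banners, blank lines and anything else that is not an alert
        total += 1
        endpoints[a["src"]] += 1
        endpoints[a["dst"]] += 1
        if in_home(a["src"]) or in_home(a["dst"]):
            touching += 1
            sids[a["sid"]] += 1  # which rules fired on HOME_NET traffic
    share = touching / total if total else 0.0
    return {"total": total, "touching_home": touching, "share": share,
            "sids": sids, "endpoints": endpoints}


if __name__ == "__main__":
    r = home_net_share(SAMPLE_ALERTS, ["172.16.112.50"])
    print(f"{r['touching_home']}/{r['total']} alerts touch HOME_NET ({r['share']:.0%})")
    print("busiest endpoints:", r["endpoints"].most_common(3))
```

Running it over the real `alert` file (`snort -A fast`) with the replayed day's victim addresses as HOME_NET shows which hosts the remaining alerts are between, which is the information needed before deciding whether widening HOME_NET is the right fix.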
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!