Snort mailing list archives

Fwd: Re: Fwd: Re: Snort Anomaly Detection


From: Andres Carrera Rivera <protoss_black88 () hotmail com>
Date: Fri, 17 Sep 2010 09:01:28 -0500



  On 9/17/2010 8:43 AM, Bernhard Guillon wrote:
 On 17.09.2010 15:31, Andres Carrera Rivera wrote:


 Excellent! I did exactly what you said and patched it into
 snort-2.8.6.X.
 Now my question is: how can I test if the PHAD preprocessor is working?
 Because I don't see any configuration inside the snort.conf file.

 I run snort like: snort -dev -c ./snort.conf


 You need to add the configuration for spp_phad to snort.conf which I
 wrote in my other mail:

 #snort.conf
 preprocessor phad: training_time 446400


 The training time still is in seconds. For more information about the
 algorithm read the paper [1] of the original implementation.

 Best regards
 Bernhard Guillon

 [1] http://cs.fit.edu/~mmahoney/paper3.pdf






OK, the time is in seconds.
But when it finishes the training mode, will PHAD generate some
alerts when it finds any anomalies?
That's what I don't know.


I put preprocessor phad:
training_time 446400


in the snort.conf file, but when running snort, I got this error:
Unknown preprocessor: "phad"

Snort doesn't recognize PHAD?
How can I solve this problem?


Thanks,
Andres Carrera


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

