Snort mailing list archives
Snort against DARPA Dataset
From: Sravan Bhamidipati <bsravanin () gmail com>
Date: Fri, 29 Jun 2012 11:22:53 -0400
Hi, I am a grad student trying to play around with Snort. I apologize in advance for the long mail. To figure out tuning, I am evaluating Snort (2.9.x) against the very old 1998 and 1999 DARPA datasets. In my configuration, I have turned on ALL rules, including those that are disabled (commented) by default. I have enabled the sfportscan preprocessor because port scans/sweeps are a major part of the attacks<http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/attacks.html>. I have a few doubts regarding my methods and findings. 1. Portscan.log: The default Snort logs do not contain sfportscan alerts. Is this by design or can this behavior be changed? I am using the preprocessor's logfile option for portscan-related attacks. How reliable are the port ranges and open ports in this log? Do they identify all ports or only a few ports? 2. Detection rates: I am using the 3-tuple (date, source IP, destination IP) as matching criteria for portscan-related attacks (portscan.log), and the 5-tuple (date, source IP, source port, destination IP, destination port) as a matching criteria for all other alerts. I see more than 30% of the labeled attacks going unidentified by Snort. Is this matching criteria correct or in some way too liberal or stringent? 3. Ruleset: How different are the Snort subscriber's ruleset, Pulled Pork rules, and Emerging Threats ruleset? Would the detection rates improve if I used all rulesets together? (As I understand Snort ignores the older or duplicate rules.) In general are older signatures (from 1998/99) ever removed or only replaced by newer signatures in these rulesets? 4. Target-based IDS: Snort preprocessors, especially stream5 (understandably) don't seem to explicitly support very old operating systems. Are there any guidelines in configuring for such cases? I'm just using "old-linux". 5. Would you suggest any config changes for higher detection rates? Ideally I would like a 100% detection rate, and tune down from that point. 6. Is it fair to test any IDS against such old datasets? Are there any newer labeled datasets available to the public? What do, say, Snort developers use to test against regressions? Regards, Sravan
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort against DARPA Dataset Sravan Bhamidipati (Jun 29)
- Re: Snort against DARPA Dataset Robert Vineyard (Jun 29)