Snort mailing list archives

Rules to detect all the attacks listed in the DARPA dataset?


From: dsigma <dsigma () 163 com>
Date: Wed, 21 Aug 2013 08:16:36 +0800 (CST)

Hello,

I have been working on running Snort with the DARPA dataset for 4 weeks, but I have had little success in detecting its attacks with Snort.
My test setup is as follows:

I have two virtual machines with Ubuntu installed. On the first virtual machine I have Tcpreplay installed to replay 
the network traffic stored in one day of the DARPA testing dataset onto the network. On the other machine, I've set the IP address 
manually to one of the victim's IP addresses in the dataset (e.g. 172.16.112.50). Also, I've installed snort-2.9.3.1 to 
protect just this machine. (HOME_NET = 172.16.112.50 & EXTERNAL_NET = !$HOME_NET)

I'm confused by the output alerts. After more than four hours of running, Snort generated about 17000 alerts, of which less 
than 1% have a source or destination IP address matching my configured HOME_NET (172.16.112.50). My second problem 
is the detection rate: it doesn't generate any true positive alert. 

Also, how could I detect all the attacks listed in DARPA 
(http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/docs/attacks.html)? Is there a set of rules that 
could detect all of them? 

Any help would be appreciated.
Linbo Qiao
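As an added example (not part of the original post or of Snort itself), here is a small Python triage script for the alert-volume question above: it parses Snort's alert_fast output, counts how many alerts actually involve the configured HOME_NET (172.16.112.50 from the post), tallies which signatures fire against that host, and separates rule alerts (GID 1 text rules, GID 3 shared-object rules) from decoder/preprocessor events, which fire regardless of the $HOME_NET in rule headers. The sample alert lines, their SIDs and their messages are constructed placeholders, not real Snort rules.

```python
import re
import ipaddress
from collections import Counter

# HOME_NET as configured in the post; EXTERNAL_NET is !$HOME_NET.
HOME_NET = [ipaddress.ip_network("172.16.112.50/32")]

# Layout of one Snort alert_fast line: timestamp, [gid:sid:rev], "msg",
# optional classification/priority, {proto}, src[:port] -> dst[:port].
FAST_RE = re.compile(
    r'^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"(?P<msg>[^"]*)"'
    r'\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?'
    r'\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

# Constructed sample alerts: SIDs 9000xx and their messages are placeholders,
# not real Snort rules. The GID 129 line stands in for a preprocessor event.
SAMPLE_ALERTS = """\
08/21-08:16:36.000001  [**] [1:900001:1] "CONSTRUCTED probe to victim" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 202.77.162.213:3456 -> 172.16.112.50:80
08/21-08:16:37.000002  [**] [1:900002:1] "CONSTRUCTED unrelated host chatter" [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.113.84:53 -> 197.218.177.69:53
08/21-08:16:38.000003  [**] [129:12:1] "CONSTRUCTED preprocessor event" [**] [Priority: 3] {TCP} 172.16.114.50:1027 -> 209.67.29.11:25
08/21-08:16:39.000004  [**] [1:900001:1] "CONSTRUCTED probe to victim" [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.112.50 -> 202.77.162.213
"""

def in_home_net(addr):
    """True if the address falls inside any HOME_NET block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]

def triage(text):
    """Summarise which alerts touch HOME_NET and which came from rules vs preprocessors."""
    alerts = parse_fast_alerts(text)
    home = [a for a in alerts if in_home_net(a["src"]) or in_home_net(a["dst"])]
    # GID 1 = text rules, GID 3 = shared-object rules; any other GID is a
    # decoder/preprocessor event, which ignores $HOME_NET in rule headers.
    preproc = sum(1 for a in alerts if a["gid"] not in ("1", "3"))
    by_sig = Counter(f'{a["gid"]}:{a["sid"]} {a["msg"]}' for a in home)
    return {"total": len(alerts), "home_net": len(home),
            "preprocessor": preproc, "by_sig": by_sig}

if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    print(f'{summary["home_net"]} of {summary["total"]} alerts involve HOME_NET')
    for sig, n in summary["by_sig"].most_common():
        print(f"{n:6d}  {sig}")
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; the same by_sig tally is the quickest way to see which signatures, if any, are the true positives against the victim host.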
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
