[Bro] Current IDS and Data Mining research

ssm_as ssm_as at yahoo.com
Mon May 30 12:40:35 PDT 2011


Hi,
Well, it depends on what you are trying to do.
For example, do you want to use data mining in IDS alert analysis (e.g. alert verification, alert aggregation, alert correlation)? In this case you will find a lot of research work submitted in that area.

Do you want to use data mining in building an IDS to detect intrusions? Then you are probably talking about anomaly-detection-based IDS? In my opinion data mining is not the best approach to do that. Probably, you will need to think about soft computing approaches (neural networks, artificial immune systems, swarm intelligence, etc.).

The issue with your question is that you are using very abstract keywords, "data mining" and "IDS". You should be more specific.

Thanks,
Sherif Saad 
Ph.D Candidate, University of Victoria 

--- On Mon, 5/30/11, bro-request at bro-ids.org <bro-request at bro-ids.org> wrote:

From: bro-request at bro-ids.org <bro-request at bro-ids.org>
Subject: Bro Digest, Vol 61, Issue 16
To: bro at bro-ids.org
Received: Monday, May 30, 2011, 10:00 PM

Send Bro mailing list submissions to
    bro at bro-ids.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
    bro-request at bro-ids.org

You can reach the person managing the list at
    bro-owner at bro-ids.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."


Today's Topics:

   1. Current IDS and Data Mining research (Suman Nandi)
   2. Re: handle out of order and retransmitted packets in offline
      trace (Song Zhao)


----------------------------------------------------------------------

Message: 1
Date: Mon, 30 May 2011 11:53:57 +0530
From: Suman Nandi <suman.nandi at chitkara.edu.in>
Subject: [Bro] Current IDS and Data Mining research
To: bro at bro-ids.org
Message-ID: <BANLkTi=pfrxkgD6SzOmN5yrejS3G5MDJxg at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear Bro Developers and contributors,
I have been working on IDS and Data Mining. I would like to know the current
research in this area, that is, IDS using Data Mining, and what the current
research areas and objectives are where Data Mining can provide solutions to IDS?

-- 
Regards
SUMAN KUMAR NANDI
HOD-Computer Applications
Chitkara University, Punjab
India
 Mobile:+919501105658

------------------------------

Message: 2
Date: Mon, 30 May 2011 03:22:08 -0400
From: Song Zhao <sxz135 at case.edu>
Subject: Re: [Bro] handle out of order and retransmitted packets in
    offline    trace
To: Vern Paxson <vern at icir.org>
Cc: bro at bro-ids.org, Ruoming Pang <rpang at cs.princeton.edu>
Message-ID: <BANLkTi=3WDaWZ2sT8TcPvOM=ifG8zJPC=w at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

In the 12G rewritten trace, the port numbers range widely. http-rewriter.bro
loads http-reply.bro, which loads http-request.bro, which loads http.bro. The
filtering code in these policy scripts is as follows:

In http-request.bro:
redef capture_filters += {
    ["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
};
In http-reply.bro:
redef capture_filters += {
    ["http-reply"] = "tcp src port 80 or tcp src port 8080 or tcp src port 8000"
};
In http.bro:
# DPM configuration.
global http_ports = {
    80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
    8000/tcp, 8080/tcp, 8888/tcp,
};
redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };

Do any of them turn DPD on? If not, why do the port numbers in the rewritten trace
range so widely, much more widely than the range of the global
http_ports set?
I didn't load dpd.bro anywhere. After checking the payloads roughly, as far
as I can tell, they all contain HTTP requests or responses. I mean, they are
really "HTTP streams", whatever the port number is.

Thanks
Song Zhao

On Fri, May 27, 2011 at 4:43 PM, Vern Paxson <vern at icir.org> wrote:

> > I also tried ./bro -r readfile -A writerfile http-rewriter.bro, whose
> > results seem to be the same as those of ./bro -r readfile
> http-rewriter.bro
> > -A writefile. And is there any difference in the resulting trace between
> > using -A and -w for http-rewriter.bro?
>
> If you specify both, then you get the untransformed trace in the -w file
> and the transformed one in -A.  If you specify just one, then that's the
> transformed file.
>
> > Does http-rewriter.bro by default use DPD to find http streams instead of
> > port numbers?
>
> I don't know.  But you can avoid this question by just wiring in the
> ports of interest into the initialization of capture_filters in
> http-reply.bro.
>
> > Interestingly, majority of
> > them are port 20480.
>
> Note, 20480 = 80 but little endian.  This suggests either a bug in how
> you're viewing the port numbers, or in how Bro is displaying (or possibly
> processing them).
>
>                Vern
>

------------------------------

_______________________________________________
Bro mailing list
Bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


End of Bro Digest, Vol 61, Issue 16
***********************************
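Vern's remark in the quoted digest that 20480 is port 80 with its bytes swapped is easy to verify on the raw header bytes. The Python below is an example added here, not code from the thread or from Bro: it builds a constructed TCP header, decodes the port fields both correctly (network byte order) and with the little-endian misread Vern suspects, applies the http_ports set quoted from http.bro as a port filter, and adds a heuristic check for a trace whose ports only look like HTTP ports after a byte swap. The helper names and the sample port list are my own.

```python
import struct

# The HTTP port set from the http.bro fragment quoted above (assumption: same set).
HTTP_PORTS = {80, 81, 631, 1080, 3138, 8000, 8080, 8888}


def build_tcp_header(sport, dport):
    """Return a minimal 20-byte TCP header (constructed sample, not from a trace).

    Fields are packed in network byte order ('!'), exactly as they sit on the wire.
    """
    seq, ack = 0, 0
    offset_flags = (5 << 12) | 0x18          # data offset 5 words, PSH|ACK
    window, checksum, urgent = 65535, 0, 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, checksum, urgent)


def ports_network_order(hdr):
    """Correct decoding: source and destination port as 16-bit big-endian."""
    return struct.unpack("!HH", hdr[:4])


def ports_little_endian_misread(hdr):
    """The suspected bug: the same bytes decoded little-endian (x86 without ntohs)."""
    return struct.unpack("<HH", hdr[:4])


def swap16(port):
    """Undo a 16-bit byte swap: 20480 (0x5000) -> 80 (0x0050)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def is_http_by_port(sport, dport):
    """Port-based HTTP classification, the way http.bro's http_ports is used."""
    return sport in HTTP_PORTS or dport in HTTP_PORTS


def byte_swap_suspected(observed_ports, threshold=0.5):
    """Heuristic for a trace whose ports look wrong.

    Returns True when at least `threshold` of the observed ports are not in
    HTTP_PORTS but land in HTTP_PORTS after their bytes are swapped.
    """
    if not observed_ports:
        return False
    fixed = sum(1 for p in observed_ports
                if p not in HTTP_PORTS and swap16(p) in HTTP_PORTS)
    return fixed / len(observed_ports) >= threshold


if __name__ == "__main__":
    hdr = build_tcp_header(54321, 80)
    print("wire order   :", ports_network_order(hdr))          # (54321, 80)
    print("LE misread   :", ports_little_endian_misread(hdr))  # (12756, 20480)
    print("swap16(20480):", swap16(20480))                     # 80
    # Constructed port list: mostly byte-swapped 80 and 8080 plus one real 443.
    sample = [20480, 20480, 20480, 36895, 443]
    print("byte swap suspected:", byte_swap_suspected(sample))  # True
```

If a trace viewer or a Bro build shows ports like 20480 or 36895 on streams whose payload is plainly HTTP, running the observed port list through byte_swap_suspected is a quick way to separate a display or decoding bug from HTTP genuinely running on odd ports.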