<div dir="ltr">Dear Victor,<div><br></div><div style>I would like to start this thread again, since I am looking for anomaly detection in Suricata. </div><div style>I read in your blogs and previous updates from Suricata that your team was also working on anomaly detection in Suricata.</div>

<div style><br></div><div style>In particular, my needs are some basic functions like profile generation on a particular interface and triggering events in case of deviation from the normal reference profile. <br></div><div style>

<br></div><div style>I found this preprocessor in Snort, i.e. an Anomaly Detector (<a href="http://anomalydetection.info/">http://anomalydetection.info/</a>). It looks interesting.  </div><div style><br></div><div style>
Is there some way to integrate this existing plugin into Suricata? </div>
<div style><br></div><div class="gmail_extra"><br clear="all"><div>--<br>Best Regards,<br>Prabhakaran Kasinathan<br>+39 3279720502<br></div>
<br><br><div class="gmail_quote">On Sat, Nov 24, 2012 at 6:00 PM,  <span dir="ltr"><<a href="mailto:oisf-devel-request@openinfosecfoundation.org" target="_blank">oisf-devel-request@openinfosecfoundation.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
   1. Suricata Preprocessor (ayoub sabbar)<br>
   2. Re: Suricata Preprocessor (Victor Julien)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 23 Nov 2012 17:08:11 +0000<br>
From: ayoub sabbar <<a href="mailto:sabbarayoub@hotmail.fr">sabbarayoub@hotmail.fr</a>><br>
To: <<a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a>><br>
Subject: [Oisf-devel] Suricata Preprocessor<br>
Message-ID: <COL123-W4344834E4B358BEC8F0FB0DB5A0@phx.gbl><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
<br>
 Hello,<br>
<br>
  I'm working on a project which is the integration of a preprocessor in Suricata, so I want to know if it is possible to do that,<br>
  and if it is possible, I want some help from you because I didn't find a lot of information on the internet.<br>
<br>
Best Regards<br>
<br>


<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 23 Nov 2012 18:20:15 +0100<br>
From: Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>><br>
To: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-devel] Suricata Preprocessor<br>
Message-ID: <<a href="mailto:50AFB04F.1070201@inliniac.net">50AFB04F.1070201@inliniac.net</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
On 11/23/2012 06:08 PM, ayoub sabbar wrote:<br>
>  Hello,<br>
><br>
>   I'm working on a project which is the integration of a preprocessor in Suricata, so I want to know if it is possible to do that,<br>
>   and if it is possible, I want some help from you because I didn't find a lot of information on the internet.<br>
<br>
I assume you're referring to a Snort preprocessor you want to port to<br>
Suricata?<br>
<br>
There are quite a few places to hook into Suricata. The right place<br>
depends on what the purpose of your module is. What are you trying to<br>
achieve?<br>
<br>
Cheers,<br>
Victor<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
<br>
<br>
</blockquote></div><br></div></div>