Applying Machine Learning to create DoS detection rules for Snort.
This software is part of a capstone project of the Information Assurance department of FPT University.
This program applies a machine-learning algorithm to detect DoS attacks in Bro IDS logs, then generates a DoS detection rule for Snort.
- Read logs from Bro's log directory and preprocess them into the KDDCup99 dataset format.
- Feed the preprocessed records to the ML model to label each connection 'attack' or 'normal'.
- Generate a threshold by averaging the values of the 'count' attribute over connections labelled 'normal'.
- Generate a rule in Snort's .rules file format. Rule format:
alert tcp any any -> $(HOME_NET) any (msg:"TCP SYN flood attack detected"; flags:S; threshold: type threshold, track by_dst, count 0 , seconds 2; sid: 5000001; rev:1;)
- Store the new rule in the directory pointed to by the rule_dir variable in getdosrule.cfg.
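The threshold and rule-generation steps above, as an added example that is not the project's code: it derives the KDDCup99 'count' feature (connections to the same destination host within the previous 2 seconds) from constructed conn.log-style records, averages it over connections labelled 'normal' (the labels stand in for the classifier's output; rounding the average up to an integer is an assumption), and fills in the rule template shown above.

```python
import math
from collections import defaultdict

# Rule format from the README; only 'count' and 'sid' are filled in.
RULE_TEMPLATE = (
    'alert tcp any any -> $(HOME_NET) any (msg:"TCP SYN flood attack detected"; '
    'flags:S; threshold: type threshold, track by_dst, count {count}, seconds 2; '
    'sid: {sid}; rev:1;)'
)


def kdd_count(conns, window=2.0):
    """KDD 'count' for each (ts, id.resp_h) record: connections to the same
    destination host in the last `window` seconds, the current one included.
    Records must be sorted by timestamp, as Bro's conn.log is."""
    seen = defaultdict(list)  # resp_h -> timestamps still inside the window
    counts = []
    for ts, resp_h in conns:
        seen[resp_h] = [t for t in seen[resp_h] if ts - t <= window] + [ts]
        counts.append(len(seen[resp_h]))
    return counts


def dos_threshold(counts, labels):
    """Average 'count' over connections the model labelled 'normal'.
    Assumption: round up, since Snort's count must be an integer."""
    normal = [c for c, label in zip(counts, labels) if label == "normal"]
    if not normal:
        raise ValueError("no 'normal' connections to derive a threshold from")
    return int(math.ceil(sum(normal) / float(len(normal))))


def make_rule(count, sid=5000001):
    return RULE_TEMPLATE.format(count=count, sid=sid)


# Constructed records (ts, id.resp_h); the burst to 10.0.0.5 is the attack.
CONNS = [(0.0, "10.0.0.5"), (0.5, "10.0.0.5"), (1.0, "10.0.0.7"),
         (1.2, "10.0.0.5"), (1.5, "10.0.0.7"), (1.6, "10.0.0.5"),
         (1.7, "10.0.0.5"), (1.8, "10.0.0.5"), (4.0, "10.0.0.7")]
LABELS = ["normal", "normal", "normal", "normal", "normal",
          "attack", "attack", "attack", "normal"]

if __name__ == "__main__":
    print(make_rule(dos_threshold(kdd_count(CONNS), LABELS)))
```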
- Python 2.7
- scikit-learn library
- GNU/Make
- GNU/gcc
- libconfig
- Bro IDS
The program uses the libconfig library to parse its configuration file.
Modify the two variables in src/getdosrule.cfg to point to Snort's rule directory and Bro's log directory.
# getdosrule.cfg
log_dir = "/Bro/log/dir/"
rule_dir = "/Snort/rule/dir/"
$ make
$ ./getdosrule
$ make clean