GetDoSRule

Applying Machine Learning to create DoS detection rules for Snort.

About

This software is a part of capstone project of Information Assurance department of FPT University.

How it work.

This program applies Machine Learning's algorithm to detects DoS attack in Bro IDS's logs. Then generates DoS detection rule for Snort.

Get logs from Bro's log directory, preprocessing logs to the form of KDDCup99 dataset format.
Fetch logs to ML's model to label connections to 'attack' or 'normal'.
Generates a threshold by calculating average of 'count' attribute's values with 'normal' label.
Generates rule in Sort's .rules file format. Rule format:

alert tcp any any -> $(HOME_NET) any (msg:"TCP SYN flood attack detected"; flags:S; threshold: type threshold, track by_dst, count 0 , seconds 2; sid: 5000001; rev:1;)

Store new rule in directory pointed by rule_dir variable in getdosrule.cfg

Installation

Prequisites

Python 2.7
- scikit-learn library
GNU/Make
GNU/gcc
libconfig
Bro IDS

Configuration

Program use libconfig library to parse and run configuration file. Modify two variables in src/getdosrule.cfg to point to Snort's rule directory and Bro's log directory.

# getdosrule.cfg

log_dir  = "/Bro/log/dir/"
rule_dir = "/Snort/rule/dir/"

Compile & Run

$ make
$ ./getdosrule

Clean

$ make clean

Name		Name	Last commit message	Last commit date
Latest commit History 78 Commits
.circleci		.circleci
model		model
obj		obj
src		src
test		test
.travis.yml		.travis.yml
README.md		README.md
_config.yml		_config.yml
describe.xml		describe.xml
getdosrule		getdosrule
makefile		makefile
requirements.txt		requirements.txt

fonger900/Capstone-software

Folders and files

Latest commit

History

Repository files navigation

GetDoSRule

About

How it work.

Installation

Prequisites

Configuration

Compile & Run

Clean

About

Resources

Stars

Watchers

Forks

Languages