fonger900 / Capstone-software

Program that creates DoS detection rules for Snort


GetDoSRule

Applying Machine Learning to create DoS detection rules for Snort.

louis

About

This software is part of a capstone project of the Information Assurance department of FPT University.

How it works

This program applies a machine-learning algorithm to detect DoS attacks in Bro IDS logs, then generates a DoS detection rule for Snort.

  1. Get logs from Bro's log directory and preprocess them into the KDDCup99 dataset format.
  2. Feed the preprocessed records to the ML model, which labels each connection 'attack' or 'normal'.
  3. Generate a threshold by calculating the average of the 'count' attribute over connections labelled 'normal'.
  4. Generate a rule in Snort's .rules file format. Rule format:
     alert tcp any any -> $(HOME_NET) any (msg:"TCP SYN flood attack detected"; flags:S; threshold: type threshold, track by_dst, count 0 , seconds 2; sid: 5000001; rev:1;)
  5. Store the new rule in the directory pointed to by the rule_dir variable in getdosrule.cfg.
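Steps 3 and 4 of the pipeline, shown as an added Python 3 example rather than the project's own code. It assumes the KDD-format records have already been labelled by the ML step (the sample rows, column subset and function names are constructed here) and that the computed threshold is what fills the rule's count field.

```python
import csv
import io

# Constructed sample in a KDDCup99-like layout (subset of columns):
# duration, protocol_type, service, flag, src_bytes, dst_bytes, count, label.
# 'count' is the KDD feature "connections to the same host in the past 2 s";
# the label column is what the ML step (step 2) would have assigned.
SAMPLE_KDD = """\
0,tcp,http,SF,215,45076,3,normal
0,tcp,http,SF,162,4528,5,normal
0,tcp,http,SF,236,1228,7,normal
0,tcp,private,S0,0,0,511,attack
0,tcp,private,S0,0,0,510,attack
0,tcp,http,SF,233,2032,9,normal
"""

# Rule template as printed in the README; only the count and sid are filled in.
RULE_TEMPLATE = ('alert tcp any any -> $(HOME_NET) any (msg:"TCP SYN flood attack '
                 'detected"; flags:S; threshold: type threshold, track by_dst, '
                 'count {count}, seconds 2; sid: {sid}; rev:1;)')


def parse_kdd(text):
    """Parse CSV rows into (count, label) pairs, skipping malformed rows."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 8:
            continue
        try:
            rows.append((int(fields[6]), fields[7].strip()))
        except ValueError:
            continue
    return rows


def normal_threshold(rows):
    """Step 3: mean of 'count' over rows labelled 'normal', rounded to an int.
    Returns None when no normal rows exist so no count-0 rule is ever emitted."""
    normal = [c for c, label in rows if label == "normal"]
    if not normal:
        return None
    return int(round(sum(normal) / float(len(normal))))


def build_rule(threshold, sid=5000001):
    """Step 4: render the Snort rule with the computed threshold."""
    return RULE_TEMPLATE.format(count=threshold, sid=sid)


def getdosrule(text):
    thr = normal_threshold(parse_kdd(text))
    return None if thr is None else build_rule(thr)


if __name__ == "__main__":
    print(getdosrule(SAMPLE_KDD))
```

Snort's own variable syntax is `$HOME_NET`; the template above keeps the README's literal `$(HOME_NET)` form. A threshold set at the mean of normal traffic will fire on ordinary bursts, so a margin above the mean is worth considering before deploying the rule.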

Installation

Prerequisites

  • Python 2.7
  • GNU/Make
  • GNU/gcc
  • libconfig
  • Bro IDS

Configuration

The program uses the libconfig library to parse its configuration file. Modify the two variables in src/getdosrule.cfg to point to Snort's rule directory and Bro's log directory.

# getdosrule.cfg

log_dir  = "/Bro/log/dir/"
rule_dir = "/Snort/rule/dir/"

Compile & Run

$ make
$ ./getdosrule

Clean

$ make clean


Languages

Python 50.4%, C++ 42.5%, Makefile 4.3%, C 2.8%