Rolling your own pre-processor for Snort
BleedingSnort invoked a funky sound from the RSS feed-reader today when they announced the availability of a new anomaly-based preprocessor for Snort, called PortscanAI. The preprocessor uses a neural network-based approach to find portscans and should, according to the author, be successful in detecting slow and carefully performed port scans.
Although that is nice news, I find the documentation provided by the project to be even cooler. One document presents, in a very brief and concise way, how a preprocessor is constructed and introduced into the Snort source. The “hello world” implementation does a great job of highlighting the basic steps, which I hope to go through some day. Another document carefully describes the internals of Snort, with the help of loads of pictures and diagrams. Not eye candy, but sure as hell tells a couple of thousand words :)
I hope to benefit from these documents once I get my Master thesis going.
