Sarajevo, Bosnia and Herzegovina

AnomalyDetection: Can’t read proper profile row

abnormal_psychology

For the last couple of days I have been trying to run the Snort AD project (anomalydetection.info), but I have not been able to see any results from the process.

First, don't forget to install SnortAD on an i386 machine and add the Snort AD files into the Snort installation (you can find instructions at http://www.rsreese.com/running-snortad), because if you install Snort first and then try to install SnortAD on top of it, the build will not go cleanly.

The current version of SnortAD is compatible with Snort 2.9.4.5 and DAQ 0.6.2; using other versions is not recommended. The instructions on the official site are outdated, so I recommend following Stephen Reese's instructions.

While running the script I ran into one problem, which I want to write about here.

There is a problem with the "check" variable that verifies whether the .csv profile file is correctly formatted. On line 175 of spp_anomalydetection.c the code writes data to ProfileFile and appends a trailing newline (\n), which breaks the whole script.

In the function "ReadProfile", on line 229, the script reads ProfileFile; since this read sits in an "infinite" while loop, it also reads the trailing newline just mentioned as if it were a row and then sets the "check" variable to 0.

If I add LogMessage("%d", check); at the end of the ReadProfile function and LogMessage("--%d--", check); at line 623, then recompile Snort, I get the following output:

Commencing packet processing (pid=20873)
AnomalyDetection: Opened an existing log file named AD60.txt
AnomalyDetection: Loged transfer between 21-01-14 05:14:54 - 21-01-14 05:15:54
--0--AnomalyDetection: Profile opened.
AnomalyDetection: Can't read proper profile row
0AnomalyDetection: Loged transfer between 21-01-14 05:15:54 - 21-01-14 05:16:54

So it is obvious that the code inside the if block on line 623 will never be executed. I solved it temporarily by commenting out that line for now.
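To make the failure mode concrete, here is an added C example; it is not the SnortAD preprocessor's own code, and the CSV column layout (proto,packets,bytes), the function names and the constructed sample profile are assumptions for illustration only. It builds a profile whose last row is followed by the same trailing newline the post describes, then reads it back twice: once with a naive loop of the shape described above, which treats the empty trailing line as a bad row and clears check, and once with a tolerant loop that skips blank lines and fails only on a row that is present but malformed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample profile (hypothetical proto,packets,bytes layout, not the
 * real SnortAD format). The trailing "\n" after the last row stands in for the
 * newline the writer appends to ProfileFile. */
static const char SAMPLE_PROFILE[] =
    "tcp,1000,50000\n"
    "udp,200,12000\n"
    "icmp,5,300\n"
    "\n";

/* True if the line holds only whitespace (fgets() returns "\n" for an empty line). */
static int line_is_blank(const char *line)
{
    for (; *line; line++)
        if (!isspace((unsigned char)*line))
            return 0;
    return 1;
}

/* Parse one "proto,packets,bytes" row; 1 on success, 0 if malformed.
 * On a blank line the scanset swallows "\n" as the proto field, the comma
 * never matches and sscanf returns 1 instead of 3, so the empty trailing
 * line is reported as a bad row. That is the post's "Can't read proper
 * profile row" case. */
static int parse_row(const char *line, char *proto, long *pkts, long *bytes)
{
    return sscanf(line, "%15[^,],%ld,%ld", proto, pkts, bytes) == 3;
}

/* Naive reader mirroring the behaviour described above: loop until fgets()
 * reports EOF and clear check for any line that does not parse, including
 * the trailing empty line. */
int read_profile_naive(FILE *fp, int *rows)
{
    char line[256], proto[16];
    long pkts, bytes;
    int check = 1;   /* "profile is well formed" until a read fails */
    int n = 0;

    while (1) {
        if (fgets(line, sizeof line, fp) == NULL)
            break;   /* EOF */
        if (!parse_row(line, proto, &pkts, &bytes))
            check = 0;   /* where the original logs "Can't read proper profile row" */
        else
            n++;
    }
    if (rows) *rows = n;
    return check;
}

/* Tolerant reader: blank lines are skipped, EOF ends the loop, and only a
 * row that is present but malformed fails the check (fail closed). */
int read_profile_tolerant(FILE *fp, int *rows)
{
    char line[256], proto[16];
    long pkts, bytes;
    int n = 0;

    while (fgets(line, sizeof line, fp) != NULL) {
        if (line_is_blank(line))
            continue;
        if (!parse_row(line, proto, &pkts, &bytes)) {
            if (rows) *rows = n;
            return 0;
        }
        n++;
    }
    if (rows) *rows = n;
    return 1;
}

/* Run either reader over in-memory profile text through a temporary file.
 * Returns the check value, or -1 if no temp file could be created. */
int check_profile(const char *text, int tolerant, int *rows)
{
    FILE *fp = tmpfile();
    int check;
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    check = tolerant ? read_profile_tolerant(fp, rows) : read_profile_naive(fp, rows);
    fclose(fp);
    return check;
}

/* Number of rows the chosen reader accepted (-1 on temp-file failure). */
int count_profile_rows(const char *text, int tolerant)
{
    int rows = 0;
    if (check_profile(text, tolerant, &rows) < 0)
        return -1;
    return rows;
}

int main(void)
{
    int rows;
    int naive = check_profile(SAMPLE_PROFILE, 0, &rows);
    printf("naive reader:    check=%d rows=%d\n", naive, rows);
    int tol = check_profile(SAMPLE_PROFILE, 1, &rows);
    printf("tolerant reader: check=%d rows=%d\n", tol, rows);
    return 0;
}
```

Skipping blank lines in the reader is a safer repair than commenting out the message and the check=0 lines: removing the check makes the profile load, but it also means a genuinely corrupted profile row is no longer noticed, whereas the tolerant loop still rejects a row like "tcp,abc,5".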

Details on https://bitbucket.org/AnomalyDetection/preprocessor/issue/1/anomalydetection-cant-read-proper-profile

Update (thanks to @Danny9Tee3):
It turns out I had to comment out lines 231 and 232 (the "Can't read proper profile row" message and the check=0) for it to work.