Converting WEKA rules into SNORT rules

Computer Science

ksu

Question Description

Hi, I am using WEKA as a machine learning tool to process the NSL-KDD dataset in order to produce rules that can distinguish anomalous from legitimate traffic. I need to translate the produced rules into SNORT rules, i.e. just write SNORT rules that represent the rules generated by WEKA. I am attaching a file that contains the WEKA rules (in red color) that were generated using the J48 algorithm. It is not necessary to have an interface to automate the process. Manually written SNORT rules (10 rules could be enough) are enough for me as long as they reflect the WEKA rules.

So, you should make sure that the extracted NSL-KDD features can be represented in SNORT.

Thanks,

Unformatted Attachment Preview

=== Run information ===

Scheme:       weka.classifiers.trees.J48 -C 0.6 -M 2
Relation:     KDDTrain
Instances:    125973
Attributes:   42
              duration
              protocol_type
              service
              flag
              src_bytes
              dst_bytes
              land
              wrong_fragment
              urgent
              hot
              num_failed_logins
              logged_in
              num_compromised
              root_shell
              su_attempted
              num_root
              num_file_creations
              num_shells
              num_access_files
              num_outbound_cmds
              is_host_login
              is_guest_login
              count
              srv_count
              serror_rate
              srv_serror_rate
              rerror_rate
              srv_rerror_rate
              same_srv_rate
              diff_srv_rate
              srv_diff_host_rate
              dst_host_count
              dst_host_srv_count
              dst_host_same_srv_rate
              dst_host_diff_srv_rate
              dst_host_same_src_port_rate
              dst_host_srv_diff_host_rate
              dst_host_serror_rate
              dst_host_srv_serror_rate
              dst_host_rerror_rate
              dst_host_srv_rerror_rate
              class
Test mode:    user supplied test set:  size unknown (reading incrementally)

=== Classifier model (full training set) ===

J48 pruned tree
------------------

src_bytes <= 28
|   dst_host_srv_count <= 88
|   |   dst_bytes <= 3
|   |   |   logged_in = 0
|   |   |   |   count <= 4
|   |   |   |   |   dst_host_same_src_port_rate <= 0.5
|   |   |   |   |   |   dst_host_same_srv_rate <= 0.27
|   |   |   |   |   |   |   src_bytes <= 5
|   |   |   |   |   |   |   |   dst_host_rerror_rate <= 0.1
|   |   |   |   |   |   |   |   |   dst_host_serror_rate <= 0.97
|   |   |   |   |   |   |   |   |   |   dst_host_srv_count <= 2
|   |   |   |   |   |   |   |   |   |   |   service = aol: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = auth: normal (5.0)
|   |   |   |   |   |   |   |   |   |   |   service = bgp: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = courier: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = csnet_ns: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ctf: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = daytime: anomaly (3.0)
|   |   |   |   |   |   |   |   |   |   |   service = discard: anomaly (2.0)
|   |   |   |   |   |   |   |   |   |   |   service = domain: normal (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = domain_u: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = echo: anomaly (5.0)
|   |   |   |   |   |   |   |   |   |   |   service = eco_i: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ecr_i: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = efs: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = exec: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = finger: anomaly (2.0)
|   |   |   |   |   |   |   |   |   |   |   service = ftp: anomaly (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = ftp_data: anomaly (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = gopher: anomaly (2.0)
|   |   |   |   |   |   |   |   |   |   |   service = harvest: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = hostnames: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = http: normal (4.0)
|   |   |   |   |   |   |   |   |   |   |   service = http_2784: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = http_443: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = http_8001: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = imap4: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = IRC: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = iso_tsap: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = klogin: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = kshell: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ldap: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = link: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = login: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = mtp: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = name: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netbios_dgm: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netbios_ns: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netbios_ssn: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netstat: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = nnsp: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = nntp: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ntp_u: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = other: anomaly (2.0)
|   |   |   |   |   |   |   |   |   |   |   service = pm_dump: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = pop_2: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = pop_3: normal (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = printer: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = private: anomaly (104.0)
|   |   |   |   |   |   |   |   |   |   |   service = red_i: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = remote_job: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = rje: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = shell: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = smtp: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = sql_net: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ssh: anomaly (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = sunrpc: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = supdup: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = systat: anomaly (2.0)
|   |   |   |   |   |   |   |   |   |   |   service = telnet: normal (17.0/1.0)
|   |   |   |   |   |   |   |   |   |   |   service = tftp_u: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = tim_i: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = time: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = urh_i: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = urp_i: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = uucp: anomaly (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = uucp_path: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = vmnet: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = whois: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = X11: normal (5.0/1.0)
|   |   |   |   |   |   |   |   |   |   |   service = Z39_50: anomaly (0.0)
|   |   |   |   |   |   |   |   |   |   dst_host_srv_count > 2
|   |   |   |   |   |   |   |   |   |   |   protocol_type = tcp
|   |   |   |   |   |   |   |   |   |   |   |   dst_host_same_src_port_rate <= 0.03: normal (76.0)
|   |   |   |   |   |   |   |   |   |   |   |   dst_host_same_src_port_rate > 0.03
|   |   |   |   |   |   |   |   |   |   |   |   |   dst_host_same_src_port_rate <= 0.06: normal (3.0)
|   |   |   |   |   |   |   |   |   |   |   |   |   dst_host_same_src_port_rate > 0.06: anomaly (2.0)
|   |   |   |   |   |   |   |   |   |   |   protocol_type = udp: anomaly (8.0)
|   |   |   |   |   |   |   |   |   |   |   protocol_type = icmp: normal (0.0)
|   |   |   |   |   |   |   |   |   dst_host_serror_rate > 0.97: anomaly (233.0)
|   |   |   |   |   |   |   |   dst_host_rerror_rate > 0.1
|   |   |   |   |   |   |   |   |   dst_host_same_srv_rate <= 0.13: anomaly (999.0/1.0)
|   |   |   |   |   |   |   |   |   dst_host_same_srv_rate > 0.13
|   |   |   |   |   |   |   |   |   |   dst_host_rerror_rate <= 0.27: normal (9.0)
|   |   |   |   |   |   |   |   |   |   dst_host_rerror_rate > 0.27: anomaly (16.0)
|   |   |   |   |   |   |   src_bytes > 5
|   |   |   |   |   |   |   |   protocol_type = tcp
|   |   |   |   |   |   |   |   |   srv_count <= 1: normal (113.0)
|   |   |   |   |   |   |   |   |   srv_count > 1
|   |   |   |   |   |   |   |   |   |   duration <= 0: normal (31.0)
|   |   |   |   |   |   |   |   |   |   duration > 0: anomaly (3.0)
|   |   |   |   |   |   |   |   protocol_type = udp: anomaly (28.0/1.0)
|   |   |   |   |   |   |   |   protocol_type = icmp: anomaly (27.0)
|   |   |   |   |   |   dst_host_same_srv_rate > 0.27
|   |   |   |   |   |   |   dst_host_srv_serror_rate <= 0.31
|   |   |   |   |   |   |   |   protocol_type = tcp
|   |   |   |   |   |   |   |   |   dst_host_diff_srv_rate <= 0.13: normal (395.0)
|   |   |   |   |   |   |   |   |   dst_host_diff_srv_rate > 0.13
|   |   |   |   |   |   |   |   |   |   flag = OTH: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = REJ
|   |   |   |   |   |   |   |   |   |   |   service = aol: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = auth: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = bgp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = courier: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = csnet_ns: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ctf: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = daytime: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = discard: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = domain: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = domain_u: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = echo: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = eco_i: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ecr_i: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = efs: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = exec: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = finger: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ftp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ftp_data: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = gopher: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = harvest: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = hostnames: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = http: normal (19.0)
|   |   |   |   |   |   |   |   |   |   |   service = http_2784: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = http_443: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = http_8001: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = imap4: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = IRC: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = iso_tsap: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = klogin: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = kshell: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ldap: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = link: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = login: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = mtp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = name: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netbios_dgm: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netbios_ns: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netbios_ssn: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = netstat: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = nnsp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = nntp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ntp_u: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = other: normal (5.0)
|   |   |   |   |   |   |   |   |   |   |   service = pm_dump: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = pop_2: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = pop_3: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = printer: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = private: normal (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = red_i: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = remote_job: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = rje: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = shell: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = smtp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = sql_net: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = ssh: anomaly (1.0)
|   |   |   |   |   |   |   |   |   |   |   service = sunrpc: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = supdup: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = systat: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = telnet: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = tftp_u: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = tim_i: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = time: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = urh_i: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = urp_i: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = uucp: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = uucp_path: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = vmnet: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = whois: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = X11: normal (0.0)
|   |   |   |   |   |   |   |   |   |   |   service = Z39_50: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = RSTO: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = RSTOS0: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = RSTR: anomaly (3.0)
|   |   |   |   |   |   |   |   |   |   flag = S0: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = S1: normal (1.0)
|   |   |   |   |   |   |   |   |   |   flag = S2: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = S3: normal (0.0)
|   |   |   |   |   |   |   |   |   |   flag = SF: normal (6.0)
|   |   |   |   |   |   |   |   |   |   flag = SH: normal (0.0)
|   |   |   |   |   |   |   |   protocol_type = udp: anomaly (2.0)
|   |   |   |   |   |   |   |   protocol_type = icmp: anomaly (5.0)
|   |   |   |   |   |   |   dst_host_srv_serror_rate > 0.31: anomaly (30.0)
|   |   |   |   |   dst_host_same_src_port_rate > 0.5
|   |   |   |   |   |   service = aol: anomaly (0.0)
|   |   |   |   |   |   service = auth: anomaly (7.0)
|   |   |   |   |   |   service = bgp: anomaly (8.0)
|   |   |   |   |   |   service = courier: anomaly (6.0)
|   |   |   |   |   |   service = csnet_ns: anomaly (6.0)
|   |   |   |   |   |   service = ctf: anomaly (6.0)
|   |   |   |   |   |   service = daytime: anomaly (2.0)
|   |   |   |   |   |   service = discard: anomaly (4.0)
|   |   |   |   |   |   service = domain: anomaly (4.0)
|   |   |   |   |   |   service = domain_u: normal (4.0)
|   |   |   |   |   |   service = echo: anomaly (3.0)
|   |   |   |   |   |   service = eco_i: anomaly (2158.0)
|   |   |   |   |   |   service = ecr_i: anomaly (40.0/1.0)
|   |   |   |   |   |   service = efs: anomaly (5.0)
|   |   |   |   |   |   service = exec: anomaly (6.0)
|   |   |   |   |   |   service = finger
|   |   |   |   |   |   |   dst_host_count <= 64
|   |   |   |   |   |   |   |   dst_host_srv_serror_rate <= 0.1: normal (2.0)
|   |   |   |   |   |   |   |   dst_host_srv_serror_rate > 0.1
|   |   |   |   |   |   |   |   |   dst_host_srv_serror_rate <= 0.91: anomaly (10.0/1.0)
|   |   |   |   |   |   |   |   |   dst_host_srv_serror_rate > 0.91: normal (9.0/4.0)
|   |   |   |   |   |   |   dst_host_count > 64: anomaly (5.0)
|   |   |   |   |   |   service = ftp: anomaly (2.0)
|   |   |   |   |   |   service = ftp_data
|   |   |   |   |   |   |   src_bytes <= 6: anomaly (11.0)
|   |   |   |   |   |   |   src_bytes > 6: normal (9.0)
|   |   |   |   |   |   service = gopher: anomaly (5.0)
|   |   |   |   |   |   service = harvest: anomaly (0.0)
|   |   |   |   |   |   service = hostnames: anomaly (6.0)
|   |   |   |   |   |   service = http
|   |   |   |   |   |   |   dst_host_srv_diff_host_rate <= 0.02: anomaly (7.0)
|   |   |   |   |   |   |   dst_host_srv_diff_host_rate > 0.02: normal (59.0)
|   |   |   |   |   |   service = http_2784: anomaly (0.0)
|   |   |   |   |   |   service = http_443: anomaly (5.0)
|   |   |   |   |   |   service = http_8001: anomaly (0.0)
|   |   |   |   |   |   service = imap4: anomaly (16.0)
|   |   |   |   |   |   service = IRC: anomaly (0.0)
|   |   |   |   |   |   service = iso_tsap: anomaly (8.0)
|   |   |   |   |   |   service = klogin: anomaly (6.0)
|   |   |   |   |   |   service = kshell: anomaly (5.0)
|   |   |   |   |   |   service = ldap: anomaly (4.0)
|   |   |   |   |   |   service = link: anomaly (4.0)
|   |   |   |   |   |   service = login: anomaly (4.0)
|   |   |   |   |   |   service = mtp: anomaly (4.0)
|   |   |   |   |   |   service = name: anomaly (3.0)
|   |   |   |   |   |   service = netbios_dgm: anomaly (8.0)
|   |   |   |   |   |   service = netbios_ns: anomaly (8.0)
|   |   |   |   |   |   service = netbios_ssn: anomaly (8.0)
|   |   |   |   |   |   service = netstat: anomaly (2.0)
|   |   |   |   |   |   service = nnsp: anomaly (7.0)
|   |   |   |   |   |   service = nntp: anomaly (6.0)
|   |   |   |   |   |   service = ntp_u: anomaly (0.0)
|   |   |   |   |   |   service = other: anomaly (504.0/1.0)
|   |   |   |   |   |   service = pm_dump: anomaly (0.0)
|   |   |   |   |   |   service = pop_2: anomaly (4.0)
|   |   |   |   |   |   service = pop_3: anomaly (7.0)
|   |   |   |   |   |   service = printer: anomaly (4.0)
|   |   |   |   |   |   service = private
|   |   |   |   |   |   |   dst_host_same_srv_rate <= 0.03: anomaly (1318.0)
|   |   |   |   |   |   |   dst_host_same_srv_rate > 0.03
|   |   |   |   |   |   |   |   dst_host_same_srv_rate <= 0.64: anomaly (23.0)
|   |   |   |   |   |   |   |   dst_host_same_srv_rate > 0.64: normal (2.0)
|   |   |   |   |   |   service = red_i: anomaly (0.0)
|   |   |   |   |   |   service = remote_job: anomaly (6.0)
|   |   |   |   |   |   service = rje: anomaly (6.0)
|   |   |   |   |   |   service = shell: anomaly (4.0)
|   |   |   |   |   |   service = smtp: anomaly (3.0)
|   |   |   |   |   |   service = sql_net: anomaly (8.0)
|   |   |   |   |   |   service = ssh: anomaly (2.0)
|   |   |   |   |   |   service = sunrpc: anomaly (7.0)
|   |   |   |   |   |   service = supdup: anomaly (6.0)
|   |   |   |   |   |   service = systat: anomaly (3.0)
|   |   |   |   |   |   service = telnet: anomaly (4.0)
|   |   |   |   |   |   service = tftp_u: anomaly (0.0)
|   |   |   |   |   |   service = tim_i: anomaly (0.0)
|   |   |   |   |   |   service = time: anomaly (4.0/1.0)
|   |   |   |   |   |   service = urh_i: anomaly (0.0)
|   |   |   |   |   |   service = urp_i: anomaly (0.0)
|   |   |   |   |   |   service = uucp: anomaly (6.0)
|   |   |   |   |   |   service = uucp_path: anomaly (8.0)
|   |   |   |   |   |   service = vmnet: anomaly (7.0)
|   |   |   |   |   |   service = whois: anomaly (3.0)
|   |   |   |   |   |   service = X11: anomaly (0.0)
|   |   |   |   |   |   service = Z39_50: anomaly (7.0)
|   |   |   |   count > 4
|   |   |   |   |   dst_host_same_srv_rate <= 0.61
|   |   |   |   |   |   dst_host_count <= 66
|   |   |   |   |   |   |   protocol_type = tcp: anomaly (396.0)
|   |   |   |   |   |   |   protocol_type = udp: normal (3.0)
|   |   |   |   |   |   |   protocol_type = icmp: anomaly (0.0)
|   |   |   |   |   |   dst_host_count > 66: anomaly (44583.0/1.0)
|   |   |   |   |   dst_host_same_srv_rate > 0.61
|   |   |   |   |   |   dst_host_count <= 60: anomaly (109.0/1.0)
|   |   |   |   |   |   dst_host_count > 60
|   |   |   |   |   |   |   dst_host_serror_rate <= 0.49: normal (5.0)
|   |   |   |   |   |   |   dst_host_serror_rate > 0.49: anomaly (2.0)
|   |   |   logged_in = 1
|   |   |   |   src_bytes <= 7: anomaly (18.0/1.0)
|   |   |   |   src_bytes > 7: normal (273.0)
|   |   dst_bytes > 3
|   |   |   dst_host_rerror_rate <= 0.09
|   |   |   |   dst_bytes <= 791
|   |   |   |   |   count <= 2
|   |   |   |   |   |   dst_host_srv_count <= 1
|   |   |   |   |   |   |   protocol_type = tcp
|   |   |   |   |   |   |   |   count <= 1
|   |   |   |   |   |   |   |   |   logged_in = 0: normal (35.0)
|   |   |   |   |   |   |   |   |   logged_in = 1
|   |   |   |   |   |   |   |   |   |   num_compromised <= 0: normal (8.0/1.0)
|   |   |   |   |   |   |   |   |   |   num_compromised > 0: anomaly (2.0)
|   |   |   |   |   |   |   |   count > 1
|   |   |   |   |   |   |   |   |   logged_in = 0: normal (3.0/1.0)
|   |   |   |   |   |   |   |   |   logged_in = 1: anomaly (2.0)
|   |   |   |   |   |   |   protocol_type = udp: anomaly (2.0)
|   |   |   |   |   |   |   protocol_type = icmp: normal (0.0)
|   |   |   |   |   |   dst_host_srv_count > 1
|   |   |   |   |   |   |   dst_host_same_src_port_rate <= 0.13
|   |   |   |   |   |   |   |   service = aol: normal (0.0)
|   |   |   |   |   |   |   |   service = auth: normal (170.0)
|   |   |   |   |   |   |   |   service = bgp: normal (0.0)
|   |   |   |   |   |   |   |   service = courier: normal (0.0)
|   |   |   |   |   |   |   |   service = csnet_ns: normal (0.0)
|   |   |   |   |   |   |   |   service = ctf: normal (0.0)
|   |   |   |   |   |   |   |   service = daytime: normal (0.0)
|   |   |   |   |   |   |   |   service = discard: normal (0.0)
|   |   |   |   |   |   |   |   service = domain: normal (0.0)
|   |   |   |   |   |   |   |   service = domain_u: normal (6.0)
|   |   |   |   |   |   |   |   service = echo: normal (0.0)
|   |   |   |   |   |   |   |   service = eco_i: normal (0.0)
|   |   |   |   |   |   |   |   service = ecr_i: normal (0.0)
|   |   |   |   |   |   |   |   service = efs: normal (0.0)
|   |   |   |   |   |   |   |   service = exec: normal (0.0)
|   |   |   |   |   |   |   |   service = finger: normal (403.0)
|   |   |   |   |   |   |   |   service = ftp: normal (0.0)
|   |   |   |   |   |   |   |   service = ftp_data: normal (10.0)
|   |   |   |   |   |   |   |   service = gopher: normal (0.0)
|   |   |   |   |   |   |   |   service = harvest: normal (0.0)
|   |   |   |   |   |   |   |   service = hostnames: normal (0.0)
|   |   |   |   |   |   |   |   service = http: normal (0.0)
|   |   |   |   |   |   |   |   service = http_2784: normal (0.0)
|   |   |   |   |   |   |   |   service = http_443: normal (0.0)
|   |   |   |   |   |   |   |   service = http_8001: normal (0.0)
|   |   |   |   |   |   |   |   service = imap4: normal (0.0)
|   |   |   |   |   |   |   |   service = IRC: normal (0.0)
|   |   |   |   |   |   |   |   service = iso_tsap: normal (0.0)
|   |   |   |   |   |   |   |   service = klogin: normal (0.0)
|   |   |   |   |   |   |   |   service = kshell: normal (0.0)
|   |   |   |   |   |   |   |   service = ldap: normal (0.0)
|   |   |   |   |   |   |   |   service = link: normal (0.0)
|   |   |   |   |   |   |   |   service = login: normal (0.0)
|   |   |   |   |   |   |   |   service = mtp: normal (0.0)
|   |   |   |   |   |   |   |   service = name: normal (0.0)
|   |   |   |   |   |   |   |   service = netbios_dgm: normal (0.0)
|   |   |   |   |   |   |   |   service = netbios_ns: normal (0.0)
|   |   |   |   |   |   |   |   service = netbios_ssn: normal (0.0)
|   |   |   |   |   |   |   |   service = netstat: normal (0.0)
|   |   |   |   |   |   |   |   service = nnsp: normal (0.0)
|   |   |   |   |   |   |   |   service = nntp: normal (0.0)
|   |   |   |   |   |   |   |   service = ntp_u: normal (0.0)
|   |   |   |   |   |   |   |   service = other: normal (0.0)
|   |   |   |   |   |   |   |   service = pm_dump: normal (0.0)
|   |   |   |   |   |   |   |   service = pop_2: normal (0.0)
|   |   |   |   |   |   |   |   service = pop_3: normal (0.0)
|   |   |   |   |   |   |   |   service = printer: normal (0.0)
|   |   |   |   |   |   |   |   service = private: normal (0.0)
|   |   |   |   |   |   |   |   service = red_i: normal (0.0)
|   |   |   |   |   |   |   |   service = remote_job: normal (0.0)
|   |   |   |   |   |   |   |   service = rje: normal (0.0)
|   |   |   |   |   |   |   |   service = shell: normal (0.0)
|   |   |   |   |   |   |   |   service = smtp: anomaly (1.0)
|   |   |   |   |   |   |   |   service = sql_net: normal (0.0)
|   |   |   |   |   |   |   |   service = ssh: normal (0.0)
|   |   |   |   |   |   |   |   service = sunrpc: normal (0.0)
|   |   |   |   |   |   |   |   service = supdup: normal (0.0)
|   |   |   |   |   |   |   |   service = systat: normal (0.0)
|   |   |   |   |   |   |   |   service = telnet: normal (14.0)
|   |   |   |   |   |   |   |   service = tftp_u: normal (0.0)
|   |   |   |   |   |   |   |   service = tim_i: normal (0.0)
|   |   |   |   |   |   |   |   service = time: normal (50.0)
|   |   |   |   |   |   |   |   service = urh_i: normal (0.0)
|   |   |   |   |   |   |   |   service = urp_i: normal (0.0)
|   |   |   |   |   |   |   |   service = uucp: normal (0.0)
|   |   |   |   |   |   |   |   service = uucp_path: normal (0.0)
|   |   |   |   |   |   |   |   service = vmnet: normal (0.0)
|   |   |   |   |   |   |   |   service = whois: normal (0.0)
|   |   |   |   |   |   |   |   service = X11: normal (0.0)
|   |   |   |   |   |   |   |   service = Z39_50: normal (0.0)
|   |   |   |   |   |   |   dst_host_same_src_port_rate > 0.13
|   |   |   |   |   |   |   |   service = aol: normal (0.0)
|   |   |   |   |   |   |   |   service = auth
|   |   |   |   |   |   |   |   |   dst_host_srv_diff_host_rate <= 0.08: anomaly (2.0)
|   |   |   |   |   |   |   |   |   dst_host_srv_diff_host_rate > 0.08: normal (19.0)
|   |   |   |   |   |   |   |   service = bgp: normal (0.0)
|   ...
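Added example (not part of the question above, and not a tutor's answer): a small Python script that walks a J48 tree in WEKA's text layout, collects every root-to-leaf path, and emits one Snort rule per "anomaly" leaf using only the NSL-KDD features Snort can evaluate per packet. The service-to-port table, the 2-second window used for `detection_filter`, and the use of `dsize` as a stand-in for the per-connection `src_bytes` feature are assumptions of this example, marked as such in the comments; the sample input is a hand-pruned excerpt of the tree in the attachment (four paths, same nodes and counts).

```python
import re

# Constructed sample input: a hand-pruned excerpt of the J48 output in the
# attachment, keeping only the nodes on four root-to-leaf paths, in WEKA's
# "|   " depth layout.
SAMPLE_TREE = """\
src_bytes <= 28
|   dst_host_srv_count <= 88
|   |   dst_bytes <= 3
|   |   |   logged_in = 0
|   |   |   |   count <= 4
|   |   |   |   |   dst_host_same_src_port_rate <= 0.5
|   |   |   |   |   |   dst_host_same_srv_rate <= 0.27
|   |   |   |   |   |   |   src_bytes > 5
|   |   |   |   |   |   |   |   protocol_type = udp: anomaly (28.0/1.0)
|   |   |   |   |   dst_host_same_src_port_rate > 0.5
|   |   |   |   |   |   service = eco_i: anomaly (2158.0)
|   |   |   |   count > 4
|   |   |   |   |   dst_host_same_srv_rate <= 0.61
|   |   |   |   |   |   dst_host_count <= 66
|   |   |   |   |   |   |   protocol_type = tcp: anomaly (396.0)
|   |   |   |   |   |   |   protocol_type = udp: normal (3.0)
"""

# depth bars, attribute, operator, value, then an optional leaf ": label (n[/err])"
NODE_RE = re.compile(
    r"^((?:\|   )*)(\w+) (<=|>|=) ([^\s:]+)"
    r"(?:: (anomaly|normal) \(([\d.]+)(?:/[\d.]+)?\))?$"
)

# ASSUMPTION: the NSL-KDD "service" labels used here denote these
# protocols/ports (eco_i / ecr_i are ICMP echo request / reply).  Extend the
# table for the rest of the 70 service values; unknown services are reported
# as unmapped instead of being guessed.
SERVICE_MAP = {
    "http": ("tcp", "80"), "ftp": ("tcp", "21"), "ftp_data": ("tcp", "20"),
    "telnet": ("tcp", "23"), "smtp": ("tcp", "25"), "ssh": ("tcp", "22"),
    "domain_u": ("udp", "53"), "eco_i": ("icmp", "any"), "ecr_i": ("icmp", "any"),
}
ICMP_TYPE = {"eco_i": 8, "ecr_i": 0}


def leaf_paths(tree_text):
    """Yield (conditions, label, instances) for every leaf, where conditions
    is the root-to-leaf list of (attribute, op, value) tuples."""
    stack = []
    for line in tree_text.splitlines():
        if not line.strip():
            continue
        m = NODE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse tree node: {line!r}")
        bars, attr, op, value, label, n = m.groups()
        depth = len(bars) // 4          # each "|   " marker is four characters
        del stack[depth:]               # back up to this node's parent
        stack.append((attr, op, value))
        if label:
            yield list(stack), label, float(n)


def to_snort(conditions, label, instances, sid):
    """Build one Snort rule from a path.  Returns (rule, unmapped): unmapped
    lists the conditions Snort cannot test per packet (host-profile rates,
    login state, per-connection byte counts of the other direction, ...)."""
    proto, dport, opts, unmapped = "ip", "any", [], []
    lo, hi, det_filter = None, None, None
    for attr, op, val in conditions:
        if attr == "protocol_type":
            proto = val
        elif attr == "service" and val in SERVICE_MAP:
            proto, dport = SERVICE_MAP[val]
            if val in ICMP_TYPE:
                opts.append(f"itype:{ICMP_TYPE[val]}")
        elif attr == "src_bytes":
            # ASSUMPTION: per-connection source bytes approximated by the
            # per-packet payload size; '<=' and '>' bounds merge into one dsize
            n = int(float(val))
            if op == "<=":
                hi = n if hi is None else min(hi, n)
            else:
                lo = n if lo is None else max(lo, n)
        elif attr == "count" and op == ">":
            # NSL-KDD "count" = connections to the same host in the last 2 s;
            # approximated by a source-tracked detection_filter (ASSUMPTION)
            det_filter = f"detection_filter:track by_src, count {int(float(val)) + 1}, seconds 2"
        else:
            unmapped.append(f"{attr} {op} {val}")
    if lo is not None and hi is not None:
        opts.append(f"dsize:{lo + 1}<>{hi}")       # inclusive range
    elif hi is not None:
        opts.append(f"dsize:<{hi + 1}")
    elif lo is not None:
        opts.append(f"dsize:>{lo}")
    if det_filter:
        opts.append(det_filter)                    # keep it after the match options
    msg = f"NSL-KDD J48 {label} leaf, {instances:g} training instances"
    body = "; ".join([f'msg:"{msg}"', *opts, f"sid:{sid}", "rev:1"])
    return f"alert {proto} any any -> $HOME_NET {dport} ({body};)", unmapped


def translate(tree_text, base_sid=1000001):
    """Return [(rule, unmapped), ...] for every anomaly leaf; normal leaves
    are not alerts.  SIDs from 1,000,000 up are reserved for local rules."""
    rules = []
    for conds, label, n in leaf_paths(tree_text):
        if label == "anomaly":
            rules.append(to_snort(conds, label, n, base_sid + len(rules)))
    return rules


if __name__ == "__main__":
    for rule, unmapped in translate(SAMPLE_TREE):
        if unmapped:
            print("# not expressible in Snort, rule is looser than the tree path: "
                  + ", ".join(unmapped))
        print(rule)
```

Running it prints three rules, each preceded by the list of tree conditions it had to drop. That list is the point of the exercise: most J48 splits in the attachment are on the NSL-KDD "traffic" and "host" features (`count`, `dst_host_*_rate`, `logged_in`, `dst_bytes`), which are computed over windows of whole connections and are not visible to a signature engine looking at one packet. A Snort rule built from such a path can only carry the protocol, port, payload-size and rate-limit parts, so it will fire on more traffic than the tree leaf did; the message and the comment line record what was lost so the rule can be reviewed rather than trusted as equivalent.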

This question has not been answered.
