How to add Anomaly detector in Suricata

I have a Machine Learning model and I want to integrate it with Suricata. I do not know how to add the machine learning algorithm in Suricata to enable Suricata to perform anomaly-based detection.

Without more details that is hard to tell. In general you could work on the Suricata source code but this sounds like a bigger project that would need more coordination. Especially if it should be fast. There is already some anomaly detection, see 15.1.2. Eve JSON Format — Suricata 7.0.0-dev documentation

Basically, I wanted to ask how to pass the output of the pre-processor module to the classifier and then pass the output of the classifier to the output module of Suricata.

Is there any way to extract the traffic of Suricata before the detection engine and save it in a file? It is urgent, please reply if someone has done it already.

You could use the pcap log feature, see 10.1. Suricata.yaml — Suricata 6.0.3 documentation, but in that case you could also run tcpdump to capture the packets. Otherwise it would have to be developed.

Keep in mind this forum is a free service for the community run together with the community. Pushing your own topic with a bump post within 24h and flagging it as urgent is not very well received.

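The replies above point at the practical integration path for this kind of project: rather than patching the detection engine, consume Suricata's eve.json output (which already carries the built-in `anomaly` events mentioned in the first reply, plus per-flow counters), run the classifier outside Suricata, and emit the verdicts in the same line-per-JSON style so the existing log pipeline can pick them up. The script below is an added example written for this thread; it is not code from the thread, from Suricata, or from the original poster's model. It assumes the eve `flow` object carries `pkts_toserver`, `pkts_toclient`, `bytes_toserver`, `bytes_toclient` and `age` counters, the eve sample is constructed (not a real capture), the `ml_anomaly` event type is invented here and is not a Suricata event type, and the "model" is a deliberately simple robust z-score (median/MAD) standing in for whatever classifier you have.

```python
"""Batch anomaly scoring over Suricata eve.json flow records (added example).

Pipeline: parse eve.json (one JSON object per line) -> pass through Suricata's
own 'anomaly' events -> extract volume features from 'flow' events -> score
each flow with a modified z-score (median / MAD) -> emit an eve-style JSON
line for every flow above the threshold.
"""
import json
import math
import statistics
from typing import Dict, Iterable, Iterator, List, Tuple

# Counters read from the eve 'flow' object (assumed field names).
FEATURES = ("pkts_toserver", "pkts_toclient", "bytes_toserver", "bytes_toclient", "age")
# Common cutoff for modified z-scores (Iglewicz & Hoaglin).
THRESHOLD = 3.5

# Constructed eve.json content: one built-in decoder anomaly event, six
# ordinary HTTPS flows and one flow that uploads ~60 MB over ten minutes.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"anomaly","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","anomaly":{"type":"decode","event":"decoder.tcp.hlen_too_small"}}',
    '{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1200,"bytes_toclient":8000,"age":2}}',
    '{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.6","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":1500,"bytes_toclient":9000,"age":3}}',
    '{"timestamp":"2023-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":14,"bytes_toserver":1800,"bytes_toclient":10000,"age":4}}',
    '{"timestamp":"2023-01-01T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.8","dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":14,"pkts_toclient":18,"bytes_toserver":2000,"bytes_toclient":12000,"age":5}}',
    '{"timestamp":"2023-01-01T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"203.0.113.12","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":16,"pkts_toclient":22,"bytes_toserver":2400,"bytes_toclient":15000,"age":7}}',
    '{"timestamp":"2023-01-01T10:00:06.000000+0000","event_type":"flow","src_ip":"10.0.0.10","dest_ip":"203.0.113.12","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":20,"pkts_toclient":28,"bytes_toserver":3000,"bytes_toclient":20000,"age":10}}',
    '{"timestamp":"2023-01-01T10:10:00.000000+0000","event_type":"flow","src_ip":"10.0.0.77","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":45000,"pkts_toclient":1500,"bytes_toserver":60000000,"bytes_toclient":2000,"age":600}}',
])


def parse_eve(lines: Iterable[str]) -> Iterator[dict]:
    """Yield eve records, skipping blank lines and partially written ones."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. the last line while Suricata is still writing it
        if isinstance(rec, dict) and "event_type" in rec:
            yield rec


def flow_features(rec: dict) -> List[float]:
    """Feature vector for one flow event; log1p tames heavy-tailed counters."""
    flow = rec.get("flow", {})
    return [math.log1p(max(0.0, float(flow.get(k, 0) or 0))) for k in FEATURES]


def fit_baseline(vectors: List[List[float]]) -> List[Tuple[float, float]]:
    """Per-feature (median, MAD). Robust statistics keep one huge flow from
    inflating the spread the way mean/stddev would in a small batch."""
    baseline = []
    for i in range(len(FEATURES)):
        col = [v[i] for v in vectors]
        med = statistics.median(col)
        mad = statistics.median(abs(x - med) for x in col)
        baseline.append((med, mad))
    return baseline


def score_flow(vec: List[float], baseline: List[Tuple[float, float]]) -> Tuple[float, str]:
    """Modified z-score: returns (max |z| over features, name of that feature)."""
    best, best_name = 0.0, ""
    for name, x, (med, mad) in zip(FEATURES, vec, baseline):
        if mad == 0:
            continue  # constant feature in this batch: uninformative, not infinite
        z = 0.6745 * abs(x - med) / mad
        if z > best:
            best, best_name = z, name
    return best, best_name


def run_pipeline(lines: Iterable[str], threshold: float = THRESHOLD) -> Dict[str, list]:
    """Split built-in anomaly events from flows, score the flows, build verdicts."""
    builtin, flows = [], []
    for rec in parse_eve(lines):
        if rec["event_type"] == "anomaly":
            builtin.append(rec)  # Suricata's own decoder/stream/app-layer anomalies
        elif rec["event_type"] == "flow":
            flows.append(rec)
    if not flows:
        return {"builtin_anomalies": builtin, "flagged": [], "scores": []}
    vectors = [flow_features(f) for f in flows]
    baseline = fit_baseline(vectors)
    scores, flagged = [], []
    for rec, vec in zip(flows, vectors):
        score, feature = score_flow(vec, baseline)
        scores.append(score)
        if score > threshold:
            flagged.append({  # eve-style record; 'ml_anomaly' is our own event type
                "timestamp": rec.get("timestamp"),
                "event_type": "ml_anomaly",
                "src_ip": rec.get("src_ip"),
                "dest_ip": rec.get("dest_ip"),
                "dest_port": rec.get("dest_port"),
                "proto": rec.get("proto"),
                "ml_anomaly": {"score": round(score, 2), "top_feature": feature,
                               "threshold": threshold},
            })
    return {"builtin_anomalies": builtin, "flagged": flagged, "scores": scores}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVE.splitlines())
    print(f"{len(result['builtin_anomalies'])} built-in anomaly event(s) passed through")
    for verdict in result["flagged"]:
        print(json.dumps(verdict))  # one JSON line per flagged flow, like eve.json
```

In production you would tail the real `eve.json` (or read it from the unix socket / filetype output Suricata can be configured with) instead of `SAMPLE_EVE`, fit the baseline on a trailing window rather than the batch being scored, and swap `score_flow` for the trained model; the parsing, the pass-through of Suricata's own `anomaly` events and the eve-style output format are the parts that stay the same.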