[Snort-devel] Patch to update Spade

James Hoagland hoagland at ...63...
Sat Aug 18 19:00:30 EDT 2001


Greetings,

Here is a patch to bring the Spade parts of Snort up to v010818.1.  It includes:

+ updated documentation
+ -corrscore option computes anomaly scores as originally intended (only matters
to a few users)
+ added spade-correlate mode to produce IDMEF alerts via TCP sockets (awaits
addition of output plugin message passing into Snort; patch to do this to be
provided soon)
+ a little code cleanup
+ Spade now checkpoints, etc. on SIGINT
+ renamed a couple functions to avoid conflicts
+ re-submit of a couple previous patches

Could someone please commit this and let me know when they do?

Thanks,

  Jim

-- snip -- 

Common subdirectories: snort/CVS and snort.new/CVS
Common subdirectories: snort/MIBS and snort.new/MIBS
diff -U 2 snort/README.Spade snort.new/README.Spade
--- snort/README.Spade	Wed Dec 13 00:14:41 2000
+++ snort.new/README.Spade	Sat Aug 18 14:56:29 2001
@@ -1,8 +1,8 @@
-README file for the Spade v092200.1
+README file for the Spade v010818.1
 -----------------------------------
 
 Greetings,
 
-Welcome to release version 092200.1 of the Spade sensor, spp_anomsensor. 
+Welcome to release version 010818.1 of the Spade sensor, spp_anomsensor. 
 Spade stands for Statistical Packet Anomaly Detection Engine and is produced
 by Silicon Defense (http://www.silicondefense.com/).  It is a Snort plugin to
@@ -19,9 +19,10 @@
 eventually consist of two parts, an anomaly sensor (Spade) and a portscan
 correlator.  The basic operation of this will be that Spade will monitor the
-network and report anomalous events to the correlator.  The correlator will
-then group these events together and send out reports of portscans, even those
-that have been crafted to be difficult to detect (e.g., they probe slowly,
-from different sources, or they randomize the scan).  This distribution is the
-sensor component of Spice.  The correlator is under active development.
+network and report anomalous events to the SPICE correlator.  The correlator
+will then group these events together and send out reports of portscans, even
+those that have been crafted to be difficult to detect (e.g., they probe
+slowly, from different sources, or they randomize the scan).  This
+distribution is the sensor component of Spice.  The correlator is now largely
+developed.
 
 We release this in the hopes that it will be useful.  We note though that it
@@ -39,6 +40,7 @@
 express no warranty for the program.
 
-The web page for Spade and Spice is http://www.silicondefense.com/spice/.  You
-can download the latest releases of it there.
+The web page for Spade and Spice is
+http://www.silicondefense.com/software/spice/.  You can download the latest
+releases of it there.
 
 
@@ -75,5 +77,7 @@
 ports given your destination ports or produce periodic reports of the number
 of packets seen and order statistics such as median of the anomaly scores
-produced.
+produced.  (Note however, that these features are "bonuses" and may not be as
+useful, well tested, or supported as the parts of Spade that relate to it
+reporting anomalous events.)
 
 
@@ -89,7 +93,8 @@
 
 Spade will not group related anomalous events together.  That will be the job
-of the correlator when it is complete.  You might consider using SnortSnarf
-(http://www.silicondefense.com/snortsnarf/) to help with this task; version
-090700.1 generates a special section to browse anomaly reports.
+of the SPICE correlator when it is complete.  You might consider using
+SnortSnarf (http://www.silicondefense.com/software/snortsnarf/) to help with
+this task; versions 090700.1 and later generate a special section to browse
+anomaly reports.
 
 
@@ -116,8 +121,7 @@
 Efficiency will depend on many factors including configuration and will vary
 from network to network.  We were able to go through a file of 1.25 million
-TCP
-SYN packets in about 2 minutes on a modern desktop machine, including
+TCP SYN packets in about 2 minutes on a modern desktop machine, including
 generating reports and probability maintenance but not with any Snort rules or
-plugins.   That is about 96 microseconds per packet.  Memory usage varied from
+plugins.  That is about 96 microseconds per packet.  Memory usage varied from
 2Mb to 42Mb depending on the probability mode.  If your network sees more
 traffic, especially different kinds of traffic, we would expect that your
@@ -125,7 +129,9 @@
 little (per packet).
 
-Stability seems good.  We have had it running on an ISP for 5 weeks without
+Stability seems good.  We had it running on an ISP for over 5 weeks without
 any problems.  When you are first running it, you might want to run it in a
-separate Snort process though, just in case.
+separate Snort process though, just in case.  There were a few bugs that
+caused core dumps that people found, but we have fixed all the known ones and
+beleive that is the last of them.
 
 
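Review bot: "beleive" in the added sentence should be "believe", and "that is the last of them" promises there are no remaining crash bugs, which a README can't back up; suggest "and believe the known ones are fixed" while keeping the advice to run Spade in a separate Snort process until it has proven itself on your traffic.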
@@ -145,4 +151,9 @@
 try it out.  Otherwise, you can browse through the Usage file to see what all
 your options are.
+
+
+-= Spade To Do =-
+
+It would be nice to be able to optionally ignore packets that are part of established FTP connections.  Since these sometimes look like portscans from the packet header level, to do this correctly, packet contents would need to be examined and FTP protocol analysis done.  We would (quite!) welcome contributions to do this.
 
 
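Review bot: the new To Do paragraph is one unwrapped line while the rest of README.Spade wraps at about 78 columns; wrap it to match so it reads the same in a pager and in the CVS diff. The content is fine as a wish-list item, but it would help contributors to say explicitly that the packet-header fields Spade sees are not enough to tell an FTP data connection from a scan, which is why payload inspection is the prerequisite.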
diff -U 2 snort/README.Spade.Usage snort.new/README.Spade.Usage
--- snort/README.Spade.Usage	Wed Dec 13 00:14:41 2000
+++ snort.new/README.Spade.Usage	Sat Aug 18 14:56:46 2001
@@ -1,4 +1,4 @@
-Usage file for the Spade v092200.1
-----------------------------------
+Usage file for Spade v010818.1
+------------------------------
 
 Author: Jim Hoagland (hoagland at ...60...)
@@ -13,5 +13,5 @@
 configuration file:
 
-    preprocessor spade: <anom-report-thresh> <state-file> <log-file> <prob-mode> <checkpoint-freq>
+    preprocessor spade: <anom-report-thresh> <state-file> <log-file> <prob-mode> <checkpoint-freq> [-corrscore]
 
 For example:
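Review bot: the synopsis shows -corrscore as a trailing option, but the parser in spp_anomsensor.c only recognizes it as the sixth token, so all five positional fields must be present before it even though some of them have defaults; say so here, e.g. "-corrscore must follow all five arguments", otherwise a user who relies on a default checkpoint-freq will find the option silently ignored.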
@@ -44,4 +44,8 @@
 default.
 
+Note that Spade alerts are sent to whatever output destinations you have set
+up in Snort.  For example a full alert format file or a database.  They do not
+appear in this log file.
+
 
 -= Checkpointing and recovery =-
@@ -57,6 +61,6 @@
 starts up with a clean slate.)  Periodically this state file is updated with
 the current state.  This is done with a frequency of every <checkpoint-freq>
-accepted packets (default 50000), on SIGHUP, SIGQUIT, and SIGUSR1, and on
-Snort exit.
+accepted packets (default 50000), on SIGHUP, SIGQUIT, SIGINT, and SIGUSR1, and
+on Snort exit.
 
 To disable checkpointing and recovering (not generally recommended), give "0"
@@ -92,4 +96,34 @@
 
 
+-= -corrscore option =-
+
+There was a misplaced parenthesis in all released versions of Spade through
+011701.1 that affected its computation of anomaly scores in probability modes
+1, 2, and 3.  Therefore, they do not compute their anomaly scores exactly as
+advertised in the README file and in the Spade/Spice publications.  Providing
+-corrscore at the end of the 'preprocessor spade' line tells Spade to compute
+the score correctly, specifically A(X)= -log2(P(X)).
+
+The reason it went unnoticed for a while and uncorrected up through the
+010818.1 version of Spade is that it doesn't matter for almost all users. 
+This is the reason it is still the default.  Here are conversion formulas
+between the old version of the score and the correct version:
+
++ corrscore= (oldscore *1.44)  +0.5289 + oldscore=  (corrscore*0.693) -0.3665
+
+As you might notice, both versions of the score do their job of ordering the
+relative anomalousness of packets equally well.  The old version simply
+produces scores about 70% of the correct version and can produce a score as
+low as -0.3665 (versus 0.0).  You might do well to regard the difference
+between these as similar to the difference between Fahrenheit and Celsius.
+
+Another affect of -corrscore is that alerts from Spade have messages that
+begin with 'Spade:' rather than 'spp_anomsensor:'.  This is to make it easier
+to tell which version of the score was used.  This might break some versions
+of certain alert consuming programs.  The maintainers of affected programs are
+encouraged to update their code.  Users of such programs should delay using
+-corrscore until updated versions are available.
+
+
 -= Home networks =-
 
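Review bot: the two conversion formulas are run together on one line ("+ corrscore= (oldscore *1.44) +0.5289 + oldscore= (corrscore*0.693) -0.3665"); put each on its own line and use 1.4427 rather than 1.44 so the factor is given to the same precision as the 0.5289 and 0.3665 constants (1/ln 2 is 1.4427, which is what the rest of the numbers assume). Also "Another affect" should be "Another effect", and the version references read inconsistently: the first paragraph says the bug exists through 011701.1 while the second says it is uncorrected through 010818.1; say plainly that 010818.1 is the first release that can compute the score correctly but keeps the old computation unless -corrscore is given.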
@@ -146,6 +180,6 @@
 (default 200) during that time.  At the end of the time period, a report about
 this is generated to the log file specified on the main sensor configuration
-line.  An intermediate report is produced on every SIGHUP, SIGQUIT, and
-SIGUSR1 and on Snort exit.
+line.  An intermediate report is produced on every SIGHUP, SIGQUIT, SIGINT,
+and SIGUSR1 and on Snort exit.
 
 
@@ -212,4 +246,34 @@
 
 
+-= IDMEF socket alerts =-
+
+** Note: As of August 18, 2001, no standard version of Snort (including any
+versions through 1.8.1) was capable of supporting this mode.  This mode
+*should* work in any future version of Snort with the right capability.  The
+specific capability needed is a certain form of output message passing.  A
+patch will be provided to the Snort maintainers shortly to implement this.  We
+hope that this will be added to standard Snort.  **
+
+A new Spade mode instructs it to send a copy of all anomalous packets in IDMEF
+format via a TCP socket to a certain destination IP and port.  This mode was
+added to enable communication with the Spice correlator.  You enable this mode
+and specify the alert target by providing a line of this form in the Snort
+configuration file:
+
+preprocessor spade-correlate: <dest-IP> <dest-port>
+
+The default destination IP is 127.0.0.1.  The default destination port is
+19603, the default receive port for Spice.
+
+This mode makes use of the IDMEF XML output plugin.  You will need to
+configure this plugin by adding a 'idmef:' line to your snort configuration
+file to use this mode.  For details on this plugin and how to configure it,
+see:
+
+http://www.silicondefense.com/idwg/snort-idmef/
+
+At present, each IDMEF message is sent in a separate connection.
+  
+  
 -= Survey mode =-
 
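Review bot: the section should state that the IDMEF messages go to <dest-IP>:<dest-port> over a plain TCP connection with no authentication or encryption, so anyone on the path can read the anomaly reports and anyone who can reach the port can impersonate the correlator; the 127.0.0.1 default is fine, but a non-loopback destination deserves a "use only on a trusted network" caveat next to it. Also "a 'idmef:' line" should be "an 'idmef:' line", and since the closing sentence says every message opens its own connection, it is worth adding that the correlator must accept one connection per anomalous packet, which matters at the alert rates the threshold-learning mode can produce. The two added blank lines at the end carry trailing whitespace.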
@@ -258,7 +322,7 @@
 + "condprob" (to display the known non-0 conditional (joint) probabilities)
 
-These are written to the log file on SIGHUP, SIGQUIT, and SIGUSR1 and on Snort
-exit.  Be aware that it might take a while to write the "uncondprob" and
-"condprob" results as there is in general alot of those.
+These are written to the log file on SIGHUP, SIGQUIT, SIGINT, and SIGUSR1 and
+on Snort exit.  Be aware that it might take a while to write the "uncondprob"
+and "condprob" results as there is, in general, alot of details to record.
 
 The following results are available from probability mode 3:
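Review bot: "alot" should be "a lot", and with the new wording the clause needs a plural verb: "as there are, in general, a lot of details to record".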
@@ -291,11 +355,11 @@
 a little over 3 days.
 
-At some point, the occurrance of something a long time ago (relative to the
+At some point, the occurrence of something a long time ago (relative to the
 number of times it occurred) makes little difference in the anomaly scores
 produces, so it might as well be discarded to save memory.  MIN_NODE_SIZE is
-the size of an occurrance count at which the record of something has occurred
+the size of an occurrence count at which the record of something has occurred
 is discarded (distributed value is 0.18).  The combination of these parameters
 as distributed means that a one-time occurrence is discarded after a little
-over one week (and a double occurrance after two weeks, etc.).
+over one week (and a double occurrence after two weeks, etc.).
 
 A different set of parameters are used to control how much memory can be used
Common subdirectories: snort/contrib and snort.new/contrib
diff -U 2 snort/snort.conf snort.new/snort.conf
--- snort/snort.conf	Sat Aug 11 21:31:01 2001
+++ snort.new/snort.conf	Sat Aug 18 15:07:14 2001
@@ -248,5 +248,5 @@
 #
 # preprocessor spade: <anom-report-thresh> <state-file>
-# <log-file> <prob-mode> <checkpoint-freq>
+# <log-file> <prob-mode> <checkpoint-freq> [-corrscore]
 #
 # set this to a directory Spade can read and write to
@@ -258,5 +258,5 @@
 #
 # put a list of the networks you are interested in Spade observing packets
-# going to here
+# going to here; separate these by spaces
 #
 # preprocessor spade-homenet: 0.0.0.0/0
diff -U 2 snort/spp_anomsensor.c snort.new/spp_anomsensor.c
--- snort/spp_anomsensor.c	Tue Aug  7 04:46:11 2001
+++ snort.new/spp_anomsensor.c	Sat Aug 18 15:36:45 2001
@@ -1,3 +1,2 @@
-/* DO NOT EDIT THIS FILE. EDIT THE ORIGINAL SOURCE FILES INSTEAD AND RUN make */
 /*********************************************************************
 Spade, a Snort preprocessor plugin to report unusual packets
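Review bot: dropping the "DO NOT EDIT THIS FILE" line is a regression: the file is assembled from anomsensor_plug.c, tree.c, anommem.c and store.c (the embedded headers say so), and without the warning someone will patch spp_anomsensor.c directly and lose the change on the next regeneration. The same pattern recurs later in this patch and in spp_anomsensor.h, where the repository's "$Id: ... fygrave Exp $" lines are deleted; those were added on the Snort side and should be left alone so the patch carries only the Spade changes.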
@@ -33,5 +32,5 @@
 any time.
 
-This file (anomsensor_plug.c) is part of Spade v011701.1.  It contains all
+This file (anomsensor_plug.c) is part of Spade v010818.1.  It contains all
 the Snort- and sensor-specific code in Spade.
 *********************************************************************/
@@ -45,4 +44,7 @@
 #include "rules.h"
 #include "log.h"
+#ifdef PLUGIN_MESSAGE_PASSING
+#include "spo_idmef.h"
+#endif
 #include <string.h>
 
@@ -55,4 +57,5 @@
                      // to checkpoint
 int prob_mode; // the probability calculation mode
+int use_corrscore=0; // the correctly compute the anomaly score?
 
 int as_debug= 0; // the bigger the number, the more debuging statements
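Review bot: the comment on use_corrscore ("the correctly compute the anomaly score?") is garbled; suggest "1 if -corrscore was given, i.e. compute the anomaly score as -log2(P(X)) rather than the legacy form".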
@@ -83,4 +86,8 @@
                       // far on this packet
 
+#ifdef PLUGIN_MESSAGE_PASSING
+int send_to_correlator= 0;
+struct sockaddr_in corr_dest;  // the socket to send reports to
+#endif
 
 /* globals used in the tree and memory management */
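Review bot: struct sockaddr_in, htons and inet_pton (used in SpadeCorrelateInit later in this patch) need <netinet/in.h> and <arpa/inet.h>, but the only include added for PLUGIN_MESSAGE_PASSING is spo_idmef.h; unless those headers already arrive via spp_anomsensor.h, add them under the same #ifdef so the message-passing build compiles cleanly.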
@@ -123,4 +130,7 @@
     RegisterPreprocessor("spade", SpadeInit);
     RegisterPreprocessor("spade-homenet", SpadeHomenetInit);
+#ifdef PLUGIN_MESSAGE_PASSING
+    RegisterPreprocessor("spade-correlate", SpadeCorrelateInit);
+#endif
     RegisterPreprocessor("spade-stats", SpadeStatInit);
     RegisterPreprocessor("spade-threshlearn", SpadeThreshlearnInit);
@@ -176,14 +186,6 @@
 	}
 
-#ifndef OLD_SNORT
-    // requires snort 1.6.1-beta3 or later
 	AddFuncToCleanExitList(SpadeCatchSig,NULL);
 	AddFuncToRestartList(SpadeCatchSig,NULL);
-#else
-	// use this if above won't compile
-    signal(SIGUSR1, CleanUpSpade);
-    signal(SIGQUIT, CleanUpSpade);
-    signal(SIGHUP, CleanUpSpade);
-#endif
 
 	if (as_debug) printf("Preprocessor: Spade Initialized\n");
@@ -232,4 +234,10 @@
     }
 	if (as_debug) printf("checkpoint frequency is %d\n",checkpoint_freq);
+	if (numToks > 5 && !strcmp(toks[5],"-corrscore")) {
+    	use_corrscore= 1;
+    } else {
+    	use_corrscore= 0;
+    }
+	if (as_debug) printf("use_corrscore is %d\n",use_corrscore);
 }
 
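Review bot: a sixth token that is not exactly "-corrscore" (a typo, or a future option) is silently treated as "no -corrscore", so the user gets the old score and a different alert prefix without any message; report the unrecognized token with an error (FatalError or at least a warning to stderr) rather than falling through to use_corrscore= 0.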
@@ -239,16 +247,51 @@
     Event event;
 
-    if (record_maybe_skip(p)) return;
-    /* accepted packets only past here; anom score is last_anom_score */
-
-    if (report_anom_thres >= 0.0 && last_anom_score >= report_anom_thres) {
-        char logMessage[65];
-        alert_count++;
-        recent_alert_count++;
-        sprintf(logMessage,"spp_anomsensor: Anomaly threshold exceeded: %.4f",last_anom_score);
+	if (record_maybe_skip(p)) return;
+	/* accepted packets only past here; anom score is last_anom_score */
+	
+	if (as_debug > 1) printf("packet #%d: %.4f\n",tot_packets,last_anom_score);
+	if (report_anom_thres >= 0.0 && last_anom_score >= report_anom_thres) {
+#ifdef PLUGIN_MESSAGE_PASSING
+		output_msg_info *msgs[3];
+		extra_fields extra;
+#endif
+		char logMessage[65];
+		alert_count++;
+		recent_alert_count++;
+		if (as_debug > 1) printf("reporting\n");
+		if (use_corrscore)
+			sprintf(logMessage,"Spade: Anomaly threshold exceeded: %.4f",last_anom_score);
+		else
+			sprintf(logMessage,"spp_anomsensor: Anomaly threshold exceeded: %.4f",last_anom_score);
+		
+#ifndef PLUGIN_MESSAGE_PASSING
         SetEvent(&event, GENERATOR_SPP_SPADE, SPADE_ANOM_THRESHOLD_EXCEEDED, 
                 1, 0, 0, 0);
-        CallAlertFuncs(p , logMessage, NULL, &event);
-    }
+		CallAlertFuncs(p, logMessage, NULL, &event);
+#endif
+#ifdef PLUGIN_MESSAGE_PASSING
+        extra.spade.anomscore= last_anom_score;
+		msgs[0]= (output_msg_info *)malloc(sizeof(output_msg_info));
+		msgs[0]->type= EXTRA_FIELDS;
+		msgs[0]->msg= &extra;
+		msgs[1]= NULL;
+		event.out_messages= msgs;
+		CallAlertFuncs(p, logMessage, NULL, &event);
+		
+		if (send_to_correlator) {
+			idmef_output_spec_msg outspec;
+			outspec.msg_type= IDMEF_ANOMREP;
+			outspec.outtype= tcp_conn;
+			outspec.outdet.sock_dest= &corr_dest;
+			msgs[1]= (output_msg_info *)malloc(sizeof(output_msg_info));
+			msgs[1]->type= IDMEF_OUTPUT_SPEC;
+			msgs[1]->msg= &outspec;
+			msgs[2]= NULL;
+			CallAlertFuncs(p,"Anomalous Event Report",NULL,&event);
+			free(msgs[1]);
+		}
+		free(msgs[0]);
+#endif // def PLUGIN_MESSAGE_PASSING
+	}
 }	
 
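Review bot: in the PLUGIN_MESSAGE_PASSING build SetEvent is never called, because it now sits inside the #ifndef block, yet &event is passed to both CallAlertFuncs calls with its generator and signature fields uninitialized; move the SetEvent(&event, GENERATOR_SPP_SPADE, SPADE_ANOM_THRESHOLD_EXCEEDED, ...) call above the #ifndef so both builds share it. Two smaller points in the same block: CallAlertFuncs is invoked twice when send_to_correlator is set (once with logMessage, once with "Anomalous Event Report"), so unless the other output plugins ignore messages carrying an IDMEF_OUTPUT_SPEC, every anomalous packet will be logged twice; and the malloc results for msgs[0] and msgs[1] are used unchecked, while plain stack structs would do since the array only lives for the duration of the call.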
@@ -360,4 +403,60 @@
 }
 
+#ifdef PLUGIN_MESSAGE_PASSING
+/*========================================================================*/
+/*========================= SpadeCorrelate module ========================*/
+/*========================================================================*/
+
+/* This module causes your anomaly reports to be sent to specified correlator in IDMEF format via TCP */
+
+/* snort config file line:
+	preprocessor spade-correlate: [<IP-address> [<port>]]
+	where :
+		<IP-address> is the IP address of the correlator (default 127.0.0.1)
+		<port> is the port # of the correlator (default 19603)
+*/
+														
+/* Spade correlator init function:
+     set up the destination */
+void SpadeCorrelateInit(u_char *args)
+{
+    char **toks;
+    int numToks;
+    char *IP_str;
+    int port;
+    int res;
+
+	
+	if (as_debug) printf("Preprocessor: SpadeCorrelate Initialized\n");
+
+    /* parse the argument list from the rules file */
+    toks = mSplit(args, " ", 3, &numToks, '\\');
+
+	if (numToks > 0) {
+		IP_str= toks[0];
+	} else {
+		IP_str= "127.0.0.1";
+	}
+	if (numToks > 1) {
+		port= atoi(toks[1]);
+	} else {
+		port= 19603;
+	}
+	
+	bzero(&corr_dest,sizeof(corr_dest));
+  	corr_dest.sin_family= AF_INET;
+  	corr_dest.sin_port= htons(port);
+  	res= inet_pton(AF_INET,IP_str,&corr_dest.sin_addr);
+  	if (res <= 0) {
+  		if (res == 0) fprintf(stderr,"spade-correlate: invalid address specification: %s\n",IP_str);
+  		else fprintf(stderr,"spade-correlate: error with inet_pton for %s\n",IP_str);
+    	return;  // don't set send_to_correlator
+    }
+
+	send_to_correlator= 1; 
+}
+
+#endif // def PLUGIN_MESSAGE_PASSING
+
 /*========================================================================*/
 /*=========================== SpadeStat module ===========================*/
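Review bot: the port comes straight from atoi(toks[1]) with no validation, so a non-numeric or out-of-range value silently becomes port 0 or wraps in htons; reject anything outside 1..65535 with an error, the same way an unparsable address is rejected just below. The toks array from mSplit is never freed on either the error or success path, the "SpadeCorrelate Initialized" debug line is printed before parsing has succeeded (print it after send_to_correlator= 1), and memset is preferable to the legacy bzero for clearing corr_dest.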
@@ -463,4 +562,5 @@
 	   empty elsewhere */
 	top_anom_list= (ll_double *)malloc(sizeof(ll_double));
+	top_anom_list->next= NULL;
 	top_anom_list->val= 0.0;
 	top_anom_list_size= 1;
@@ -518,5 +618,6 @@
 		top_anom_list_size++;
 	} else if (anom > top_anom_list->val) {
-		if (top_anom_list->next != NULL && anom < top_anom_list->next->val) {
+		if (top_anom_list->next == NULL ||
+		    (top_anom_list->next != NULL && anom < top_anom_list->next->val)) {
 			top_anom_list->val= anom; /* can just replace first */
 			return;
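Review bot: the new condition "next == NULL || (next != NULL && anom < next->val)" has a redundant subclause; with short-circuit evaluation it is exactly "top_anom_list->next == NULL || anom < top_anom_list->next->val", which is easier to read and says the same thing.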
@@ -607,5 +708,5 @@
 	top_adapt_list->next= (ll_double *)malloc(sizeof(ll_double));
 	top_adapt_list->next->val= 0.0;
-      top_adapt_list->next->next= NULL;
+	top_adapt_list->next->next= NULL;
 	top_adapt_list_size= 1;
 	
@@ -1143,5 +1244,5 @@
 	adapt3anoms->next= (ll_double *)malloc(sizeof(ll_double));
 	adapt3anoms->next->val= 0.0;
-      adapt3anoms->next->next= NULL;
+	adapt3anoms->next->next= NULL;
 	adapt3anoms_size= 1;
 	completed_obs_per= 0;
@@ -1424,11 +1525,10 @@
 	double posnum;
 	
-	//printf("loc= %f\n",loc);
 	if (survey_list_len == 0) return 0.0;
-	posnum= loc*(double)survey_list_len + (1-loc);/* = (survey_list_len-1)*loc+1 */
+	posnum= loc*(double)survey_list_len + (1.0-loc);/* = (survey_list_len-1)*loc+1 */
 
-	for (p= 1, pos=survey_list; p <= posnum; p++,pos=pos->next);
+	for (p= 1, pos=survey_list; p <= posnum && pos->next != NULL; p++,pos=pos->next);
 	fromnext= posnum-(double)(p-1);
-	if (fromnext == 0 || pos->next == NULL) { /* got it exactly */
+	if (fromnext == 0.0 || pos->next == NULL) { /* got it exactly */
 		return pos->val;
 	} else {
@@ -1505,10 +1605,22 @@
 				prob_cond2(DIP,val[DIP],SPORT,val[SPORT],SIP,val[SIP]);  /* P(dip|sport,sip) */
 			return -1*(log(prob)/LOG2);
-		} else if (prob_mode == 1) {
-			return -1.0*log((double)prob_Njoint(4,fl,vl)/LOG2);
-		} else if (prob_mode == 2) {
-			return -1.0*log((double)prob_Njoint(3,fl,vl)/LOG2);
-		} else if (prob_mode == 3) {
-			return -1.0*log((double)prob_2joint(DIP,val[DIP],DPORT,val[DPORT])/LOG2);
+		} else {
+			if (use_corrscore) { // use the scores that are computed as adverstised
+				if (prob_mode == 1) {
+					return -1.0*(log((double)prob_Njoint(4,fl,vl))/LOG2);
+				} else if (prob_mode == 2) {
+					return -1.0*(log((double)prob_Njoint(3,fl,vl))/LOG2);
+				} else if (prob_mode == 3) {
+					return -1.0*(log((double)prob_2joint(DIP,val[DIP],DPORT,val[DPORT]))/LOG2);
+				}
+			} else { // use the old, incorrectly computed score
+				if (prob_mode == 1) {
+					return -1.0*log((double)prob_Njoint(4,fl,vl)/LOG2);
+				} else if (prob_mode == 2) {
+					return -1.0*log((double)prob_Njoint(3,fl,vl)/LOG2);
+				} else if (prob_mode == 3) {
+					return -1.0*log((double)prob_2joint(DIP,val[DIP],DPORT,val[DPORT])/LOG2);
+				}
+			}
 		} 
 		return 9999999.0;
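Review bot: the two branches differ only in where the parenthesis closes, so six near-identical return lines can collapse into one: pick prob by prob_mode (as the mode-0 branch above already does), then "return use_corrscore ? -1.0*(log(prob)/LOG2) : -1.0*log(prob/LOG2);". That also makes the legacy formula visibly the one documented in the README (-ln(p/ln 2), i.e. the old score is -ln p - 0.3665) and keeps mode 0 unaffected, which matches the docs' statement that only modes 1, 2 and 3 were miscomputed.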
@@ -1642,12 +1754,15 @@
 
 void set_new_threshold(double t) {
-    char logMessage[85];
+	char logMessage[85];
     Event event;
-
-    report_anom_thres= t;
-    sprintf(logMessage,"spp_anomsensor: Threshold adjusted to %.4f after %d alerts (of %d)",report_anom_thres,recent_alert_count,recent_packets);
+	
+	report_anom_thres= t;
+	if (use_corrscore)
+		sprintf(logMessage,"Spade: Threshold adjusted to %.4f after %d alerts (of %d)",report_anom_thres,recent_alert_count,recent_packets);
+	else
+		sprintf(logMessage,"spp_anomsensor: Threshold adjusted to %.4f after %d alerts (of %d)",report_anom_thres,recent_alert_count,recent_packets);
     SetEvent(&event, GENERATOR_SPP_SPADE,
             SPADE_ANOM_THRESHOLD_ADJUSTED, 1, 0, 0, 0);
-    CallAlertFuncs(NULL , logMessage, NULL, &event);
+	CallAlertFuncs(NULL, logMessage, NULL, &event);
 }
 
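Review bot: sprintf into the fixed 85-byte logMessage has no bound on the two %d counters or the %.4f threshold; the literal text alone is 58 bytes, so large counts plus a threshold like 9999999.0000 exceed the buffer. Use snprintf(logMessage, sizeof(logMessage), ...) here and in the analogous sprintf in PreprocSpade, where the buffer is 65 bytes.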
@@ -1656,5 +1771,5 @@
  *****************************************************/
 void SpadeCatchSig(int signal,void *arg) {
-	if (signal == SIGQUIT || signal == SIGHUP || signal == SIGUSR1) {
+	if (signal == SIGQUIT || signal == SIGHUP || signal == SIGUSR1 || signal == SIGINT) {
 		CleanUpSpade(signal);
 	}
@@ -1756,5 +1871,5 @@
 }
 /*********************************************************************
-tree.c, distributed as part of Spade v092200.1
+tree.c, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -1773,4 +1888,5 @@
 #include <limits.h>
 #include <math.h>
+
 #ifndef LOG2
 /*#define LOG2 log(2);*/
@@ -1785,9 +1901,9 @@
 }
 
-__inline int anom_min(int a,int b) {
+int min_int(int a,int b) {
 	return a < b ? a : b;
 }
 
-__inline int anom_max(int a,int b) {
+int max_int(int a,int b) {
 	return a > b ? a : b;
 }
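Review bot: the rename from anom_min/anom_max to min_int/max_int also drops __inline, and these functions sit inside the wait_time macro in tree.h that runs on every interior-node update, so check the effect on the per-packet cost quoted in the README; if the compiler's handling of __inline was the problem, static inline is the portable spelling. Generic names like min_int are also more likely to collide with other Snort code than the prefixed ones were; a spade_ prefix would be the safer way to avoid conflicts.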
@@ -2579,5 +2695,5 @@
 	tree_min_max_depth(tree,mind,maxd);
 	*aved= (float)tot/num_leafs;	
-	*waved= (float) (wtot/tree_count(tree));	
+	*waved= wtot/tree_count(tree);	
 /*printf("tree_stats results for tree %X: min depth=%u; max depth=%u; ave depth=%.2f; w. ave depth=%.2f; # vals repr=%u\n",tree,*mind,*maxd,*aved,*waved,num_leafs);*/
 	return num_leafs;
@@ -3058,7 +3174,6 @@
 
 
-/* $Id: spp_anomsensor.c,v 1.12 2001/08/07 11:46:11 fygrave Exp $ */
 /*********************************************************************
-anommem.c, distributed as part of Spade v092200.1
+anommem.c, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -3107,6 +3222,5 @@
 mindex new_treeinfo(features type) {
 	mindex root;
-	int i;
-    unsigned int p;
+	int i,p;
 	if (root_freelist == TNULL) { /* need to allocate a new block */
 		/* find first unused block */
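Review bot: this hunk and the two that follow revert "unsigned int p;" back to "int i,p;". The differing indentation of the removed line (spaces, not the file's tabs) suggests the unsigned declaration was made on the Snort side, most likely to quiet signed/unsigned comparison warnings against the block indices; confirm with whoever changed it before reintroducing the signed version, or keep p unsigned in the upstream Spade sources.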
@@ -3158,6 +3272,5 @@
 mindex new_int() {
 	mindex res;
-	int i;
-    unsigned int p;
+	int i,p;
 	if (int_freelist == TNULL) { /* need to allocate a new block */
 		/* find first unused block */
@@ -3209,6 +3322,5 @@
 mindex new_leaf(valtype val) {
 	mindex res;
-	int i;
-    unsigned int p;
+	int i,p;
 	if (leaf_freelist == TNULL) { /* need to allocate a new block */
 		/* find first unused block */
@@ -3256,7 +3368,6 @@
 }
 
-/* $Id: spp_anomsensor.c,v 1.12 2001/08/07 11:46:11 fygrave Exp $ */
 /*********************************************************************
-store.c, distributed as part of Spade v092200.1
+store.c, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -3429,4 +3540,2 @@
 	return 1;
 }
-
-/* $Id: spp_anomsensor.c,v 1.12 2001/08/07 11:46:11 fygrave Exp $ */
diff -U 2 snort/spp_anomsensor.h snort.new/spp_anomsensor.h
--- snort/spp_anomsensor.h	Tue Aug  7 04:46:11 2001
+++ snort.new/spp_anomsensor.h	Sat Aug 18 15:46:58 2001
@@ -1,9 +1,6 @@
-/* DO NOT EDIT THIS FILE. EDIT THE ORIGINAL SOURCE FILES INSTEAD AND RUN make */
-#ifndef _SPP_ANOMSENSOR_H
-#define _SPP_ANOMSENSOR_H
 /*********************************************************************
-anomsensor.h, distributed as part of Spade v092200.1
+anomsensor.h, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
-copyright (c) 2000,2001 by Silicon Defense (http://www.silicondefense.com/)
+copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
 Released under GNU General Public License, see the COPYING file included
 with the distribution or http://www.silicondefense.com/spice/ for details.
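Review bot: this hunk removes the _SPP_ANOMSENSOR_H include guard (its matching #endif is removed in the last hunk of this file) and rolls the copyright back from "2000,2001" to "2000"; both look like artifacts of diffing against an older upstream copy rather than intended changes. Keep the guard, since the header is included from both spp_anomsensor.c and the plugin registration code, and keep the 2001 year.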
@@ -113,5 +110,5 @@
 #endif
 /*********************************************************************
-anomsensor_plug.h, distributed as part of Spade v092200.1
+anomsensor_plug.h, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -135,4 +132,5 @@
 #include <signal.h>
 #include <math.h>
+
 #define SPP_ANOMSENSOR_ENABLED 1
 
@@ -174,4 +172,5 @@
 void PreprocSpade(Packet *);
 void SpadeHomenetInit(u_char *args);
+void SpadeCorrelateInit(u_char *args);
 void SpadeStatInit(u_char *args);
 void ParseSpadeStatArgs(char *args);
@@ -215,7 +214,6 @@
 
 
-/* $Id: spp_anomsensor.h,v 1.4 2001/08/07 11:46:11 fygrave Exp $ */
 /*********************************************************************
-params.h, distributed as part of Spade v092200.1
+params.h, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -247,7 +245,6 @@
 #endif
 
-/* $Id: spp_anomsensor.h,v 1.4 2001/08/07 11:46:11 fygrave Exp $ */
 /*********************************************************************
-anommem.h, distributed as part of Spade v092200.1
+anommem.h, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -284,7 +281,6 @@
 #endif
 
-/* $Id: spp_anomsensor.h,v 1.4 2001/08/07 11:46:11 fygrave Exp $ */
 /*********************************************************************
-tree.h, distributed as part of Spade v092200.1
+tree.h, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -324,5 +320,5 @@
 /* return the standard wait time for an interior node given the counts on 
    its children */
-#define wait_time(c1,c2) (anom_min(anom_max(10,ceil(c1>c2?(2*c2-c1):(2*c1-c2))),MAX_U16))
+#define wait_time(c1,c2) (min_int(max_int(10,ceil(c1>c2?(2*c2-c1):(2*c1-c2))),MAX_U16))
 
 void tree_init();
@@ -405,7 +401,6 @@
 int sanity_check_subtree(dmindex encnode);
 
-/* $Id: spp_anomsensor.h,v 1.4 2001/08/07 11:46:11 fygrave Exp $ */
 /*********************************************************************
-store.h, distributed as part of Spade v092200.1
+store.h, distributed as part of Spade v010818.1
 Author: James Hoagland, Silicon Defense (hoagland at ...60...)
 copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
@@ -426,4 +421,2 @@
 int recover(char *filename);
 
-/* $Id: spp_anomsensor.h,v 1.4 2001/08/07 11:46:11 fygrave Exp $ */
-#endif /*_SPP_ANOMSENSOR_H*/
Common subdirectories: snort/templates and snort.new/templates
Common subdirectories: snort/win32 and snort.new/win32


-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|



