[Snort-devel] Heads up: New format for Spade message strings upcoming
hoagland at ...60...
Thu Oct 3 16:41:02 EDT 2002
This message is mostly intended for those that contribute to projects
that parse messages from Snort and from Spade in particular. I
wanted to give you a heads-up that the Spade message string will be
changing in the next major release of Spade. This message briefly
documents the new format.
First, let's talk about the messages that come out of Spade when it
finds something that it wants to report. In the new Spade, the user
can enable a number of 'detectors' which are looking for a particular
type of anomaly in certain types of packets. The type of anomaly the
detector is looking for depends on the detector's type. The certain
type of packets that Spade is looking for anomalies in is what we
refer to as its scope. (There are other configuration options for a
detector, but those are beyond the scope of this discussion.)
So, the new alert message string format will take this form:
Spade: <activity description>: <scope>: <anomaly score>
[**] [104:1:1] Spade: Closed dest port used: local dest, syn: 0.8759 [**]
The <activity description> is tied to the detector type. In this
case, the activity description "Closed dest port used" comes from the
detector type "closed-dport" (the traditional type of Spade
<scope> is a brief text description of what kind of packet the
detector is looking for. In this case, the detector is looking for
SYN packets with a local destination. A detection type can be
applied to different scopes in different detectors, so you might see
different scope strings for the same activity description.
Finally, there is the <anomaly score> which (like now) indicates how
unusual the packet is perceived to be. The bigger the number, the
more unusual. This can either be an absolute score, which is always
positive, or a relative score, which is always between 0 and 1.
If you were to draw an analogy to the standard signature-based
detection in Snort, "Spade: <activity description>: <scope>" is most
similar to a 'msg' field in a given rule. "Spade: <activity
description>" would be comparable to a clustered group of related
signatures, if there were such an abstraction in Snort.
The new Spade uses more of its 'id' range as well ('id' being the
field displayed right after the generator id). Each detector type
will have its own id. '1' will refer to the traditional closed dest
port type of detection. Other detection types will correspond to
ids 3 and up. ('2' is the id for a threshold adjusted message.)
The revision id will always be '1' for now.
BTW, the packets that Spade is reporting on won't necessarily be TCP
SYNs as they are now; they can be any type of TCP, UDP, and
(eventually) ICMP packets.
Okay, the other type of message that can come from Spade will be the
messages about Spade's reporting threshold changing due to the user
specifying automatic threshold adapting. Thresholds are specific to
a given detector. These messages are just informational and have no
associated packet. This is the format:
Spade: id=<detector id>: Threshold adjusted to <new thresh> <gobboly-gook>
Here, <detector id> is a string that the user chose to represent a
given detector (if the user is doing adapting, it would appear on the
line that enables a detector and on the line that enables adapting).
<new thresh> is the new minimum anomaly score that will be reported.
If you care about what <gobboly-gook> is, let me know. Otherwise you
can treat it as opaque.
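For those parsing Snort output, here is a small Python parser for the two message formats described above (the alert string and the threshold-adjusted string). This is an added example, not code from Spade or Snort; the generator id 104 is taken from the example alert in this message, while the sample lines, the detector type id 3, the detector id string and the trailer text are constructed.

```python
import re
from dataclasses import dataclass
from typing import Union
# Snort framing as shown in the post's example: "[**] [gid:sid:rev] <msg> [**]".
FRAME_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]$")
# Spade: <activity description>: <scope>: <anomaly score>. The scope may contain
# commas ("local dest, syn"), so the score is anchored at the end of the string.
ALERT_RE = re.compile(r"^Spade: (?P<activity>[^:]+): (?P<scope>.+): (?P<score>\d+(?:\.\d+)?)$")
# Spade: id=<detector id>: Threshold adjusted to <new thresh> <opaque trailer>
THRESH_RE = re.compile(r"^Spade: id=(?P<detector>[^:]+): Threshold adjusted to "
                       r"(?P<thresh>\d+(?:\.\d+)?)(?: (?P<trailer>.*))?$")
SPADE_GID = 104      # generator id from the post's example alert
THRESHOLD_SID = 2    # '2' is the id for a threshold adjusted message

@dataclass
class SpadeAlert:
    sid: int          # detector type id: 1 = closed dest port, 3 and up = other types
    activity: str
    scope: str
    score: float      # absolute (any positive value) or relative (between 0 and 1)

@dataclass
class ThresholdChange:
    detector: str     # the user-chosen detector id string
    new_threshold: float
    trailer: str      # the part the post says to treat as opaque

def parse_spade_line(line: str) -> Union[SpadeAlert, ThresholdChange, None]:
    """Parse one Snort output line; return None if it is not a Spade message."""
    frame = FRAME_RE.match(line.strip())
    if not frame:
        return None
    gid, sid, _rev = (int(x) for x in frame.group(1, 2, 3))
    msg = frame.group(4)
    if gid != SPADE_GID:
        return None
    m = THRESH_RE.match(msg)
    if m and sid == THRESHOLD_SID:   # framing (sid 2) and body must agree
        return ThresholdChange(m["detector"], float(m["thresh"]), m["trailer"] or "")
    m = ALERT_RE.match(msg)
    if m and sid != THRESHOLD_SID:
        return SpadeAlert(sid, m["activity"], m["scope"], float(m["score"]))
    return None

# Constructed sample lines (not real Snort output); sid 3 and the detector id are made up.
SAMPLE_LINES = [
    "[**] [104:1:1] Spade: Closed dest port used: local dest, syn: 0.8759 [**]",
    "[**] [104:3:1] Spade: Example activity: local dest, udp: 12.5 [**]",
    "[**] [104:2:1] Spade: id=syn-local: Threshold adjusted to 0.9 xyz=1 [**]",
]
```

Threshold messages are returned as a separate type because they carry no packet and should not be treated as alerts by downstream tooling.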
Not strictly on the main subject of this e-mail, but let me also
mention that the user will be able to specify whether they want Spade
alerts to be sent by the Snort alert facility, by the Snort log
facility, or both. Also, Spade messages might appear slightly out of
order due to Spade trying to reduce false positives.
Let me know if you have any questions,
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...60..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|