[Snort-devel] Heads up: New format for Spade message strings upcoming

James Hoagland hoagland at ...60...
Thu Oct 3 16:41:02 EDT 2002


Greetings,

This message is mostly intended for those that contribute to projects 
that parse messages from Snort and from Spade in particular.  I 
wanted to give you a heads-up that the Spade message string will be 
changing in the next major release of Spade.  This message briefly 
documents the new format.


First, let's talk about the messages that come out of Spade when it 
finds something that it wants to report.  In the new Spade, the user 
can enable a number of 'detectors' which are looking for a particular 
type of anomaly in certain types of packets.  The type of anomaly the 
detector is looking for depends on the detector's type.  The certain 
type of packets that Spade is looking for anomalies in is what we 
refer to as its scope.  (There are other configuration options for a 
detector, but those are beyond the scope of this discussion.)

So, the new alert message string format will take this form:

   Spade: <activity description>: <scope>: <anomaly score>

For example:

[**] [104:1:1] Spade: Closed dest port used: local dest, syn: 0.8759 [**]

The <activity description> is tied to the detector type.  In this 
case, the activity description "Closed dest port used" comes from the 
detector type "closed-dport" (the traditional type of Spade 
detection).

<scope> is a brief text description of what kind of packet the 
detector is looking for.  In this case, the detector is looking for 
SYN packets with a local destination.  A detection type can be 
applied to different scopes in different detectors, so you might see 
different scope strings for the same activity description.

Finally, there is the <anomaly score> which (like now) indicates how 
unusual the packet is perceived to be.  The bigger the number, the 
more unusual.  This can either be an absolute score, which is always 
positive, or a relative score, which is always between 0 and 1 
(inclusive).

If you were to draw an analogy to the standard signature-based 
detection in Snort, "Spade: <activity description>: <scope>" is most 
similar to a 'msg' field in a given rule.  "Spade: <activity 
description>" would be comparable to a clustered group of related 
signatures, if there were such an abstraction in Snort.

The new Spade uses more of its 'id' range as well ('id' being the 
field displayed right after the generator id).  Each detector type 
will have its own id.  '1' will refer to the traditional closed dest 
port type of detection.  Other detection types will correspond to 
ids 3 and up.  ('2' is the id for a threshold adjusted message.) 
The revision id will always be '1' for now.

BTW, the packets that Spade is reporting on won't necessarily be TCP 
SYNs as they are now; they can be any type of TCP, UDP, and 
(eventually) ICMP packets.


Okay, the other type of message that can come from Spade will be the 
messages about Spade's reporting threshold changing due to the user 
specifying automatic threshold adapting.  Thresholds are specific to 
a given detector.  These messages are just informational and have no 
associated packet.  This is the format:

   Spade: id=<detector id>: Threshold adjusted to <new thresh> <gobboly-gook>

Here, <detector id> is a string that the user chose to represent a 
given detector (if the user is doing adapting, it would appear on the 
line that enables a detector and on the line that enables adapting). 
<new thresh> is the new minimum anomaly score that will be reported.

If you care about what <gobboly-gook> is, let me know.  Otherwise you 
can treat it as opaque.
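For those maintaining Snort alert parsers, here is an added example (mine, not part of the original post or of Spade itself) that parses both message forms described above: the anomaly report "Spade: <activity description>: <scope>: <anomaly score>" and the threshold message "Spade: id=<detector id>: Threshold adjusted to <new thresh> <opaque>".  The threshold sample line, its detector name "synscan" and its trailing "(opaque-details)" text are constructed placeholders; the anomaly sample is the one quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Snort alert header wrapping the message: [**] [gid:sid:rev] <msg> [**]
HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]$")
# Anomaly report: Spade: <activity description>: <scope>: <anomaly score>
# The activity description carries no colon; the scope may contain commas,
# so the score is anchored at the end of the string and the scope takes the rest.
ANOMALY_RE = re.compile(r"^Spade: (?P<activity>[^:]+): (?P<scope>.+): (?P<score>\d+(?:\.\d+)?)$")
# Threshold message: Spade: id=<detector id>: Threshold adjusted to <new thresh> <opaque>
# Everything after the new threshold is treated as opaque, as the post suggests.
THRESH_RE = re.compile(
    r"^Spade: id=(?P<detector>[^:]+): Threshold adjusted to (?P<thresh>\d+(?:\.\d+)?)(?P<opaque>.*)$")


@dataclass
class SpadeAnomaly:
    gid: int
    sid: int       # detector type: 1 = closed dest port, 3+ = other types
    rev: int
    activity: str  # e.g. "Closed dest port used"
    scope: str     # e.g. "local dest, syn"
    score: float   # absolute (>0) or relative (0..1); a value <= 1 alone does not tell which


@dataclass
class SpadeThreshold:
    gid: int
    sid: int       # the post says threshold messages use id 2
    rev: int
    detector: str  # user-chosen detector id from the config
    threshold: float
    opaque: str    # trailing text, kept verbatim but not interpreted


def parse_spade_alert(line: str) -> Optional[Union[SpadeAnomaly, SpadeThreshold]]:
    """Return a parsed Spade message, or None if the line is not a Spade alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    gid, sid, rev = (int(m.group(i)) for i in (1, 2, 3))
    msg = m.group("msg")
    a = ANOMALY_RE.match(msg)
    if a:
        return SpadeAnomaly(gid, sid, rev, a["activity"], a["scope"], float(a["score"]))
    t = THRESH_RE.match(msg)
    if t:
        return SpadeThreshold(gid, sid, rev, t["detector"], float(t["thresh"]), t["opaque"].strip())
    return None  # some other generator's alert, or a Spade form this parser does not know
```

Because a relative score and a small absolute score overlap numerically, a consumer that wants to know which kind it is must get that from the detector's configuration rather than from the alert line.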


Not strictly on the main subject of this e-mail, but let me also 
mention that the user will be able to specify whether they want Spade 
alerts to be sent by the Snort alert facility, by the Snort log 
facility, or both.  Also, Spade messages might appear slightly out of 
order due to Spade trying to reduce false positives.

Let me know if you have any questions,

   Jim

-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
