[Snort-users] spade reports

James Hoagland hoagland at ...47...
Sun Jun 17 12:30:51 EDT 2001


At 4:56 PM -0600 6/16/01, Josh Gentry wrote:
>Folks,
>
>Spade is obviously keeping track of a bunch of stats on the
>traffic on the network, to be able to calculate probabilities,
>etc.  The logs generated in the spade log dir seem to only
>contain the results of the calculations.  Is there any way to get
>spade to report the stats it's using to calculate the probability
>that a packet is anomalous?
>

Josh,

If you are using probability mode 3 (the default), the anomaly score 
is based on the joint probability of the particular destination IP 
and destination port.  Specifically it is the negative base-2 log of 
that probability*.   The probabilities are derived from observing TCP 
SYNs on your particular network.

To get the full table of these probabilities (could be quite large), 
you can look into the spade-stat mode.  Note that using this mode 
could introduce a several second delay in snort when the statistics 
output is being produced and put in a file.   This occurs on certain 
signals and on snort exit.  (There is no overhead for this mode at 
other times.)

See also README.Spade 
(http://www.silicondefense.com/software/spice/spicereadme.htm) and 
the SPICE web page (http://www.silicondefense.com/software/spice/).

*= at least that is what it is supposed to be.  There is little 
difference from a practical point of view, but I recently discovered 
that due to a misplaced parenthesis in the source code, this is not 
quite what it is.  If A is the correct anomaly score (correct meaning 
what I described above) and B is what is produced in all released 
versions of Spade, A = 0.693*B - 0.3665.  Note that what is 
currently produced is internally consistent and even proportionate, so 
the difference shouldn't matter from a practical point of view. 
We'll need to make the transition at some point though, at least for 
use with SPICE.

Sincerely,

   Jim


-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
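The mode-3 scoring Jim describes, as an added example written for this page (not Spade's own source): it builds the joint (dst IP, dst port) probability table from a constructed sample of SYN destinations, scores a pair as the negative base-2 log of that probability, and applies the A = 0.693*B - 0.3665 relation from the footnote. Giving a never-seen pair one pseudo-observation is an assumption made here so the score stays finite, not Spade's actual rule.

```python
import math
from collections import Counter

# Constructed sample of TCP SYN destinations (dst_ip, dst_port); not real traffic.
SYN_OBSERVATIONS = (
    [("10.0.0.5", 80)] * 60
    + [("10.0.0.5", 443)] * 30
    + [("10.0.0.9", 22)] * 9
    + [("10.0.0.42", 3389)] * 1
)


def joint_probability_table(observations):
    """Relative frequency of each (dst_ip, dst_port) pair among observed SYNs.

    This is the joint probability that mode 3 scores against; the full table
    is what spade-stat mode writes out on the relevant signals and on exit.
    """
    counts = Counter(observations)
    total = sum(counts.values())
    return {pair: n / total for pair, n in counts.items()}


def anomaly_score(observations, dst_ip, dst_port):
    """Mode-3 style score: -log2(P(dst_ip, dst_port)).

    A never-seen pair is treated as one pseudo-observation out of N+1
    (assumption for this example, not Spade's rule) so the score is finite.
    """
    table = joint_probability_table(observations)
    p = table.get((dst_ip, dst_port))
    if p is None:
        p = 1.0 / (len(observations) + 1)
    return -math.log2(p)


def released_to_correct(b):
    """Map score B from released Spade versions to the intended score A,
    using the relation stated in the message: A = 0.693*B - 0.3665."""
    return 0.693 * b - 0.3665


def most_anomalous(observations, candidates):
    """Rank candidate (dst_ip, dst_port) pairs, highest score first."""
    return sorted(candidates, key=lambda c: anomaly_score(observations, *c), reverse=True)


if __name__ == "__main__":
    for pair, p in sorted(joint_probability_table(SYN_OBSERVATIONS).items()):
        print(f"{pair[0]}:{pair[1]}  P={p:.3f}  score={-math.log2(p):.3f}")
    print("unseen 10.0.0.77:23 ->", round(anomaly_score(SYN_OBSERVATIONS, "10.0.0.77", 23), 3))
```

The rare pair (10.0.0.42, 3389) scores about 6.64 bits against about 0.74 for the common one, which is the ordering a defender reviewing Spade output would expect.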
