[Snort-users] spade reports
hoagland at ...47...
Sun Jun 17 12:30:51 EDT 2001
At 4:56 PM -0600 6/16/01, Josh Gentry wrote:
>Spade is obviously keeping track of a bunch of stats on the
>traffic on the network, to be able to calculate probabilities,
>etc. The logs generated in the spade log dir seem to only
>contain the results of the calculations. Is there any way to get
>spade to report the stats its using to calculate the probability
>that a packet is anomylous?
If you are using probability mode 3 (the default), the anomaly score
is based on the joint probability of the particular destination IP
and destination port. Specifically it is the negative base-2 log of
that probability*. The probabilities are derived from observing TCP
SYNs on your particular network.
To get the full table of these probabilities (could be quite large),
you can look into the spade-stat mode. Not that using this mode
could introduce a several second delay in snort when the statistics
output is being produced and put in a file. This occurs on certain
signals and on snort exit. (There is no overhead for this mode at
See also README.Spade
the SPICE web page (http://www.silicondefense.com/software/spice/).
*= at least that is what is supposed to be. There is little
difference from a practical point of view, but I recently discovered
that due to a misplaced parenthesis in the source code, this is not
quite what it is. If A is correct anomaly score (correct meaning
what I described above) and B is what is produced in all released
versions of Spade, A= 0.693*B-0.3665. Note that the what is
currently produce is internally consistent and even proportionate, so
the differnence shouldn't matter from a practical point of view.
We'll need to make the transition at some point through, at least for
use with SPICE.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
More information about the Snort-users