[Snort-users] Spade Joint Prob table output
hoagland at ...47...
Tue Apr 2 08:55:09 EST 2002
At 1:16 PM -0500 4/1/02, Wilson Farrell wrote:
>I was hoping someone could tell me a little about how the joint
>probability table for Spade is created. I am assuming that spade
>just counts SYN packets. If it sees a SYN packet, it is counted
>even if there is no SYN ACK. So if a firewall is preventing a
>connection, the connection attempt will still be accounted for in
>the probability table.
That is correct.
When Spade gets a SYN packet destined for the specified spade-homenet
(0.0.0.0/0 by default), it makes a record of it. Otherwise the
packet is discarded by Spade. How it makes a record of it varies
with probability mode, but with modes 1, 2, or 3 it records the joint
occurrence of the packet's values in certain fields.
After recording the SYN, the anomaly score is calculated for the
packet. If it exceeds the current reporting threshold, an alert is
To keep the probability table fresh, exponential decay is used.
Ideally the decay would be on a continuous basis, but for the sake of
efficiency it is actually done periodically. Also, when it has been
a long time since a particular combination of fields' values was
seen, it is trimmed from the table. (How long is long depends on how
much it was seen previously.)
For more details, I can refer you to our upcoming Journal of Computer
Security paper available here:
(This is largely the same paper as I presented at CCS IDS in Athens.)
Also, feel free to ask more questions.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
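As an added illustration (not Spade's own code), a toy Python model of the table the reply describes: bare SYNs to the spade-homenet are recorded by (dst IP, dst port), scored as -log2 of the pair's share of all recorded SYNs (an assumed estimator; the post does not give Spade's formula), decayed periodically, and trimmed once their decayed count falls under a threshold. The parameter values and sample packets are constructed.

```python
import ipaddress
import math
class SpadeJointTable:
    """Toy Spade-style joint table: (dst IP, dst port) of SYNs to the homenet."""
    def __init__(self, homenet="0.0.0.0/0", decay_factor=0.5, trim_below=0.25):
        self.homenet = ipaddress.ip_network(homenet)  # spade-homenet, 0.0.0.0/0 by default
        self.decay_factor = decay_factor  # multiplier applied at each periodic decay
        self.trim_below = trim_below      # decayed count under which an entry is dropped
        self.counts = {}                  # (dst_ip, dst_port) -> decayed occurrence count
        self.total = 0.0

    def record(self, pkt):
        """Record a bare SYN to the homenet (no SYN/ACK needed); return its score, else None."""
        if not pkt["syn"] or pkt["ack"] or ipaddress.ip_address(pkt["dst"]) not in self.homenet:
            return None  # everything else is discarded, as in Spade
        key = (pkt["dst"], pkt["dport"])
        self.counts[key] = self.counts.get(key, 0.0) + 1.0
        self.total += 1.0
        return self.anomaly_score(key)

    def anomaly_score(self, key):
        # Assumed estimator: -log2 of the pair's share of all recorded SYNs; rare pairs score high.
        return -math.log2(self.counts[key] / self.total)

    def decay(self):
        """Periodic (not continuous) exponential decay keeps the table fresh."""
        self.counts = {k: c * self.decay_factor for k, c in self.counts.items()}
        self.total *= self.decay_factor

    def trim(self):
        """Drop pairs unseen for long; a pair seen often needs more decay rounds to fall away."""
        stale = [k for k, c in self.counts.items() if c < self.trim_below]
        for k in stale:
            self.total -= self.counts.pop(k)
        return stale

def syn(dst, dport):
    # Constructed sample: a SYN with no reply, e.g. one a firewall silently dropped.
    return {"syn": True, "ack": False, "dst": dst, "dport": dport}

def demo():
    t = SpadeJointTable(homenet="10.0.0.0/8")
    for _ in range(8):
        common = t.record(syn("10.0.0.5", 80))   # 8 of 8 SYNs -> score 0
    t.record(syn("192.0.2.1", 22))               # outside homenet -> discarded
    rare = t.record(syn("10.0.0.9", 31337))      # 1 of 9 SYNs -> log2(9)
    for _ in range(3):                           # 0.5^3: rare falls to 0.125, common keeps 1.0
        t.decay()
    return common, rare, t.trim()
```

Running `demo()` shows the point of the trimming rule: the often-seen pair survives the same three decay rounds that push the once-seen pair out of the table.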