[Snort-users] Spade Joint Prob table output

James Hoagland hoagland at ...47...
Tue Apr 2 08:55:09 EST 2002

At 1:16 PM -0500 4/1/02, Wilson Farrell wrote:
>I was hoping someone could tell me a little about how the joint 
>probability table for Spade is created.  I am assuming that spade 
>just counts SYN packets.  If it sees a SYN packet, it is counted 
>even if there is no SYN ACK.  So if a firewall is preventing a 
>connection, the connection attempt will still be accounted for in 
>the probability table.

That is correct.

When Spade gets a SYN packet destined for the specified spade-homenet 
( by default), it makes a record of it.  Otherwise the 
packet is discarded by Spade.  How it makes a record of it varies 
with probability mode, but with modes 1, 2, or 3 it records the joint 
occurrence of the packet's values in certain fields.

After recording the SYN, the anomaly score is calculated for the 
packet.  If it exceeds the current reporting threshold, an alert is 

To keep the probability table fresh, exponential decay is used. 
Ideally the decay would be on a continuous basis, but for the sake of 
efficiency it is actually done periodically.  Also, when it has been 
a long time since a particular combination of fields' values was 
seen, it is trimmed from the table.  (How long is long depends on how 
much it was seen previously.)

For more details, I can refer you to our upcoming Journal of Computer 
Security paper available here:


(This is largely the same paper as I presented at CCS IDS in Athens.) 
Also, feel free to ask more questions.

Best regards,

|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

More information about the Snort-users mailing list