[Snort-users] Help with Spade Threshold

james the_saint_james at ...131...
Thu Feb 14 10:21:08 EST 2002


I am trying to set the spp_anomsensor: Threshold to at least 11, so it
starts at this level. It will adjust, i.e. "spp_anomsensor: Threshold adjusted
to 11.0972 after 52 alerts (of 4483)", but it takes overnight to get to this
point. It seems that when I restart snort I lose the state table or adjusted
threshold and start back at ~8.

Per the README.Spade.Usage, I tried adjusting "preprocessor spade: 11
$SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000" to 11 and also "preprocessor
spade-adapt2: 0.01 15 4 24 7" to 11 (where 0.01 is now) with no luck.

Here is the current config, thanks:


var SPADEDIR /var/log/snort/spade/
#
preprocessor spade: 11 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.152.0/24 xxx.xxx.27.0/24 xxx.xx.74.0/24 \
xxx.xxx.201.0/24 xxx.xxx.75.0/24 xxx.xxx.109.0/24 xxx.xxx.22.0/24 \
xxx.xxx.145.0/24 xxx.xxx.144.0/24 xxx.xxx.21.0/24

var SPADEDIR /var/log/snort/spade
#
preprocessor spade: 11 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here; separate these by spaces

preprocessor spade-homenet: 206.115.152.0/24 128.165.27.0/24 209.12.74.0/24 \
209.194.201.0/24 209.12.75.0/24 198.59.109.0/24 66.55.22.0/24 \
216.253.145.0/24 216.253.144.0/24 66.55.21.0/24

# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
#preprocessor spade-adapt3: 0.01 60 168

# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5

#adapt method #2
preprocessor spade-adapt2: 0.01 15 4 24 7

# offline threshold learning
preprocessor spade-threshlearn: 200 06

#periodically report on the anom scores and count of packets seen
preprocessor spade-survey:  $SPADEDIR/survey.txt 60

# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob
#----------------------------------------
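An added example, not part of the post or of the Spade distribution: it reads Snort log lines carrying the "spp_anomsensor: Threshold adjusted to ..." message quoted above, computes the alert rate each adjustment reached, and returns the value to seed the first argument of the "preprocessor spade:" line with before a restart so the sensor does not fall back to ~8. The syslog prefix and the sample lines are constructed; the message format itself is the one quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Message format taken from the post; the "Feb 14 ... snort[...]:" syslog prefix
# used in the sample lines below is a constructed assumption.
ADJUST_RE = re.compile(
    r"spp_anomsensor: Threshold adjusted to (?P<thr>[0-9.]+) "
    r"after (?P<alerts>\d+) alerts \(of (?P<pkts>\d+)\)"
)


@dataclass
class Adjustment:
    threshold: float   # reporting threshold Spade settled on
    alerts: int        # packets that scored above the threshold
    packets: int       # packets Spade examined in the period

    @property
    def alert_rate(self) -> float:
        """Fraction of examined packets that were reported as anomalous."""
        return self.alerts / self.packets if self.packets else 0.0


def parse_adjustments(lines: Iterable[str]) -> List[Adjustment]:
    """Extract every threshold adjustment in log order; other lines are ignored."""
    found = []
    for line in lines:
        m = ADJUST_RE.search(line)
        if m:
            found.append(Adjustment(float(m["thr"]), int(m["alerts"]), int(m["pkts"])))
    return found


def seed_threshold(adjs: List[Adjustment], floor: float = 11.0) -> float:
    """Value to put first on the 'preprocessor spade:' line before a restart:
    the last adapted threshold, but never below the floor the operator wants."""
    return max(adjs[-1].threshold, floor) if adjs else floor


# Constructed sample log; the last line carries the numbers quoted in the post.
SAMPLE_LOG = [
    "Feb 13 22:00:01 sensor snort[812]: spp_anomsensor: Threshold adjusted to 8.2114 after 39 alerts (of 3901)",
    "Feb 13 23:00:01 sensor snort[812]: Initializing Preprocessors!",
    "Feb 14 09:00:01 sensor snort[812]: spp_anomsensor: Threshold adjusted to 11.0972 after 52 alerts (of 4483)",
]

if __name__ == "__main__":
    history = parse_adjustments(SAMPLE_LOG)
    for a in history:
        print(f"threshold={a.threshold:.4f} alert_rate={a.alert_rate:.4%}")
    print("seed next start with:", seed_threshold(history))
```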