[Snort-users] Help with Spade Threshold
hoagland at ...47...
Thu Feb 14 17:36:11 EST 2002
At 11:20 AM -0700 2/14/02, james wrote:
>I am trying to set the spp_anomsensor: Threshold to at least 11, so it
>starts at this level. It will adjust, ie "spp_anomsensor: Threshold adjusted
>to 11.0972 after 52 alerts (of 4483)" but it takes overnight to get to this
>point. It seems that when I restart snort I lose the state table or adjusted
>threshold and start back at ~8.
>Per the README.Shade.Usage, I tried adjusting "preprocessor spade: 11
>$SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000" to 11 and also "preprocessor
>spade-adapt2: 0.01 15 4 24 7" to 11 (where 0.01 is now) to no luck.
Where to start...
Okay, in Spade, you can either specify a fixed reporting threshold or
let one of the adapt modes work its magic. There is no way to have
it "automatically adjust but stay above 11".
If you give it a threshold on your 'spade:' line and use one of the
adapt modes, it will use your given threshold until the adapt mode
has made enough observations to set it on its own. The value it
chooses is independent of your specified threshold, except with adapt
method #1 (which is too quick to adapt for my taste).
You only get the "spp_anomsensor: Threshold adjusted" message when an
adapt mode is running and it adjusts. This message will not appear
when using a fixed threshold. Also, it does not appear on startup.
Is there any reason you are using 'adapt2'? That is fine but I think
'adapt3' works better for most networks.
Placing a threshold in the first position in 'spade-adapt2:' is
incorrect. That position contains a "specification of the number of
alerts wanted. If it is >= 1, it is an hourly alert rate. If it is
< 1, then it is a fraction of considered packets to report, based on
the best estimate of your packet rate." This is also the way you
specify how many alerts you want in adapt method #3 as well.
If you think you are getting too many alerts from Spade, you can
adjust the target specification (that first position) downward. Make
sure that you want this though. Look at the anomaly scores on the
alerts you are receiving. If the alerts that have a smaller score
are of interest to you, then you might not want to adjust downward.
It looks like you have things set up for state persistence alright.
State will be stored in $SPADEDIR/spade.rcv periodically and on Snort
exit. Note that the adapt modes do not presently store their state
persistently. So, for the threshold, every time you start up, you
start up from scratch. So, if you restart snort frequently, you
might want to use a fixed threshold (once you have an idea what a
good one might be).
Wow, I think I covered everything there. :)
Good luck and let me know if more clarification is needed.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
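Added example (not part of the original thread, and not Spade's own code): a small script that reads the "Threshold adjusted" messages Jim describes, works out the fraction of considered packets that are currently being reported, compares it to the target in the first position of the adapt line, and prints a fixed-threshold 'spade:' line you could pin once you are happy with the adapted value. The log lines are constructed in the format quoted above; the 0.01 target, the hour count and $SPADEDIR are assumptions.

```python
import re

# Constructed sample lines in the format quoted in the thread (not a real log).
SAMPLE_LOG = """\
spp_anomsensor: Threshold adjusted to 8.4510 after 12 alerts (of 1203)
spp_anomsensor: Threshold adjusted to 9.8821 after 31 alerts (of 2870)
spp_anomsensor: Threshold adjusted to 11.0972 after 52 alerts (of 4483)
"""

LINE_RE = re.compile(
    r"spp_anomsensor: Threshold adjusted to (?P<thr>[\d.]+) "
    r"after (?P<alerts>\d+) alerts \(of (?P<pkts>\d+)\)"
)

def parse_adjustments(text):
    """Return (threshold, alerts, packets) for each adjustment message, in order."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((float(m.group("thr")), int(m.group("alerts")), int(m.group("pkts"))))
    return out

def observed_rate(adjustments, target, hours=None):
    """Compare the latest adjustment against the adapt target.
    target < 1 means a fraction of considered packets; target >= 1 means an
    hourly alert rate, so the observation period in hours is needed."""
    thr, alerts, pkts = adjustments[-1]
    if target < 1:
        observed = alerts / pkts
    else:
        if hours is None:
            raise ValueError("hourly target needs the observation period in hours")
        observed = alerts / hours
    return {"threshold": thr, "observed": observed, "target": target,
            "above_target": observed > target}

def fixed_threshold_line(adjustments, spadedir="$SPADEDIR"):
    """Build a fixed-threshold 'spade:' line from the last adapted value (adapt
    state is not persisted across restarts, so pinning it avoids starting over)."""
    thr = adjustments[-1][0]
    return f"preprocessor spade: {thr} {spadedir}/spade.rcv {spadedir}/log.txt 3 50000"

if __name__ == "__main__":
    adj = parse_adjustments(SAMPLE_LOG)
    print(observed_rate(adj, 0.01))          # assumed target 0.01 (fraction of packets)
    print(observed_rate(adj, 15, hours=8))   # assumed hourly target over 8 hours
    print(fixed_threshold_line(adj))
```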