[Snort-users] Help with Spade Threshold

James Hoagland hoagland at ...47...
Thu Feb 14 17:36:11 EST 2002


Dear James,

At 11:20 AM -0700 2/14/02, james wrote:
>I am trying to set the spp_anomsensor: Threshold to at least 11, so it
>starts at this level. It will adjust, ie "spp_anomsensor: Threshold adjusted
>to 11.0972 after 52 alerts (of 4483)" but it takes overnight to get to this
>point. It seems that when I restart snort I lose the state table or adjusted
>threshold and start back at ~8.
>
>Per the README.Shade.Usage, I tried adjusting "preprocessor spade: 11
>$SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000" to 11 and also "preprocessor
>spade-adapt2: 0.01 15 4 24 7" to 11 (where 0.01 is now) with no luck.

Where to start...

Okay, in Spade, you can either specify a fixed reporting threshold or 
let one of the adapt modes work its magic.  There is no way to have 
it "automatically adjust but stay above 11".

If you give it a threshold on your 'spade:' line and use one of the 
adapt modes, it will use your given threshold until the adapt mode 
has made enough observations to set it on its own.  The value it 
chooses is independent of your specified threshold, except with adapt 
method #1 (which is too quick to adapt for my taste).

You only get the "spp_anomsensor: Threshold adjusted" message when an 
adapt mode is running and it adjusts.  This message will not appear 
when using a fixed threshold.  Also, it does not appear on startup.

Is there any reason you are using 'adapt2'?  That is fine but I think 
'adapt3' works better for most networks.

Placing a threshold in the first position in 'spade-adapt2:' is 
incorrect.  That position contains a "specification of the number of 
alerts wanted.  If it is >= 1, it is an hourly alert rate.  If it is 
< 1, then it is a fraction of considered packets to report, based on 
the best estimate of your packet rate."  This is also the way you 
specify how many alerts you want in adapt method #3.

If you think you are getting too many alerts from Spade, you can 
adjust the target specification (that first position) downward.  Make 
sure that you want this though.  Look at the anomaly scores on the 
alerts you are receiving.  If the alerts that have a smaller score 
are of interest to you, then you might not want to adjust downward.

It looks like you have things set up for state persistence alright. 
State will be stored in $SPADEDIR/spade.rcv periodically and on Snort 
exit.  Note that the adapt modes do not presently store their state 
persistently.  So, for the threshold, every time you start up, you 
start up from scratch.  So, if you restart snort frequently, you 
might want to use a fixed threshold (once you have an idea what a 
good one might be).

Wow, I think I covered everything there. :)

Good luck and let me know if more clarification is needed.

Sincerely,

   Jim

-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
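The reply above recommends picking a fixed threshold once you know what a good one is, and explains that the adapt target means an hourly alert rate when >= 1 and a fraction of packets when < 1. The script below is an added example, not part of the original message and not Spade's or Snort's own code: it reads a constructed alert log (the timestamp prefix and the "spp_anomsensor: Anomaly threshold exceeded: <score>" line shape are assumptions about Spade's alert format), works out which fixed threshold would have produced a given target, and tallies the score distribution so you can see what the lower-scoring alerts look like before lowering the target. The log lines, the packet count and the targets are made up for illustration.

```python
"""Derive a fixed Spade reporting threshold from observed anomaly scores.

Added example; not Spade's own code.  The alert line format below is an
assumption about how Spade alerts appear in a Snort alert file.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not real Spade output): ten alerts over two hours.
SAMPLE_LOG = """\
02/14-08:00:12.100 spp_anomsensor: Anomaly threshold exceeded: 8.1034
02/14-08:15:40.220 spp_anomsensor: Anomaly threshold exceeded: 13.4021
02/14-08:31:05.900 spp_anomsensor: Anomaly threshold exceeded: 9.2000
02/14-08:47:19.310 spp_anomsensor: Anomaly threshold exceeded: 11.9000
02/14-09:02:33.050 spp_anomsensor: Anomaly threshold exceeded: 8.7000
02/14-09:14:58.770 spp_anomsensor: Anomaly threshold exceeded: 15.0000
02/14-09:29:41.410 spp_anomsensor: Anomaly threshold exceeded: 10.1000
02/14-09:44:02.600 spp_anomsensor: Anomaly threshold exceeded: 12.3000
02/14-09:55:27.880 spp_anomsensor: Anomaly threshold exceeded: 8.3000
02/14-10:00:12.100 spp_anomsensor: Anomaly threshold exceeded: 9.8000
"""

# Assumed line shape: "<MM/DD-HH:MM:SS.ffffff> spp_anomsensor: Anomaly threshold exceeded: <score>"
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) spp_anomsensor: "
    r"Anomaly threshold exceeded: ([0-9.]+)$"
)


def parse_alerts(text):
    """Return a list of (timestamp, score) for every line that matches ALERT_RE."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a Spade alert line
        ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
        alerts.append((ts, float(m.group(2))))
    return alerts


def window_hours(alerts):
    """Span in hours between the first and last alert (0.0 for a single alert)."""
    if len(alerts) < 2:
        return 0.0
    times = sorted(ts for ts, _ in alerts)
    return (times[-1] - times[0]).total_seconds() / 3600.0


def threshold_for_target(scores, target, hours=None, packets=None):
    """Fixed threshold that would have yielded roughly the adapt target.

    Mirrors the target semantics quoted in the reply: target >= 1 is an
    hourly alert rate (needs 'hours'), target < 1 is a fraction of the
    considered packets (needs 'packets').  Returns the score of the N-th
    highest alert, so 'score >= threshold' fires N times.
    """
    if target >= 1:
        if not hours:
            raise ValueError("hourly target needs the observation window in hours")
        wanted = int(round(target * hours))
    else:
        if not packets:
            raise ValueError("fractional target needs the considered packet count")
        wanted = int(round(target * packets))
    ranked = sorted(scores, reverse=True)
    wanted = max(1, min(len(ranked), wanted))  # clamp to what the data allows
    return ranked[wanted - 1]


def count_alerts(scores, threshold):
    """How many of the observed alerts would still fire at a fixed threshold."""
    return sum(1 for s in scores if s >= threshold)


def score_histogram(scores):
    """Alerts per whole-number score; inspect the low buckets before lowering the target."""
    return Counter(int(s) for s in scores)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    scores = [s for _, s in alerts]
    hours = window_hours(alerts)
    thr = threshold_for_target(scores, 3, hours=hours)        # 3 alerts/hour
    print("fixed threshold for 3/hour:", thr, "->", count_alerts(scores, thr), "alerts")
    thr = threshold_for_target(scores, 0.001, packets=4483)  # 0.1% of packets
    print("fixed threshold for 0.1%:", thr, "->", count_alerts(scores, thr), "alerts")
    for bucket, n in sorted(score_histogram(scores).items()):
        print(f"score {bucket}.x: {n} alert(s)")
```

Feed it a real Spade alert file (after checking that the regular expression matches your log's line shape) and put the resulting number on the 'spade:' line as the fixed threshold; since the adapt modes do not save their threshold across restarts, that value survives a Snort restart where an adapted one does not.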