[Snort-users] Spade ---What gives

bthaler at ...2720... bthaler at ...2720...
Tue Mar 12 11:35:09 EST 2002

I enabled Spade as described in the docs, but can't seem to get any output from it.

In my snort.conf, I am using:
preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet:
preprocessor spade-adapt3: 0.01 60 168
preprocessor spade-stats: entropy uncondprob condprob

I've tried different values for the threshold argument, everything from the default "-1" to the current "0.005".

My output plugin is:
output database: log, mysql, user=xxx dbname=xxx password=xxx host= sensor_name=xxx

Is there some problem with Spade and the database output plugin?

In my /var/log/spade/log.txt, I see lots of entries like:
P(dport=80|dip=1234567890)= 1.000000000000
P(dport=80|dip=1234567890)= 0.625000000000
P(dport=443|dip=1234567890)= 0.375000000000
P(dport=80|dip=1234567890)= 1.000000000000
***not the real IPs, of course***

Since the last field is always greater than my threshold of 0.005, these should be considered as anomalous by Spade, right?  With a threshold of 0.005, and tons of traffic (about 30Mb/s right now), I should be getting loads of "spp_anomsensor" alerts, right?

Someone, please tell me what I'm missing here.


Brad T.

