[Snort-users] Spade ---What gives

James Hoagland hoagland at ...47...
Tue Mar 12 13:42:07 EST 2002


Hello Brad,

At 2:34 PM -0500 3/12/02, <bthaler at ...2720...> wrote:
>I enabled Spade as described in the docs, but can't seem to get any 
>output from it.
>
>In my snort.conf, I am using:
>preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
>preprocessor spade-homenet: 1.1.1.1/20 2.2.2.2/20 3.3.3.3/20
>preprocessor spade-adapt3: 0.01 60 168
>preprocessor spade-stats: entropy uncondprob condprob
>I've tried different values for the threshold argument, everything 
>from the default "-1" to the current "0.005".

This looks alright.

>My output plugin is:
>output database: log, mysql, user=xxx dbname=xxx password=xxx 
>host=1.1.1.1 sensor_name=xxx
>
>Is there some problem with Spade and the database output plugin?

I cannot speak to these, hopefully someone else can.  What version of 
Snort are you using?

>In my /var/log/spade/log.txt, I see lots of entries like:
>P(dport=80|dip=1234567890)= 1.000000000000
>P(dport=80|dip=1234567890)= 0.625000000000
>P(dport=443|dip=1234567890)= 0.375000000000
>P(dport=80|dip=1234567890)= 1.000000000000
>***not the real IPs, of course***
>
>Since the last field is always greater than my threshold of 0.005, 
>these should be considered as anomalous by Spade, right?  With a
>threshold of 0.005, and tons of traffic (about 30Mb/s right now), I 
>should be getting loads of "spp_anomsensor" alerts, right?

You should be.  (However, the reported probabilities in the Spade log 
file are not the same thing as anomaly scores, which is what the 
threshold applies to.)

Based on the fact that you are getting entries in log.txt, I would 
infer that Spade is receiving packets and processing them.  With your 
configuration as shown above, you should be getting many Spade alerts 
for the first hour (since 0.005 is a pretty darn low threshold). 
After 1 hour adapt3 will make its first adjustment to the threshold; 
it will choose a threshold which it thinks will result in 1% of 
packets being reported.

I suggest trying to log to a file to see if Spade alerts appear. 
This will verify that Spade is sending alerts for your network.

Hope this helps,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
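An added illustration of the distinction Jim draws above, not code from the thread or from Spade itself: the conditional probabilities written to log.txt are one thing, the per-packet anomaly score that the threshold is compared against is another, and adapt3's target of 1% is met by moving the threshold, not by comparing 0.005 to a probability. The traffic sample is constructed (chosen to reproduce the 0.625 / 0.375 figures Brad quoted), the scoring formula -log2 P(dip, dport) is my reading of Spade's design rather than anything confirmed in the post, and the threshold picker only models adapt3's target fraction, not its 60-minute cadence or 168-hour history.

```python
import math
from collections import Counter

# Constructed sample of (dip, dport) pairs standing in for counted packets.
# Chosen so P(dport=80|dip=10.0.0.1) = 0.625 and P(dport=443|dip=10.0.0.1) = 0.375,
# the two figures quoted from log.txt in the post. Not real traffic.
SAMPLE_PACKETS = (
    [("10.0.0.1", 80)] * 50 + [("10.0.0.1", 443)] * 30
    + [("10.0.0.2", 80)] * 19 + [("10.0.0.2", 6667)] * 1
)

def conditional_probs(packets):
    """P(dport | dip) per distinct pair: the quantity spade-stats condprob logs."""
    joint = Counter(packets)
    per_dip = Counter(dip for dip, _ in packets)
    return {pair: joint[pair] / per_dip[pair[0]] for pair in joint}

def anomaly_scores(packets):
    """Per-packet anomaly score -log2 P(dip, dport) over the joint probability
    (assumed to be the Spade scoring formula; not confirmed by the post)."""
    joint = Counter(packets)
    total = len(packets)
    return [-math.log2(joint[pair] / total) for pair in packets]

def report_count(scores, threshold):
    """How many packets a fixed threshold would report (score above threshold)."""
    return sum(1 for s in scores if s > threshold)

def adapt3_threshold(scores, target_fraction=0.01):
    """Simplified adapt3 principle: the lowest observed score above which at most
    `target_fraction` of packets fall. Ignores adapt3's 60-minute cadence and
    168-hour history from the posted config."""
    total = len(scores)
    for candidate in sorted(set(scores)):
        if report_count(scores, candidate) / total <= target_fraction:
            return candidate
    return max(scores)

def reported_pairs(packets, target_fraction=0.01):
    """Distinct (dip, dport) pairs that would be alerted under the adapted threshold."""
    scores = anomaly_scores(packets)
    threshold = adapt3_threshold(scores, target_fraction)
    return sorted({p for p, s in zip(packets, scores) if s > threshold})

if __name__ == "__main__":
    scores = anomaly_scores(SAMPLE_PACKETS)
    print("P(dport|dip):", conditional_probs(SAMPLE_PACKETS))
    print("fixed 0.005 threshold reports", report_count(scores, 0.005), "of", len(scores))
    print("adapt3-style threshold:", round(adapt3_threshold(scores), 3))
    print("reported pairs:", reported_pairs(SAMPLE_PACKETS))
```

With the fixed 0.005 threshold every sampled packet scores above it, which is the flood of alerts Jim expects for the first hour; the adapted threshold lands just above the common pairs so only the rare one is reported.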