[Snort-users] Spade ---What gives

bthaler at ...2720...
Wed Mar 13 08:26:08 EST 2002


Something else I noticed:
Even with my usual database output plugin enabled, Snort still creates the "alert" file.

I grep'd this for "spp_anomsensor", and voilà!  There are millions of Spade alerts in there.  So evidently Spade was working properly,
and it seems that Snort was just not writing the spp_anomsensor alerts to the database.

Sincerely,

Brad T.

----- Original Message -----
From: "James Hoagland" <hoagland at ...47...>
To: <bthaler at ...2720...>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, March 12, 2002 4:41 PM
Subject: Re: [Snort-users] Spade ---What gives


> Hello Brad,
>
> At 2:34 PM -0500 3/12/02, <bthaler at ...2720...> wrote:
> >I enabled Spade as described in the docs, but can't seem to get any
> >output from it.
> >
> >In my snort.conf, I am using:
> >preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> >preprocessor spade-homenet: 1.1.1.1/20 2.2.2.2/20 3.3.3.3/20
> >preprocessor spade-adapt3: 0.01 60 168
> >preprocessor spade-stats: entropy uncondprob condprob
>
>
> >I've tried different values for the threshold argument, everything
> >from the default "-1" to the current "0.005".
>
> This looks alright.
>
> >My output plugin is:
> >output database: log, mysql, user=xxx dbname=xxx password=xxx
> >host=1.1.1.1 sensor_name=xxx
> >
> >Is there some problem with Spade and the database output plugin?
>
> I cannot speak to these, hopefully someone else can.  What version of
> Snort are you using?
>
> >In my /var/log/spade/log.txt, I see lots of entries like:
> >P(dport=80|dip=1234567890)= 1.000000000000
> >P(dport=80|dip=1234567890)= 0.625000000000
> >P(dport=443|dip=1234567890)= 0.375000000000
> >P(dport=80|dip=1234567890)= 1.000000000000
> >***not the real IPs, of course***
> >
> >Since the last field is always greater than my threshold of 0.005,
> >these should be considered as anomalous by Spade, right?  With a
> >threshold of 0.005, and tons of traffic (about 30Mb/s right now), I
> >should be getting loads of "spp_anomsensor" alerts, right?
>
> You should be.  (However the reported probabilities in the Spade log
> file are not the same thing as anomaly scores, which is what
> threshold applies to.)
>
> Based on the fact that you are getting entries in log.txt, I would
> infer that Spade is receiving packets and processing them.  With your
> configuration as shown above, you should be getting many Spade alerts
> for the first hour (since 0.005 is a pretty darn low threshold).
> After 1 hour adapt3 will make its first adjustment to the threshold,
> it will choose a threshold which it thinks will result in 1% of
> packets being reported.
>
> I suggest trying to log to a file to see if Spade alerts appear.
> This will verify that Spade is sending alerts for your network.
>
> Hope this helps,
>
>    Jim
> --
> |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
> |*            --- Silicon Defense: IDS Solutions ---             *|
> |*  hoagland at ...47..., http://www.silicondefense.com/  *|
> |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
>
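To make Jim's distinction between the logged probabilities and the anomaly score concrete, here is an added example that is not part of the thread or of Spade itself. It parses log.txt lines in the format quoted above, converts each probability to a score, and shows what a threshold of 0.005 and an adapt3-style "1% of packets" adjustment actually mean. It assumes Spade's score is -log2(P) of the packet's probability (taken from Spade's documentation, not from this thread); the log's conditional probabilities are used only to illustrate the arithmetic, since Spade scores the packet's joint probability, not the per-field statistics it logs.

```python
import math
import re

# Constructed sample in the log.txt format quoted in the thread (placeholder IPs, as in the post).
SAMPLE_LOG = """\
P(dport=80|dip=1234567890)= 1.000000000000
P(dport=80|dip=1234567890)= 0.625000000000
P(dport=443|dip=1234567890)= 0.375000000000
P(dport=80|dip=1234567890)= 1.000000000000
"""

LINE_RE = re.compile(r"^P\((?P<event>[^)]*)\)=\s*(?P<prob>[0-9.]+)$")


def parse_spade_log(text):
    """Return (event, probability) pairs from lines like 'P(dport=80|dip=...)= 0.625'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("event"), float(m.group("prob"))))
    return entries


def anomaly_score(prob):
    """Score for a packet of probability prob: -log2(prob) (assumed from Spade's docs, not this thread)."""
    return math.inf if prob <= 0.0 else -math.log2(prob)


def probability_cutoff(threshold):
    """Probability below which a packet's score exceeds the threshold: 2 ** -threshold."""
    return 2.0 ** -threshold


def would_alert(prob, threshold):
    """True when the packet's anomaly score is above the reporting threshold."""
    return anomaly_score(prob) > threshold


def adapt_threshold(probs, target_fraction=0.01):
    """Pick a threshold so at most target_fraction of these packets score above it (adapt3's goal)."""
    scores = sorted(anomaly_score(p) for p in probs)
    index = min(len(scores) - 1, int(len(scores) * (1.0 - target_fraction)))
    return scores[index]


if __name__ == "__main__":
    entries = parse_spade_log(SAMPLE_LOG)
    for event, prob in entries:
        print(f"P({event})={prob:.3f} score={anomaly_score(prob):.3f} alert={would_alert(prob, 0.005)}")
    print(f"threshold 0.005 reports any packet with P below {probability_cutoff(0.005):.4f}")
    print(f"adapt3-style 1% threshold over this sample: {adapt_threshold([p for _, p in entries]):.3f}")
```

With a threshold of 0.005 every packet whose probability is below roughly 0.9965 is reported, which is why the first hour produces a flood of alerts until adapt3 raises the threshold.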