[Snort-users] Spade 021008.1 available!

James Hoagland hoagland at ...47...
Tue Oct 8 17:51:02 EDT 2002

Hello everyone,

Silicon Defense is pleased to announce the availability of Spade 
version 021008.1.  This version of Spade has significant expansion of 
its detection capabilities and other features.  For those not 
familiar with Spade, it is a Snort preprocessor plugin that finds 
anomalous packets on your network.

Here is the change list since the previous release (which was also a 
standard part of Snort):

+ Large expansion of Spade detection capabilities, including:
     + UDP and non-SYN TCP anomaly detection added
     + a new detection type looks for packets to unused IP addresses
     + another new detection type looks for sources using unusual destination
         port numbers
     + you can apply Spade to the outbound direction of your network as well
         as inbound and internal
+ You can now ask Spade to hold a report for a few seconds to see if the
     port is open or closed (bye bye passive FTP reports)
+ Ported to Snort 1.9
+ You have a little more control over what is reported (you can suppress
     certain source or dest networks and source or dest ports)
+ Relative anomaly scores are now standard (unlike the formerly standard raw
     anomaly scores, this has a much more predictable range)
+ Spade alert message strings updated (e.g., now always starts with "Spade",
     indicates detection type, and indicates scope detection was being
     applied to)
+ The way you configure snort has changed (but backwards compatibility
     preserved); you now enable a number of detectors, all options are in the
     form of <option>=<val>, etc.
+ You can now control whether Spade reports go to the Snort alert facility,
     log facility, or both
+ Documentation significantly updated
+ New, easier installation into Snort
+ You can now specify your Spade homenets in the Snortesque manner of
+ spade-threshadvise (formerly called spade-threshlearn) now correctly
     reports how long it ran for
+ Stats mode provides more contextual information
+ The options controlling how Spade's observations decay can now be set in
     the configuration file
+ Spade produces informative log messages as it starts up
+ Spade now checks to make sure the main configuration line is given before
     its other configuration lines (this eliminates an obscure error
     condition when the user forgets the main Spade line)
+ Spade's Snort source files renamed to spp_spade.[ch] from
     spp_anomsensor.[ch] for clarity
+ Packet cloning patch included in installation (this is Snort internal
     functionality that this version of Spade requires)
+ Probably more changes I can't recall right now

This release involved some significant internal restructuring of the 
Spade code.  This should set it up quite well for adding additional 
detection capabilities in the future.

You can download Spade and read more about it here:


We're also pleased to announce a new mailing list for Spade, 
Spade-users.  This is a good place to talk about Spade (ask 
questions, make suggestions, etc.).  You can subscribe here:


We'd like to thank DARPA for their continuing support of Spade.


   Jim Hoagland
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
