[Snort-users] Spade 021008.1 available!

James Hoagland hoagland at ...47...
Wed Oct 9 06:56:05 EDT 2002

FYI, looks like a last minute fix I made to the installation Makefile 
might have bit me a bit.  If you get the message:

   Makefile:17: *** missing separator.  Stop.

just edit Makefile to delete the 2 lines that begin with "@#".

I'll get a new version out before long with that fixed, but want to 
see if there are any other priority changes.  So, try it out folks! :)

-- Jim

At 5:50 PM -0700 10/8/02, James Hoagland wrote:
>Hello everyone,
>Silicon Defense is pleased to announce the availability of Spade 
>version 021008.1.  This version of Spade has significant expansion 
>of its detection capabilities and other features.  For those not 
>familiar with Spade, it is a Snort preprocessor plugin that finds 
>anomalous packets on your network.
>Here is the change list since the previous release (which was also a 
>standard part of Snort):
>+ Large expansion of Spade detection capabilities, including:
>     + UDP and non-SYN TCP anomaly detection added
>     + a new detection type looks for packets to unused IP addresses
>     + another new detection type looks for sources using unusual destination
>         port numbers
>     + you can apply Spade to the outbound direction of your network as well
>         as inbound and internal
>+ You can now ask Spade to hold a report for a few seconds to see if the
>     port is open or closed (bye bye passive FTP reports)
>+ Ported to Snort 1.9
>+ You have a little more control over what is reported (you can suppress
>     certain source or dest networks and source or dest ports)
>+ Relative anomaly scores are now standard (unlike the formerly standard raw
>     anomaly scores, this has a much more predictable range)
>+ Spade alert message strings updated (e.g., now always starts with "Spade",
>     indicates detection type, and indicates scope detection was being
>     applied to)
>+ The way you configure snort has changed (but backwards compatibility
>     preserved); you now enable a number of detectors, all options are in the
>     form of <option>=<val>, etc.
>+ You can now control whether Spade reports go to the Snort alert facility,
>     log facility, or both
>+ Documentation significantly updated
>+ New, easier installation into Snort
>+ You can now specify your Spade homenets in the Snortesque manner of
>     [<net>,<net>]
>+ spade-threshadvise (formerly called spade-threshlearn) now correctly
>     reports how long it ran for
>+ Stats mode provides more contextual information
>+ The options controlling how Spade's observations decay can now be set in
>     the configuration file
>+ Spade produces informative log messages as it starts up
>+ Spade now checks to make sure the main configuration line is given before
>     its other configuration lines (this eliminates an obscure error
>     condition when the user forgets the main Spade line)
>+ Spade's Snort source files renamed to spp_spade.[ch] from
>     spp_anomsensor.[ch] for clarity
>+ Packet cloning patch included in installation (this is Snort internal
>     functionality that this version of Spade requires)
>+ Probably more changes I can't recall right now
>This release involved some significant internal restructuring of the 
>Spade code.  This should set it up quite well for adding additional 
>detection capabilities in the future.
>You can download Spade and read more about it here:
>   http://www.silicondefense.com/software/spice/
>We're also pleased to announce a new mailing lists for Spade, 
>Spade-users.  This is a good place to talk about Spade (ask 
>questions, make suggestions, etc.).  You can subscribe here:
>   http://www.silicondefense.com/mailman/listinfo/spade-users
>We'd like to thank DARPA for their continuing support of Spade.
>   Jim Hoagland
>|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
>|*            --- Silicon Defense: IDS Solutions ---             *|
>|*  hoagland at ...47..., http://www.silicondefense.com/  *|
>|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

More information about the Snort-users mailing list