[Snort-users] Spade/Spice and Snort?
mkettler at ...4108...
Mon Nov 3 07:05:28 EST 2003
At 03:34 PM 11/2/2003, Mark.Schutzmann at ...10438... wrote:
>Thanks for that. In fact, I have learned about Spade from SiliconDefense.
>Since this is a user group, I am actually asking for experiential comments.
>In knowing that Spade works on statistical anomolies, I am wondering if
>people are finding this to be as useful as it sounds, or whether it is just
>another tool to sort out FPs and whether it just adds overhead to Snort.
(dropping the undesirable cc to snort-users-admin at lists.sourceforge.net)
Personally, I successfully ran spade on a low-end hardware box so it's not
very high overhead.. it's definitely MUCH lower overhead than the
spp_conversation/spp_portscan2 pairing, which caused truly horrid packet
drop rates on the same hardware (>10%, and I think it was over 20%).
I found that in general things like installing a p2p client on a host that
previously did nothing but browse the web causes it to fire off quite a bit
for a few days, but in general I found it to be fairly low on the false
alarms.. I did have to turn a few of the default settings off to get a
decent level of noise, but later versions of spade appeared to adopt the
same settings as the default.
Unfortunately, it looks like there's no version of spade designed for snort
2.0.. the last version they released was 1/25/2003, and supported snort
1.9.0 (it works on 1.9.1 as well). It could possibly work with 2.0, but
I've not tried it.
Given that Silicon Defense has sold their sentaurus product line to demarc,
it's unclear if they are going to continue development of spade or not.
It's kind of a shame I've not seen more active development of it.. it was a
very useful plugin.
More information about the Snort-users