[Snort-users] Spade/Spice and Snort?

Mark.Schutzmann at ...10438... Mark.Schutzmann at ...10438...
Mon Nov 3 08:36:19 EST 2003


Michael,

Excellent comments... exactly what I was looking for.

Best Regards,
Mark


Matt Kettler <mkettler at ...10450....com>
To: Mark.Schutzmann at ...10438..., "Michael Steele" <michaels at ...9077...>
cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Spade/Spice and Snort?
11/03/2003 09:05 AM




At 03:34 PM 11/2/2003, Mark.Schutzmann at ...10438... wrote:

>Michael,
>
>Thanks for that. In fact, I have learned about Spade from SiliconDefense.
>Since this is a user group, I am actually asking for experiential
>comments.
>In knowing that Spade works on statistical anomalies, I am wondering if
>people are finding this to be as useful as it sounds, or whether it is
>just another tool to sort out FPs and whether it just adds overhead to Snort.

(dropping the undesirable cc to snort-users-admin at lists.sourceforge.net)

Personally, I successfully ran spade on a low-end hardware box so it's not
very high overhead.. it's definitely MUCH lower overhead than the
spp_conversation/spp_portscan2 pairing, which caused truly horrid packet
drop rates on the same hardware (>10%, and I think it was over 20%).

I found that in general things like installing a p2p client on a host that
previously did nothing but browse the web causes it to fire off quite a bit
for a few days, but in general I found it to be fairly low on the false
alarms.. I did have to turn a few of the default settings off to get a
decent level of noise, but later versions of spade appeared to adopt the
same settings as the default.

Unfortunately, it looks like there's no version of spade designed for snort
2.0.. the last version they released was 1/25/2003, and supported snort
1.9.0 (it works on 1.9.1 as well). It could possibly work with 2.0, but
I've not tried it.

Given that Silicon Defense has sold their sentaurus product line to demarc,
it's unclear if they are going to continue development of spade or not.
It's kind of a shame I've not seen more active development of it.. it was a
very useful plugin.
