[Snort-users] Spade/Spice and Snort?

Michael Steele michaels at ...9077...
Mon Nov 3 10:59:11 EST 2003


Spade and Spice will be transferred to Demarc shortly, and as far as I know
the current release of Spade will work with 2.x. At one point we did have it
installed and working on 2.x.

Spade had a lot of possibilities, and still does, and would have gone far if
it had not had the Silicon Defense name behind it.

Hopefully when the transfer of that technology to Demarc is finalized then
Spade will be given another chance based on its merits. It is a great
plug-in for Snort.


-Michael Steele
 System Engineer / Security Support Technician     
 mailto:michaels at ...9077...    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Mark.Schutzmann at ...10438...
> Sent: Monday, November 03, 2003 8:38 AM
> To: Matt Kettler
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Spade/Spice and Snort?
> Michael,
> Excellent comments... exactly what I was looking for.
> Best Regards,
> Mark
>
> Matt Kettler <mkettler at ...10450....com>
> 11/03/2003 09:05 AM
> To: Mark.Schutzmann at ...10438..., "Michael Steele" <michaels at ...9077...>
> cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Spade/Spice and Snort?
>
> At 03:34 PM 11/2/2003, Mark.Schutzmann at ...10438... wrote:
> >Michael,
> >
> >Thanks for that. In fact, I have learned about Spade from SiliconDefense.
> >Since this is a user group, I am actually asking for experiential comments.
> >In knowing that Spade works on statistical anomalies, I am wondering if
> >people are finding this to be as useful as it sounds, or whether it is just
> >another tool to sort out FPs and whether it just adds overhead to Snort.
>
> (dropping the undesirable cc to snort-users-admin at lists.sourceforge.net)
>
> Personally, I successfully ran spade on a low-end hardware box so it's not
> very high overhead.. it's definitely MUCH lower overhead than the
> spp_conversation/spp_portscan2 pairing, which caused truly horrid packet
> drop rates on the same hardware (>10%, and I think it was over 20%).
>
> I found that in general things like installing a p2p client on a host that
> previously did nothing but browse the web causes it to fire off quite a bit
> for a few days, but in general I found it to be fairly low on the false
> alarms.. I did have to turn a few of the default settings off to get a
> decent level of noise, but later versions of spade appeared to adopt the
> same settings as the default.
>
> Unfortunately, it looks like there's no version of spade designed for snort
> 2.0.. the last version they released was 1/25/2003, and supported snort
> 1.9.0 (it works on 1.9.1 as well). It could possibly work with 2.0, but
> I've not tried it.
>
> Given that Silicon Defense has sold their sentaurus product line to demarc,
> it's unclear if they are going to continue development of spade or not.
> It's kind of a shame I've not seen more active development of it.. it was a
> very useful plugin.