Snort mailing list archives

Re: spade reports


From: James Hoagland <hoagland () SiliconDefense com>
Date: Sun, 17 Jun 2001 09:30:51 -0700

At 4:56 PM -0600 6/16/01, Josh Gentry wrote:
> Folks,
>
> Spade is obviously keeping track of a bunch of stats on the
> traffic on the network, to be able to calculate probabilities,
> etc.  The logs generated in the spade log dir seem to only
> contain the results of the calculations.  Is there any way to get
> spade to report the stats it's using to calculate the probability
> that a packet is anomalous?


Josh,

If you are using probability mode 3 (the default), the anomaly score is based on the joint probability of the particular destination IP and destination port. Specifically it is the negative base-2 log of that probability*. The probabilities are derived from observing TCP SYNs on your particular network.

To get the full table of these probabilities (could be quite large), you can look into the spade-stat mode. Note that using this mode could introduce a several second delay in snort when the statistics output is being produced and put in a file. This occurs on certain signals and on snort exit. (There is no overhead for this mode at other times.)

See also README.Spade (http://www.silicondefense.com/software/spice/spicereadme.htm) and the SPICE web page (http://www.silicondefense.com/software/spice/).

*= at least that is what it is supposed to be. There is little difference from a practical point of view, but I recently discovered that due to a misplaced parenthesis in the source code, this is not quite what it is. If A is the correct anomaly score (correct meaning what I described above) and B is what is produced in all released versions of Spade, A = 0.693*B - 0.3665. Note that what is currently produced is internally consistent and even proportionate, so the difference shouldn't matter from a practical point of view. We'll need to make the transition at some point though, at least for use with SPICE.

Sincerely,

  Jim


--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
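The scoring Jim describes above (joint probability of destination IP and destination port, estimated from observed TCP SYNs, reported as the negative base-2 log), worked through as an added example. This is illustration code written for this archive page, not Spade's own source: the SYN sample is constructed, the class and function names are hypothetical, and recording a pair before scoring it (so an unseen pair gets probability 1/total rather than 0) is a simplifying assumption made here, not a description of how Spade handles it. The `stat_table` dump stands in for the kind of full probability table spade-stat mode produces, and `released_to_corrected` applies the A = 0.693*B - 0.3665 relation quoted in the footnote.

```python
from collections import Counter
from math import log2

# Constructed sample of observed TCP SYNs on the monitored network as
# (destination IP, destination port) pairs. Not real traffic: 100 SYNs total.
SAMPLE_SYNS = (
    [("10.0.0.5", 80)] * 60
    + [("10.0.0.5", 443)] * 30
    + [("10.0.0.9", 22)] * 9
    + [("10.0.0.7", 25)] * 1
)


class JointSynTable:
    """Joint (dst IP, dst port) frequency table built from observed TCP SYNs.

    Models the idea behind Spade's probability mode 3 as described in the
    message above; it is not Spade's data structure (hypothetical name).
    """

    def __init__(self):
        self.counts = Counter()
        self.total = 0

    def observe(self, dst_ip, dst_port):
        """Record one TCP SYN to (dst_ip, dst_port)."""
        self.counts[(dst_ip, dst_port)] += 1
        self.total += 1

    def probability(self, dst_ip, dst_port):
        """Empirical joint probability P(dst_ip, dst_port) = count / total."""
        if self.total == 0:
            raise ValueError("no SYNs observed yet")
        return self.counts[(dst_ip, dst_port)] / self.total

    def anomaly_score(self, dst_ip, dst_port):
        """-log2 of the joint probability, as the message describes.

        Assumption made here (not taken from Spade): the pair is recorded
        before scoring, so a never-before-seen pair has probability 1/total
        instead of 0, for which log2 would be undefined.
        """
        self.observe(dst_ip, dst_port)
        return -log2(self.probability(dst_ip, dst_port))

    def stat_table(self):
        """Full table of (ip, port, count, probability, score), rarest first.

        Stands in for a spade-stat style dump; on a busy network this table
        can be very large, which is the cost the message warns about.
        """
        rows = []
        for (ip, port), n in self.counts.items():
            p = n / self.total
            rows.append((ip, port, n, p, -log2(p)))
        rows.sort(key=lambda r: r[3])
        return rows


def released_to_corrected(b):
    """Map the score produced by released Spade (B) to the intended one (A)
    using the relation given in the message: A = 0.693*B - 0.3665."""
    return 0.693 * b - 0.3665


def build_table(syns=SAMPLE_SYNS):
    """Populate a JointSynTable from an iterable of (dst_ip, dst_port) SYNs."""
    table = JointSynTable()
    for ip, port in syns:
        table.observe(ip, port)
    return table


if __name__ == "__main__":
    t = build_table()
    for ip, port, n, p, score in t.stat_table():
        print(f"{ip:>10}:{port:<5} count={n:3d} P={p:.4f} score={score:.3f}")
    # A SYN to a frequently seen pair scores low; one to an unseen pair, high.
    print("10.0.0.5:80    ->", round(t.anomaly_score("10.0.0.5", 80), 3))
    print("10.0.0.99:3389 ->", round(t.anomaly_score("10.0.0.99", 3389), 3))
```

Running it prints the table rarest-first (10.0.0.7:25 with P=0.01 scores about 6.64 bits) and then shows that a SYN to the common 10.0.0.5:80 pair scores well under one bit while a SYN to a never-seen host and port scores around 6.7 bits. The score is a per-pair rarity measure, which is why the message can say the released version's output is internally consistent and proportionate even though its absolute values differ from the intended -log2 by a fixed affine map.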

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net