Snort mailing list archives

Re: How can I tell if spade is running?


From: James Hoagland <hoagland () silicondefense com>
Date: Tue, 28 Aug 2001 08:40:37 -0700

Hello Matthew,

At 1:46 PM +0100 8/24/01, Matthew Collins wrote:
> Thanks for that. Someone had already alerted me to the -1 problem. I changed the debug level, and got a Fatal error: Could not open file. I then realised that I had a full stop (.) on the end of my SPADEDIR variable. I removed this and changed the code again from CallAlertFuncs to CallAlertPlugins (don't know if it makes any difference). I also added a CallLogPlugins call, before I realised that spade only looks at SYN packets, so I won't get payload anyway. It would be nice to be able to log the next two ACK packets, to try and get some of the payload, but I'm not sure how that could be done.

Just wondering. For what reason did you change CallAlertFuncs to CallAlertPlugins?

> I don't know why I only got the Fatal error message when I put the debug level up, looking at the code it should always produce that message.

Not sure. To start with I'd need to know how you changed the debug level. And also precisely what error message you got.


> SPADE is now working, and I am trying to tune it. I didn't really want to use the home-net plugin, because I wanted to scan for anomalous traffic leaving the network as well, but it's just too noisy.

That is to be expected. There is just not enough information on the network, at least of the type we are looking at.

> Tuning the alert level is difficult.

You might try using spade-adapt3, which should keep things pretty straightforward. This way your explicit threshold only matters for the first 60 minutes (in the default config).

> I notice, in the midst of alerts about normal web & email traffic, traffic coming in to port 80 on unused IP addresses was also getting logged. I thought this was good, until I noticed that it had the same anomaly level as normal web traffic, so it disappeared when I put the level up.

That is very surprising and something I'd never heard of before. Can you check that result again? How long had Spade been running at this point?

> How much normal traffic does it have to see before it starts balancing out? I would have expected traffic coming in to port 80 on unused IP addresses to have a higher anomaly score than traffic from our email server. Still, I expect it will take a while to tune it to our network traffic.

Roughly speaking, the formula for the anomaly score is A = -log2(n/N), where N is the number of SYN packets Spade has seen and n is the number of SYN packets with the particular combination of dest IP and dest port (for probability mode 3), including the packet whose score is being evaluated. To state the formula more precisely, one would have to take into account that Spade exponentially decays the weight of older observed SYNs. This keeps Spade's notion of the network distribution fresh.

As you can see, every new packet of the same type increases n and N and lowers the anomaly score. If the web server you mention is well-used, the anomaly score should drop quickly. Port 80 on the non-existent IP should keep a high anomaly score provided that packets with that as a destination are rare.

Note also that when Spade is just starting up, N will be on the small side. This limits the maximum anomaly score. This corresponds to Spade not having enough information to assert a higher anomalousness. So, you should let the score more-or-less level off before starting any manual tuning.

Hope this helps,

  Jim

--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
