Snort mailing list archives
Help with Spade Threshold
From: "james" <the_saint_james () yahoo com>
Date: Thu, 14 Feb 2002 11:20:57 -0700
I am trying to set the spp_anomsensor: Threshold to at least 11, so it starts at this level. It will adjust, i.e. "spp_anomsensor: Threshold adjusted to 11.0972 after 52 alerts (of 4483)", but it takes overnight to get to this point. It seems that when I restart snort I lose the state table or adjusted threshold and start back at ~8.

Per the README.Spade.Usage, I tried adjusting "preprocessor spade: 11 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000" to 11 and also "preprocessor spade-adapt2: 0.01 15 4 24 7" to 11 (where 0.01 is now) to no luck.

Here is the current config, thanks:

var SPADEDIR /var/log/snort/spade/
# preprocessor spade: 11 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.152.0/24 xxx.xxx.27.0/24 xxx.xx.74.0/24 xxx.xxx.201.0/24 xxx.xxx.75.0/24 xxx.xxx.109.0/24 xxx.xxx.22.0/24 \
    xxx.xxx.145.0/24 xxx.xxx.144.0/24 xxx.xxx.21.0/24

var SPADEDIR /var/log/snort/spade
# preprocessor spade: 11 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here; separate these by spaces
preprocessor spade-homenet: 206.115.152.0/24 128.165.27.0/24 209.12.74.0/24 209.194.201.0/24 209.12.75.0/24 198.59.109.0/24 66.55.22.0/24 \
    216.253.145.0/24 216.253.144.0/24 66.55.21.0/24

# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
#preprocessor spade-adapt3: 0.01 60 168

# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
#adapt method #2
preprocessor spade-adapt2: 0.01 15 4 24 7

# offline threshold learning
preprocessor spade-threshlearn: 200 06

#periodically report on the anom scores and count of packets seen
preprocessor spade-survey: $SPADEDIR/survey.txt 60

# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob
#----------------------------------------
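An added example (not from the post, and not Spade's own code): a small Python script that parses the "Threshold adjusted to ..." messages quoted above out of a snort log and flags the symptom described, a threshold that drops back while the packet count restarts from a low value. The log lines, including the "Initializing Preprocessors!" marker, are constructed sample input.

```python
import re
from typing import List, NamedTuple

# Shape of the spp_anomsensor message quoted in the post.
ADJUST_RE = re.compile(
    r"spp_anomsensor: Threshold adjusted to (?P<thr>[0-9.]+) "
    r"after (?P<alerts>\d+) alerts \(of (?P<total>\d+)\)"
)

class Adjustment(NamedTuple):
    threshold: float   # reporting threshold Spade settled on
    alerts: int        # alerts raised since Spade started counting
    total: int         # packets seen since Spade started counting

    @property
    def alert_rate(self) -> float:
        return self.alerts / self.total if self.total else 0.0

def parse_adjustments(lines: List[str]) -> List[Adjustment]:
    """Pull every threshold adjustment out of a snort log, in order."""
    found = []
    for line in lines:
        m = ADJUST_RE.search(line)
        if m:
            found.append(Adjustment(float(m["thr"]), int(m["alerts"]), int(m["total"])))
    return found

def find_resets(adjs: List[Adjustment]) -> List[int]:
    """Indices where the threshold dropped and the packet count restarted
    lower: the adapted state was lost, as happens across a snort restart."""
    return [
        i for i in range(1, len(adjs))
        if adjs[i].threshold < adjs[i - 1].threshold
        and adjs[i].total < adjs[i - 1].total
    ]

# Constructed sample log (timestamps omitted); snort restarts after line 3.
SAMPLE_LOG = [
    "spp_anomsensor: Threshold adjusted to 8.4013 after 10 alerts (of 612)",
    "spp_anomsensor: Threshold adjusted to 9.7720 after 31 alerts (of 2104)",
    "spp_anomsensor: Threshold adjusted to 11.0972 after 52 alerts (of 4483)",
    "Initializing Preprocessors!",
    "spp_anomsensor: Threshold adjusted to 8.1150 after 4 alerts (of 350)",
]

if __name__ == "__main__":
    adjs = parse_adjustments(SAMPLE_LOG)
    for i, a in enumerate(adjs):
        flag = "  <- adapted state lost" if i in find_resets(adjs) else ""
        print(f"threshold={a.threshold:.4f} alert_rate={a.alert_rate:.3%}{flag}")
```

Run it against the real snort log to see how far the threshold climbs before each restart throws the adaptation away.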
Current thread:
- Help with Spade Threshold james (Feb 14)
- Re: Help with Spade Threshold James Hoagland (Feb 14)