Snort mailing list archives

Spade ---What gives


From: <bthaler () webstream net>
Date: Tue, 12 Mar 2002 14:34:42 -0500

I enabled Spade as described in the docs, but can't seem to get any output from it.

In my snort.conf, I am using:
preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: 1.1.1.1/20 2.2.2.2/20 3.3.3.3/20
preprocessor spade-adapt3: 0.01 60 168
preprocessor spade-stats: entropy uncondprob condprob

I've tried different values for the threshold argument, everything from the default "-1" to the current "0.005".

My output plugin is:
output database: log, mysql, user=xxx dbname=xxx password=xxx host=1.1.1.1 sensor_name=xxx

Is there some problem with Spade and the database output plugin?

In my /var/log/spade/log.txt, I see lots of entries like:
P(dport=80|dip=1234567890)= 1.000000000000
P(dport=80|dip=1234567890)= 0.625000000000
P(dport=443|dip=1234567890)= 0.375000000000
P(dport=80|dip=1234567890)= 1.000000000000
***not the real IPs, of course***

Since the last field is always greater than my threshold of 0.005, these should be considered as anomalous by Spade, right? With a threshold of 0.005, and tons of traffic (about 30Mb/s right now), I should be getting loads of "spp_anomsensor" alerts, right?

Someone, please tell me what I'm missing here.




Sincerely,

Brad T.
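As an added illustration (not part of the original post and not Spade's own code), the following Python parses spade-stats log lines of the form quoted above and converts each probability into an anomaly score. It assumes Spade's documented scoring rule, A(X) = -log2(P(X)), which this post does not itself state; the sample lines are constructed copies of the ones shown in the message, with the poster's placeholder IP. It shows how a probability threshold and an anomaly-score threshold select different sets of entries, which is the kind of check worth running before tuning the first argument of the `preprocessor spade:` line.

```python
import math
import re

# Constructed sample entries modelled on the spade-stats lines quoted in the post
# (the dip value is the poster's placeholder, not a real address).
SAMPLE_LOG = """\
P(dport=80|dip=1234567890)= 1.000000000000
P(dport=80|dip=1234567890)= 0.625000000000
P(dport=443|dip=1234567890)= 0.375000000000
P(dport=80|dip=1234567890)= 1.000000000000
"""

# Matches both conditional "P(a=x|b=y)= p" and unconditional "P(a=x)= p" lines.
LINE_RE = re.compile(
    r"^P\((?P<feature>\w+)=(?P<value>[^|)]+)(?:\|(?P<cond>[^)]+))?\)=\s*(?P<prob>[0-9.]+)\s*$"
)


def parse_stats_line(line):
    """Parse one stats line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prob"] = float(rec["prob"])
    return rec


def anomaly_score(prob):
    """Assumed Spade rule: A = -log2(P). P=1 scores 0 (fully expected); P->0 grows without bound."""
    if prob <= 0.0:
        return math.inf
    return -math.log2(prob)


def score_log(text, threshold):
    """Return (record, score, exceeds) per parsable line, comparing the anomaly score to threshold."""
    results = []
    for line in text.splitlines():
        rec = parse_stats_line(line)
        if rec is None:
            continue
        score = anomaly_score(rec["prob"])
        results.append((rec, score, score > threshold))
    return results


def compare_interpretations(text, threshold):
    """Count entries selected if threshold is read as a probability floor vs. an anomaly-score floor."""
    recs = [r for r in (parse_stats_line(l) for l in text.splitlines()) if r]
    by_prob = sum(1 for r in recs if r["prob"] > threshold)
    by_score = sum(1 for r in recs if anomaly_score(r["prob"]) > threshold)
    return {"entries": len(recs), "prob_gt_threshold": by_prob, "score_gt_threshold": by_score}


if __name__ == "__main__":
    for rec, score, hit in score_log(SAMPLE_LOG, 0.005):
        print(f"{rec['feature']}={rec['value']} | {rec['cond']}: P={rec['prob']:.3f} "
              f"A={score:.3f} {'ALERT' if hit else 'quiet'}")
    print(compare_interpretations(SAMPLE_LOG, 0.005))
```

With the 0.005 threshold from the post, every quoted line passes a probability comparison, but under the score rule the two P=1.0 entries score exactly 0 and can never exceed any positive threshold; only the 0.625 and 0.375 entries would.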



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

