Snort mailing list archives
Re: Spade ---What gives
From: <bthaler () webstream net>
Date: Wed, 13 Mar 2002 10:13:36 -0500
OK. Spade is now running in its own process, logging to /var/log/spade/alert. I have verified that the spp_anomsensor alerts are showing up now, as expected. So, for some reason, they're not showing up in my database when Spade is run within the production Snort's process. Any ideas?

Sincerely,
Brad T.

----- Original Message -----
From: "James Hoagland" <hoagland () SiliconDefense com>
To: <bthaler () webstream net>; <snort-users () lists sourceforge net>
Sent: Tuesday, March 12, 2002 4:41 PM
Subject: Re: [Snort-users] Spade ---What gives
Hello Brad,

At 2:34 PM -0500 3/12/02, <bthaler () webstream net> wrote:
> I enabled Spade as described in the docs, but can't seem to get any
> output from it. In my snort.conf, I am using:
>
> preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> preprocessor spade-homenet: 1.1.1.1/20 2.2.2.2/20 3.3.3.3/20
> preprocessor spade-adapt3: 0.01 60 168
> preprocessor spade-stats: entropy uncondprob condprob
>
> I've tried different values for the threshold argument, everything from
> the default "-1" to the current "0.005".

This looks alright.

> My output plugin is:
>
> output database: log, mysql, user=xxx dbname=xxx password=xxx host=1.1.1.1 sensor_name=xxx
>
> Is there some problem with Spade and the database output plugin?

I cannot speak to these, hopefully someone else can. What version of Snort are you using?

> In my /var/log/spade/log.txt, I see lots of entries like:
>
> P(dport=80|dip=1234567890)= 1.000000000000
> P(dport=80|dip=1234567890)= 0.625000000000
> P(dport=443|dip=1234567890)= 0.375000000000
> P(dport=80|dip=1234567890)= 1.000000000000
>
> ***not the real IPs, of course***
>
> Since the last field is always greater than my threshold of 0.005, these
> should be considered as anomalous by Spade, right? With a threshold of
> 0.005, and tons of traffic (about 30Mb/s right now), I should be getting
> loads of "spp_anomsensor" alerts, right?

You should be. (However the reported probabilities in the Spade log file are not the same thing as anomaly scores, which is what threshold applies to.) Based on the fact that you are getting entries in log.txt, I would infer that Spade is receiving packets and processing them. With your configuration as shown above, you should be getting many Spade alerts for the first hour (since 0.005 is a pretty darn low threshold). After 1 hour adapt3 will make its first adjustment to the threshold; it will choose a threshold which it thinks will result in 1% of packets being reported. I suggest trying to log to a file to see if Spade alerts appear. This will verify that Spade is sending alerts for your network.

Hope this helps,

Jim

-- 
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
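Jim's point above is the one people trip over: the P(dport|dip) lines in log.txt are probabilities, while the spade threshold is compared against an anomaly score, and a rare event means a low probability but a high score. The script below is an added illustration written for this archive page, not Spade's own code or anything posted in the thread. It parses log lines in the format Brad quoted (the sample lines are constructed, with placeholder IPs), converts each probability to a score using Spade's documented definition of the anomaly score as -log2(P) (taken here as an assumption about the Spade version in question), applies a threshold the way Brad expected the raw probability to be applied, and then picks a new threshold aimed at reporting about 1% of packets, which is a simplified stand-in for what adapt3 does after its first hour (the real adapt3 works from observed reporting rates over its configured periods, so this is only the idea, not its algorithm).

```python
import math
import re

# Constructed sample of Spade log.txt lines in the format quoted in the thread.
# The dip values are placeholders, as in Brad's mail; the last line is an
# added rare event so the threshold logic has something to report.
SAMPLE_LOG = """\
P(dport=80|dip=1234567890)= 1.000000000000
P(dport=80|dip=1234567890)= 0.625000000000
P(dport=443|dip=1234567890)= 0.375000000000
P(dport=80|dip=1234567890)= 1.000000000000
P(dport=6000|dip=1234567890)= 0.001000000000
"""

# Matches "P(<event>)= <probability>" and nothing else; other log content is skipped.
LINE_RE = re.compile(r"^P\((?P<event>[^)]*)\)=\s*(?P<p>[0-9.]+)\s*$")


def parse_log(text):
    """Return a list of (event, probability) pairs from Spade-style log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("event"), float(m.group("p"))))
    return events


def anomaly_score(p):
    """Anomaly score assumed to be -log2(P): probability 1 scores 0, rarer events score higher."""
    if p <= 0.0:
        return float("inf")
    return -math.log2(p)


def flagged(events, threshold):
    """Events whose anomaly score exceeds the threshold (what spp_anomsensor would report).

    Note how low 0.005 is: any packet with P below 2**-0.005 (about 0.9965)
    clears it, which is why Jim expects a flood of alerts in the first hour.
    """
    return [(e, anomaly_score(p)) for e, p in events if anomaly_score(p) > threshold]


def adapted_threshold(events, target_fraction=0.01):
    """Choose a threshold so that roughly target_fraction of the scores lie above it.

    Simplified stand-in for the goal of adapt3 (report about 1% of packets);
    it is a percentile cut, not Spade's actual adaptation algorithm.
    """
    scores = sorted(anomaly_score(p) for _, p in events)
    if not scores:
        return 0.0
    n = len(scores)
    k = math.ceil(n * (1.0 - target_fraction)) - 1   # index of the cut point
    k = min(max(k, 0), n - 1)
    return scores[k]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for event, p in evs:
        print(f"{event:28s} P={p:.4f}  score={anomaly_score(p):.4f}")
    print("reported at threshold 0.005:", len(flagged(evs, 0.005)), "of", len(evs))
    t = adapted_threshold(evs, 0.01)
    print(f"adapted threshold (1% target): {t:.4f}; reported:", len(flagged(evs, t)))
```

Run against a real log.txt you would simply feed the file contents to parse_log. The takeaway is the comparison in flagged: a line showing P=1.0 can never be reported no matter how it looks next to a threshold of 0.005, because its score is 0, while the comparison Brad had in mind (probability greater than threshold) would have flagged everything.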
Current thread:
- Spade ---What gives bthaler (Mar 12)
- Re: Spade ---What gives James Hoagland (Mar 12)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives Erek Adams (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives Erek Adams (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Spade ---What gives Erek Adams (Mar 13)
- Re: Spade ---What gives bthaler (Mar 13)
- Re: Alerts, Logs and DB's--Oh My! Erek Adams (Mar 13)
- Re: Spade ---What gives James Hoagland (Mar 12)