Snort mailing list archives

Re: Snort Error Message Using spade configuration


From: James Hoagland <jim () SiliconDefense com>
Date: Thu, 6 Mar 2003 11:10:58 -0800

At 5:28 AM -0800 3/2/03, Mahdi Kefayati wrote:
In the Name of the Dearest

Dear Jim,

I'm using Spade-030125.1 downloaded from Silicon Defense's official web site on Redhat Linux 8.0, kernel 2.4.20, and I had no problem with my Spade until I extended my Spade rules, i.e. preprocessors. Now I get segmentation fault problems while running Snort using the Spade-specific config file; I just added the previously learned thresholds and adjusted reporting times. Also I added surveying, threshold advising and threshold adjusting facilities for each detector.

Can we see your Spade config file? How quickly is the seg fault happening?

Can you run snort under gdb, show us where it stops due to the seg fault and show us the output of 'bt'?

Also, can you try commenting out some of the lines you added to see if you can identify which line(s) are needed for the seg fault to happen?

Another thing I want to ask you is what the string is that the auto threshold adjusting facility uses when alerting new thresholds, of course if any. I saw "spp_anomsensor: Threshold adjusted to 9.9015 after 2 alerts (of 13)" for example in a document. But when I saw the probably new style of alerts in my alerts database, i.e. "Spade: Closed dest port used: local dest, est. flags: 1.0000", I thought that the style might have changed. I browsed the source code for a clue, but besides the fact that I learned much about Snort, I could not find the things I wanted. I want to know the exact style of the alerts in order to run queries against the alerts database to get neat reports, etc.

If you are querying a database, you may want to use the generator id (104 for Spade) and the id field.

Regardless, from README.Spade:
---
Spade produces two types of messages, which, depending on how Spade is
configured, are sent to Snort's configured alert or log facilities (e.g.,
alert file, database, etc.).  Brief descriptions are presented here with
more details in the Usage file.

The more common one has a message in the form "Spade: <activity
description>: <scope>: <anomaly score>", where <activity description>
describes what Spade is reporting on, <scope> explains the type of packet
that was being examined, and <anomaly score> is the raw or relative anomaly
score that Spade has assessed for the packet.  (Sorry this line is so
cramped; Snort has no facility to pass along these extra bits of information
to the output plugins other than through the message field.)

Spade may also periodically produce messages of the form: "Spade: id=<id>:
Threshold adjusted to T after X alerts (of N)".  This indicates that the
alerting threshold for detector <id> was changed to T.  This happens when
you are using one of the threshold adapting mechanisms (see the Usage file).
The message also gives information about the number of alerts (X) sent
since the last time the threshold was adjusted and the total number of
packets (N) accepted by Spade during that time.
---
You can find what "<activity description>" a detector type produces by looking in Usage.Spade under the section describing that detector type.

Let me know if you need clarification on that.

Best regards,

 Jim
--
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
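As an added example, not part of this thread or of the Spade distribution, here is a small Python parser for the two message forms quoted from README.Spade above, plus the generator-id filter Jim suggests for database queries. The detector id, the sample alert rows and the acceptance of the older "spp_anomsensor:" prefix Mahdi quotes are constructed assumptions, not something the README guarantees.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SPADE_GID = 104  # Snort generator id for Spade events, as stated in the reply

# "Spade: id=<id>: Threshold adjusted to T after X alerts (of N)".
# Assumption: the older "spp_anomsensor:" prefix seen in Mahdi's document
# is accepted as the same message without a detector id.
THRESHOLD_RE = re.compile(
    r"^(?:Spade: id=(?P<id>\d+): |spp_anomsensor: )Threshold adjusted to "
    r"(?P<t>[-+]?\d+(?:\.\d+)?) after (?P<x>\d+) alerts \(of (?P<n>\d+)\)$")

# "Spade: <activity description>: <scope>: <anomaly score>".
# Assumption: the activity description never contains ": ", so the
# non-greedy group ends at the first separator; the scope keeps its commas.
ANOMALY_RE = re.compile(
    r"^Spade: (?P<activity>.+?): (?P<scope>.+): (?P<score>[-+]?\d+(?:\.\d+)?)$")

@dataclass
class AnomalyAlert:
    activity: str
    scope: str
    score: float

@dataclass
class ThresholdChange:
    detector_id: Optional[int]  # None for the old prefix without id=
    threshold: float            # T
    alerts: int                 # X, alerts since the last adjustment
    packets: int                # N, packets accepted by Spade in that time

def parse_spade_msg(msg):
    """Return an AnomalyAlert, a ThresholdChange, or None if not a Spade message."""
    m = THRESHOLD_RE.match(msg)  # checked first: its text also has ": " separators
    if m:
        return ThresholdChange(int(m["id"]) if m["id"] else None,
                               float(m["t"]), int(m["x"]), int(m["n"]))
    m = ANOMALY_RE.match(msg)
    if m:
        return AnomalyAlert(m["activity"], m["scope"], float(m["score"]))
    return None

def summarize(rows):
    """rows: (sig_generator, msg) pairs as pulled from an alerts database.
    Counts anomaly alerts per activity description, skipping other generators
    and the threshold bookkeeping messages."""
    counts = Counter()
    for gid, msg in rows:
        ev = parse_spade_msg(msg) if gid == SPADE_GID else None
        if isinstance(ev, AnomalyAlert):
            counts[ev.activity] += 1
    return counts

SAMPLE_ROWS = [  # constructed (generator id, message) rows, not real alerts
    (104, "Spade: Closed dest port used: local dest, est. flags: 1.0000"),
    (104, "Spade: Closed dest port used: local dest, est. flags: 0.8321"),
    (104, "Spade: id=3: Threshold adjusted to 9.9015 after 2 alerts (of 13)"),
    (1, "constructed non-Spade rule message"),
]
```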



