Snort mailing list archives
Re: Snort Error Message Using spade configuration
From: James Hoagland <jim () SiliconDefense com>
Date: Thu, 6 Mar 2003 11:10:58 -0800
At 5:28 AM -0800 3/2/03, Mahdi Kefayati wrote:
In the Name of the Dearest
Dear Jim,
I'm using Spade-030125.1, downloaded from Silicon Defense's official web site, on Red Hat Linux 8.0, kernel 2.4.20, and I had no problem with my Spade until I extended my Spade rules, i.e. preprocessors. Now I get segmentation fault problems while running Snort with the Spade-specific config file; I just added the previously learned thresholds and adjusted reporting times. I also added surveying, threshold advising and threshold adjusting facilities for each detector.
Can we see your Spade config file? How quickly is the seg fault happening? Can you run snort under gdb, show us where it stops due to the seg fault and show us the output of 'bt'?
Also, can you try commenting out some of the lines you added to see if you can identify which line(s) are needed for the seg fault to happen?
Another thing I want to ask you is what string the auto threshold adjusting facility uses when alerting new thresholds, of course if any. I saw "spp_anomsensor: Threshold adjusted to 9.9015 after 2 alerts (of 13)", for example, in a document. But when I saw the probably new style of alerts in my alerts database, i.e. "Spade: Closed dest port used: local dest, est. flags: 1.0000", I thought that the style might have changed. I browsed the source code for a clue, but besides the fact that I learned much about Snort, I could not find the things I wanted. I want to know the exact style of the alerts in order to run queries against the alerts database to get neat reports, etc.
If you are querying a database, you may want to use the generator id (104 for Spade) and the id field.
Regardless, from README.Spade:

---
Spade produces two types of messages, which, depending on how Spade is configured, are sent to Snort's configured alert or log facilities (e.g., alert file, database, etc.). Brief descriptions are presented here with more details in the Usage file.

The more common one has a message in the form "Spade: <activity description>: <scope>: <anomaly score>", where <activity description> describes what Spade is reporting on, <scope> explains the type of packet that was being examined, and <anomaly score> is the raw or relative anomaly score that Spade has assessed for the packet. (Sorry this line is so cramped; Snort has no facility to pass along these extra bits of information to the output plugins other than through the message field.)

Spade may also periodically produce messages of the form: "Spade: id=<id>: Threshold adjusted to T after X alerts (of N)". This indicates that the alerting threshold for detector <id> was changed to T. This happens when you are using one of the threshold adapting mechanisms (see the Usage file). The message also gives information about the number of alerts (X) sent since the last time the threshold was adjusted and the total number of packets (N) accepted by Spade during that time.
---

You can find what "<activity description>" a detector type produces by looking in Usage.Spade under the section describing that detector type.
Let me know if you need clarification on that.

Best regards,
Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: The Cyberwar Defense Company --- *|
|* jim () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
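The two message formats quoted above from README.Spade are exactly what a reporting query has to pick apart when Snort has stored Spade output in a database message field. The following parser is an added example for this thread, not code from Spade, Snort or Silicon Defense; it assumes the README formats verbatim, additionally accepts the older "spp_anomsensor:" threshold prefix quoted in the question (an assumption, since the README only documents the "Spade: id=<id>:" form), and the sample messages are constructed here except for the two strings already present in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# README.Spade: "Spade: <activity description>: <scope>: <anomaly score>".
# Neither <scope> nor <anomaly score> contains ": ", so the regex anchors on
# the last two fields and lets the activity description absorb everything
# before them (the "local dest, est. flags" scope in the thread has no colon).
ANOMALY_RE = re.compile(
    r"^Spade: (?P<activity>.+?): (?P<scope>[^:]+): "
    r"(?P<score>[-+]?\d+(?:\.\d+)?)$"
)

# README.Spade: "Spade: id=<id>: Threshold adjusted to T after X alerts (of N)".
# The alternative "spp_anomsensor:" prefix is the older form quoted in the
# question; accepting it is an assumption of this example, not README text.
THRESHOLD_RE = re.compile(
    r"^(?:Spade: id=(?P<id>\d+)|spp_anomsensor): Threshold adjusted to "
    r"(?P<threshold>[-+]?\d+(?:\.\d+)?) after (?P<alerts>\d+) alerts "
    r"\(of (?P<packets>\d+)\)$"
)


@dataclass
class AnomalyAlert:
    activity: str   # what Spade is reporting on
    scope: str      # the type of packet examined
    score: float    # raw or relative anomaly score


@dataclass
class ThresholdAdjust:
    detector_id: Optional[int]  # None for the old prefix, which carries no id
    threshold: float            # T: the new alerting threshold
    alerts: int                 # X: alerts sent since the last adjustment
    packets: int                # N: packets accepted by Spade in that period


SpadeMessage = Union[AnomalyAlert, ThresholdAdjust]


def parse_spade_message(msg: str) -> Optional[SpadeMessage]:
    """Return the parsed Spade message, or None if it is not a Spade message."""
    msg = msg.strip()
    m = THRESHOLD_RE.match(msg)
    if m:
        return ThresholdAdjust(
            detector_id=int(m["id"]) if m["id"] is not None else None,
            threshold=float(m["threshold"]),
            alerts=int(m["alerts"]),
            packets=int(m["packets"]),
        )
    m = ANOMALY_RE.match(msg)
    if m:
        return AnomalyAlert(m["activity"], m["scope"], float(m["score"]))
    return None


def summarize(messages: List[str]) -> Dict[str, Dict[str, float]]:
    """Per activity description: number of alerts and the highest score seen."""
    stats: Dict[str, Dict[str, float]] = {}
    for raw in messages:
        parsed = parse_spade_message(raw)
        if isinstance(parsed, AnomalyAlert):
            entry = stats.setdefault(parsed.activity,
                                     {"count": 0, "max_score": float("-inf")})
            entry["count"] += 1
            entry["max_score"] = max(entry["max_score"], parsed.score)
    return stats


# Constructed sample of message-field contents. The first and fourth lines
# are the strings quoted in the thread; the rest are made up for this example
# and "Example activity" is not a real Spade activity description.
SAMPLE_MESSAGES = [
    "Spade: Closed dest port used: local dest, est. flags: 1.0000",
    "Spade: Closed dest port used: local dest, est. flags: 0.8200",
    "Spade: id=3: Threshold adjusted to 9.9015 after 2 alerts (of 13)",
    "spp_anomsensor: Threshold adjusted to 9.9015 after 2 alerts (of 13)",
    "Spade: Example activity: example scope: 12.3456",
    "Portscan detected from 10.0.0.1",
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(repr(line), "->", parse_spade_message(line))
    print(summarize(SAMPLE_MESSAGES))
```

In practice you would feed `summarize` the message column selected from the alerts database, restricted to Spade's generator id (104) as suggested above, so that non-Spade rows never reach the regexes; the parser still returns None for anything it does not recognise rather than mis-filing it.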
Current thread:
- Snort Error Message Using spade configuration Mahdi Kefayati (Mar 01)
- Re: Snort Error Message Using spade configuration James Hoagland (Mar 01)
- Re: Snort Error Message Using spade configuration Mahdi Kefayati (Mar 02)
- Re: Snort Error Message Using spade configuration James Hoagland (Mar 06)
- Re: Snort Error Message Using spade configuration Mahdi Kefayati (Mar 02)
- Re: Snort Error Message Using spade configuration James Hoagland (Mar 01)