Snort mailing list archives

Re: How can I tell if spade is running?


From: Gary Grim <garyg () silicondefense com>
Date: Thu, 23 Aug 2001 15:34:21 -0700

Matthew,

Hi, a couple of comments here.  To begin, you'll need to grab the latest
version of spade to fix the logging bug.  Just follow the link below:

http://www.silicondefense.com/software/spice/index.htm

Next, the -1 is effectively an "infinite" threshold, i.e. no reporting,
which is why you're not seeing anything in the alert file, assuming you
are not using threshold adapting.   After you rebuild snort with the
010818.1 version of Spade, I would suggest something like the following
config file options:

preprocessor spade: 0 $logdir/spade.rcv $logdir/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
preprocessor spade-adapt2: 0.01 1

I would run this for a couple of minutes.  You should get a number of
alerts, along with a "threshold adapt" message in the alert file, and
when you quit, $logdir/log.txt will have some stats.  If you choose to
use "-", i.e. <stdout> for the log file, be forewarned that the stats
immediately follow the ^C of the SIGQUIT, and are difficult to see,
unless you look carefully.  Jim, the main dude, is aware of this, and
will update the output to include some whitespace, horizontal rules,
and header info in a future release.

After testing, I would suggest setting your threshold to around 10 or
12, and take the defaults for adapt2, i.e.

preprocessor spade: 10 $logdir/spade.rcv $logdir/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
preprocessor spade-adapt2:

Every once in a while, you'll probably want to check the threshold
updates, and see if there is a nominal range in which they fall, and
then update your initial threshold to the middle of this.

Hope this helps.

Cheers,
Gary 

Matthew Collins wrote:

I've just put some more memory in our snort box, so I thought I'd try enabling spade & stream4 as well as upgrade to 1.8.1

My question is: how can I tell if it is doing anything? It doesn't look like it is working, there are no output files anywhere, but I don't know if it creates them as soon as it starts (like snort logging) or just when it needs them.

Here's the relevant bits from the conf file.

var SPADEDIR /var/log/spade.
#
preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000

I've tried sending snort SIGUSR1 which the docs say should make spade do a checkpoint, but nothing appears in the /var/log/spade directory.
Snort is compiled from source. There are no warnings in the startup log.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

-- 
|*    Silicon Defense - Technical Support for Snort      *|
|*           mailto:garyg () SiliconDefense com             *|
|*           http://www.silicondefense.com/              *|
|*     Voice: (530) 756-7317   Fax: (530) 756-7297       *|
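The procedure Gary describes above (run with a low threshold plus adapt2, watch the "threshold adapt" messages in the alert file, find the nominal range they fall into, and set the initial threshold to the middle of that range, remembering that -1 is an infinite threshold that reports nothing unless adapting is on) as an added Python example. This is not code from the thread or from Silicon Defense; the exact wording of the Spade threshold-adjust line in the constructed alert excerpt is an assumption, so compare it with a real alert file and adjust ADAPT_RE to match. Only the first field after "preprocessor spade:" (the threshold) is interpreted; the remaining fields are passed through untouched.

```python
import re
import statistics

# Constructed excerpt of a Snort alert file with Spade (spp_anomsensor) output.
# The wording of the "Threshold adjusted to" line is an ASSUMPTION for this
# example, not a quoted Spade message; adjust ADAPT_RE to your own alert file.
SAMPLE_ALERTS = """\
[**] spp_anomsensor: Anomaly threshold exceeded: 12.3445 [**]
08/23-14:02:11.123456 10.0.0.5:4321 -> 192.168.1.10:139
[**] spp_anomsensor: Threshold adjusted to 11.2102 after 50 alerts (of 9123) [**]
[**] spp_anomsensor: Anomaly threshold exceeded: 13.0012 [**]
08/23-14:03:40.654321 10.0.0.7:1234 -> 192.168.1.22:445
[**] spp_anomsensor: Threshold adjusted to 9.8701 after 50 alerts (of 18201) [**]
[**] spp_anomsensor: Threshold adjusted to 12.0450 after 50 alerts (of 27410) [**]
[**] spp_anomsensor: Threshold adjusted to 10.3300 after 50 alerts (of 36590) [**]
"""

# Assumed alert-line pattern (see note above).
ADAPT_RE = re.compile(r"Threshold adjusted to (-?\d+(?:\.\d+)?)")
# The threshold is the first field after "preprocessor spade:" in snort.conf.
SPADE_RE = re.compile(r"^\s*preprocessor\s+spade\s*:\s*(-?\d+(?:\.\d+)?)")
# Any spade-adapt / spade-adapt2 line turns on threshold adapting.
ADAPT_LINE_RE = re.compile(r"^\s*preprocessor\s+spade-adapt\d*\s*:")


def parse_adapt_thresholds(alert_text):
    """Return the adapted threshold values, in file order, from alert-file text."""
    return [float(m.group(1)) for m in ADAPT_RE.finditer(alert_text)]


def suggest_threshold(values):
    """Summarise the range the adapted thresholds fall into and propose a fixed
    starting threshold in the middle of it (midpoint of min and max, as the
    post suggests), plus the median as a second opinion that is less sensitive
    to a single outlier.  Returns None when no adapt messages were seen."""
    if not values:
        return None
    lo, hi = min(values), max(values)
    return {
        "count": len(values),
        "min": lo,
        "max": hi,
        "midpoint": (lo + hi) / 2,
        "median": statistics.median(values),
    }


def check_spade_config(config_text):
    """Inspect the spade preprocessor lines of a snort.conf snippet.
    A threshold of -1 means 'never report'; alerts only appear once a
    spade-adapt* line lowers the threshold at run time or a finite
    threshold is configured."""
    threshold = None
    adapting = False
    for line in config_text.splitlines():
        m = SPADE_RE.match(line)
        if m:
            threshold = float(m.group(1))
        elif ADAPT_LINE_RE.match(line):
            adapting = True
    if threshold is None:
        return {"threshold": None, "adapting": adapting, "reports": False,
                "note": "no 'preprocessor spade:' line found"}
    reports = threshold >= 0 or adapting
    note = ("ok" if reports else
            "threshold -1 is an infinite threshold: nothing is reported "
            "until you add a spade-adapt line or a finite threshold")
    return {"threshold": threshold, "adapting": adapting,
            "reports": reports, "note": note}


if __name__ == "__main__":
    # Matthew's original line: reporting is effectively off.
    print(check_spade_config(
        "preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000"))
    # After a test run, pick a fixed threshold from the observed adapt range.
    print(suggest_threshold(parse_adapt_thresholds(SAMPLE_ALERTS)))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; the midpoint is the number to put back into the "preprocessor spade:" line once you switch adapt2 to its defaults.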
