Snort mailing list archives

Re: How can I tell if spade is running?

From: James Hoagland <hoagland () silicondefense com>
Date: Thu, 23 Aug 2001 20:23:38 -0700

Thanks for responding to this Gary. Just want to make a fewadditional comments.

People sometimes get confused about where to expect Spade's anomalousevent reports to appear. They expect it to appear in one of Spade'sspecial files. Instead, it goes wherever your alerts from Snortnormally go. (E.g., to Snort's alert file or to your database)

I'm partial to the adapt3 mode (over adapt and adapt2). It is simpleand seems to work well. YMMV though.

Definitely use spade-homenet. This specifies the network over whichto monitor packets going in to. Since Spade needs to know whatcharacteristics to expect for packets, it needs to see enoughexamples for the networks it monitors. In general, you will not havethat for external networks.

You can consult Spade's README (called README.Spade in the Snortdistribution) or Usage (README.Spade.Usage) files for other usefulinformation about Spade.


Best regards,

  Jim

At 3:34 PM -0700 8/23/01, Gary Grim wrote:

Matthew,

Hi, a couple of comments here.  To begin, you'll need to grab the latest
version of spade to fix the logging bug.  Just follow the link below:

http://www.silicondefense.com/software/spice/index.htm

Next, the -1 is effectively an "infinite" threshold, i.e. no reporting,
which is why you're not seeing anything in the alert file, assuming you
are not using threshold adapting.   After you rebuild snort with the
010818.1 version of Spade, I would suggest something like the following
config file options:

preprocessor spade: 0 $logdir/spade.rcv $logdir/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
preprocessor spade-adapt2: 0.01 1

I would run this for a coupe of minutes.  You should get a number of
alerts, along with a "threshold adapt" message in the alert file, and
when you quit, $logdir/log.txt will have some stats.  If you choose to
use "-", i.e. <stdout> for the log file, be forewarned that the stats
immediately follow the ^C of the SIGQUIT, and are difficult to see,
unless you look carefully.  Jim, the main dude, is aware of this, and
will update the ouptput to include some whitespace, horizontal rules,
and header info in a future release.

After testing, I would suggest setting your threshold to around 10 or
12, and take the defaults for adapt2, i.e.

preprocessor spade: 10 $logdir/spade.rcv $logdir/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
preprocessor spade-adapt2:

Every once in awhile, you'll probably want to check the threshold
updates, and see if there is a nominal range in which they fall, and
then update your initial threshold to the middle of this.





--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

How can I tell if spade is running? Matthew Collins (Aug 23)
- Re: How can I tell if spade is running? Gary Grim (Aug 23)
  - Re: How can I tell if spade is running? James Hoagland (Aug 23)
- <Possible follow-ups>
- Re: How can I tell if spade is running? Matthew Collins (Aug 24)
  - Re: How can I tell if spade is running? James Hoagland (Aug 28)
- Re: How can I tell if spade is running? Matthew Collins (Aug 29)
- Re: How can I tell if spade is running? James Hoagland (Aug 29)