Snort mailing list archives
Re: How can I tell if spade is running?
From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Wed, 29 Aug 2001 09:18:46 +0100
James Hoagland <hoagland () silicondefense com> 28/08/01 16:40:37 >>>
Just wondering. For what reason did you change CallAlertFuncs to CallAlertPlugins?
I noticed that stream4 was using that, rather than CallAlertFuncs, so just thought I'd try it.
I don't know why I only got the Fatal error message when I put the debug level up; looking at the code, it should always produce that message.
Not sure. To start with I'd need to know how you changed the debug level. And also precisely what error message you got.
I set as_debug = 1 at the top of the spp_anomsensor.c file. The error message was FATAL ERROR: spp_anomsensor: unable to open /var/log/spade./log.txt
Tuning the alert level is difficult.
You might try using spade-adapt3, which should keep things pretty straightforward. This way your explicit threshold only matters for the first 60 minutes (in the default config).
I'm using this now, along with spade_homenet
I notice, in the midst of alerts about normal web & email traffic, traffic coming in to port 80 on unused IP addresses was also getting logged. I thought this was good, until I noticed that it had the same anomaly level as normal web traffic, so it disappeared when I put the level up.
That is very surprising and something I'd never heard of before. Can you check that result again? How long had Spade been running at this point?
Spade had not been running long, an hour at the most. I was playing around with settings as well. I'm going to keep an eye out for it now it's all settled down again. [lots of useful info snipped]
Hope this helps, Jim
It does, Thanks. Matthew