Snort mailing list archives

Re: How can I tell if spade is running?


From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Wed, 29 Aug 2001 09:18:46 +0100

James Hoagland <hoagland () silicondefense com> 28/08/01 16:40:37 >>>

Just wondering.  For what reason did you change CallAlertFuncs to 
CallAlertPlugins?

I noticed that stream4 was using that, rather than CallAlertFuncs, so just thought I'd try it.

I don't know why I only got the Fatal error message when I put the 
debug level up, looking at the code it should always produce that 
message.

Not sure.  To start with I'd need to know how you changed the debug 
level.  And also precisely what error message you got.

I set as_debug = 1 at the top of the spp_anomsensor.c file.
The error message was
FATAL ERROR: spp_anomsensor: unable to open /var/log/spade./log.txt

Tuning the alert level is difficult.

You might try using spade-adapt3, which should keep things pretty 
straightforward.  This way your explicit threshold only matters for 
the first 60 minutes (in the default config).

I'm using this now, along with spade_homenet.

I notice, in the midst of alerts about normal web & email traffic, 
traffic coming in to port 80 on unused IP addresses was also getting 
logged. I thought this was good, until I noticed that it had the 
same anomaly level as normal web traffic, so it disappeared when I 
put the level up.

That is very surprising and something I'd never heard of before.  Can 
you check that result again?  How long had Spade been running at this 
point?

Spade had not been running long, an hour at the most. I was playing around with settings as well. I'm going to keep an eye out for it now that it's all settled down again.

[lots of useful info snipped]

Hope this helps,

  Jim

It does, thanks.

Matthew
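As an added illustration (not Spade's own code, and not from this thread) of why a short run can make an unused address look like an ordinary web host: Spade scores a packet by how improbable its feature values are under the frequency model it has built so far, and the adapt mode replaces the hand-set threshold after a warm-up period. The scorer, the traffic sample and the 50-packet warm-up below are constructed assumptions; real Spade uses more features and a time-based window.

```python
from collections import Counter
from math import log2

# Constructed sample of inbound packets as (dst_ip, dst_port), not real traffic.
# 10.0.0.5 and 10.0.0.6 are web servers in use; 10.0.0.200 is an unused address.
TRAFFIC = (
    [("10.0.0.5", 80)] * 40 + [("10.0.0.6", 80)] * 30 + [("10.0.0.7", 25)] * 20
    + [("10.0.0.6", 443)] * 8 + [("10.0.0.200", 80)] * 2
)


class SpadeLikeScorer:
    """Simplified Spade-style scorer: score = -log2(P(dst_ip, dst_port)) estimated
    from observed frequencies. During warm-up the user-set threshold applies;
    afterwards the threshold is re-derived from scores seen so far (adapt-like)."""

    def __init__(self, initial_threshold, warmup_packets, target_alert_fraction=0.05):
        self.counts = Counter()
        self.total = 0
        self.threshold = initial_threshold
        self.warmup = warmup_packets
        self.target = target_alert_fraction
        self.scores = []

    def score(self, dst_ip, dst_port):
        # Laplace smoothing so a never-seen pair still gets a finite score.
        return -log2((self.counts[(dst_ip, dst_port)] + 1) / (self.total + 1))

    def observe(self, dst_ip, dst_port):
        s = self.score(dst_ip, dst_port)
        self.counts[(dst_ip, dst_port)] += 1
        self.total += 1
        self.scores.append(s)
        if self.total == self.warmup:
            self._adapt()
        return s, s >= self.threshold

    def _adapt(self):
        # Choose the threshold that would have alerted on the top target fraction.
        ranked = sorted(self.scores, reverse=True)
        idx = max(0, int(len(ranked) * self.target) - 1)
        self.threshold = ranked[idx]


def run(traffic, initial_threshold=4.0, warmup=50):
    """Replay traffic; return the scorer and the list of packets that alerted."""
    scorer = SpadeLikeScorer(initial_threshold, warmup)
    alerts = [(ip, port) for ip, port in traffic if scorer.observe(ip, port)[1]]
    return scorer, alerts
```

With only a few packets of history, a legitimate host that has not been seen yet and an unused host score identically; only after more traffic does the unused address stand out.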

