Snort mailing list archives

About Spade (was Re: flexresp in snort (openbsd 3.0))


From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 26 Dec 2001 09:19:55 -0800

At 7:30 PM -0600 12/21/01, Ronneil Camara wrote:
[...]
Now, my next experiment will be spade.

How does spade benefit us other than how we normally configure snort?

Hello Ronneil,

Whereas snort rules are looking for patterns of known bad traffic, Spade will tell you when a packet crossing your network is unusual. It does this by keeping track of statistics about the traffic it has seen so far. From this, it assigns an anomaly score to every new SYN packet it sees. Packets with sufficiently high anomaly scores get reported.

The main reason you'd probably want this is that packets in a portscan are often anomalous with respect to normal background traffic. (This is because portscans are used for intelligence gathering, implying that the attacker does not know what normal traffic is.) Also you probably want to know if some weird packets are coming into your network.

Note that Spade is not based on signatures and thus does not rely on having a signature for some new attack. Spade runs pretty darn quick in our tests, gobbling a file with 1.25 million SYN packets in less than two minutes, even with Snort's full textual alerting on. Spade even maintains its state across runs. You do need to know your network however, since Spade cannot tell you if a packet is malicious; this is much like a Snort signature alert not being able to tell you if it is a false positive.

Spade is one of two parts of Spice. The other part is the Spice correlator. Spice is designed to detect portscans, even stealthy ones. (Spice is showing excellent results but has not yet been publicly released. We have plans to write a paper on some formal experiments with Spice. One result is of an experiment in which a single port on 100 IPs was scanned over the course of 4 days and each scan packet had a different source IP. Spice detected this perfectly, meaning catching every packet and having no false positives.)

There are some differences between Spade and spp_portscan. A big one is that spp_portscan (like most current portscan detectors) is easy to evade by slowing a scan down or varying the source IP; Spade is not susceptible to that. Although it would be easy to add, Spade does not report SYNFIN packets and other packets with weird flag combinations; spp_portscan does that just fine. A downside to Spade alone versus spp_portscan is that Spade does not group the events from a portscan together as that is the Spice correlator's job, but any limitation there can be largely overcome by using an alert browser such as SnortSnarf. When Spice is added, it will also sift out more of the packets that are not part of a scan or other network incident.

You can read more about Spice and Spade here:

   http://www.silicondefense.com/software/Spice/

You can also always download the latest version of Spade and its documentation there.

Sorry, didn't mean to ramble too much; hopefully it was useful.

Sincerely,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
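As an added illustration of the scoring idea Jim describes (this is not Spade's own code): a Spade-style scorer that estimates P(dst_ip, dst_port) from the SYN packets seen so far and reports a packet when its anomaly score -log2(P) reaches a threshold. The packet sample, the add-one smoothing, the warm-up length and the threshold are constructed assumptions for the demonstration.

```python
import math
from collections import Counter

# Constructed sample of SYN packets as (src_ip, dst_ip, dst_port) tuples:
# 90 packets of ordinary traffic to three known services, then one SYN to
# a port on which nothing has ever been contacted on this network.
SAMPLE_SYNS = (
    [("10.0.0.5", "192.168.1.10", 80)] * 40
    + [("10.0.0.6", "192.168.1.10", 443)] * 30
    + [("10.0.0.7", "192.168.1.20", 25)] * 20
    + [("203.0.113.9", "192.168.1.10", 8081)]
)


class SynAnomalyScorer:
    """Hypothetical Spade-style scorer (assumption, not Spade's implementation).

    Keeps running counts of (dst_ip, dst_port) pairs from SYN packets and
    estimates P(dst_ip, dst_port) from them. Anomaly score = -log2(P), so a
    pair seen rarely or never scores high. The source IP is deliberately not
    part of the model, so varying it or slowing down does not lower the score.
    """

    def __init__(self):
        self.counts = Counter()
        self.total = 0

    def score(self, dst_ip, dst_port):
        # Add-one smoothing: an unseen pair gets a finite but high score.
        p = (self.counts[(dst_ip, dst_port)] + 1) / (self.total + 1)
        return -math.log2(p)

    def observe(self, dst_ip, dst_port):
        """Score the packet against history, then fold it into the statistics."""
        s = self.score(dst_ip, dst_port)
        self.counts[(dst_ip, dst_port)] += 1
        self.total += 1
        return s


def detect(packets, threshold=6.0, warmup=80):
    """Return (index, src_ip, dst_ip, dst_port, score) for packets scored at or
    above threshold; the first `warmup` SYNs only train the statistics."""
    scorer = SynAnomalyScorer()
    alerts = []
    for i, (src, dst, port) in enumerate(packets):
        s = scorer.observe(dst, port)
        if i >= warmup and s >= threshold:
            alerts.append((i, src, dst, port, round(s, 2)))
    return alerts
```

Only the final SYN to port 8081 is reported; the well-known services score low because their (dst_ip, dst_port) pairs dominate the history.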

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
