Snort mailing list archives

Re: Help with Spade Threshold


From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 14 Feb 2002 17:35:08 -0800

Dear James,

At 11:20 AM -0700 2/14/02, james wrote:
> I am trying to set the spp_anomsensor: Threshold to at least 11, so it
> starts at this level. It will adjust, i.e. "spp_anomsensor: Threshold adjusted
> to 11.0972 after 52 alerts (of 4483)", but it takes overnight to get to this
> point. It seems that when I restart snort I lose the state table or adjusted
> threshold and start back at ~8.
>
> Per the README.Shade.Usage, I tried adjusting "preprocessor spade: 11
> $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000" to 11 and also "preprocessor
> spade-adapt2: 0.01 15 4 24 7" to 11 (where 0.01 is now) to no luck.

Where to start...

Okay, in Spade, you can either specify a fixed reporting threshold or let one of the adapt modes work its magic. There is no way to have it "automatically adjust but stay above 11".

If you give it a threshold on your 'spade:' line and use one of the adapt modes, it will use your given threshold until the adapt mode has made enough observations to set it on its own. The value it chooses is independent of your specified threshold, except with adapt method #1 (which is too quick to adapt for my taste).

You only get the "spp_anomsensor: Threshold adjusted" message when an adapt mode is running and it adjusts. This message will not appear when using a fixed threshold. Also, it does not appear on startup.

Is there any reason you are using 'adapt2'? That is fine but I think 'adapt3' works better for most networks.

Placing a threshold in the first position in 'spade-adapt2:' is incorrect. That position contains a "specification of the number of alerts wanted. If it is >= 1, it is an hourly alert rate. If it is < 1, then it is a fraction of considered packets to report, based on the best estimate of your packet rate." This is also the way you specify how many alerts you want in adapt method #3 as well.

If you think you are getting too many alerts from Spade, you can adjust the target specification (that first position) downward. Make sure that you want this though. Look at the anomaly scores on the alerts you are receiving. If the alerts that have a smaller score are of interest to you, then you might not want to adjust downward.

It looks like you have things set up for state persistence alright. State will be stored in $SPADEDIR/spade.rcv periodically and on Snort exit. Note that the adapt modes do not presently store their state persistently. So, for the threshold, every time you start up, you start up from scratch. So, if you restart snort frequently, you might want to use a fixed threshold (once you have an idea what a good one might be).
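Since the adapt modes lose their state on every restart, an operator who wants to settle on a fixed threshold needs to see how the adaptive threshold actually moves between restarts. The script below is an added example (not code from Jim, from Spade, or from the Snort project) that reads the "spp_anomsensor: Threshold adjusted" lines quoted above out of an alert log, flags the points where the "(of N)" packet counter went backwards (which is what a restart looks like, since the adapt state starts over), and reports the highest threshold reached in each run. The sample log lines are constructed for this example; the `[**]` framing around the message is an assumption about how Snort prints it, and the regex only relies on the wording shown in the message above. The `expected_alerts_per_hour` helper encodes the target-specification rule Jim quotes for adapt2/adapt3: a value >= 1 is an hourly alert rate, a value < 1 is a fraction of considered packets.

```python
import re
from typing import Dict, List

# Constructed sample alert-log lines, in the format quoted in the message above.
# The values (and the restart after the third line) are made up for illustration.
SAMPLE_LOG = """\
[**] spp_anomsensor: Threshold adjusted to 8.3122 after 40 alerts (of 2102) [**]
[**] spp_anomsensor: Threshold adjusted to 9.8710 after 47 alerts (of 3301) [**]
[**] spp_anomsensor: Threshold adjusted to 11.0972 after 52 alerts (of 4483) [**]
[**] spp_anomsensor: Threshold adjusted to 8.1055 after 38 alerts (of 1950) [**]
[**] spp_anomsensor: Threshold adjusted to 9.4402 after 45 alerts (of 3120) [**]
"""

# Matches the message text shown in the thread; surrounding decoration is ignored.
ADJUST_RE = re.compile(
    r"spp_anomsensor: Threshold adjusted to (?P<thr>[0-9.]+) "
    r"after (?P<alerts>\d+) alerts \(of (?P<seen>\d+)\)"
)


def parse_adjustments(text: str) -> List[Dict[str, float]]:
    """Pull threshold, alert count and considered-packet count from each adjustment line."""
    out = []
    for line in text.splitlines():
        m = ADJUST_RE.search(line)
        if not m:
            continue
        alerts, seen = int(m["alerts"]), int(m["seen"])
        out.append({
            "threshold": float(m["thr"]),
            "alerts": alerts,
            "seen": seen,
            # Fraction of considered packets that were reported so far in this run.
            "fraction": alerts / seen,
        })
    return out


def find_resets(adjustments: List[Dict[str, float]]) -> List[int]:
    """Indices where the considered-packet counter went backwards: adapt state was lost."""
    return [
        i for i in range(1, len(adjustments))
        if adjustments[i]["seen"] < adjustments[i - 1]["seen"]
    ]


def peak_threshold_per_run(adjustments: List[Dict[str, float]]) -> List[float]:
    """Highest adaptive threshold reached in each run between restarts."""
    peaks: List[float] = []
    current = float("-inf")
    resets = set(find_resets(adjustments))
    for i, adj in enumerate(adjustments):
        if i in resets:
            peaks.append(current)
            current = float("-inf")
        current = max(current, adj["threshold"])
    if adjustments:
        peaks.append(current)
    return peaks


def expected_alerts_per_hour(target: float, packets_per_hour: float) -> float:
    """Alerts per hour implied by the adapt2/adapt3 target specification.

    A target >= 1 is already an hourly alert rate; a target < 1 is a fraction
    of considered packets, so it is scaled by the observed packet rate.
    """
    if target >= 1:
        return float(target)
    return target * packets_per_hour


if __name__ == "__main__":
    adjs = parse_adjustments(SAMPLE_LOG)
    print("restarts detected at adjustment indices:", find_resets(adjs))
    print("peak threshold per run:", peak_threshold_per_run(adjs))
    # With the target 0.01 from the quoted config and a constructed rate of 4483 packets/hour:
    print("alerts/hour implied by target 0.01:", expected_alerts_per_hour(0.01, 4483))
```

Run it against a real alert log by replacing `SAMPLE_LOG` with the file contents; the peak-per-run values are the numbers to compare before choosing a fixed threshold on the 'spade:' line.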

Wow, I think I covered everything there. :)

Good luck and let me know if more clarification is needed.

Sincerely,

  Jim

--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users