Re: Spade ---What gives

[<bthaler () webstream net>]

OK.  Spade is now running in it's own process, logging to /var/log/spade/alert.
I have verified that the spp_anomsensor alerts are showing up now, as expected.

So, for some reason, they're not showing up in my database when Spade is run within the production Snort's process.  
Any ideas?





Sincerely,

Brad T. 




----- Original Message ----- 
From: "James Hoagland" <hoagland () SiliconDefense com>
To: <bthaler () webstream net>; <snort-users () lists sourceforge net>
Sent: Tuesday, March 12, 2002 4:41 PM
Subject: Re: [Snort-users] Spade ---What gives


> Hello Brad,
>
> At 2:34 PM -0500 3/12/02, <bthaler () webstream net> wrote:
> > I enabled Spade as described in the docs, but can't seem to get any 
> > output from it.
> >
> > In my snort.conf, I am using:
> > preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> > preprocessor spade-homenet: 1.1.1.1/20 2.2.2.2/20 3.3.3.3/20
> > preprocessor spade-adapt3: 0.01 60 168
> > preprocessor spade-stats: entropy uncondprob condprob
>
>
> > I've tried different values for the threshhold argument, everything 
> > from the default "-1" to the current "0.005".
>
> This looks alright.
>
> > My output plugin is:
> > output database: log, mysql, user=xxx dbname=xxx password=xxx 
> > host=1.1.1.1 sensor_name=xxx
> >
> > Is there some problem with Spade and the database output plugin?
>
> I cannot speak to these, hopefully someone else can.  What version of 
> Snort are you using?
>
> > In my /var/log/spade/log.txt, I see lots of entries like:
> > P(dport=80|dip=1234567890)= 1.000000000000
> > P(dport=80|dip=1234567890)= 0.625000000000
> > P(dport=443|dip=1234567890)= 0.375000000000
> > P(dport=80|dip=1234567890)= 1.000000000000
> > ***not the real IPs, of course***
> >
> > Since the last field is always greater than my threshhold of 0.005, 
> > these should be considered as anamolous by Spade, right?  With a
> > threshhold of 0.005, and tons of traffic (about 30Mb/s right now), I 
> > should be getting loads of "spp_anomsensor" alerts, right?
>
> You should be.  (However the reported probabilities in the Spade log 
> file are not the same thing as anomaly scores, which is what 
> threshold applies to.)
>
> Based on the fact that you are getting entries in log.txt, I would 
> infer that Spade is receiving packets and processing them.  With your 
> configuration as shown above, you should be getting many Spade alerts 
> for the first hour (since 0.005 is a pretty darn low threshold). 
> After 1 hour adapt3 will make its first adjustment to the threshold, 
> it will choose a threshold which it thinks will result in 1% of 
> packets being reported.
>
> I suggest trying to log to a file to see if Spade alerts appear. 
> This will verify that Spade is sending alerts for your network.
>
> Hope this helps,
>
>    Jim
> -- 
> |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
> |*            --- Silicon Defense: IDS Solutions ---             *|
> |*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
> |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users