Re: Spade ---What gives

[<bthaler () webstream net>]

Something else I noticed:
Even with my usual database output plugin enabled, Snort still creates the "alert" file.

I grep'd this for "spp_anomsensor", and viola!  There's millions of Spade alerts in there.  So evidently Spade was 
working properly,
and it seems that Snort was just not writing the spp_anomsensor alerts to the database.






Sincerely,

Brad T.




----- Original Message -----
From: "James Hoagland" <hoagland () SiliconDefense com>
To: <bthaler () webstream net>; <snort-users () lists sourceforge net>
Sent: Tuesday, March 12, 2002 4:41 PM
Subject: Re: [Snort-users] Spade ---What gives


> Hello Brad,
>
> At 2:34 PM -0500 3/12/02, <bthaler () webstream net> wrote:
> > I enabled Spade as described in the docs, but can't seem to get any
> > output from it.
> >
> > In my snort.conf, I am using:
> > preprocessor spade: 0.005 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> > preprocessor spade-homenet: 1.1.1.1/20 2.2.2.2/20 3.3.3.3/20
> > preprocessor spade-adapt3: 0.01 60 168
> > preprocessor spade-stats: entropy uncondprob condprob
>
>
> > I've tried different values for the threshhold argument, everything
> > from the default "-1" to the current "0.005".
>
> This looks alright.
>
> > My output plugin is:
> > output database: log, mysql, user=xxx dbname=xxx password=xxx
> > host=1.1.1.1 sensor_name=xxx
> >
> > Is there some problem with Spade and the database output plugin?
>
> I cannot speak to these, hopefully someone else can.  What version of
> Snort are you using?
>
> > In my /var/log/spade/log.txt, I see lots of entries like:
> > P(dport=80|dip=1234567890)= 1.000000000000
> > P(dport=80|dip=1234567890)= 0.625000000000
> > P(dport=443|dip=1234567890)= 0.375000000000
> > P(dport=80|dip=1234567890)= 1.000000000000
> > ***not the real IPs, of course***
> >
> > Since the last field is always greater than my threshhold of 0.005,
> > these should be considered as anamolous by Spade, right?  With a
> > threshhold of 0.005, and tons of traffic (about 30Mb/s right now), I
> > should be getting loads of "spp_anomsensor" alerts, right?
>
> You should be.  (However the reported probabilities in the Spade log
> file are not the same thing as anomaly scores, which is what
> threshold applies to.)
>
> Based on the fact that you are getting entries in log.txt, I would
> infer that Spade is receiving packets and processing them.  With your
> configuration as shown above, you should be getting many Spade alerts
> for the first hour (since 0.005 is a pretty darn low threshold).
> After 1 hour adapt3 will make its first adjustment to the threshold,
> it will choose a threshold which it thinks will result in 1% of
> packets being reported.
>
> I suggest trying to log to a file to see if Spade alerts appear.
> This will verify that Spade is sending alerts for your network.
>
> Hope this helps,
>
>    Jim
> --
> |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
> |*            --- Silicon Defense: IDS Solutions ---             *|
> |*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
> |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users