Snort mailing list archives

Re: Spade Joint Prob table output


From: Wilson Farrell <wfarrell () bbn com>
Date: Tue, 02 Apr 2002 12:58:35 -0500

Thanks Jim... very helpful.

wilson

James Hoagland wrote:

At 1:16 PM -0500 4/1/02, Wilson Farrell wrote:

I was hoping someone could tell me a little about how the joint probability table for Spade is created. I am assuming that spade just counts SYN packets. If it sees a SYN packet, it is counted even if there is no SYN ACK. So if a firewall is preventing a connection, the connection attempt will still be accounted for in the probability table.


That is correct.

When Spade gets a SYN packet destined for the specified spade-homenet (0.0.0.0/0 by default), it makes a record of it. Otherwise the packet is discarded by Spade. How it makes a record of it varies with probability mode, but with modes 1, 2, or 3 it records the joint occurrence of the packet's values in certain fields.

After recording the SYN, the anomaly score is calculated for the packet. If it exceeds the current reporting threshold, an alert is sent.

To keep the probability table fresh, exponential decay is used. Ideally the decay would be on a continuous basis, but for the sake of efficiency it is actually done periodically. Also, when it has been a long time since a particular combination of fields' values was seen, it is trimmed from the table. (How long is long depends on how much it was seen previously.)

For more details, I can refer you to our upcoming Journal of Computer Security paper available here:

  http://www.silicondefense.com/research/pubs.htm

(This is largely the same paper as I presented at CCS IDS in Athens.) Also, feel free to ask more questions.

Best regards,

  Jim
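To make the mechanism Jim describes concrete (record each SYN to the home net, score it against the joint table, decay the table periodically and trim stale combinations), here is an added toy model; it is not Spade's code, and it assumes the table keys on (dst_ip, dst_port), that the score is -log2 of the joint probability, and constructed threshold, decay and trim values.

```python
"""Spade-style SYN anomaly scorer (added illustration, not Spade's own code)."""
import math
from collections import defaultdict


class SpadeTable:
    # Assumed parameters: reporting threshold in bits, per-period decay factor,
    # and the count below which a field combination is trimmed from the table.
    def __init__(self, threshold=8.0, decay=0.5, trim_floor=0.1, homenet=("10.0.0.",)):
        self.counts = defaultdict(float)   # joint count per (dst_ip, dst_port)
        self.total = 0.0
        self.threshold, self.decay, self.trim_floor = threshold, decay, trim_floor
        self.homenet = homenet             # stands in for spade-homenet

    def in_homenet(self, ip):
        return any(ip.startswith(prefix) for prefix in self.homenet)

    def observe(self, pkt):
        """Record a SYN to the home net and return (score, alert); else None."""
        if not pkt.get("syn") or not self.in_homenet(pkt["dst_ip"]):
            return None                    # non-SYN or off-net: discarded
        key = (pkt["dst_ip"], pkt["dst_port"])
        self.counts[key] += 1              # record first, then score
        self.total += 1
        score = -math.log2(self.counts[key] / self.total)
        return score, score > self.threshold

    def age(self):
        """Periodic exponential decay, then trim combinations not seen for long."""
        for key in list(self.counts):
            self.counts[key] *= self.decay
            if self.counts[key] < self.trim_floor:
                del self.counts[key]       # rarely seen combos expire soonest
        self.total = sum(self.counts.values())


def demo():
    """Constructed traffic: 1000 SYNs to a web server, then one to telnet."""
    table = SpadeTable(threshold=8.0)
    web = {"syn": True, "dst_ip": "10.0.0.5", "dst_port": 80}
    telnet = {"syn": True, "dst_ip": "10.0.0.7", "dst_port": 23}
    for _ in range(1000):
        table.observe(web)
    web_score, web_alert = table.observe(web)         # familiar: score 0
    rare_score, rare_alert = table.observe(telnet)    # novel: ~10 bits, alert
    for _ in range(4):                                # four decay periods
        table.age()
    return {"web": (web_score, web_alert), "telnet": (rare_score, rare_alert),
            "kept": sorted(table.counts)}
```

After four decay periods the single telnet SYN has fallen below the trim floor and is dropped, while the heavily seen web combination survives, which is the "how long is long depends on how much it was seen" behaviour from the post.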



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users