Re: Spade 021008.1 available!

[James Hoagland <hoagland () SiliconDefense com>]

FYI, looks like a last minute fix I made to the installation Makefile 
might have bit me a bit.  If you get the message:

  Makefile:17: *** missing separator.  Stop.

just edit Makefile to delete the 2 lines that begin with "@#".

I'll get a new version out before long with that fixed, but want to 
see if there are any other priority changes.  So, try it out folks! :)

-- Jim

At 5:50 PM -0700 10/8/02, James Hoagland wrote:
> Hello everyone,
>
> Silicon Defense is pleased to announce the availability of Spade 
> version 021008.1.  This version of Spade has significant expansion 
> of its detection capabilities and other features.  For those not 
> familiar with Spade, it is a Snort preprocessor plugin that finds 
> anomalous packets on your network.
>
> Here is the change list since the previous release (which was also a 
> standard part of Snort):
>
> + Large expansion of Spade detection capabilities, including:
>     + UDP and non-SYN TCP anomaly detection added
>     + a new detection type looks for packets to unused IP addresses
>     + another new detection type looks for sources using unusual destination
>         port numbers
>     + you can apply Spade to the outbound direction of your network as well
>         as inbound and internal
> + You can now ask Spade to hold a report for a few seconds to see if the
>     port is open or closed (bye bye passive FTP reports)
> + Ported to Snort 1.9
> + You have a little more control over what is reported (you can suppress
>     certain source or dest networks and source or dest ports)
> + Relative anomaly scores are now standard (unlike the formerly standard raw
>     anomaly scores, this has a much more predictable range)
> + Spade alert message strings updated (e.g., now always starts with "Spade",
>     indicates detection type, and indicates scope detection was being
>     applied to)
> + The way you configure snort has changed (but backwards compatibility
>     preserved); you now enable a number of detectors, all options are in the
>     form of <option>=<val>, etc.
> + You can now control whether Spade reports go to the Snort alert facility,
>     log facility, or both
> + Documentation significantly updated
> + New, easier installation into Snort
> + You can now specify your Spade homenets in the Snortesque manner of
>     [<net>,<net>]
> + spade-threshadvise (formerly called spade-threshlearn) now correctly
>     reports how long it ran for
> + Stats mode provides more contextual information
> + The options controlling how Spade's observations decay can now be set in
>     the configuration file
> + Spade produces informative log messages as it starts up
> + Spade now checks to make sure the main configuration line is given before
>     its other configuration lines (this eliminates an obscure error
>     condition when the user forgets the main Spade line)
> + Spade's Snort source files renamed to spp_spade.[ch] from
>     spp_anomsensor.[ch] for clarity
> + Packet cloning patch included in installation (this is Snort internal
>     functionality that this version of Spade requires)
> + Probably more changes I can't recall right now
>
> This release involved some significant internal restructuring of the 
> Spade code.  This should set it up quite well for adding additional 
> detection capabilities in the future.
>
> You can download Spade and read more about it here:
>
>   http://www.silicondefense.com/software/spice/
>
> We're also pleased to announce a new mailing lists for Spade, 
> Spade-users.  This is a good place to talk about Spade (ask 
> questions, make suggestions, etc.).  You can subscribe here:
>
>   http://www.silicondefense.com/mailman/listinfo/spade-users
>
> We'd like to thank DARPA for their continuing support of Spade.
>
> Sincerely,
>
>   Jim Hoagland
> --
> |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
> |*            --- Silicon Defense: IDS Solutions ---             *|
> |*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
> |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users