RE: Spade/Spice and Snort?

["Michael Steele" <michaels () winsnort com>]

The CC thing is a quirky part of Outlook. I usually 'Reply to all' because
if I just hit the 'reply' button, it only sends eMail to the users address
and not to the list.

The usefulness of spade has greatly diminished when it was no longer
accepted and removed as a part of the Snort distribution.

I'm sure the last update was working with 2.x. You can contact the
programmer (Jim Hoagland) and he can verify this. I think his eMail is in
the distribution. 

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-
> admin () lists sourceforge net] On Behalf Of Matt Kettler
> Sent: Monday, November 03, 2003 7:05 AM
> To: Mark.Schutzmann () Omron com; Michael Steele
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Spade/Spice and Snort?
>
> At 03:34 PM 11/2/2003, Mark.Schutzmann () Omron com wrote:
>
> > Michael,
> >
> > Thanks for that. In fact, I have learned about Spade from SiliconDefense.
> > Since this is a user group, I am actually asking for experiential
> comments.
> > In knowing that Spade works on statistical anomolies, I am wondering if
> > people are finding this to be as useful as it sounds, or whether it is
> just
> > another tool to sort out FPs and whether it just adds overhead to Snort.
>
> (dropping the undesirable cc to snort-users-admin () lists sourceforge net)
>
> Personally, I successfully ran spade on a low-end hardware box so it's not
> very high overhead.. it's definitely MUCH lower overhead than the
> spp_conversation/spp_portscan2 pairing, which caused truly horrid packet
> drop rates on the same hardware (>10%, and I think it was over 20%).
>
> I found that in general things like installing a p2p client on a host that
> previously did nothing but browse the web causes it to fire off quite a
> bit
> for a few days, but in general I found it to be fairly low on the false
> alarms.. I did have to turn a few of the default settings off to get a
> decent level of noise, but later versions of spade appeared to adopt the
> same settings as the default.
>
> Unfortunately, it looks like there's no version of spade designed for
> snort
> 2.0.. the last version they released was 1/25/2003, and supported snort
> 1.9.0 (it works on 1.9.1 as well). It could possibly work with 2.0, but
> I've not tried it.
>
> Given that Silicon Defense has sold their sentaurus product line to
> demarc,
> it's unclear if they are going to continue development of spade or not.
> It's kind of a shame I've not seen more active development of it.. it was
> a
> very useful plugin.
>
>
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users