Snort mailing list archives
Re: spade reports
From: James Hoagland <hoagland () SiliconDefense com>
Date: Sun, 17 Jun 2001 09:30:51 -0700
At 4:56 PM -0600 6/16/01, Josh Gentry wrote:
Folks, Spade is obviously keeping track of a bunch of stats on the traffic on the network, to be able to calculate probabilities, etc. The logs generated in the spade log dir seem to only contain the results of the calculations. Is there any way to get spade to report the stats it's using to calculate the probability that a packet is anomalous?
Josh,
If you are using probability mode 3 (the default), the anomaly score is based on the joint probability of the particular destination IP and destination port. Specifically it is the negative base-2 log of that probability*. The probabilities are derived from observing TCP SYNs on your particular network.
To get the full table of these probabilities (could be quite large), you can look into the spade-stat mode. Note that using this mode could introduce a several second delay in snort when the statistics output is being produced and put in a file. This occurs on certain signals and on snort exit. (There is no overhead for this mode at other times.)
See also README.Spade (http://www.silicondefense.com/software/spice/spicereadme.htm) and the SPICE web page (http://www.silicondefense.com/software/spice/).
*= at least that is what it is supposed to be. There is little difference from a practical point of view, but I recently discovered that due to a misplaced parenthesis in the source code, this is not quite what it is. If A is the correct anomaly score (correct meaning what I described above) and B is what is produced in all released versions of Spade, A = 0.693*B - 0.3665. Note that what is currently produced is internally consistent and even proportionate, so the difference shouldn't matter from a practical point of view. We'll need to make the transition at some point though, at least for use with SPICE.
Sincerely,
Jim
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland () SiliconDefense com *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
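The following is an added illustration of the scoring scheme Hoagland describes above; it is not code from the post, from Spade, or from Silicon Defense. It builds the joint (destination IP, destination port) table from a constructed list of observed TCP SYNs, scores a packet as the negative base-2 log of its joint probability, and applies the A = 0.693*B - 0.3665 relation from the footnote to convert a score produced by the released versions into the intended value. Assumptions not taken from the post: the sample SYN history is constructed, an unseen pair is given probability zero (so an infinite score) because this toy table does no smoothing, and the layout of the stats report is invented for readability rather than copied from spade-stat mode.

```python
import math
from collections import Counter

# Constructed SYN history of (dst_ip, dst_port) observations. Sixteen entries are
# chosen so every joint probability is an exact power of two and the scores are
# whole numbers (sample data, not captured traffic).
SAMPLE_SYNS = (
    [("10.0.0.5", 80)] * 8
    + [("10.0.0.5", 443)] * 4
    + [("10.0.0.6", 22)] * 2
    + [("10.0.0.7", 25)]
    + [("10.0.0.8", 3306)]
)


def build_table(syns):
    """Map each (dst_ip, dst_port) pair to (count, empirical joint probability)."""
    counts = Counter(syns)
    total = sum(counts.values())
    return {pair: (n, n / total) for pair, n in counts.items()}


def anomaly_score(table, dst_ip, dst_port):
    """Negative base-2 log of the pair's joint probability.

    Assumption: a pair never seen in the history has probability 0 here and so
    gets an infinite score; this toy table does not smooth its estimates.
    """
    entry = table.get((dst_ip, dst_port))
    if entry is None:
        return math.inf
    _count, prob = entry
    return -math.log2(prob)


def corrected_score(released_score):
    """Convert a score B from the released Spade versions to the intended
    score A using the relation stated in the post: A = 0.693*B - 0.3665."""
    return 0.693 * released_score - 0.3665


def stat_report(table):
    """Rows of (ip, port, count, probability, score), rarest pairs first.
    The row layout is an assumption, not the spade-stat output format."""
    rows = [
        (ip, port, n, p, -math.log2(p))
        for (ip, port), (n, p) in table.items()
    ]
    rows.sort(key=lambda row: row[4], reverse=True)
    return rows


def flag_anomalous(table, packets, threshold):
    """Return the (dst_ip, dst_port) packets whose score meets the threshold,
    i.e. the ones a detector would report."""
    return [pkt for pkt in packets if anomaly_score(table, *pkt) >= threshold]


if __name__ == "__main__":
    table = build_table(SAMPLE_SYNS)
    for ip, port, n, p, score in stat_report(table):
        print(f"{ip:>10}:{port:<5} count={n:2d} p={p:.4f} score={score:.2f}")
    probe = [("10.0.0.5", 80), ("10.0.0.8", 3306), ("10.0.0.9", 1433)]
    print("flagged at threshold 4:", flag_anomalous(table, probe, 4.0))
    print("released score 4.0 corrected:", round(corrected_score(4.0), 4))
```

Run as a script it prints the stats table and the flagged probes; a pair that appears in half the history scores 1 bit, one seen once in sixteen scores 4 bits, and the release-to-intended conversion is a pure linear rescaling, which is why Hoagland can say the released scores stay internally consistent and proportionate.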
Current thread:
- spade reports Josh Gentry (Jun 16)
- Re: spade reports James Hoagland (Jun 17)
- loggin to mySQL Blake Frantz (Jun 17)
- RE: loggin to mySQL Jason Lewis (Jun 17)
- Re: loggin to mySQL Grant Parkinson (Jun 17)
- Re: loggin to mySQL Guillaume (Jun 17)
- loggin to mySQL Blake Frantz (Jun 17)
- Re: spade reports James Hoagland (Jun 17)