Re: How can I tell if spade is running?

["Matthew Collins" <Matthew.Collins () northernregistrars co uk>]

Thanks for that. Someone had already alerted me to the -1 problem. I changed the debug level, and got a Fatal error: 
Could not open file. I then realised that I had a full stop (.) on the end of my SPADEDIR variable. I removed this and 
changed the code again from CallAlertFuncs to CallAlertPlugins (don't know if it makes any difference). I also added a 
CallLogPlugins call, before I realised that spade only looks at SYN packets, so I won't get payload anyway. It would be 
nice to be able to log the next two ACK packets, to try and get some of the payload, but I'm not sure how that could be 
done.
I don't know why I only got the Fatal error message when I put the debug level up, looking at the code it should always 
produce that message.
SPADE is now working, and I am trying to tune it. I didn't really want to use the home-net plugin, because I wanted to 
scan for anomalous traffic leaving the network as well, but it's just too noisy.
Tuning the alert level is difficult. I notice, in the midst of alerts about normal web & email traffic, traffic coming 
in to port 80 on unused IP addresses was also getting logged. I thought this was good, until I noticed that it had the 
same anomaly level as normal web traffic, so it disappeared when I put the level up.
How much normal traffic does it have to see before it starts balancing out? I would have expected traffic coming in to 
port 80 on unused IP addresses to have a higher anomaly score than traffic from our email server. Still, I expect it 
will take a while to tune it to our network traffic.

> > > Gary Grim <garyg () silicondefense com> 23/08/01 23:34:21 >>>
Matthew,

Hi, a couple of comments here.  To begin, you'll need to grab the latest
version of spade to fix the logging bug.  Just follow the link below:

http://www.silicondefense.com/software/spice/index.htm 

Next, the -1 is effectively an "infinite" threshold, i.e. no reporting,
which is why you're not seeing anything in the alert file, assuming you
are not using threshold adapting.   After you rebuild snort with the
010818.1 version of Spade, I would suggest something like the following
config file options:

preprocessor spade: 0 $logdir/spade.rcv $logdir/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
preprocessor spade-adapt2: 0.01 1

I would run this for a coupe of minutes.  You should get a number of
alerts, along with a "threshold adapt" message in the alert file, and
when you quit, $logdir/log.txt will have some stats.  If you choose to
use "-", i.e. <stdout> for the log file, be forewarned that the stats
immediately follow the ^C of the SIGQUIT, and are difficult to see,
unless you look carefully.  Jim, the main dude, is aware of this, and
will update the ouptput to include some whitespace, horizontal rules,
and header info in a future release.

After testing, I would suggest setting your threshold to around 10 or
12, and take the defaults for adapt2, i.e.

preprocessor spade: 10 $logdir/spade.rcv $logdir/log.txt 3 50000
preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
preprocessor spade-adapt2:

Every once in awhile, you'll probably want to check the threshold
updates, and see if there is a nominal range in which they fall, and
then update your initial threshold to the middle of this.

Hope this helps.

Cheers,
Gary 

Matthew Collins wrote:
> I've just put some more memory in our snort box, so I thought I'd try enabling spade & stream4 as well as upgrade to 
> 1.8.1
>
> My question is. How can I tell if it is doing anything. It dosn't look like it is working, there are no output files 
> anywhere, but I don't know if it creates them as soon as it starts (like snort logging) or just when it needs them.
>
> Here's the relavent bits from the conf file.
>
> var SPADEDIR /var/log/spade.
> #
> preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
>
> I've tried sending snort SIGUSR1 which the docs say should make spade do a checkpoint, but nothing appears in the 
> /var/log/spade directory.
> Snort is compiled from source. There are no warnings in the startup log.
>
> ****************************************************************************************
> This message and any attachments are confidential to the ordinary user of
> the e-mail address to which it was addressed and may also be privileged.
> If you are not the addressee you may not copy, forward, disclose or use
> any part of the message or its attachments and if you have received this
> message in error, please notify the sender immediately by return e-mail and
> delete it from your system.
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, arrive late or contain
> viruses. The sender therefore does not accept liability for any errors or
> omissions in the context of this message which arise as a result of Internet
> transmission.
> Northern Registrars Limited, Northern House, Woodsome Park, Fenay
> Bridge, Huddersfield. HD8 0LA.
> Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
> For more information visit our web site: http://www.northernregistrars.co.uk 
> ****************************************************************************************
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net 
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list 

-- 
|*    Silicon Defense - Technical Support for Snort      *|
|*           mailto:garyg () SiliconDefense com             *|
|*           http://www.silicondefense.com/              *|
|*     Voice: (530) 756-7317   Fax: (530) 756-7297       *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain 
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users