Snort mailing list archives
Re: How can I tell if spade is running?
From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Fri, 24 Aug 2001 13:46:44 +0100
Thanks for that. Someone had already alerted me to the -1 problem. I changed the debug level, and got a Fatal error: Could not open file. I then realised that I had a full stop (.) on the end of my SPADEDIR variable. I removed this and changed the code again from CallAlertFuncs to CallAlertPlugins (don't know if it makes any difference). I also added a CallLogPlugins call, before I realised that spade only looks at SYN packets, so I won't get payload anyway. It would be nice to be able to log the next two ACK packets, to try and get some of the payload, but I'm not sure how that could be done.

I don't know why I only got the Fatal error message when I put the debug level up; looking at the code it should always produce that message.

SPADE is now working, and I am trying to tune it. I didn't really want to use the home-net plugin, because I wanted to scan for anomalous traffic leaving the network as well, but it's just too noisy. Tuning the alert level is difficult. I notice, in the midst of alerts about normal web & email traffic, traffic coming in to port 80 on unused IP addresses was also getting logged. I thought this was good, until I noticed that it had the same anomaly level as normal web traffic, so it disappeared when I put the level up. How much normal traffic does it have to see before it starts balancing out? I would have expected traffic coming in to port 80 on unused IP addresses to have a higher anomaly score than traffic from our email server. Still, I expect it will take a while to tune it to our network traffic.
Gary Grim <garyg () silicondefense com> 23/08/01 23:34:21 >>>
Matthew, Hi, a couple of comments here. To begin, you'll need to grab the latest version of spade to fix the logging bug. Just follow the link below: http://www.silicondefense.com/software/spice/index.htm

Next, the -1 is effectively an "infinite" threshold, i.e. no reporting, which is why you're not seeing anything in the alert file, assuming you are not using threshold adapting. After you rebuild snort with the 010818.1 version of Spade, I would suggest something like the following config file options:

    preprocessor spade: 0 $logdir/spade.rcv $logdir/log.txt 3 50000
    preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
    preprocessor spade-adapt2: 0.01 1

I would run this for a couple of minutes. You should get a number of alerts, along with a "threshold adapt" message in the alert file, and when you quit, $logdir/log.txt will have some stats. If you choose to use "-", i.e. <stdout> for the log file, be forewarned that the stats immediately follow the ^C of the SIGQUIT, and are difficult to see, unless you look carefully. Jim, the main dude, is aware of this, and will update the output to include some whitespace, horizontal rules, and header info in a future release.

After testing, I would suggest setting your threshold to around 10 or 12, and take the defaults for adapt2, i.e.

    preprocessor spade: 10 $logdir/spade.rcv $logdir/log.txt 3 50000
    preprocessor spade-homenet: xxx.xxx.xxx.xxx/yy
    preprocessor spade-adapt2:

Every once in a while, you'll probably want to check the threshold updates, and see if there is a nominal range in which they fall, and then update your initial threshold to the middle of this.

Hope this helps. Cheers, Gary

Matthew Collins wrote:
I've just put some more memory in our snort box, so I thought I'd try enabling spade & stream4 as well as upgrade to 1.8.1. My question is: how can I tell if it is doing anything? It doesn't look like it is working, there are no output files anywhere, but I don't know if it creates them as soon as it starts (like snort logging) or just when it needs them. Here's the relevant bits from the conf file.

    var SPADEDIR /var/log/spade.
    # preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000

I've tried sending snort SIGUSR1 which the docs say should make spade do a checkpoint, but nothing appears in the /var/log/spade directory. Snort is compiled from source. There are no warnings in the startup log.

****************************************************************************************
This message and any attachments are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged. If you are not the addressee you may not copy, forward, disclose or use any part of the message or its attachments and if you have received this message in error, please notify the sender immediately by return e-mail and delete it from your system. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message which arise as a result of Internet transmission. Northern Registrars Limited, Northern House, Woodsome Park, Fenay Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900 Fax: +44 (0) 1484 600911 For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************
_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
--
|* Silicon Defense - Technical Support for Snort *|
|* mailto:garyg () SiliconDefense com *|
|* http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
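As an added example (not from this thread or from the Spade project), a small checker that reads the spade lines out of a snort.conf and flags the two configuration mistakes discussed above: a `var` value ending in a full stop, which made Spade fail with "Could not open file", and a -1 threshold, which Gary explains means no reporting at all. The sample conf and the line patterns are constructed assumptions about the snort.conf syntax shown in the thread.

```python
import re

# Constructed sample snort.conf fragment reproducing both problems from the thread:
# a trailing '.' on SPADEDIR and an active -1 (never report) threshold.
SAMPLE_CONF = """\
var SPADEDIR /var/log/spade.
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-adapt2: 0.01 1
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")          # var NAME VALUE
PRE_RE = re.compile(r"^\s*preprocessor\s+spade:\s*(.*)$")  # the main spade line only

def expand(value, variables):
    """Expand $NAME references using the 'var' directives seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def check_spade_conf(text):
    """Return a list of (severity, message) findings for the spade setup in a snort.conf."""
    findings, variables, saw_spade = [], {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines are ignored by snort, so not evaluated
        m = VAR_RE.match(line)
        if m:
            name, value = m.groups()
            variables[name] = value
            if value.endswith("."):
                findings.append(("error", f"line {lineno}: var {name} ends with '.'; "
                                          "paths built from it will not open"))
            continue
        m = PRE_RE.match(line)
        if not m:
            continue
        saw_spade = True
        args = m.group(1).split()
        if len(args) < 3:
            findings.append(("error", f"line {lineno}: spade needs threshold, checkpoint and log file"))
            continue
        if float(args[0]) == -1:
            findings.append(("warn", f"line {lineno}: threshold -1 never reports; "
                                     "use a finite value (e.g. 0 while tuning with adapt2)"))
        for path in (expand(args[1], variables), expand(args[2], variables)):
            if path != "-" and "$" in path:
                findings.append(("error", f"line {lineno}: unresolved variable in {path}"))
    if not saw_spade:
        findings.append(("warn", "no active 'preprocessor spade:' line; spade is not enabled"))
    return findings
```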
Current thread:
- How can I tell if spade is running? Matthew Collins (Aug 23)
- Re: How can I tell if spade is running? Gary Grim (Aug 23)
- Re: How can I tell if spade is running? James Hoagland (Aug 23)
- <Possible follow-ups>
- Re: How can I tell if spade is running? Matthew Collins (Aug 24)
- Re: How can I tell if spade is running? James Hoagland (Aug 28)
- Re: How can I tell if spade is running? Matthew Collins (Aug 29)
- Re: How can I tell if spade is running? James Hoagland (Aug 29)
- Re: How can I tell if spade is running? Gary Grim (Aug 23)