Snort mailing list archives
Re: Spade Joint Prob table output
From: Wilson Farrell <wfarrell () bbn com>
Date: Tue, 02 Apr 2002 12:58:35 -0500
Thanks Jim... very helpful.

wilson

James Hoagland wrote:
At 1:16 PM -0500 4/1/02, Wilson Farrell wrote:

> I was hoping someone could tell me a little about how the joint probability table for Spade is created. I am assuming that Spade just counts SYN packets. If it sees a SYN packet, it is counted even if there is no SYN ACK. So if a firewall is preventing a connection, the connection attempt will still be accounted for in the probability table.

That is correct.

When Spade gets a SYN packet destined for the specified spade-homenet (0.0.0.0/0 by default), it makes a record of it. Otherwise the packet is discarded by Spade. How it makes a record of it varies with probability mode, but with modes 1, 2, or 3 it records the joint occurrence of the packet's values in certain fields.

After recording the SYN, the anomaly score is calculated for the packet. If it exceeds the current reporting threshold, an alert is sent.

To keep the probability table fresh, exponential decay is used. Ideally the decay would be on a continuous basis, but for the sake of efficiency it is actually done periodically. Also, when it has been a long time since a particular combination of fields' values was seen, it is trimmed from the table. (How long is long depends on how much it was seen previously.)

For more details, I can refer you to our upcoming Journal of Computer Security paper available here:
http://www.silicondefense.com/research/pubs.htm
(This is largely the same paper as I presented at CCS IDS in Athens.) Also, feel free to ask more questions.

Best regards,
Jim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
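The mechanism Jim describes (record only SYNs to the homenet, score each by its joint probability, alert above a threshold, decay periodically and trim entries that fade out) as an added illustration; this is not Spade's own code. It assumes the joined fields are destination IP and destination port, and the decay factor, trim threshold and sample packets are constructed values.

```python
import math
from collections import defaultdict


class JointProbTable:
    """Spade-style joint table: counts (dst_ip, dst_port) pairs seen in SYN packets."""

    def __init__(self, homenet_prefix="", decay=0.9, trim_below=0.5):
        self.homenet_prefix = homenet_prefix  # "" matches all, like spade-homenet 0.0.0.0/0
        self.decay = decay                    # per-period multiplier (assumed value)
        self.trim_below = trim_below          # drop entries whose weight decays below this
        self.counts = defaultdict(float)
        self.total = 0.0

    def observe(self, pkt):
        """Record a SYN and return its anomaly score, or None if the packet is ignored."""
        # Only pure SYNs (SYN set, ACK clear) count; a SYN to a filtered host still counts,
        # since no reply is needed for the record to be made.
        if not pkt["syn"] or pkt["ack"]:
            return None
        if not pkt["dst_ip"].startswith(self.homenet_prefix):
            return None
        key = (pkt["dst_ip"], pkt["dst_port"])
        self.counts[key] += 1.0
        self.total += 1.0
        # Score is -log2 of the joint probability; rarely seen combinations score high.
        return -math.log2(self.counts[key] / self.total)

    def decay_step(self):
        """Periodic exponential decay; entries seen rarely fall below trim_below and are dropped,
        while heavily seen ones survive more periods (how long depends on past frequency)."""
        for key in list(self.counts):
            self.counts[key] *= self.decay
            if self.counts[key] < self.trim_below:
                del self.counts[key]
        self.total = sum(self.counts.values())


def run(packets, threshold, table=None):
    """Feed packets through the table; return (alerts above threshold, table)."""
    table = table if table is not None else JointProbTable()
    alerts = []
    for pkt in packets:
        score = table.observe(pkt)
        if score is not None and score > threshold:
            alerts.append((pkt["dst_ip"], pkt["dst_port"], round(score, 2)))
    return alerts, table


# Constructed sample traffic: nine SYNs to a busy web server, one SYN-ACK (ignored),
# then one SYN to an unusual port on a host that never answers.
SAMPLE = [{"syn": True, "ack": False, "dst_ip": "10.0.0.5", "dst_port": 80}] * 9
SAMPLE += [{"syn": True, "ack": True, "dst_ip": "192.0.2.7", "dst_port": 51000}]
SAMPLE += [{"syn": True, "ack": False, "dst_ip": "10.0.0.9", "dst_port": 23}]
```

With a threshold of 2.0, only the lone SYN to port 23 alerts (score -log2(1/10), about 3.32); a decay step with a small factor trims that entry while the frequently seen web-server entry remains.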
Current thread:
- Spade Joint Prob table output Wilson Farrell (Apr 01)
- Re: Spade Joint Prob table output James Hoagland (Apr 02)
- Re: Spade Joint Prob table output Wilson Farrell (Apr 02)
- Re: Spade Joint Prob table output James Hoagland (Apr 02)