From: James Hoagland (hoagland@SiliconDefense.com)
Date: Sun Jun 17 2001 - 11:30:51 CDT

    At 4:56 PM -0600 6/16/01, Josh Gentry wrote:
    >Folks,
    >
    >Spade is obviously keeping track of a bunch of stats on the
    >traffic on the network, to be able to calculate probabilities,
    >etc. The logs generated in the spade log dir seem to only
    >contain the results of the calculations. Is there any way to get
    >spade to report the stats it's using to calculate the probability
    >that a packet is anomalous?
    >

    Josh,

    If you are using probability mode 3 (the default), the anomaly score
    is based on the joint probability of the particular destination IP
    and destination port. Specifically it is the negative base-2 log of
    that probability*. The probabilities are derived from observing TCP
    SYNs on your particular network.

    To get the full table of these probabilities (could be quite large),
    you can look into the spade-stat mode. Note that using this mode
    could introduce a several second delay in snort when the statistics
    output is being produced and put in a file. This occurs on certain
    signals and on snort exit. (There is no overhead for this mode at
    other times.)

    See also README.Spade
    (http://www.silicondefense.com/software/spice/spicereadme.htm) and
    the SPICE web page (http://www.silicondefense.com/software/spice/).

    *= at least that is what it is supposed to be. There is little
    difference from a practical point of view, but I recently discovered
    that due to a misplaced parenthesis in the source code, this is not
    quite what it is. If A is the correct anomaly score (correct meaning
    what I described above) and B is what is produced in all released
    versions of Spade, A = 0.693*B - 0.3665. Note that what is
    currently produced is internally consistent and even proportionate, so
    the difference shouldn't matter from a practical point of view.
    We'll need to make the transition at some point though, at least for
    use with SPICE.

    Sincerely,

       Jim

    -- 
    |*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
    |*              hoagland@SiliconDefense.com               *|
    |*              http://www.silicondefense.com/              *|
    |*      Silicon Defense - Technical Support for Snort       *|
    |*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
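The scoring Jim describes for probability mode 3, worked through as an added example (not Spade's code and not part of the original thread): a joint (destination IP, destination port) frequency table built from observed SYNs, the anomaly score as the negative base-2 log of that joint probability, a stat-style dump of the table, and the A = 0.693*B - 0.3665 correction he gives for scores from released versions. The SYN sample is constructed, and the handling of a never-seen pair is an assumption of this example, not Spade's rule.

```python
import math
from collections import Counter

# Constructed sample of observed TCP SYNs as (dst_ip, dst_port); not real traffic.
OBSERVED_SYNS = (
    [("10.0.0.5", 80)] * 8
    + [("10.0.0.5", 443)] * 4
    + [("10.0.0.6", 22)] * 2
    + [("10.0.0.7", 25)] * 2
)

class SynJointModel:
    """Joint (dst IP, dst port) frequency table learned from observed SYNs."""

    def __init__(self):
        self.counts = Counter()
        self.total = 0

    def observe(self, dst_ip, dst_port):
        self.counts[(dst_ip, dst_port)] += 1
        self.total += 1

    def probability(self, dst_ip, dst_port):
        # Relative frequency of this (IP, port) pair among all SYNs seen.
        # Assumption of this example (not Spade's rule): a never-seen pair is
        # scored as if it were one SYN out of total+1, so the score stays finite.
        count = self.counts.get((dst_ip, dst_port), 0)
        if count == 0:
            return 1.0 / (self.total + 1)
        return count / self.total

    def anomaly_score(self, dst_ip, dst_port):
        # Negative base-2 log of the joint probability, as described in the mail.
        return -math.log2(self.probability(dst_ip, dst_port))

def corrected_score(released_score):
    """Map score B from released Spade builds to the intended score A,
    using the relation A = 0.693*B - 0.3665 stated in the mail."""
    return 0.693 * released_score - 0.3665

def build_model(syns=OBSERVED_SYNS):
    model = SynJointModel()
    for ip, port in syns:
        model.observe(ip, port)
    return model

def dump_table(model):
    """Print the full probability table, in the spirit of spade-stat output."""
    for (ip, port), count in sorted(model.counts.items()):
        print(f"{ip}:{port} count={count} p={model.probability(ip, port):.4f} "
              f"score={model.anomaly_score(ip, port):.3f}")

if __name__ == "__main__":
    m = build_model()
    dump_table(m)
    print("unseen 10.0.0.9:3389 score =", round(m.anomaly_score("10.0.0.9", 3389), 3))
```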