
List:       snort-users
Subject:    About Spade (was Re: [Snort-users] flexresp in snort (openbsd
From:       James Hoagland <hoagland () SiliconDefense ! com>
Date:       2001-12-26 17:19:55

At 7:30 PM -0600 12/21/01, Ronneil Camara wrote:
[...]
>Now, my next experiment will be spade.
>
>How does spade benefit us other than how we normally configure snort?

Hello Ronneil,

Whereas snort rules are looking for patterns of known bad traffic, Spade 
will tell you when a packet crossing your network is unusual.  It 
does this by keeping track of statistics about the traffic it has 
seen so far.  From this, it assigns an anomaly score to every new SYN 
packet it sees.  Packets with sufficiently high anomaly scores get 
reported.

The main reason you'd probably want this is that packets in a portscan 
are often anomalous with respect to normal background traffic.  (This 
is because portscans are used for intelligence gathering, implying 
that the attacker does not know what normal traffic is.)  Also you 
probably want to know if some weird packets are coming into your 
network.

Note that Spade is not based on signatures and thus does not rely on 
having a signature for some new attack.  Spade runs pretty darn quick 
in our tests, gobbling a file with 1.25 million SYN packets in less 
than two minutes, even with Snort's full textual alerting on.  Spade 
even maintains its state across runs.  You do need to know your 
network however, since Spade cannot tell you if a packet is 
malicious; this is much like a Snort signature alert not being able 
to tell you if it is a false positive.

Spade is one of two parts of Spice.  The other part is the Spice 
correlator. Spice is designed to detect portscans, even stealthy 
ones.  (Spice is showing excellent results but has not yet been 
publicly released.  We have plans to write a paper on some formal 
experiments with Spice.  One result is of an experiment in which a 
single port on 100 IPs was scanned over the course of 4 days and 
each scan packet had a different source IP.  Spice detected this 
perfectly, meaning catching every packet and having no false 
positives.)

There are some differences between Spade and spp_portscan.  A big one 
is that spp_portscan (like most current portscan detectors) is easy 
to evade by slowing a scan down or varying the source IP; Spade is 
not susceptible to that.  Although it would be easy to add, Spade 
does not report SYNFIN packets and other packets with weird flag 
combinations; spp_portscan does that just fine.  A downside to Spade 
alone versus spp_portscan is that Spade does not group the events 
from a portscan together as that is the Spice correlator's job, but 
any limitation there can be largely overcome by using an alert 
browser such as SnortSnarf.  When Spice is added, it will also sift 
out more of the packets that are not part of a scan or other network 
incident.

You can read more about Spice and Spade here:

    http://www.silicondefense.com/software/Spice/

You can also always download the latest version of Spade and its 
documentation there.

Sorry, didn't mean to ramble too much; hopefully it was useful.

Sincerely,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland@SiliconDefense.com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
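The scoring idea Jim describes above (keep statistics on SYN packets seen so far, score each new SYN by how unusual its destination is, report the high scorers) as an added illustration; this is example code written for this archive page, not Spade's own source. It assumes a simplified model in which the anomaly score is -log2 of the observed probability of the (dst_ip, dst_port) pair, and the traffic sample is constructed.

```python
import math
from collections import Counter

# Constructed sample traffic as (src_ip, dst_ip, dst_port) of SYN packets:
# 60 normal connections to a web server and a mail server, then three probes
# to unusual ports on the web server, each from a different source address.
BASELINE = ([("10.0.0.%d" % i, "192.0.2.10", 80) for i in range(1, 41)]
            + [("10.0.0.%d" % i, "192.0.2.20", 25) for i in range(1, 21)])
PROBES = [("198.51.100.%d" % i, "192.0.2.10", 23 + i) for i in range(1, 4)]


class SpadeLikeScorer:
    """Keeps counts of (dst_ip, dst_port) pairs seen in SYN packets and scores
    a new SYN by how rare its destination has been: -log2(P(dst_ip, dst_port)).
    Simplified model of Spade's idea (an assumption), not Spade's own code."""

    def __init__(self):
        self.counts = Counter()
        self.total = 0

    def train(self, packets):
        # Build the baseline statistics from previously seen traffic.
        for _src, dst, port in packets:
            self.counts[(dst, port)] += 1
            self.total += 1
        return self

    def score(self, dst, port):
        # Probability estimate with a +1 pseudocount so unseen pairs stay finite.
        p = (self.counts[(dst, port)] + 1) / (self.total + 1)
        return -math.log2(p)

    def observe(self, dst, port):
        # Score against history first, then fold the packet into the statistics.
        s = self.score(dst, port)
        self.counts[(dst, port)] += 1
        self.total += 1
        return s


def report(threshold=4.0):
    """Return (src, dst, port, score) for packets whose score reaches threshold.
    The source address never enters the score, so varying the source IP per
    probe or slowing the scan down does not lower a probe's anomaly score."""
    scorer = SpadeLikeScorer().train(BASELINE)
    flagged = []
    for src, dst, port in BASELINE[:5] + PROBES:  # a few normals, then probes
        s = scorer.observe(dst, port)
        if s >= threshold:
            flagged.append((src, dst, port, round(s, 2)))
    return flagged
```

With the constructed sample, the five normal SYNs score well under 1 bit and the three probes score just under 6 bits, so only the probes are reported; as Jim notes, the score says a packet is unusual, not that it is malicious.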

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users