-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathspade.conf
93 lines (86 loc) · 5.43 KB
/
spade.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# Example configuration file for Spade v021026.1 and later
# use this as your snort config file (-c option) to run Snort Spade-only
# include it in your snort config file or put lines of this form in it
# set this to a directory Spade can read and write to store its files
var SPADEDIR .
# see the Usage.Spade file for the full meaning of and all the options
# available for all these lines
# This is the main Spade configuration line; it must appear first.
# Here are some options for this line:
# + dest: the Snort facility that the Spade output should go to
# (alert, log, or both)
# + statefile: where Spade's persistant data is stored
# + logfile: where Spade will store information about its run
# + Xdports,Xdips,Xsips,Xsports: like below but with global application
preprocessor spade: dest=alert logfile=$SPADEDIR/spade.log statefile=$SPADEDIR/spade.rcv
# This line sets up your Spade homenet. Set this to the network that is
# connecting to the larger network at the point Spade is running.
# It is important to configure this line.
# Your networks should be like [10.0.0.0/8,192.168.0.0/16] or space separated
preprocessor spade-homenet: any
# Turn on some detectors with "spade-detect" lines. Each of these enables
# a cetain type of detector for a certain type of packet. If you start to
# feel overwhelmed, use Xdports, Xdips, Xsips, and/or Xsports on the lines
# below to suppress reports you don't care about, and/or disable some of
# your detectors these that you care least about.
# These detect packets going to seemingly closed dest ports
# You can add thresh=N to override the default reporting threshold.
preprocessor spade-detect: type=closed-dport tcpflags=synonly wait=3
preprocessor spade-detect: type=closed-dport tcpflags=weird thresh=0.5
#preprocessor spade-detect: type=closed-dport tcpflags=synack
#preprocessor spade-detect: type=closed-dport tcpflags=established
#preprocessor spade-detect: type=closed-dport tcpflags=teardown
#preprocessor spade-detect: type=closed-dport proto=udp wait=5
#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=synonly wait=5
#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=weird
#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=synack
#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=established
#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=teardown
#preprocessor spade-detect: type=closed-dport to=nothome proto=udp wait=7
# These detect packets going to a seemingly non-live IP
#preprocessor spade-detect: type=dead-dest tcpflags=synonly wait=2
preprocessor spade-detect: type=dead-dest tcpflags=weird wait=2
preprocessor spade-detect: type=dead-dest tcpflags=synack wait=2
#preprocessor spade-detect: type=dead-dest tcpflags=setup wait=2
preprocessor spade-detect: type=dead-dest tcpflags=established wait=5
preprocessor spade-detect: type=dead-dest tcpflags=teardown wait=2
preprocessor spade-detect: type=dead-dest proto=udp wait=2
preprocessor spade-detect: type=dead-dest proto=icmp icmptype=noterr wait=2
#preprocessor spade-detect: type=dead-dest proto=icmp icmptype=err wait=2
# These detect unusual use of a dest port by a source IP
# You can add thresh=N to override the default reporting threshold.
#preprocessor spade-detect: type=odd-dport proto=tcp wait=2
#preprocessor spade-detect: type=odd-dport proto=udp wait=5
#preprocessor spade-detect: type=odd-dport from=nothome proto=tcp
#preprocessor spade-detect: type=odd-dport from=nothome proto=udp
# These detect ICMP packets with an unusual type and code
# You can add thresh=N to override the default reporting threshold.
preprocessor spade-detect: type=odd-typecode
preprocessor spade-detect: type=odd-typecode to=nothome
# These detect unusual connections to a dest IP by a source IP when the
# dest port has predictable dest IPs
# You can add thresh=N to override the default reporting threshold.
#preprocessor spade-detect: type=odd-port-dest proto=tcp Xdports=80
#preprocessor spade-detect: type=odd-port-dest proto=udp Xdports=80
#preprocessor spade-detect: type=odd-port-dest from=nothome proto=tcp Xdports=80
#preprocessor spade-detect: type=odd-port-dest from=nothome proto=udp Xdports=80
# This line causes Spade to adjust the reporting threshold for a given
# detector automatically; repeat it for each detector that you want to apply
# it to
# Target is the target rate of alerts for normal circumstances
# (0.01= 1% or you can give it an hourly rate)
# After the first hour (or however long the period is set to with "obsper"),
# the initially configured reporting threshold is ignored
# To use this, you will need to an option of the form id=<label> to the
# spade-detect line of the detector you want to be adapted and set
# id=<label> below to match
# This mode is recommended for users getting started that are using absolute
# anomaly scores; relative score users might want it as well.
#preprocessor spade-adapt3: id=<label> target=0.01 obsper=60
# some other possible Spade config lines:
# offline threshold advising for a detector
#preprocessor spade-threshadvise: id=<label> target=200 obsper=24
# periodically report on the anom scores and count of packets seen by a detector
#preprocessor spade-survey: id=<label> surveyfile=$SPADEDIR/survey.txt interval=60
# print out certain all known stats about packet features
#preprocessor spade-stats: entropy uncondprob condprob