SPICE / SPADE
The Stealthy Portscan and Intrusion Correlation Engine (Spice) is a project at Silicon Defense
to detect portscans, even those in which the attacker has attempted to make the scan stealthy.
For example, they may have slowed down the scan or randomized it. A paper on our approach was
accepted to the CCS IDS Workshop
in Athens and we presented it there on November 1, 2000. Here is a later version of the paper [1000k, PDF] that appeared in the Journal of Computer Security.
The basic idea with Spice is to monitor a network's packets.
Each packet is assigned an anomaly score based on the normal traffic observed
on the network. The higher the score, the more unusual and possibly suspicious
the packet is. These are then passed to a correlator which groups related packets
together and reports portscans. The correlator is under active development, but an
implementation of the anomaly sensor called SPADE has been released and will be
incorporated in future CounterStealth™ products.
Spade stands for the Statistical Packet Anomaly Detection Engine. It is a Snort
preprocessor plugin which sends alerts about anomalous packets through standard
Snort reporting mechanisms.
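As an added illustration (not code from the Spice/SPADE project), the following Python sketches the two stages described above: an assumed anomaly score of -log2 P(destination IP, destination port), with P learned from constructed baseline traffic, followed by a toy correlator that groups high-scoring packets by source address with no time window, so a slowed-down scan still accumulates against its source. The addresses, ports and threshold are constructed sample values.

```python
import math
from collections import Counter, defaultdict

# Constructed "normal" traffic as (src_ip, dst_ip, dst_port) tuples: a web
# server on 10.0.0.10 and a mail server on 10.0.0.11. Not captured data.
BASELINE = ([("10.0.0.5", "10.0.0.10", 80)] * 40
            + [("10.0.0.6", "10.0.0.10", 443)] * 30
            + [("10.0.0.7", "10.0.0.11", 25)] * 10)
# Constructed test traffic: two normal packets plus a slow scan from 192.0.2.1
# touching destination/port pairs never seen in the baseline.
OBSERVED = [("10.0.0.5", "10.0.0.10", 80), ("10.0.0.7", "10.0.0.11", 25),
            ("192.0.2.1", "10.0.0.10", 21), ("192.0.2.1", "10.0.0.10", 22),
            ("192.0.2.1", "10.0.0.11", 23), ("192.0.2.1", "10.0.0.12", 3389)]

class AnomalySensor:
    """Assumed scoring rule (a simplification, not SPADE's own code):
    score = -log2 P(dst_ip, dst_port), P estimated from baseline counts with
    Laplace smoothing so an unseen pair gets a finite but high score."""
    def __init__(self, alpha=1.0):
        self.alpha, self.counts, self.total = alpha, Counter(), 0

    def observe(self, dst_ip, dst_port):
        self.counts[(dst_ip, dst_port)] += 1
        self.total += 1

    def score(self, dst_ip, dst_port):
        # The "+1" category in the denominator reserves probability mass for
        # pairs never observed in the baseline.
        seen = len(self.counts)
        p = ((self.counts[(dst_ip, dst_port)] + self.alpha)
             / (self.total + self.alpha * (seen + 1)))
        return -math.log2(p)

def build_sensor(baseline=BASELINE):
    sensor = AnomalySensor()
    for _src, dst, port in baseline:
        sensor.observe(dst, port)
    return sensor

def report_scanners(sensor, packets=OBSERVED, threshold=4.0, min_targets=3):
    """Toy correlator: group anomalous packets by source with no time window,
    so a scan spread over hours still accumulates against its source.
    Returns (src, number of distinct anomalous targets) above min_targets."""
    hits = defaultdict(set)
    for src, dst, port in packets:
        if sensor.score(dst, port) >= threshold:
            hits[src].add((dst, port))
    return sorted((s, len(t)) for s, t in hits.items() if len(t) >= min_targets)
```

With the constructed baseline, a packet to the web server's port 80 scores about 1.0 bits while any unseen (destination, port) pair scores about 6.4 bits, so the scanner is the only source reported.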
Download Spade here:
(the full 030125.1 distribution) [101k]
The above is for Snort 1.9.0 (and betas). It might also work for previous versions of Snort (though the installation will be more manual). In any case, this older version of Spade is known to work with Snort 1.6.3 through 1.8.7: Spade-010818.1.tar.gz
You might want to look at these files (they are included in the distribution):
(an overview of Spade and how to get going with it)
(how to use and configure)
(Spade's license: the GNU General Public License)
You are invited to join the Spade-users mailing list. This is someplace you can ask questions, make comments/suggestions, or just talk about Spade. Join or search archives from here.