diff -uNr snort-2.3.3/etc/snort.conf snort-2.3.3-spade/etc/snort.conf
--- snort-2.3.3/etc/snort.conf	2005-04-23 21:48:52.000000000 +0200
+++ snort-2.3.3-spade/etc/snort.conf	2006-03-31 14:16:22.000000000 +0200
@@ -637,6 +637,7 @@
 #   Zeno <admin@cgisecurity.com>
 #   Ryan Russell <ryan@securityfocus.com>
 
+include spade.ossim.conf
 
 
 #=========================================
diff -uNr snort-2.3.3/etc/spade.ossim.conf snort-2.3.3-spade/etc/spade.ossim.conf
--- snort-2.3.3/etc/spade.ossim.conf	1970-01-01 01:00:00.000000000 +0100
+++ snort-2.3.3-spade/etc/spade.ossim.conf	2006-03-31 14:16:22.000000000 +0200
@@ -0,0 +1,117 @@
+# Example configuration file for Spade v021026.1 and later
+# use this as your snort config file (-c option) to run Snort Spade-only
+# include it in your snort config file or put lines of this form in it
+
+# set this to a directory Spade can read and write to store its files
+var SPADEDIR /var/log/snort/
+
+# see the Usage.Spade file for the full meaning of and all the options
+#   available for all these lines
+
+# This is the main Spade configuration line; it must appear first.
+# Here are some options for this line:
+# + dest:  the Snort facility that the Spade output should go to
+#   (alert, log, or both)
+# + statefile:  where Spade's persistant data is stored
+# + logfile:  where Spade will store information about its run
+# + Xdports,Xdips,Xsips,Xsports: like below but with global application
+preprocessor spade:  dest=alert logfile=$SPADEDIR/spade.log statefile=$SPADEDIR/spade.rcv
+
+# This line sets up your Spade homenet.  Set this to the network that is
+#   connecting to the larger network at the point Spade is running.
+# It is important to configure this line.
+# Your networks should be like [10.0.0.0/8,192.168.0.0/16] or space separated
+#preprocessor spade-homenet: 192.168.1.0/24
+
+# Turn on some detectors with "spade-detect" lines.  Each of these enables
+#   a cetain type of detector for a certain type of packet.  If you start to
+#   feel overwhelmed, use Xdports, Xdips, Xsips, and/or Xsports on the lines 
+#   below to suppress reports you don't care about, and/or disable some of
+#   your detectors these that you care least about.
+#        These detect packets going to seemingly closed dest ports
+#            You can add thresh=N to override the default reporting threshold.
+#
+#
+#  Closed Dest Ports
+preprocessor spade-detect: type=closed-dport Xsports=80,443 tcpflags=synonly wait=2
+preprocessor spade-detect: type=closed-dport Xsports=53,137,138,139 proto=udp wait=2
+#  Rare but Open Dst Used
+preprocessor spade-detect: type=closed-dport Xsports=80,443 Xdports=80,443 tcpflags=synonly revwaitrpt wait=2
+preprocessor spade-detect: type=closed-dport Xsports=53,137,138,139 proto=udp revwaitrpt wait=2
+#preprocessor spade-detect: type=closed-dport tcpflags=weird thresh=0.5
+#preprocessor spade-detect: type=closed-dport tcpflags=synack 
+#preprocessor spade-detect: type=closed-dport tcpflags=established 
+#preprocessor spade-detect: type=closed-dport tcpflags=teardown 
+#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=synonly wait=5
+#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=weird 
+#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=synack 
+#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=established 
+#preprocessor spade-detect: type=closed-dport to=nothome tcpflags=teardown 
+#preprocessor spade-detect: type=closed-dport to=nothome proto=udp wait=7
+
+
+#  These detect packets going to a seemingly non-live IP
+#
+#
+preprocessor spade-detect: type=dead-dest Xdports=80,443 tcpflags=synack wait=2
+preprocessor spade-detect: type=dead-dest proto=udp Xsports=53 wait=2
+preprocessor spade-detect: type=dead-dest proto=icmp icmptype=noterr wait=2
+#preprocessor spade-detect: type=dead-dest tcpflags=weird wait=2
+#preprocessor spade-detect: type=dead-dest tcpflags=setup wait=2
+#preprocessor spade-detect: type=dead-dest tcpflags=synonly wait=2
+#preprocessor spade-detect: type=dead-dest tcpflags=established wait=5
+#preprocessor spade-detect: type=dead-dest tcpflags=teardown wait=2
+#preprocessor spade-detect: type=dead-dest proto=icmp icmptype=err wait=2
+
+
+
+#        These detect unusual use of a dest port by a source IP
+#            You can add thresh=N to override the default reporting threshold.
+#
+#  Source used Odd Dest Port
+preprocessor spade-detect: type=odd-dport proto=tcp wait=2
+preprocessor spade-detect: type=odd-dport proto=udp Xsports=53,137,138,139 wait=2
+#preprocessor spade-detect: type=odd-dport from=nothome proto=tcp
+#preprocessor spade-detect: type=odd-dport from=nothome proto=udp
+
+
+#        These detect ICMP packets with an unusual type and code
+#            You can add thresh=N to override the default reporting threshold.
+#
+#
+preprocessor spade-detect: type=odd-typecode
+preprocessor spade-detect: type=odd-typecode to=nothome
+
+
+#        These detect unusual connections to a dest IP by a source IP when the
+#            dest port has predictable dest IPs
+#            You can add thresh=N to override the default reporting threshold.
+#
+#   Source Used Odd Dest For Port
+preprocessor spade-detect: type=odd-port-dest proto=tcp Xdports=80,443
+preprocessor spade-detect: type=odd-port-dest proto=udp Xsports=53,137,138,139
+#preprocessor spade-detect: type=odd-port-dest from=nothome proto=tcp Xdports=80
+#preprocessor spade-detect: type=odd-port-dest from=nothome proto=udp Xdports=80
+
+
+# This line causes Spade to adjust the reporting threshold for a given
+#   detector automatically; repeat it for each detector that you want to apply
+#   it to
+# Target is the target rate of alerts for normal circumstances
+#   (0.01= 1% or you can give it an hourly rate)
+# After the first hour (or however long the period is set to with "obsper"),
+#   the initially configured reporting threshold is ignored
+# To use this, you will need to an option of the form id=<label> to the
+#   spade-detect line of the detector you want to be adapted and set
+#   id=<label> below to match
+# This mode is recommended for users getting started that are using absolute
+#   anomaly scores; relative score users might want it as well.
+#preprocessor spade-adapt3: id=<label> target=0.01 obsper=60
+
+# some other possible Spade config lines:
+# offline threshold advising for a detector
+#preprocessor spade-threshadvise: id=<label> target=200 obsper=24
+# periodically report on the anom scores and count of packets seen by a detector
+#preprocessor spade-survey:  id=<label> surveyfile=$SPADEDIR/survey.txt interval=60
+# print out certain all known stats about packet features
+#preprocessor spade-stats: entropy uncondprob condprob
diff -uNr snort-2.3.3/src/Makefile.am snort-2.3.3-spade/src/Makefile.am
--- snort-2.3.3/src/Makefile.am	2004-09-13 19:44:49.000000000 +0200
+++ snort-2.3.3-spade/src/Makefile.am	2006-03-31 14:16:22.000000000 +0200
@@ -45,7 +45,8 @@
 smalloc.h \
 snort_packet_header.h \
 event_queue.c event_queue.h \
-inline.c inline.h
+inline.c inline.h \
+packets.c packets.h
 
 snort_LDADD = output-plugins/libspo.a \
 detection-plugins/libspd.a            \
diff -uNr snort-2.3.3/src/packets.c snort-2.3.3-spade/src/packets.c
--- snort-2.3.3/src/packets.c	1970-01-01 01:00:00.000000000 +0100
+++ snort-2.3.3-spade/src/packets.c	2006-03-31 14:16:22.000000000 +0200
@@ -0,0 +1,265 @@
+/*
+To: snort-devel@lists.sourceforge.net
+From: James Hoagland <hoagland@SiliconDefense.com>
+Cc: hoagland@SiliconDefense.com
+Subject: [Snort-devel] New internal facility: packet cloning
+Date: Sun, 29 Sep 2002 20:31:08 -0700
+
+Greetings all,
+
+I have written some new Snort internal functionality that should help current and future Snort detectors (e.g., preprocessors) do better detection and/or more complete and standard reporting.  That functionality is creating a copy of a Packet.
+
+Some background first, as I understand it (correct me if I am mistaken).  A Packet is the Snort data structure that contains the parsed fields of a packet that libpcap presents to Snort.  It is Snort's standard representation of a packet and so is used throughout the program.  It is given to preprocessors and Snort's signature based detector as one in a stream of packets.  When these detectors wish to report on a packet, they typically pass the Packet to the alert/log facilities (e.g., alert file or database) that the user has configured.  However, sometimes detectors use different output means than the standard ones that the user configured.  For example, spp_portscan and spp_portscan2 and their packet logs.  (There could be others.)
+
+I cannot say for sure why these two do not use the standard output mechanism.  But one barrier is the combination of the fact that the output mechanisms can only output a Packet structure and the fact that the Packet that is given to the detectors does not persist beyond that call into that detector.  Specifically, there is only one Packet that Snort has in memory at a time.  Regardless of the reason, the effect is that the user does not have the control they might like over the place where packets are stored.  For example, they cannot have portscan packets (as reported by spp_portscan) be logged to the database.  So this suggests that in order to give this flexibility to the user, the simplest thing is to provide the detector with a means of holding onto a Packet beyond its invocation.  However, this functionality does not exist in Snort and, given the complexity, it can be daunting for the detector writer to do write it themselves.
+
+The class of detectors that this will help is those that do not want to immediately report on a packet.  Often this will be because they want to wait for future information contained on the packet stream. For example, they want to eliminate a potential false positive.  And we know that false positives can be a barrier to effective use of Snort (and other IDSs).  So, providing the copying functionality, while not getting rid of false positives and promoting more standard packet reporting, can be enabling towards these goals.
+
+
+Okay, enough for the motivational speech. :)  Its working code that gets things done in open source.  So, it is attached.  At least it is working in my tests; I need others to test it our as well since, e.g., I do not have access to FDDI network packet to try it on.  And I am not an expert on the Packet data structure.  But I know much more about it now, given frequent consultation with decode.[ch].
+
+This is what is attached:
+
+1) packets.c: the code that implements ClonePacket() and FreePacket().
+
+2) packet.h:  I'll let you guess what role this serves. :)
+
+3) snort+pclone.patch:  A patch against snort 1.9.0beta6 that puts packets.[ch] into the Snort source.  In addition, the patch includes a hack of a preprocessor, spp_pcopytest, that uses the cloning code. It makes clones of 100 packets on the packet stream at a time before pushing them to the standard output facilities.  For reference, the original packets are spit out as they are received.  The original should match the clone (as they do in all my tests).  Run it as "src/snort -c etc/pcopytest.conf".
+
+Implementation notes.  There were other ways that this can be approached.  My goal was for it to be efficient and with only localized changes (e.g., no changes to Packet).  There are some other notes in the source.
+
+Snort notes.  There might be a couple small snags when using cloned packets.  One that I noticed is an (now) incorrect assumption that there will only be one call to PrintNetData between each packet acquisition.  (The workaround it to manually flush its cache.)  If some output mechanism makes a hardcoded reference to "the" Packet, that will be broken.  And if anything else makes the assumption that PrintNetData did, that would be broken.
+
+
+My main motivation for doing this is that the next generation version of Spade will need this functionality to reduce false positives and to accurately detect new scan types.  I could have this functionality internal to Spade, but I'd rather it be a general Snort internal facility that can be used anywhere in Snort.  If someone can implement this better, go for it.  But the functionality of a Packet persisting across calls to a preprocessor is something that I'll be needing in the not-too-distant future.
+
+If anyone has any questions/concerns/comments/fixes, let me know.
+
+Sorry for the length of this message.
+
+Kind regards,
+
+  Jim
+
+P.s. I do not think that Packet cloning is covered by any US federal or state stature, so at least we are safe that way. :)
+*/
+
+#include <pcap.h>
+#include <stdlib.h>
+#include <string.h>
+#include "decode.h"
+#include "snort.h"
+#include "packets.h"
+
+typedef struct _PacketClone
+{
+    Packet p; /* our packet; the address of this must be the same as
+                 the address of the structure */
+    struct pcap_pkthdr pkth; /* the pcap packet header to be included
+                                in the above packet */
+    u_int8_t *pkt; /* storage space for the packet data */
+    int pkt_alloc_size; /* how much space is allocated there */
+    struct _PacketClone *next;
+} PacketClone;
+
+PacketClone *free_packets; /* freelist of normal sized PacketClones */
+PacketClone *free_oz_packets; /* freelist of oversized PacketClones */
+
+#define ADJUST_PKT_INDEX_FIELD(to_p,from_p,field) \
+    if ((from_p)->field) \
+        (to_p)->field= (void *)((to_p)->pkt + \
+           ((unsigned long)(from_p)->field - (unsigned long)(from_p)->pkt));
+    
+#define ADJUST_OPTIONS_DATA_FIELD(to_p,from_p,field,index) \
+    if ((from_p)->field[index].data) \
+        (to_p)->field[index].data= ((to_p)->pkt + \
+            ((unsigned long)(from_p)->field[index].data - \
+             (unsigned long)(from_p)->pkt));
+
+
+/* the normal (minimum) size packet length to allocate; based on pcap snap length */
+#define NORMAL_ALLOC_PACKETLEN (pv.pkt_snaplen ? pv.pkt_snaplen : SNAPLEN)
+/* sometimes we'll need more that the snap length (e.g., with stream4_reassemble 
+   packets), so here's how we calculate how big; oversized allocations get up to
+   63 bytes extra added on at end to make their reuse more likely. */
+#define PACKET_ALLOC_SIZE(min) \
+    (min < NORMAL_ALLOC_PACKETLEN \
+    ? NORMAL_ALLOC_PACKETLEN \
+    : (((min+63) >> 6) << 6))
+
+/*
+ * Function: ClonePacket(Packet *p)
+ *
+ * Purpose: Make a copy of a decoded packet struct (Packet) so that the
+ *          contents of a Packet can survive beyond a call to pcap for a
+ *          new packet
+ *
+ * Arguments: p   => pointer to the decoded packet struct to clone
+ *
+ * Returns: a pointer to the copied Packet
+ *
+ * Notes: this function and FreePacket participate in a recycling program
+ *        for Packets to minimize malloc calls.  ssnptr and state fields not
+ *        copied but set to NULL instead.
+ */
+Packet *ClonePacket(Packet *p)
+{
+    PacketClone *clone,*prev,*here;
+    Packet *cp;
+    int i;
+    int packet_alloc_size= PACKET_ALLOC_SIZE(p->pkth->len);
+    int oversized= packet_alloc_size > NORMAL_ALLOC_PACKETLEN;
+    
+    /* get storage for the Packet */
+    if (free_packets != NULL || free_oz_packets != NULL)
+    {
+        if (oversized) {
+            /* draw from oversize list else the regular list */
+            if (free_oz_packets != NULL) {
+                prev= NULL;
+                here= free_oz_packets;
+                while (here->next != NULL) {
+                    if (here->pkt_alloc_size >= packet_alloc_size) break;
+                    prev= here;
+                    here= here->next;
+                }
+                clone= here;
+                if (prev != NULL)
+                    prev->next= here->next;
+                else
+                    free_oz_packets= here->next;
+            } else {
+                clone= free_packets;
+                free_packets= free_packets->next;
+            }
+            /* get bigger memory chunk if needed */
+            if (clone->pkt_alloc_size < packet_alloc_size) {
+                free(clone->pkt);
+                clone->pkt= (u_int8_t *)calloc(packet_alloc_size,sizeof(u_int8_t));
+                if (clone->pkt == NULL) /* must be out of memory */
+                {
+                    free(clone);
+                    return NULL;
+                }
+                clone->pkt_alloc_size= packet_alloc_size;
+            }
+        } else {
+            /* draw from regular list else the oversize list */
+            if (free_packets != NULL) {
+                clone= free_packets;
+                free_packets= free_packets->next;
+            } else {
+                clone= free_oz_packets;
+                free_oz_packets= free_oz_packets->next;
+            }
+        }
+    } else {
+        clone= (PacketClone *)calloc(1,sizeof(PacketClone));
+        if (clone == NULL) return NULL; /* must be out of memory */
+        
+        clone->pkt= (u_int8_t *)calloc(packet_alloc_size,sizeof(u_int8_t));
+        if (clone->pkt == NULL) /* must be out of memory */
+        {
+            free(clone);
+            return NULL;
+        }
+        clone->pkt_alloc_size= packet_alloc_size;
+    }
+    
+    /* make a copy of the Packet p into cp */
+    cp= &clone->p;
+    *cp= *p; /* this will get everything except the pointers */
+    
+    /* copy the pcap header */
+    cp->pkth= &clone->pkth; /* we use the PacketClone storage space rather
+                               than malloc */
+    *cp->pkth= *(p->pkth);
+    
+    /* copy the packet data */
+    cp->pkt= clone->pkt;
+    memcpy(cp->pkt,p->pkt,p->pkth->len);
+    
+    /* set the Packet fields which are just pointers into the packet data
+       (i.e., just about all of them) */
+    /* many of these fields are NULL, so let's use some knowledge about 
+       the relationship between fields to avoid trying to adjust; of course
+       this means that this must be maintained */
+    if (p->fddihdr) {
+        ADJUST_PKT_INDEX_FIELD(cp,p,fddihdr);
+        ADJUST_PKT_INDEX_FIELD(cp,p,fddisaps);
+        ADJUST_PKT_INDEX_FIELD(cp,p,fddisna);
+        ADJUST_PKT_INDEX_FIELD(cp,p,fddiiparp);
+        ADJUST_PKT_INDEX_FIELD(cp,p,fddiother);
+    }
+    if (p->trh) {
+        ADJUST_PKT_INDEX_FIELD(cp,p,trh);
+        ADJUST_PKT_INDEX_FIELD(cp,p,trhllc);
+        ADJUST_PKT_INDEX_FIELD(cp,p,trhmr);
+    }
+    ADJUST_PKT_INDEX_FIELD(cp,p,sllh);
+    ADJUST_PKT_INDEX_FIELD(cp,p,pfh);
+    ADJUST_PKT_INDEX_FIELD(cp,p,eh);
+    ADJUST_PKT_INDEX_FIELD(cp,p,vh);
+    ADJUST_PKT_INDEX_FIELD(cp,p,ehllc);
+    ADJUST_PKT_INDEX_FIELD(cp,p,ehllcother);
+    ADJUST_PKT_INDEX_FIELD(cp,p,wifih);
+    ADJUST_PKT_INDEX_FIELD(cp,p,ah);
+    if (p->eplh) {
+        ADJUST_PKT_INDEX_FIELD(cp,p,eplh);
+        ADJUST_PKT_INDEX_FIELD(cp,p,eaph);
+        ADJUST_PKT_INDEX_FIELD(cp,p,eaptype);
+        ADJUST_PKT_INDEX_FIELD(cp,p,eapolk);
+    }
+    if (p->iph) {
+        ADJUST_PKT_INDEX_FIELD(cp,p,iph);
+        ADJUST_PKT_INDEX_FIELD(cp,p,ip_options_data);
+        /* get the ones inside decoded options too */
+        for (i= 0; i < p->ip_option_count; i++)
+            ADJUST_OPTIONS_DATA_FIELD(cp,p,ip_options,i);
+        if (p->tcph) {
+            ADJUST_PKT_INDEX_FIELD(cp,p,tcph);
+            ADJUST_PKT_INDEX_FIELD(cp,p,tcp_options_data);
+            for (i= 0; i < p->tcp_option_count; i++)
+                ADJUST_OPTIONS_DATA_FIELD(cp,p,tcp_options,i);
+        } else if (p->icmph) {
+            ADJUST_PKT_INDEX_FIELD(cp,p,icmph);
+            ADJUST_PKT_INDEX_FIELD(cp,p,orig_iph);
+            ADJUST_PKT_INDEX_FIELD(cp,p,orig_udph);
+            ADJUST_PKT_INDEX_FIELD(cp,p,orig_tcph);
+            ADJUST_PKT_INDEX_FIELD(cp,p,orig_icmph);
+        } else
+            ADJUST_PKT_INDEX_FIELD(cp,p,udph);
+    }
+    ADJUST_PKT_INDEX_FIELD(cp,p,ext); /* is this used anywhere? */
+    ADJUST_PKT_INDEX_FIELD(cp,p,data);
+
+    /* we don't copy these over */
+    cp->ssnptr= NULL;
+
+    return cp;
+}
+
+/*
+ * Function: FreePacket(Packet *p)
+ *
+ * Purpose: Free a Packet created by ClonePacket
+ *
+ * Arguments: p   => pointer to the decoded packet struct to free
+ *
+ * Returns: nada
+ *
+ * Notes: this function and FreePacket participate in a recycling program
+ *        for Packets to minimize malloc calls.
+ */
+void FreePacket(Packet *p)
+{
+    PacketClone *pc= (PacketClone *)p; /* assumes pc has same addr as p */
+    if (pc->pkt_alloc_size > NORMAL_ALLOC_PACKETLEN) {
+        pc->next= free_oz_packets;
+        free_oz_packets= pc;
+    } else {
+        pc->next= free_packets;
+        free_packets= pc;
+    }
+    /* note: pc->pkt remains allocated. */
+}
diff -uNr snort-2.3.3/src/packets.h snort-2.3.3-spade/src/packets.h
--- snort-2.3.3/src/packets.h	1970-01-01 01:00:00.000000000 +0100
+++ snort-2.3.3-spade/src/packets.h	2006-03-31 14:16:22.000000000 +0200
@@ -0,0 +1,11 @@
+/* part of the packet cloning patch by Jim Hoagland, Silicon Defense
+ (hoagland@silicondefense.com).  Hopefully this or equivalent functionality
+ will become a standard part of the Snort source. */
+
+#ifndef __PACKETS_H__
+#define __PACKETS_H__
+
+Packet *ClonePacket(Packet *p);
+void FreePacket(Packet *p);
+
+#endif // __PACKETS_H__
diff -uNr snort-2.3.3/src/plugbase.c snort-2.3.3-spade/src/plugbase.c
--- snort-2.3.3/src/plugbase.c	2005-04-22 21:03:56.000000000 +0200
+++ snort-2.3.3-spade/src/plugbase.c	2006-03-31 14:16:22.000000000 +0200
@@ -62,6 +62,8 @@
 #include "preprocessors/spp_flow.h"
 #include "preprocessors/spp_sfportscan.h"
 #include "preprocessors/spp_xlink2state.h"
+#include "preprocessors/spp_spade.h"
+
 
 /* built-in detection plugins */
 #include "detection-plugins/sp_pattern_match.h"
@@ -161,6 +163,7 @@
     SetupReact();
     SetupRespond();
 #endif
+    SetupSpade();
 }
 
 /****************************************************************************
diff -uNr snort-2.3.3/src/preprocessors/Makefile.am snort-2.3.3-spade/src/preprocessors/Makefile.am
--- snort-2.3.3/src/preprocessors/Makefile.am	2005-04-22 21:03:56.000000000 +0200
+++ snort-2.3.3-spade/src/preprocessors/Makefile.am	2006-03-31 14:16:22.000000000 +0200
@@ -25,6 +25,8 @@
 spp_xlink2state.c spp_xlink2state.h \
 xlink2state.c xlink2state.h \
 str_search.c str_search.h \
+spp_sfportscan.c spp_sfportscan.h \
+spp_spade.c spp_spade.h \
 stream.h
 
 
diff -uNr snort-2.3.3/src/preprocessors/spp_spade.c snort-2.3.3-spade/src/preprocessors/spp_spade.c
--- snort-2.3.3/src/preprocessors/spp_spade.c	1970-01-01 01:00:00.000000000 +0100
+++ snort-2.3.3-spade/src/preprocessors/spp_spade.c	2006-03-31 14:18:53.000000000 +0200
@@ -0,0 +1,7495 @@
+/*********************************************************************
+Spade, a Snort preprocessor plugin to report unusual packets
+Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
+copyright (c) 2002 by Silicon Defense (http://www.silicondefense.com/)
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.  
+
+Spade description:
+
+SPADE, the Statistical Packet Anomaly Detection Engine, is a Snort
+preprocessor plugin to report packets that are unusual for your network. 
+Port scans and probes tend to be unusual, so this will tend to report them
+(as well as some benign packets that are simply uncommon).
+
+Spade's home page: http://www.silicondefense.com/spice/
+
+Please send complaints, kudos, and especially improvements and bugfixes to
+hoagland@SiliconDefense.com. This is a research project and would love to
+have your feedback.  It is still under active development and may change at
+any time.
+
+This file (snort_spade.c) is part of Spade v030125.1.  It makes netspade
+available via a snort plugin.
+*********************************************************************/
+
+/* Internal version control: Id: snort_spade.c,v 1.1 2004/10/11 14:35:54 jonkman Exp $ */
+ 
+/*! \file snort_spade.c
+ * \brief 
+ *  snort_spade.c makes netspade available to snort
+ * \ingroup snort_spade
+ */
+
+/*! \addtogroup snort_spade Netspade for Snort
+ * \brief this group contains objects in the Snort binding to netspade
+ * @{
+*/
+
+/*! \addtogroup libnetspade */
+
+#define ENABLE_IDMEF 0
+
+
+/* this should be in generators.h */
+#ifndef SPADE_CLOSED_DESTPORT_USED
+#define     SPADE_CLOSED_DESTPORT_USED   1
+#define     SPADE_NONLIVE_DEST_USED   3
+#define     SPADE_SRC_ODD_DESTPORT_USED   4
+#define     SPADE_SRC_ODD_TYPECODE_USED   5
+#define     SPADE_SRC_ODD_PORTDEST_USED   6
+// OSSIM
+#define     SPADE_RARE_OPEN_DESTPORT_USED   101
+#define     SPADE_RARE_DESTPORT_USED   102
+#endif
+ 
+#include "snort.h"
+#include "plugbase.h"
+#include "generators.h"
+#include "util.h"
+#include "parser.h"
+#include "log.h"
+#include "detect.h"
+#if ENABLE_IDMEF
+#include "../output-plugins/spo_idmef.h"
+#endif
+#include "packets.h"
+#include "spp_spade.h"
+#include <string.h>
+#include <stdarg.h>
+#include <signal.h>
+
+/** external globals from parser.c **/
+extern char *file_name;
+extern int file_line;
+
+static void SpadeReportAnom(void *context,spade_report *rpt);
+static void SpadeReportThreshChanged(void *context, char *id,char *mess, int using_corrscore);
+static void SnortSpadeMsgFn(spade_message_type msg_type,const char *msg);
+
+/// our instance of netspade
+netspade *spade;
+
+#define DEST_NOWHERE 0
+#define DEST_ALERT_FACILITY 1
+#define DEST_LOG_FACILITY 2
+#define DEST_IDMEF_FACILITY 4
+
+/// where to send spade alerts
+int spade_alert_dest= DEST_ALERT_FACILITY;
+/// where to send spade threshold adjusted messages
+int spade_adj_dest= DEST_ALERT_FACILITY;
+
+/// the bigger the number, the more debuging statements that are active
+int as_debug= 0; 
+
+/// is threshold adapting enabled?
+int adapt_active= 0;
+/// the number of detectors that have been enabled
+int num_detectors= 0;
+/// how many packets has Snort passed to us
+int pkt_count= 0;
+
+/*************/
+
+/* A call to this function needs to be added to plugbase.c somehow */
+void SetupSpade()
+{
+    /* link the preprocessor keyword list to the init functions in 
+       the preproc list to arrange for modules to run when specified */
+    RegisterPreprocessor("spade", SpadeInit);
+    RegisterPreprocessor("spade-homenet", SpadeHomenetInit);
+    RegisterPreprocessor("spade-detect", SpadeDetectInit);
+    RegisterPreprocessor("spade-stats", SpadeStatInit);
+    RegisterPreprocessor("spade-threshlearn", SpadeThreshadviseInit); /* for backwards compatability */
+    RegisterPreprocessor("spade-threshadvise", SpadeThreshadviseInit);
+    RegisterPreprocessor("spade-adapt", SpadeAdaptInit);
+    RegisterPreprocessor("spade-adapt2", SpadeAdapt2Init);
+    RegisterPreprocessor("spade-adapt3", SpadeAdapt3Init);
+    RegisterPreprocessor("spade-survey", SpadeSurveyInit);
+
+    if (as_debug) printf("Preprocessor: Spade is setup...\n");
+}
+
+
+
+/*========================================================================*/
+/*========================= Spade core routines ==========================*/
+/*========================================================================*/
+
+/* Spade core init function:
+     set up netspade, recover, register the signal handler,
+     register the preprocessor function */
+void SpadeInit(u_char *argsstr)
+{
+    int prob_mode=3,checkpoint_freq=50000,recover;
+    double init_thresh= -1;
+    char statefile[401]= "spade.rcv";
+    char outfile[401]= "-";
+    int use_corrscore= 0;
+    char dest[11]= "alert";
+    char adjdest[11]= "\0";
+    char xsips[401]="",xdips[401]="",xsports[401]="",xdports[401]="";
+    void *args[12];
+
+    args[0]= &init_thresh;
+    args[1]= &statefile;
+    args[2]= &outfile;
+    args[3]= &prob_mode;
+    args[4]= &checkpoint_freq;
+    args[5]= &use_corrscore;
+    args[6]= &dest;
+    args[7]= &adjdest;
+    args[8]= &xsips;
+    args[9]= &xdips;
+    args[10]= &xsports;
+    args[11]= &xdports;
+    fill_args_space_sep(argsstr,"d:thresh;s400:statefile;s400:logfile;"
+            "i:probmode;i:cpfreq;b:-corrscore,corrscore;s10:dest;s10:adjdest;"
+            "s400:Xsips,Xsip,xsips;s400:Xdips,Xdip,xdips;"
+            "s400:Xsports,Xsport,xsports;s400:Xdports,Xdport,xdports",args,SnortSpadeMsgFn);
+
+    if (as_debug) printf("statefile=%s; logfile=%s; cpfreq=%d\n",statefile,outfile,checkpoint_freq);
+
+    LogMessage("Spade is enabled\n");
+    recover= strcmp(statefile,"0") && strcmp(statefile,"/dev/null");
+
+    if (recover) {
+        spade= new_netspade_from_statefile(statefile,SnortSpadeMsgFn,as_debug,&recover);
+        if (recover)
+            LogMessage("    Spade state initialized to what is in %s\n",statefile);
+        else
+            LogMessage("    Could not load Spade state from %s\n",statefile);
+    }
+
+    if (!recover) {
+        spade= new_netspade(SnortSpadeMsgFn,as_debug);
+        LogMessage("    Spade state initialized to a clean slate (no prior knowledge)\n");
+    }
+    if (spade == NULL) {
+        FatalError("Spade initialization failed: out of memory!");
+    }
+
+    netspade_set_checkpointing(spade,statefile,checkpoint_freq);
+    LogMessage("    Spade will record its state to %s after every %d updates\n",statefile,checkpoint_freq);
+    netspade_set_output_file(spade,outfile);
+    LogMessage("    Spade's log is %s\n",outfile);
+
+    if (!strcmp(dest,"log")) {
+        LogMessage("    Spade reports will go to the log facility\n");
+        spade_alert_dest= DEST_LOG_FACILITY;
+    } else if (!strcmp(dest,"both")) {
+        LogMessage("    Spade reports will go to both the alert and log facility\n");
+        spade_alert_dest= DEST_ALERT_FACILITY|DEST_LOG_FACILITY;
+#if ENABLE_IDMEF
+    } else if (!strcmp(dest,"spo_idmef")) {
+        LogMessage("    Spade reports will go directly to the IDMEF facility\n");
+        spade_alert_dest= DEST_IDMEF_FACILITY;
+#endif
+    } else {
+        if (strcmp(dest,"alert"))
+            ErrorMessage("Spade: dest=%s not recognized, using dest=alert\n",dest);
+        LogMessage("    Spade reports will go to the alert facility\n");
+        spade_alert_dest= DEST_ALERT_FACILITY;
+    }
+    if (adjdest[0] == '\0') {
+        spade_adj_dest= spade_alert_dest;
+    } else {
+        if (!strcmp(adjdest,"log")) {
+            LogMessage("    Spade threshold adjusted reports will go to the log facility\n");
+            spade_adj_dest= DEST_LOG_FACILITY;
+        } else if (!strcmp(adjdest,"both")) {
+            LogMessage("    Spade threshold adjusted reports will go to both the alert and log facility\n");
+            spade_adj_dest= DEST_ALERT_FACILITY|DEST_LOG_FACILITY;
+        } else if (!strcmp(adjdest,"none")) {
+            LogMessage("    Spade threshold adjusted reports will not be reported\n");
+            spade_adj_dest= DEST_NOWHERE;
+        } else {
+            if (strcmp(adjdest,"alert"))
+                ErrorMessage("Spade: adjdest=%s not recognized, using adjdest=alert\n",adjdest);
+            LogMessage("    Spade threshold adjusted reports will go to the alert facility\n");
+            spade_adj_dest= DEST_ALERT_FACILITY;
+        }
+    }
+    netspade_set_callbacks(spade,NULL,SpadeReportAnom,((spade_adj_dest == DEST_NOWHERE) ? NULL : SpadeReportThreshChanged),(event_native_copier_t)ClonePacket,(event_native_freer_t)FreePacket);
+    
+    netspade_add_rpt_excludes(spade,xsips,xdips,xsports,xdports);
+    
+    /* at this point we don't know if there are any spade-detect lines, but
+       if this looks like the old form of this line (corrscore, thresh, or
+       probmode is specified).  Our approximation of specified is variance
+       from defaults.  Because our defaults are the same as netspade's
+       default detection mode, if the user did explicitly set things to the
+       default and provides no spade-detect line, the default detector will
+       be enabled in netspade automatically with the configuration we want. */
+       
+    if (prob_mode != 3 || init_thresh != -1 || use_corrscore) {
+        char init_detect_str[100];
+        /* backwards compatability mode */
+        if (prob_mode > 4 || prob_mode < 0) {
+            ErrorMessage("Warning: Spade probabity mode %d undefined, using #3 instead",prob_mode);
+            prob_mode= 3;
+        }
+        if (as_debug) printf("thresh=%f; probmode=%d; corrscore=%d\n",init_thresh,prob_mode,use_corrscore);
+
+        sprintf(init_detect_str,"id=default relscore=0  corrscore=0 thresh=%f probmode=%d corrscore=%d",
+                                                init_thresh,prob_mode,use_corrscore);
+        netspade_new_detector(spade,init_detect_str);
+        
+        LogMessage("    default detector enabled with: %s\n",init_detect_str);
+        num_detectors++;
+
+        if (as_debug) netspade_print_detector_config_details(spade,stdout,"default");
+    }       
+    
+
+   /* Set the preprocessor function into the function list */
+    AddFuncToPreprocList(PreprocSpade);
+    AddFuncToCleanExitList(SpadeCatchSig,NULL);
+    AddFuncToRestartList(SpadeCatchSig,NULL);
+}
+
+
+/*========================================================================*/
+/*========================= SpadeHomenet module ==========================*/
+/*========================================================================*/
+
+/* Set the Spade homenet */
+
+/* snort config file line:
+    preprocessor spade-homenet: {<network>}
+    where <network> is a network in CIDR notation (address/numbits)
+                       or an IP address */
+                                                        
+/* Spade homenet init function:
+     set up the homenet list */
+void SpadeHomenetInit(u_char *args)
+{
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-homenet: %s(%d)\n",
+        file_name,file_line);
+
+    netspade_set_homenet_from_str(spade,args);
+    LogMessage("    Spade homenet set to: %s\n",args);
+}
+
+
+
+/*========================================================================*/
+/*======================== SpadeDetect module ==========================*/
+/*========================================================================*/
+
+/* enable a Spade detector */                                                     
+void SpadeDetectInit(u_char *args)
+{
+    char *id;
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-detect: %s(%d)\n",
+        file_name,file_line);
+
+    id= netspade_new_detector(spade,args);
+    LogMessage("    detector %s enabled with: %s\n",id,args);
+    num_detectors++;
+
+    if (as_debug) netspade_print_detector_config_details(spade,stdout,id);
+}
+
+
+/*========================================================================*/
+/*=========================== SpadeStat module ===========================*/
+/*========================================================================*/
+
+/* Whenever SpadeCatchSig is invoked, this module arranges for certain
+   specified statistics to be written to the log file.  The available
+   statistics depend on what is recorded in the tree, which depends on the
+   probability measure used.  There is no good way to have more granularity
+   at present. */
+
+/* snort config file line:
+    preprocessor spade-stats: {<stat-option>}
+    where <stat-option> is one of:
+      "entropy" (to display the known entropies and conditional entropies)
+      "uncondprob" (to display the known non-0 simple (joint) probabilities)
+      "condprob" (to display the known non-0 conditional (joint)
+probabilities) */
+                                                        
+void SpadeStatInit(u_char *args)
+{
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-stat: %s(%d)\n",
+        file_name,file_line);
+
+    /* parse the argument list from the rules file */
+    netspade_set_output_stats_from_str(spade,args);
+    LogMessage("    Spade will report certain observation statistics to its log file: %s\n",args);
+}
+
+
+
+/*========================================================================*/
+/*======================== SpadeThreshadvise module =======================*/
+/*========================================================================*/
+
+/* Given a packet count and a length of time, this module reports a reporting
+   threshold that would have been effective in producing that number of alerts
+   in that time interval.  The idea is that one might use this as a threshold
+   for future runs.  The module quietly watches the network for the length of
+   time, adding events to the tree and calculating anomaly scores.  When the
+   time period is up, the module calls exit() after reporting the top anomaly
+   scores seen to the log file. */
+   
+   /* Spade threshold learning module init function:
+     set up threshold learning module per args */
+void SpadeThreshadviseInit(u_char *args)
+{
+    char *id;
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-threshadvise (a.k.a. "
+        "spade-threshlearn): %s(%d)\n",
+        file_name,file_line);
+    
+    id=netspade_setup_detector_advise_from_str(spade,args);
+
+    LogMessage("    Spade threshold advising inited for %s: %s\n",id,args);
+}
+
+/*========================================================================*/
+/*=========================== SpadeAdapt module ==========================*/
+/*========================================================================*/
+
+/* Given a report count target and a length of time, this module tries to keep
+   the reporting threshold at a level that would produce that number of alerts
+   in that time interval based on what was observed in the last interval.  To
+   support this, a list of the most anomalous scores seen in the current
+   interval is maintained.  At the end of the interval, an ideal threshold is
+   calculated based on the interval's scores.  This is combined linearly with
+   the current threshold to produce the threshold for the next interval.  As a
+   default option, the interval can implemented in terms of a count of packets,
+   where this count is the average number of packets seen during the specified
+   time interval length; this tends to make the transitions more smooth and
+   reliable since a more constant number of anomaly scores is used in finding
+   the topmost anamolous ones. */
+
+void SpadeAdaptInit(u_char *args)
+{
+    char *id;
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-adapt: %s(%d)\n",
+        file_name,file_line);
+    if (adapt_active && num_detectors < 2) {
+        ErrorMessage("Spade threshold adapting repeatedly specified, "
+            "ignoring later specification: %s(%d)\n",file_name,file_line);
+        return;
+    }
+    adapt_active= 1;
+
+    /* parse the argument list from the rules file */
+    id= netspade_setup_detector_adapt_from_str(spade,1,args);
+    
+    LogMessage("    Spade adapt mode 1 inited for %s: %s\n",id,args);
+
+    if (as_debug) netspade_print_detector_config_details(spade,stdout,id);
+}
+
+
+/*========================================================================*/
+/*========================== SpadeAdapt2 module ==========================*/
+/*========================================================================*/
+
+/* Given an hourly alert target count (or target fraction) and a length of
+   time, this module tries to keep the reporting threshold at a level that
+   would produce that number of alerts (or fraction of total reports) in an
+   hour based on what has been observed in the past.  When the report threshold
+   is updated, it is based in equal parts on observations from the short term,
+   middle term, and long term (at least for these that have been observed). 
+   The user can specify the time period for observations, the number of those
+   that make up the short term (NS), the number of short terms that make up the
+   medium term (NM), and the number of medium terms that make up the long term
+   (NL).  The short term component of the threshold is defined to be the
+   average of the kth and (k+1)st highest anomaly scores in the last NS
+   complete periods of observation, where k is number of anamoly reports that
+   should occur in the observation period assuming a uniform rate.  The middle
+   term component is the average of the last NM special short term components. 
+   The special short term components are the ones that are multiples of NS if
+   labeled with the number of observation periods that had completed when it
+   was calculated (i.e., #NS, #2NS, #3NS, etc.); these have the property that
+   they are based entirely on distinct measurements.  The long term component
+   is based on the last NL medium term componenets, including the current one. 
+   For each of the components, if there have been less than the specified
+   number of constituant parts (but there has been at least one complete one),
+   what is observed thus far is used.  To accomadate the varying rates of
+   packets fairly, the observation period is based on a count of packets.  This
+   count is the product of the specified observation period and the average
+   packet rate.
+*/
+
+void SpadeAdapt2Init(u_char *args)
+{
+    char *id;
+    
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-adapt2: %s(%d)\n",
+        file_name,file_line);
+    if (adapt_active && num_detectors < 2) {
+        ErrorMessage("Spade threshold adapting repeatedly specified, "
+            "ignoring later specification: %s(%d)\n",file_name,file_line);
+        return;
+    }
+    adapt_active= 2;
+
+    /* parse the argument list from the rules file */
+    id= netspade_setup_detector_adapt_from_str(spade,2,args);
+    
+    LogMessage("    Spade adapt mode 2 inited for %s: %s\n",id,args);
+
+    if (as_debug) netspade_print_detector_config_details(spade,stdout,id);
+}
+
+/*========================================================================*/
+/*========================== SpadeAdapt3 module ==========================*/
+/*========================================================================*/
+
+/* Given an hourly alert target count (or target fraction) and a length of
+   time, this module tries to keep the reporting threshold at a level that
+   would produce that number of alerts (or fraction of total reports) in an
+   hour based on what has been observed in the past.  ...
+*/
+
+void SpadeAdapt3Init(u_char *args)
+{
+    char *id;
+    
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-adapt3: %s(%d)\n",
+        file_name,file_line);
+    if (adapt_active && num_detectors < 2) {
+        ErrorMessage("Spade threshold adapting repeatedly specified, "
+            "ignoring later specification: %s(%d)\n",file_name,file_line);
+        return;
+    }
+    adapt_active= 3;
+
+    /* parse the argument list from the rules file */
+    id= netspade_setup_detector_adapt_from_str(spade,3,args);
+
+    LogMessage("    Spade adapt mode 3 inited for %s: %s\n",id,args);
+}
+
+
+/*========================================================================*/
+/*========================== SpadeSurvey module ==========================*/
+/*========================================================================*/
+
+/* This module surveys the anomoly scores observed across periods of time
+and reports this to a specified survey file.  The period #, the packet
+count, the median score, the 90th percentile score, and the 99th percentile
+score are recorded to the file in tab-delinated format.  Interpolation is
+used between scores if there is no score at exactly the position implied by
+the percentile. */
+
+/* efficiency note:  This use linked list to represent the observed anomoly
+   scores.  While it is necessary to maintain all these scores (the current
+   worst score might end up being the 99th percentile), a different
+   representation (order stat tree?) should be used if the packet count gets
+   high.  */
+
+void SpadeSurveyInit(u_char *args)
+{
+    char *id;
+    
+    if (spade == NULL) FatalError("Please initialize Spade with the "
+        "'preprocessor spade:' line before listing spade-survey: %s(%d)\n",
+        file_name,file_line);
+
+    /* parse the argument list from the rules file */
+    id= netspade_setup_detector_survey_from_str(spade,args);
+
+    LogMessage("    Spade survey mode inited for %s: %s\n",id,args);
+
+    if (as_debug) netspade_print_detector_config_details(spade,stdout,id);
+}
+
+
+/*********************************************************************/
+
+/* Spade core routine that is called with each packet; be efficient! */
+void PreprocSpade(Packet *p)
+{
+    spade_event pkt;
+    pkt_count++;
+    
+    if (p == NULL || p->iph == NULL) return; /* netspade only looks at IP packets for now */
+    
+    pkt.native= p;
+    pkt.time= (time_t)p->pkth->ts.tv_sec;
+    
+    pkt.origin= PKTORIG_TOP;
+    pkt.fldval[IPPROTO]= p->iph->ip_proto;
+    
+    switch (pkt.fldval[IPPROTO]) { /* protocol-specific processing */
+    case IPPROTO_TCP:
+        if (p->tcph == NULL) return;
+        pkt.fldval[TCPFLAGS]= p->tcph->th_flags;
+        break;
+    case IPPROTO_UDP:
+        if (p->udph == NULL) return;
+        break;
+    case IPPROTO_ICMP:
+        if (p->icmph == NULL) return;
+        pkt.fldval[ICMPTYPE]= p->icmph->type;
+        pkt.fldval[ICMPTYPECODE]= (p->icmph->type << 8) | p->icmph->code;
+        break;
+    default:;
+    }
+
+    pkt.fldval[SIP]= ntohl(p->iph->ip_src.s_addr);
+    pkt.fldval[DIP]= ntohl(p->iph->ip_dst.s_addr);
+    pkt.fldval[SPORT]= p->sp;
+    pkt.fldval[DPORT]= p->dp;
+    //pkt.fldval[TTL]= p->iph->ip_ttl;
+    //pkt.fldval[WIN] = p->tcph->th_win;
+
+    netspade_new_pkt(spade,&pkt);
+    
+    if ((p->orig_iph != NULL) && (p->icmph != NULL) && (p->icmph->type == 3)) {
+        pkt.origin= PKTORIG_UNRCH;
+
+        pkt.fldval[IPPROTO]= p->orig_iph->ip_proto;
+        
+        switch (pkt.fldval[IPPROTO]) { /* protocol-specific processing */
+        case IPPROTO_TCP:
+            if (p->orig_tcph == NULL) return;
+            pkt.fldval[TCPFLAGS]= p->orig_tcph->th_flags;
+            break;
+        case IPPROTO_UDP:
+            if (p->orig_udph == NULL) return;
+            break;
+        case IPPROTO_ICMP:
+            if (p->orig_icmph == NULL) return;
+            //pkt.fldval[ICMPTYPE]= p->orig_icmph->type;
+            //pkt.fldval[ICMPTYPECODE]= (p->orig_icmph->type << 8) | p->orig_icmph->code;
+            break;
+        default:;
+        }
+    
+        pkt.fldval[SIP]= ntohl(p->orig_iph->ip_src.s_addr);
+        pkt.fldval[DIP]= ntohl(p->orig_iph->ip_dst.s_addr);
+        pkt.fldval[SPORT]= p->orig_sp;
+        pkt.fldval[DPORT]= p->orig_dp;
+
+        netspade_new_pkt(spade,&pkt);
+    }
+}
+
+
+/*********************************************************************/
+/*********************************************************************/
+
+/* our netspade callback for when there is something anomalous to report */
+static void SpadeReportAnom(void *context,spade_report *rpt) {
+    char message[256];
+    Event event;
+    u_int32_t id;
+    spade_event *pkt= rpt->pkt;
+    Packet *p= pkt->native;
+    double score= spade_report_mainscore(rpt);
+
+    /*
+    sprintf(message,"Spade: %s: %s: %.4f",rpt->detect_type_str,rpt->scope_str,score);
+    */
+
+    /* OSSIM */
+    sprintf(message,"Spade: %s",rpt->detect_type_str);
+    
+    switch (rpt->detect_type) {
+    case SPADE_DR_TYPE_CLOSED_DPORT: id= SPADE_CLOSED_DESTPORT_USED; break;
+    case SPADE_DR_TYPE_DEAD_DEST: id= SPADE_NONLIVE_DEST_USED; break;
+    case SPADE_DR_TYPE_ODD_DPORT: id= SPADE_SRC_ODD_DESTPORT_USED; break;
+    case SPADE_DR_TYPE_ODD_TYPECODE: id= SPADE_SRC_ODD_TYPECODE_USED; break;
+    case SPADE_DR_TYPE_ODD_PORTDEST: id= SPADE_SRC_ODD_PORTDEST_USED; break;
+    default : id= 0;
+    }
+
+    /* OSSIM */
+    if (!strcmp(rpt->detect_type_str,"Rare but open dest port used"))
+      id = SPADE_RARE_OPEN_DESTPORT_USED;
+    else if (!strcmp(rpt->detect_type_str,"Rare dest port used"))
+      id = SPADE_RARE_DESTPORT_USED;
+
+    SetEvent(&event, GENERATOR_SPP_SPADE, id,
+            1, 0, 0, 0);
+
+#if ENABLE_IDMEF
+    if (spade_alert_dest & DEST_IDMEF_FACILITY)
+        SpadeIDMEFDirect(p, rpt->detect_type_str, NULL, &event, score, rpt->detectorid);
+#endif
+    if (spade_alert_dest & DEST_ALERT_FACILITY)
+        CallAlertFuncs(p, message, NULL, &event);
+    if (spade_alert_dest & DEST_LOG_FACILITY)
+        CallLogFuncs(p, message, NULL, &event);
+}   
+
+/* our netspade callback for when there the threshold is adjusted */
+static void SpadeReportThreshChanged(void *context,char *id,char *mess,int using_corrrscore) {
+    char message[100];
+    Event event;
+
+    sprintf(message,"Spade: id=%s: %s",id,mess);
+
+    SetEvent(&event, GENERATOR_SPP_SPADE,
+            SPADE_ANOM_THRESHOLD_ADJUSTED, 1, 0, 0, 0);
+    if (spade_adj_dest & DEST_ALERT_FACILITY)
+        CallAlertFuncs(NULL, message, NULL, &event);
+    if (spade_adj_dest & DEST_LOG_FACILITY)
+        CallLogFuncs(NULL, message, NULL, &event);
+}
+
+static void SnortSpadeMsgFn(spade_message_type msg_type,const char *msg) {
+    char buf[MAX_SPADE_MSG_LEN+1];
+    const char *newmsg;
+    
+    if (!pkt_count)  { // must be a message originating from configuration activity; include conf file name and line #
+        switch (msg_type) {
+        case SPADE_MSG_TYPE_FATAL:
+        case SPADE_MSG_TYPE_WARNING:
+        case SPADE_MSG_TYPE_DEBUG:
+        {
+            int len= strlen(msg);
+            strncpy(buf,msg,MAX_SPADE_MSG_LEN);
+            snprintf(buf+len,MAX_SPADE_MSG_LEN-len,": %s(%d)\n",file_name,file_line);
+            newmsg= (const char *)buf;
+            break;
+        }
+        default:
+            newmsg= msg;
+            break;
+        }
+    } else {
+        newmsg= msg;
+    }
+        
+    switch (msg_type) {
+    case SPADE_MSG_TYPE_FATAL:
+        FatalError("%s", newmsg);
+        break;
+    case SPADE_MSG_TYPE_WARNING:
+        ErrorMessage("%s", newmsg);
+        break;
+    default:
+        LogMessage("%s", newmsg);
+        break;
+    }
+}
+
+
+/*****************************************************
+ * Called on signals
+ *****************************************************/
+void SpadeCatchSig(int signal,void *arg) {
+    if (signal == SIGUSR1) {
+        LogMessage("Spade got SIGUSR1, refreshing its disk state");
+        netspade_dump(spade);
+    } else if (signal == SIGQUIT || signal == SIGHUP || signal == SIGINT) {
+        LogMessage("Spade got shutdown signal, cleaning up");
+        netspade_cleanup(spade);
+    }
+}
+
+/*********************************************************************
+netspade.c, distributed as part of Spade v030125.1
+Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
+copyright (c) 2002 by Silicon Defense (http://www.silicondefense.com/)
+Released under GNU General Public License, see the COPYING file included
+with the distribution or http://www.silicondefense.com/spice/ for details.
+
+Please send complaints, kudos, and especially improvements and bugfixes to
+hoagland@SiliconDefense.com.  As described in GNU General Public License, no
+warranty is expressed for this program.
+*********************************************************************/
+
+/*! \file netspade.c
+ * \ingroup netspade_layer
+ * \brief 
+ *  netspade.c contains a "class" netspade which applies Spade to a network
+ */
+
+/*! \addtogroup libnetspade Netspade Library
+ * \brief This group contains objects the objects in libnetspade, which
+ * applies Spade to the network packets.
+  @{
+*/
+/*! \addtogroup libspade */
+/*@}*/
+
+/*! \addtogroup netspade_layer Netspade Layer
+ * \brief This group contains objects the objects specific to Netspade, which
+ * applies Spade to the network packets.
+ * \ingroup libnetspade
+  @{
+*/
+
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <stdlib.h>
+#include <math.h>
+
+/// an array mapping a netspade feature number to its name
+const char *featurenames[NETSPADE_NUM_FEATURES+1]= {"sip","dip","sport","dport","proto","tcpflags","icmptype","icmptype+code",NULL};
+
+#define IS_TCP          EVENT_CONDITION_NUM(1) ///< is the packet TCP?
+#define IS_UDP          EVENT_CONDITION_NUM(2) ///< is the packet UDP?
+#define IS_ICMP         EVENT_CONDITION_NUM(3) ///< is the packet ICMP?
+#define IS_UNRCHTCP     EVENT_CONDITION_NUM(5) ///< is the packet from inside a unreachable packet and is TCP?
+#define IS_UNRCHUDP     EVENT_CONDITION_NUM(6) ///< is the packet from inside a unreachable packet and is UDP?
+#define IS_UNRCHICMP    EVENT_CONDITION_NUM(7) ///< is the packet from inside a unreachable packet and is ICMP?
+#define SYNONLY         EVENT_CONDITION_NUM(9) ///< is the packet TCP and only have the SYN flag set (among the 6 flags)?
+#define NORMAL_RST      EVENT_CONDITION_NUM(10) ///< is the packet TCP and a normal RST?
+#define SYNACK          EVENT_CONDITION_NUM(11) ///< is the packet TCP and only have the SYN and ACK flags set?
+#define WEIRDFLAGS      EVENT_CONDITION_NUM(12) ///< is the packet TCP and have an unusual combination of flags?
+#define SETUPFLAGS      EVENT_CONDITION_NUM(13) ///< is the packet TCP and have flags associated with connection setup?
+#define ESTFLAGS        EVENT_CONDITION_NUM(14) ///< is the packet TCP and have flags associated with the established phase of a connection?
+#define TEARDOWNFLAGS   EVENT_CONDITION_NUM(15) ///< is the packet TCP and have flags associated with connection teardown?
+#define SIP_IN_HOMENET      EVENT_CONDITION_NUM(17) ///< is the source IP of the packet in the homenet?
+#define SIP_NOT_IN_HOMENET  EVENT_CONDITION_NUM(18) ///< is the source IP of the packet not in the homenet?
+#define DIP_IN_HOMENET      EVENT_CONDITION_NUM(19) ///< is the dest IP of the packet in the homenet?
+#define DIP_NOT_IN_HOMENET  EVENT_CONDITION_NUM(20) ///< is the dest IP of the packet not in the homenet?
+#define ICMPNOTERR      EVENT_CONDITION_NUM(21) ///< is the packet an ICMP but not indicating an error?
+#define ICMPERR         EVENT_CONDITION_NUM(22) ///< is the packet an ICMP and not indicating an error?
+#define REPR_PKT        EVENT_CONDITION_NUM(23) ///< does this packet fit in the minority of packets that can be considered representative of the sources of packets?
+#define UDPRESP         EVENT_CONDITION_NUM(25) ///< might the packet be a response to a UDP packet?
+#define ICMPRESP        EVENT_CONDITION_NUM(26) ///< might the packet be a response to a ICMP packet?
+#define SYNRESP         EVENT_CONDITION_NUM(27) ///< might the packet be a response to a SYN packet?
+#define ESTRESP         EVENT_CONDITION_NUM(29) ///< might the packet be a response to a ESTFLAGS packet?
+#define TEARDOWNRESP    EVENT_CONDITION_NUM(30) ///< might the packet be a response to a TEARDOWN packet?
+#define SETUPRESP       EVENT_CONDITION_NUM(31) ///< might the packet be a response to a SETUP packet?
+
+#define HOMENET_CONDS (CONDS_PLUS_3CONDS(SIP_IN_HOMENET,SIP_NOT_IN_HOMENET,DIP_IN_HOMENET,DIP_NOT_IN_HOMENET))
+#define TCPFLAG_CONDS (CONDS_PLUS_6CONDS(SYNACK,SYNONLY,NORMAL_RST,WEIRDFLAGS,ESTFLAGS,TEARDOWNFLAGS,SETUPFLAGS))
+#define REPR_PKT_CONDS (CONDS_PLUS_3CONDS(SETUPFLAGS,TEARDOWNFLAGS,IS_UDP,IS_ICMP))
+
+#define SYNRESP_CONDS (CONDS_PLUS_2CONDS(SYNACK,NORMAL_RST,IS_UNRCHTCP))
+#define ESTRESP_CONDS (CONDS_PLUS_2CONDS(ESTFLAGS,TEARDOWNFLAGS,IS_UNRCHTCP))
+#define TEARDOWNRESP_CONDS (CONDS_PLUS_CONDS(TEARDOWNFLAGS,IS_UNRCHTCP))
+#define SETUPRESP_CONDS (CONDS_PLUS_CONDS(SYNRESP_CONDS,ESTRESP_CONDS))
+#define UDPRESP_CONDS (CONDS_PLUS_CONDS(IS_UDP,IS_UNRCHUDP))
+#define ICMPRESP_CONDS (CONDS_PLUS_CONDS(ICMPNOTERR,IS_UNRCHICMP))
+
+
+#define PKT_IP_IN_HOMENET_LIST(pkt,fldname,list,res) {\
+    res= 0; \
+    if (list != NULL) { \
+        ll_net *home; \
+        for (home= list; home != NULL; home= home->next) { \
+            if ((pkt->fldval[fldname] & home->netmask) == home->netaddr) { \
+                res= 1; \
+                break; \
+            } \
+        } \
+    } else { \
+        res= 1; \
+    } \
+}
+
+static void init_netspade_empty(netspade *self,spade_msg_fn msg_callback, int debug_level);
+static netspade_detector *acquire_detector_for_id(netspade *self, char *id);
+static netspade_detector *detector_for_id(netspade *self, char *id);
+static void netspade_detector_dump(netspade_detector *detector);
+static void netspade_detector_cleanup(netspade_detector *detector);
+static void netspade_update_conds_to_calc(netspade *self);
+static event_condition_set netspade_nonstore_conds(netspade *self);
+static event_condition_set flipped_homenet_conds(event_condition_set orig);
+static int do_checkpointing(netspade *self);
+static int do_recovery(netspade *self, char *statefile);
+static void threshold_was_exceeded(void *context, void *mgrref, spade_event *pkt, score_info *score);
+static void canceller_status_report(void *context, spade_report *rpt, port_status_t status);
+static void threshold_was_adjusted(void *context, void *mgrref);
+static void netspade_add_net_to_homenet(netspade *self, char *net_str);
+static char *scope_str_for_cond(event_condition_set cond);
+static void process_netspade_xarg(netspade *self, char *str, features feat, xarg_type_t type);
+static void process_detector_xargs(netspade_detector *d, char *xsips, char *xdips, char *xsports, char *xdports);
+static void process_detector_xarg(netspade_detector *d, char *str, features feat, xarg_type_t type);
+static void process_detector_xarg(netspade_detector *d,char *str,features feat,xarg_type_t type);
+static xfeatval_link *process_xarg(char *str,features feat,xarg_type_t type,spade_msg_fn msg_callback,xfeatval_link **tail);
+static xfeatval_link *new_xfeatval_link(features feat, xarg_type_t type, char *val);
+static int pkt_is_excluded(xfeatval_link *list,spade_event *pkt);
+static int cidr_to_netmask(char *str, u32 *netip, u32 *netmask);
+static void file_print_conds(FILE *file,event_condition_set conds);
+
+void init_netspade(netspade *self,spade_msg_fn msg_callback, int debug_level) {
+    init_netspade_empty(self,msg_callback,debug_level);
+}
+
+static void init_netspade_empty(netspade *self,spade_msg_fn msg_callback, int debug_level) {
+    self->msg_callback= (msg_callback == NULL) ? default_spade_msg_fn : msg_callback;
+    self->debug_level= debug_level;
+
+    self->detectors= NULL;
+    self->detectors_tail= NULL;
+    
+    self->homelist_head= NULL;
+    self->homelist_tail= NULL;
+    
+    self->checkpoint_file= NULL;
+    self->checkpoint_freq= -1;
+
+    self->records_since_checkpoint=0;
+    self->last_time_forwarded= (time_t)0;
+    
+    self->callback_context= NULL;
+    self->exc_callback= NULL;
+    self->adj_callback= NULL;
+    self->pkt_native_copier_callback= NULL;
+    self->pkt_native_freer_callback= NULL;
+
+    self->rpt_exclude_list= NULL;
+    
+    init_event_recorder(&self->recorder);
+    self->recorder_needed_conds= 0;
+    self->nonstore_conds= 0;
+    self->conds_to_calc= 0;
+    
+    self->stats_to_print= 0;
+    self->outfile= NULL;
+    
+    self->detector_id_nonce= 0;
+    self->total_pkts= 0;
+}
+
+int init_netspade_from_statefile(netspade *self,char *statefile,spade_msg_fn msg_callback, int debug_level) {
+    init_netspade_empty(self,msg_callback,debug_level);
+    return do_recovery(self,statefile);
+}
+
+netspade *new_netspade(spade_msg_fn msg_callback, int debug_level) {
+    netspade *new= (netspade *)malloc(sizeof(netspade));
+    init_netspade(new,msg_callback,debug_level);
+    return new;
+}
+
+netspade *new_netspade_from_statefile(char *statefile,spade_msg_fn msg_callback, int debug_level,int *succ) {
+    netspade *new= (netspade *)malloc(sizeof(netspade));
+    *succ= init_netspade_from_statefile(new,statefile,msg_callback,debug_level);
+    return new;
+}
+
+void netspade_set_callbacks(netspade *self,void *context,netspade_exc_callback_t exc_callback,netspade_adj_callback_t adj_callback,event_native_copier_t pkt_native_copier_callback,event_native_freer_t pkt_native_freer_callback) {
+    self->callback_context= context;
+    self->exc_callback= exc_callback;
+    self->adj_callback= adj_callback;
+    self->pkt_native_copier_callback= pkt_native_copier_callback;
+    self->pkt_native_freer_callback= pkt_native_freer_callback;
+}
+
+void netspade_set_checkpointing(netspade *self,char *checkpoint_file,int checkpoint_freq) {
+    self->checkpoint_file= (checkpoint_file == NULL) ? NULL : strdup(checkpoint_file);
+    self->checkpoint_freq= checkpoint_freq;
+}
+
+void netspade_set_homenet_from_str(netspade *self,char *homenet_str) {
+    char *strcopy= (homenet_str == NULL) ? NULL : strdup(homenet_str);
+    char *p= strcopy;
+    int len;
+    char oldchar,*term;
+    if (strcopy == NULL) return;
+
+    while (isspace((int)*p)) p++; /* kill leading whitepspace */
+    if (*p == '[') {
+        char *end;
+        p++;
+        end= strrchr(p, (int)']');
+        if (end != NULL) *end = '\0'; /* null out the end-bracket */
+    }
+    while ((len= terminate_first_tok(p,", \t\n",&p,&oldchar)) > 0) {
+        netspade_add_net_to_homenet(self,p);
+        term= p+len;
+        *term= oldchar;
+        if (oldchar == '\0') { break; } /* Thanks Risto! */
+        p= term+1;
+    }
+
+    free(strcopy);
+
+    if (self->debug_level) {
+        ll_net *n;
+        struct in_addr net;
+        (*self->msg_callback)(SPADE_MSG_TYPE_DEBUG,"Spade home nets are:\n");
+        for (n=self->homelist_head; n != NULL; n=n->next) {
+            net.s_addr= ntohl(n->netaddr);
+            formatted_spade_msg_send(SPADE_MSG_TYPE_DEBUG,self->msg_callback,"\t%s with mask %lx\n",inet_ntoa(net),(u_long)ntohl(n->netmask));
+        }
+    }
+}
+
+void netspade_set_output_stats(netspade *self,int stats_to_print) {
+    self->stats_to_print= stats_to_print;
+}
+
+void netspade_set_output_stats_from_str(netspade *self,char *str) {
+    char *strcopy= strdup(str);
+    char *head= strcopy;
+    char oldchar;
+    int len;
+    char *term;
+    
+    self->stats_to_print= STATS_NONE;
+    
+    while ((len= terminate_first_tok(head,", \t\n",&head,&oldchar)) > 0) {
+        if (!(strcmp(head,"entropy"))) {
+            self->stats_to_print |= STATS_ENTROPY;
+        } else if (!(strcmp(head,"condprob"))) {
+            self->stats_to_print |= STATS_CONDPROB;
+        } else if (!(strcmp(head,"uncondprob"))) {
+            self->stats_to_print |= STATS_UNCONDPROB;
+        } else {
+            // warn
+        }
+        term= head+len;
+        *term= oldchar;
+        head= term+1;
+    }
+    free(strcopy);
+}
+
+int netspade_set_output(netspade *self,char *file,int stats_to_print) {
+    self->outfile= strdup(file);
+    self->stats_to_print= stats_to_print;
+    return 1;
+}
+
+int netspade_set_output_file(netspade *self,char *file) {
+    self->outfile= strdup(file);
+    return 1;
+}
+
+void netspade_add_rpt_excludes(netspade *self,char *xsips,char *xdips,char *xsports,char *xdports) {
+    process_netspade_xarg(self,xsports,SPORT,XARG_TYPE_UINT);
+    process_netspade_xarg(self,xdips,DIP,XARG_TYPE_CIDR);
+    process_netspade_xarg(self,xsips,SIP,XARG_TYPE_CIDR);
+    process_netspade_xarg(self,xdports,DPORT,XARG_TYPE_UINT);
+}
+
+char *netspade_new_detector(netspade *self,char *str) {
+    netspade_detector *new;
+    char *strcopy= strdup(str);
+    char *type;
+    int calcboth;
+    int minobs_prefix_len= -1,entropy_prefix_len=-1;
+    int canceller_timeout_implication;
+    event_condition_set cancel_homenet_conds;
+    feature_list fla[4];
+    char to[8]="home",from[8]="home",protocol[5]="tcp";
+    char tcpflags[21]="synonly";
+    char xsips[401]="",xdips[401]="",xsports[401]="",xdports[401]="";
+    double thresh= 10000000;
+    int wait=0;
+    int relscore=1,minobs=0,probmode=3;
+    int scalefreqmins=240;
+    double scalefactor= 0.98363,scalecutoff= 0.18,scalehalflifehrs=-1;
+    int reverse_reporting=0;
+    double maxentropy= -1;
+    void *args[30];
+    char formatstr[500]="$i:wait;s50:id;i:minobs;"
+                "i:scalefreq;d:scalefactor;d:scalecutoff;d:scalehalflife;"
+                "s400:Xsips,Xsip,xsips;s400:Xdips,Xdip,xdips;"
+                "s400:Xsports,Xsport,xsports;s400:Xdports,Xdport,xdports;"
+                "b:revwaitrpt";
+    char id[51]="\0";
+    char defaultid[31];
+    sprintf(defaultid,"%d",++self->detector_id_nonce);
+    
+    args[0]= &wait;
+    args[1]= &id;
+    args[2]= &minobs;
+    args[3]= &scalefreqmins;
+    args[4]= &scalefactor;
+    args[5]= &scalecutoff;
+    args[6]= &scalehalflifehrs;
+    args[7]= &xsips;
+    args[8]= &xdips;
+    args[9]= &xsports;
+    args[10]= &xdports;
+    args[11]= &reverse_reporting;
+    
+    new= (netspade_detector *)malloc(sizeof(netspade_detector));
+    new->parent= self;
+    init_score_calculator_clear(&new->calculator,&self->recorder);
+    new->store_conds= 0;
+    new->scorecalc_conds= 0;
+    new->thresh_exc_port_impl= PORT_UNKNOWN;
+    PS_INIT_SET_WITH_STRONGER(new->port_report_criterea,PORT_UNKNOWN);
+    new->cancel_closed_conds= EVENT_CONDITION_FALSE;
+    new->cancel_open_conds= EVENT_CONDITION_FALSE;
+    new->report_scope_str= NULL;
+    new->exclude_broadcast_dip= 0;
+    
+    type= extract_str_arg_space_sep(strcopy,"type");
+
+    if (type == NULL) type= "closed-dport";
+    new->detect_type= SPADE_DR_TYPE_NUM4SHORT(type);
+    new->report_detection_type= DEFAULT_DN_TYPE_FOR_DR_TYPE(new->detect_type); // may be overridden below
+    
+    switch (new->detect_type) {
+    case SPADE_DR_TYPE_CLOSED_DPORT: {
+        int corrscore=1;
+        scalefactor= 0.96409; /* this detection type uses a different that normal scaling factor */
+        minobs= -1;
+        minobs_prefix_len= 0;
+        
+        new->thresh_exc_port_impl= PORT_PROBCLOSED;
+        PS_INIT_SET_WITH_STRONGER(new->port_report_criterea,PORT_PROBCLOSED); /* override default default; this will be overriden if wait is set */
+        
+        args[12]= &protocol;
+        args[13]= &to;
+        args[14]= &tcpflags;
+        args[15]= &thresh;
+        args[16]= &relscore;
+        args[17]= &probmode;
+        args[18]= &corrscore;
+        strcat(formatstr,";s4:protocol,proto;s7:to;s20:tcpflags;d:thresh;b:relscore;"
+                          "i:probmode;b:-corrscore,corrscore");
+        fill_args_space_sep(strcopy,formatstr,args,self->msg_callback);
+            
+        if (thresh == 10000000) thresh= relscore ? 0.85 : -1;
+        if (minobs == -1) minobs= relscore ? 400 : 0;
+        score_calculator_set_corrscore(&new->calculator,corrscore);
+
+        fla[0].feat[0]= DIP; fla[0].feat[1]= DPORT;
+        fla[0].feat[2]= SIP; fla[0].feat[3]= SPORT;
+        switch (probmode) {
+            case 0:
+                fla[0].num= 1; fla[0].feat[0]= DIP;
+                fla[1].num= 3; fla[1].feat[0]= SIP; fla[1].feat[1]= DPORT; fla[1].feat[2]= SPORT;
+                fla[2].num= 2; fla[2].feat[0]= SPORT; fla[2].feat[1]= DPORT;
+                fla[3].num= 3; fla[3].feat[0]= DIP; fla[3].feat[1]= SPORT; fla[3].feat[2]= SIP;
+                /* P(dport) * P(sip|dport,sport) * P(sport|dport) * P(dip|sport,sip) */
+                score_calculator_set_features(&new->calculator,4,fla,NULL,featurenames);
+                minobs= 0; /* prob mode 0 disables minobs; what would it mean? */
+                break;
+            case 1: 
+                fla[0].num= 4;
+                score_calculator_set_features(&new->calculator,1,fla,NULL,featurenames);
+                break;
+            case 2:
+                fla[0].num= 3;
+                score_calculator_set_features(&new->calculator,1,fla,NULL,featurenames);
+                break;
+            default:
+                if (probmode < 0 || probmode > 3) formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"Probability mode %d not valid, using mode 3\n",probmode);
+            case 3:
+                fla[0].num= 2;
+                score_calculator_set_features(&new->calculator,1,fla,NULL,featurenames);
+                break;
+        }
+
+        score_calculator_set_condcutoff(&new->calculator,0);
+        
+        if (!strcmp(to,"any")) {
+            /* no restriction => no conditions to set */
+        } else if (!strcmp(to,"nothome")) {
+            ADD_TO_CONDS(new->scorecalc_conds,DIP_NOT_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,DIP_NOT_IN_HOMENET);
+        } else {
+            if (strcmp(to,"home")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"\"to\" setting %s not valid, using home\n",to);
+            }
+            ADD_TO_CONDS(new->scorecalc_conds,DIP_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,DIP_IN_HOMENET);
+        }
+
+        if (!strcmp(protocol,"udp")) {
+            ADD_TO_CONDS(new->store_conds,IS_UDP);
+            ADD_TO_CONDS(new->scorecalc_conds,IS_UDP);
+            //new->cancel_open_conds= IS_UDP; /* waiting to see if might be open is optional */
+            new->cancel_closed_conds= IS_UNRCHUDP; /* waiting for a ICMP UNRCH to be sure it is a probe is optional */
+            //if (!wait) wait= 5;
+       } else {
+            if (strcmp(protocol,"tcp")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"Protocol %s not valid, using tcp\n",protocol);
+            }
+            ADD_TO_CONDS(new->store_conds,SYNONLY);           /* only store tcp syns */
+            if (!strcmp(tcpflags,"weird")) {
+                ADD_TO_CONDS(new->scorecalc_conds,WEIRDFLAGS);
+                new->cancel_open_conds= EVENT_CONDITION_FALSE; /* not available */
+            } else if (!strcmp(tcpflags,"synack")) {
+                ADD_TO_CONDS(new->scorecalc_conds,SYNACK);
+                new->cancel_closed_conds= NORMAL_RST; /* we need to wait for a RST to be sure it is a probe */
+                if (!wait) wait= 5;
+            } else if (!strcmp(tcpflags,"established")) {
+                ADD_TO_CONDS(new->scorecalc_conds,ESTFLAGS);
+                new->cancel_closed_conds= NORMAL_RST; /* we need to wait for a RST to be sure it is a probe */
+                if (!wait) wait= 5;
+            } else if (!strcmp(tcpflags,"teardown")) {
+                ADD_TO_CONDS(new->scorecalc_conds,TEARDOWNFLAGS);
+                new->cancel_closed_conds= NORMAL_RST; /* we need to wait for a RST to be sure it is a probe */
+                if (!wait) wait= 5;
+            } else {
+                if (strcmp(tcpflags,"synonly")) {
+                    formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"TCP flags %s not valid, using synonly\n",tcpflags);
+                }
+                ADD_TO_CONDS(new->scorecalc_conds,SYNONLY);
+                new->cancel_open_conds= SYNACK; /* waiting to see if might be open is optional */
+            }
+        }
+        
+        if (!wait) {
+            new->report_detection_type= SPADE_DN_TYPE_ODD_DPORT;
+        } else if (reverse_reporting) {
+            new->report_detection_type= SPADE_DN_TYPE_ODD_OPEN_DPORT;
+        }
+        break;
+    }
+    case SPADE_DR_TYPE_ODD_TYPECODE: {
+        char icmptype[7]="any";
+        thresh=0.9;
+        scalefactor= 0.96409; /* this detection type uses a different that normal scaling factor */
+        minobs=-1; /* this detection type uses a different that normal default minobs */
+        
+        minobs_prefix_len= 0;
+
+        args[12]= &to;
+        args[13]= &thresh;
+        args[14]= &icmptype;        
+        strcat(formatstr,";s7:to;d:thresh;s6:icmptype");
+        fill_args_space_sep(strcopy,formatstr,args,self->msg_callback);
+            
+        fla[0].num= 1; fla[0].feat[0]= ICMPTYPECODE;
+        score_calculator_set_features(&new->calculator,1,fla,NULL,featurenames);
+        score_calculator_set_condcutoff(&new->calculator,0);
+
+        if (!strcmp(to,"any")) {
+            /* no restriction => no conditions to set */
+        } else if (!strcmp(to,"nothome")) {
+            ADD_TO_CONDS(new->scorecalc_conds,DIP_NOT_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,DIP_NOT_IN_HOMENET);
+        } else {
+            if (strcmp(to,"home")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"\"to\" setting %s not valid, using home\n",from);
+            }
+            ADD_TO_CONDS(new->scorecalc_conds,DIP_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,DIP_IN_HOMENET);
+        }
+
+        if (!strcmp(icmptype,"noterr")) {
+            ADD_TO_CONDS(new->scorecalc_conds,ICMPNOTERR);
+            ADD_TO_CONDS(new->store_conds,ICMPNOTERR);
+            if (minobs == -1) minobs= 2000;
+        } else if (!strcmp(icmptype,"err")) {
+            ADD_TO_CONDS(new->scorecalc_conds,ICMPERR);
+            ADD_TO_CONDS(new->store_conds,ICMPERR);
+            if (minobs == -1) minobs= 2000;
+        } else {
+            if (strcmp(icmptype,"any")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"ICMP type %s not valid, using any\n",icmptype);
+            }
+            ADD_TO_CONDS(new->scorecalc_conds,IS_ICMP);
+            ADD_TO_CONDS(new->store_conds,IS_ICMP);
+            if (minobs == -1) minobs= 4000;
+        }
+
+        new->cancel_open_conds= ICMPNOTERR;
+        
+        break;
+    }
+    case SPADE_DR_TYPE_ODD_DPORT: {
+        thresh=0.8;
+        minobs=600; /* this detection type uses a different that normal default minobs */
+        
+        args[12]= &protocol;
+        args[13]= &from;
+        args[14]= &thresh;
+        strcat(formatstr,";s4:protocol,proto;s7:from;d:thresh");
+        fill_args_space_sep(strcopy,formatstr,args,self->msg_callback);
+            
+        fla[0].num= 2; fla[0].feat[0]= SIP; fla[0].feat[1]= DPORT;
+        score_calculator_set_features(&new->calculator,1,fla,NULL,featurenames);
+        score_calculator_set_condcutoff(&new->calculator,1);
+
+        if (!strcmp(from,"any")) {
+            /* no restriction => no conditions to set */
+        } else if (!strcmp(from,"nothome")) {
+            ADD_TO_CONDS(new->scorecalc_conds,SIP_NOT_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,SIP_NOT_IN_HOMENET);
+        } else {
+            if (strcmp(from,"home")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"\"from\" setting %s not valid, using home\n",from);
+            }
+            ADD_TO_CONDS(new->scorecalc_conds,SIP_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,SIP_IN_HOMENET);
+        }
+
+        /* this detection type only makes sense for connection-openers */    
+        if (!strcmp(protocol,"udp")) {
+            ADD_TO_CONDS(new->store_conds,IS_UDP);
+            ADD_TO_CONDS(new->scorecalc_conds,IS_UDP);
+            //new->cancel_open_conds= IS_UDP;
+            new->cancel_closed_conds= IS_UNRCHUDP; /* waiting for a ICMP UNRCH is optional */
+        } else {
+            if (strcmp(protocol,"tcp")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"Protocol %s not valid, using tcp\n",protocol);
+            }
+            ADD_TO_CONDS(new->store_conds,SYNONLY);           /* only store tcp syns */
+            ADD_TO_CONDS(new->scorecalc_conds,SYNONLY);
+            new->cancel_open_conds= SYNACK;
+        }
+        
+        break;
+    }
+    case SPADE_DR_TYPE_ODD_PORTDEST: {
+        thresh=0.9;
+        minobs=-1; /* this detection type uses a different that normal default minobs */
+        maxentropy= 2.5;
+        scalefreqmins= 90; /* override the default defaults */
+        scalefactor= 0.97957;
+        scalecutoff= 0.25;
+        
+        args[12]= &protocol;
+        args[13]= &from;
+        args[14]= &thresh;
+        args[15]= &maxentropy;
+        strcat(formatstr,";s4:protocol,proto;s7:from;d:thresh;d:maxentropy");
+        fill_args_space_sep(strcopy,formatstr,args,self->msg_callback);
+
+        fla[0].num= 3; fla[0].feat[0]= SIP; fla[0].feat[1]= DPORT; fla[0].feat[2]= DIP;
+        score_calculator_set_features(&new->calculator,1,fla,NULL,featurenames);
+        score_calculator_set_condcutoff(&new->calculator,1);
+
+        if (!strcmp(from,"any")) {
+            /* no restriction => no conditions to set */
+        } else if (!strcmp(from,"nothome")) {
+            ADD_TO_CONDS(new->scorecalc_conds,SIP_NOT_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,SIP_NOT_IN_HOMENET);
+        } else {
+            if (strcmp(from,"home")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"\"from\" setting %s not valid, using home\n",from);
+            }
+            ADD_TO_CONDS(new->scorecalc_conds,SIP_IN_HOMENET);
+            ADD_TO_CONDS(new->store_conds,SIP_IN_HOMENET);
+        }
+
+        /* this detection type only makes sense for connection-openers */    
+        if (!strcmp(protocol,"udp")) {
+            ADD_TO_CONDS(new->store_conds,IS_UDP);
+            ADD_TO_CONDS(new->scorecalc_conds,IS_UDP);
+            //new->cancel_open_conds= IS_UDP;
+            new->cancel_closed_conds= IS_UNRCHUDP; /* waiting for a ICMP UNRCH is optional */
+
+            if (minobs == -1) minobs= pow(2,maxentropy) * 200; /* default is 200 times the minimum number of observations need to acheive maxentropy */
+        } else {
+            if (strcmp(protocol,"tcp")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"Protocol %s not valid, using tcp\n",protocol);
+            }
+            ADD_TO_CONDS(new->store_conds,SYNONLY);           /* only store tcp syns */
+            ADD_TO_CONDS(new->scorecalc_conds,SYNONLY);
+            new->cancel_open_conds= SYNACK;
+
+            if (minobs == -1) minobs= pow(2,maxentropy) * 100; /* default is 100 times the minimum number of observations need to acheive maxentropy */
+        }
+        
+        break;
+    }
+    case SPADE_DR_TYPE_DEAD_DEST: {
+        feature_list cfl;
+        char icmptype[7]="noterr";
+        scalefreqmins= 60; /* override the default defaults */
+        scalefactor= 0.94387;
+        scalecutoff= 0.25;
+        wait= 2;
+        minobs= 2000;
+        minobs_prefix_len= 0;
+        thresh= 1;
+        
+        new->exclude_broadcast_dip= 1;
+        new->thresh_exc_port_impl= PORT_PROBCLOSED;
+        ADD_TO_CONDS(new->scorecalc_conds,DIP_IN_HOMENET);
+        ADD_TO_CONDS(new->store_conds,SIP_IN_HOMENET);
+        ADD_TO_CONDS(new->store_conds,REPR_PKT);
+
+        fla[0].num= 1; fla[0].feat[0]= SIP;
+        cfl.num= 1; cfl.feat[0]= DIP;
+        score_calculator_set_features(&new->calculator,1,fla,&cfl,featurenames);
+        score_calculator_set_corrscore(&new->calculator,1);
+        
+        args[12]= &protocol;
+        args[13]= &tcpflags;        
+        args[14]= &icmptype;        
+        strcat(formatstr,";s4:protocol,proto;s20:tcpflags;s6:icmptype");
+        fill_args_space_sep(strcopy,formatstr,args,self->msg_callback);
+
+        score_calculator_set_condcutoff(&new->calculator,0);
+
+        if (!strcmp(protocol,"udp")) {
+            ADD_TO_CONDS(new->scorecalc_conds,IS_UDP);
+            new->cancel_open_conds= UDPRESP; /* waiting to see if might be live is optional */
+        } else if (!strcmp(protocol,"icmp")) {
+            new->cancel_open_conds= ICMPRESP; /* waiting to see if might be live is optional */
+            if (!strcmp(icmptype,"any")) {
+                ADD_TO_CONDS(new->scorecalc_conds,IS_ICMP);
+            } else if (!strcmp(icmptype,"err")) {
+                ADD_TO_CONDS(new->scorecalc_conds,ICMPERR);
+            } else {
+                if (strcmp(icmptype,"noterr")) {
+                    formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"ICMP type %s not valid, using noterr\n",icmptype);
+                }
+                ADD_TO_CONDS(new->scorecalc_conds,ICMPNOTERR);
+            }
+        } else {
+            if (strcmp(protocol,"tcp")) {
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"Protocol %s not valid, using tcp\n",protocol);
+            }
+            if (!strcmp(tcpflags,"weird")) {
+                ADD_TO_CONDS(new->scorecalc_conds,WEIRDFLAGS);
+                new->cancel_open_conds= EVENT_CONDITION_FALSE; /* not available */
+            } else if (!strcmp(tcpflags,"setup")) {
+                ADD_TO_CONDS(new->scorecalc_conds,SETUPFLAGS);
+                new->cancel_open_conds= SETUPRESP;
+            } else if (!strcmp(tcpflags,"synack")) {
+                ADD_TO_CONDS(new->scorecalc_conds,SYNACK);
+                new->cancel_open_conds= ESTRESP;
+            } else if (!strcmp(tcpflags,"established")) {
+                ADD_TO_CONDS(new->scorecalc_conds,ESTFLAGS);
+                new->cancel_open_conds= ESTRESP;
+            } else if (!strcmp(tcpflags,"teardown")) {
+                ADD_TO_CONDS(new->scorecalc_conds,TEARDOWNFLAGS);
+                new->cancel_open_conds= TEARDOWNRESP;
+            } else {
+                if (strcmp(tcpflags,"synonly")) {
+                    formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"TCP flags %s not valid, using synonly\n",tcpflags);
+                }
+                ADD_TO_CONDS(new->scorecalc_conds,SYNONLY);
+                new->cancel_open_conds= SYNRESP;
+            }
+        }
+
+        break;
+    }
+    default:
+        free(new);
+        formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"detector type \"%s\" not recognized, not enabling this detector: %s",type,str);
+        return NULL;
+    } 
+
+    /* finish new->store_conds,scorecalc_conds and cancel_open_conds */
+    
+    if (wait > 0 && (CONDS_NOT_FALSE(new->cancel_open_conds) ||  CONDS_NOT_FALSE(new->cancel_closed_conds))) {
+        int canceller_response_implication;
+        int report_timeout;
+        if (CONDS_NOT_FALSE(new->cancel_closed_conds)) { /* waiting is for closed */
+            canceller_timeout_implication= PORT_UNKNOWN;
+            canceller_response_implication= PORT_CLOSED;
+            new->cancel_open_conds= EVENT_CONDITION_FALSE;
+            report_timeout= 0 || reverse_reporting;
+        } else { /* waiting is for open */
+            canceller_timeout_implication= PORT_LIKELYCLOSED;
+            canceller_response_implication= PORT_OPEN;
+            new->cancel_closed_conds= EVENT_CONDITION_FALSE;
+            report_timeout= 1 && !reverse_reporting;
+        }
+        if (report_timeout) {
+            PS_INIT_SET(new->port_report_criterea,canceller_timeout_implication);
+        } else {
+            PS_INIT_SET_WITH_STRONGER(new->port_report_criterea,canceller_response_implication);
+        }
+        new->canceller= new_packet_resp_canceller(wait,&canceller_status_report,new,canceller_timeout_implication);
+    } else {
+        new->canceller= NULL;
+        new->cancel_open_conds= EVENT_CONDITION_FALSE;
+        new->cancel_closed_conds= EVENT_CONDITION_FALSE;
+    }
+    /* check if restrictions on report's homenet, need to flip for cancelling */
+    cancel_homenet_conds= flipped_homenet_conds(new->scorecalc_conds);
+    if (CONDS_NOT_FALSE(new->cancel_open_conds))
+        ADD_TO_CONDS(new->cancel_open_conds,cancel_homenet_conds);
+    if (CONDS_NOT_FALSE(new->cancel_closed_conds))
+        ADD_TO_CONDS(new->cancel_closed_conds,cancel_homenet_conds);
+
+    score_calculator_set_storage_conditions(&new->calculator,new->store_conds);
+    
+    calcboth= 0; /*relscore ? 0 : 1;*/
+    score_calculator_set_relscore(&new->calculator,relscore || calcboth,relscore);
+    score_calculator_set_rawscore(&new->calculator,!relscore || calcboth,!relscore);
+    if (scalehalflifehrs >= 0) // set factor based on halflife and frequency
+        scalefactor= exp((scalefreqmins/(scalehalflifehrs*60))*log(0.5));
+    score_calculator_set_scaling(&new->calculator,scalefreqmins*60,scalefactor,scalecutoff);
+    if (minobs > 0) {
+        if (minobs_prefix_len < 0) minobs_prefix_len+= fla[0].num;
+        score_calculator_set_min_obs(&new->calculator,minobs_prefix_len,minobs);
+    }
+    if (maxentropy >= 0) {
+        if (entropy_prefix_len < 0) entropy_prefix_len+= fla[0].num;
+        score_calculator_set_low_entropy_domain(&new->calculator,entropy_prefix_len,maxentropy);
+    }
+    init_spade_enviro(&new->enviro,thresh,&self->total_pkts);
+    init_score_mgr(&new->mgr, new, &new->enviro, self,
+                threshold_was_exceeded, threshold_was_adjusted,self->msg_callback);
+    
+    process_detector_xargs(new,xsips,xdips,xsports,xdports);
+                
+    if (id[0] == '\0' || detector_for_id(self,id)) {
+        if (id[0] != '\0') formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,self->msg_callback,"Detector with id=%s already exists; using id=%s instead on: %s",id,defaultid,str);
+        new->id= strdup(defaultid);
+    } else {
+        new->id= strdup(id);
+    }
+    new->last_adj_stats.scored= 0;
+    new->last_adj_stats.reported= 0;
+    
+    /* append new detector to the list */
+    new->next= NULL;
+    if (self->detectors == NULL) { /* first entry */
+        self->detectors= new;
+    } else {
+        self->detectors_tail->next= new;
+    }
+    self->detectors_tail= new;
+    
+    netspade_detector_scope_str(self,new->id);
+                
+    free(strcopy);
+    return new->id;
+}
+
+int netspade_set_detector_scaling(netspade *self,char *detectorid,int scale_freq,double scale_factor,double prune_threshold) {
+    netspade_detector *detector;
+    detector= acquire_detector_for_id(self,detectorid);
+    score_calculator_set_scaling(&detector->calculator,scale_freq,scale_factor,prune_threshold);
+    return 1;
+}
+
+char *netspade_setup_detector_adapt_from_str(netspade *self,int adaptmode,char *str) {
+    char *strcopy= strdup(str);
+    char *detectorid= extract_str_arg_space_sep(strcopy,"id");
+    netspade_detector *detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_adapt_from_str(&detector->mgr,adaptmode,strcopy);
+    free(strcopy);
+    return detector->id;
+}
+
+int netspade_setup_detector_adapt1(netspade *self,char *detectorid,int adapttarget, time_t period, float new_obs_weight, int by_count) {
+    netspade_detector *detector;
+    detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_adapt1(&detector->mgr,adapttarget,period,new_obs_weight,by_count);
+    return 1;
+}
+
+int netspade_setup_detector_adapt2(netspade *self,char *detectorid,double targetspec, double obsper, int NS, int NM, int NL) {
+    netspade_detector *detector;
+    detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_adapt2(&detector->mgr,targetspec,obsper,NS,NM,NL);
+    return 1;
+}
+
+int netspade_setup_detector_adapt3(netspade *self,char *detectorid,double targetspec, double obsper, int NO) {
+    netspade_detector *detector;
+    detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_adapt3(&detector->mgr,targetspec,obsper,NO);
+    return 1;
+}
+
+int netspade_setup_detector_advise(netspade *self,char *detectorid,int obs_size, int obs_secs) {
+    netspade_detector *detector;
+    detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_advise(&detector->mgr,obs_size,obs_secs);
+    return 1;
+}
+
+char *netspade_setup_detector_advise_from_str(netspade *self,char *str) {
+    char *strcopy= strdup(str);
+    char *detectorid= extract_str_arg_space_sep(strcopy,"id");
+    netspade_detector *detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_advise_from_str(&detector->mgr,strcopy);
+    free(strcopy);
+    return detector->id;
+}
+
+int netspade_setup_detector_survey(netspade *self,char *detectorid,char *filename,float interval) {
+    netspade_detector *detector;
+    detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_survey(&detector->mgr,filename,interval);
+    return 1;
+}
+
+char *netspade_setup_detector_survey_from_str(netspade *self,char *str) {
+    char *strcopy= strdup(str);
+    char *detectorid= extract_str_arg_space_sep(strcopy,"id");
+    netspade_detector *detector= acquire_detector_for_id(self,detectorid);
+    score_mgr_setup_survey_from_str(&detector->mgr,strcopy);
+    free(strcopy);
+    return detector->id;
+}
+
+/* called frequently, should be efficient esp for packets we don't care about */
+void netspade_new_pkt(netspade *self,spade_event *pkt) {
+    event_condition_set pkt_conds=0;
+    int write_log= 0;
+    int ip_in_homenet;
+    features orig_sip,orig_dip,orig_sport,orig_dport;
+    netspade_detector *detector;
+    int new_sec= (self->last_time_forwarded < (time_t)pkt->time);
+
+    if (self->last_time_forwarded == 0) { /* first packet */
+        if (self->detectors == NULL)
+            netspade_new_detector(self,"relscore=0 corrscore=0");
+        for (detector= self->detectors; detector != NULL; detector=detector->next) {
+            score_calculator_init_complete(&detector->calculator); /* make sure calculator is all set up */
+        }
+    }
+
+//printf("packet time is %.4f\n",pkt->time);
+
+    /* update packet counts and tell detector of new time */
+    self->total_pkts++;
+    if (new_sec) {
+        for (detector= self->detectors; detector != NULL; detector=detector->next) {
+            if (score_mgr_new_time(&detector->mgr,pkt->time)) write_log=1; /* advising completed */
+            if (detector->canceller != NULL)
+                packet_resp_canceller_new_time(detector->canceller,pkt->time);
+            detector->enviro.now= (time_t)pkt->time;
+        }
+        event_recorder_new_time(&self->recorder,(time_t)pkt->time);
+        self->last_time_forwarded= (time_t)pkt->time;
+    }
+    
+    /* calculate the conditions that this packet satisfies; no need to calculate any conditions we don't care about (i.e., not on recorder_needed_conds or nonstore_conds) */
+    if (!self->nonstore_conds || !self->recorder_needed_conds)
+        netspade_update_conds_to_calc(self);
+    if (pkt->origin == PKTORIG_UNRCH) {
+        orig_sip= DIP;
+        orig_dip= SIP;
+        orig_sport= DPORT;
+        orig_dport= SPORT;
+        if (pkt->fldval[IPPROTO] == IPPROTO_TCP) 
+             ADD_TO_CONDS(pkt_conds,IS_UNRCHTCP);
+        else if (pkt->fldval[IPPROTO] == IPPROTO_UDP) 
+            ADD_TO_CONDS(pkt_conds,IS_UNRCHUDP);
+        else if (pkt->fldval[IPPROTO] == IPPROTO_ICMP) 
+            ADD_TO_CONDS(pkt_conds,IS_UNRCHICMP);
+    } else {
+        orig_sip= SIP;
+        orig_dip= DIP;
+        orig_sport= SPORT;
+        orig_dport= DPORT;
+        if (pkt->fldval[IPPROTO] == IPPROTO_TCP) {
+            u8 tcpflags= pkt->fldval[TCPFLAGS] & 0x3F; /* strip off reserved bits */
+            ADD_TO_CONDS(pkt_conds,IS_TCP);
+            if (tcpflags == 0x02) {
+                ADD_TO_CONDS(pkt_conds,SYNONLY);
+            } else if (tcpflags == 0x12) {
+                ADD_TO_CONDS(pkt_conds,SYNACK);
+            } else {
+                if (!(tcpflags & 0x16)) { /* no syn, no ack, and no rst */
+                    ADD_TO_CONDS(pkt_conds,WEIRDFLAGS);
+                } else if (tcpflags & 0x10) { /* has ack */
+                    event_condition_set tmp= tcpflags & 0x07; /* now strip out A,P,U */
+                    if (tmp != 0x00 && tmp != 0x01 && tmp != 0x04) /* not more than one of F or R */
+                        ADD_TO_CONDS(pkt_conds,WEIRDFLAGS);
+                } else if (!((tcpflags == 0x01) || (tcpflags == 0x02) || (tcpflags == 0x04))) { /* no ack, but no S,F,or R */
+                    ADD_TO_CONDS(pkt_conds,WEIRDFLAGS);
+                }
+            }
+            if (!SOME_CONDS_MET(pkt_conds,WEIRDFLAGS)) {
+                event_condition_set tmp= (pkt->fldval[TCPFLAGS] & 0x07); /* strip off all but S,F,R */
+                switch (tmp) {
+                case 0x00: ADD_TO_CONDS(pkt_conds,ESTFLAGS); break;
+                case 0x02: ADD_TO_CONDS(pkt_conds,SETUPFLAGS); break;
+                case 0x01: ADD_TO_CONDS(pkt_conds,TEARDOWNFLAGS); break;
+                case 0x04: ADD_TO_CONDS(pkt_conds,CONDS_PLUS_CONDS(NORMAL_RST,TEARDOWNFLAGS)); break;
+                default:;
+                }
+            }
+        } else if (pkt->fldval[IPPROTO] == IPPROTO_UDP) {
+            ADD_TO_CONDS(pkt_conds,IS_UDP);
+        } else if (pkt->fldval[IPPROTO] == IPPROTO_ICMP) {
+            ADD_TO_CONDS(pkt_conds,IS_ICMP);
+            if ((pkt->fldval[ICMPTYPE] < 3 || pkt->fldval[ICMPTYPE] > 5) &&
+                pkt->fldval[ICMPTYPE] != 11 && pkt->fldval[ICMPTYPE] != 12) {
+                ADD_TO_CONDS(pkt_conds,ICMPNOTERR);
+            } else {
+                ADD_TO_CONDS(pkt_conds,ICMPERR);
+            }
+        }
+    }
+    if (SOME_CONDS_MET(pkt_conds,REPR_PKT_CONDS))
+        ADD_TO_CONDS(pkt_conds,REPR_PKT);
+    if (SOME_CONDS_MET(pkt_conds,UDPRESP_CONDS))
+        ADD_TO_CONDS(pkt_conds,UDPRESP);
+    if (SOME_CONDS_MET(pkt_conds,ICMPRESP_CONDS))
+        ADD_TO_CONDS(pkt_conds,ICMPRESP);
+    if (SOME_CONDS_MET(pkt_conds,ONLY_CONDS(self->conds_to_calc,CONDS_PLUS_3CONDS(SYNRESP_CONDS,ESTRESP_CONDS,TEARDOWNRESP_CONDS,SETUPRESP_CONDS)))) {
+        /* did that test so only TCP and ICMP unreachable will go in here */
+        if (SOME_CONDS_MET(pkt_conds,SYNRESP_CONDS))
+            ADD_TO_CONDS(pkt_conds,SYNRESP);
+        if (SOME_CONDS_MET(pkt_conds,ESTRESP_CONDS))
+            ADD_TO_CONDS(pkt_conds,ESTRESP);
+        if (SOME_CONDS_MET(pkt_conds,TEARDOWNRESP_CONDS))
+            ADD_TO_CONDS(pkt_conds,TEARDOWNRESP);
+        if (SOME_CONDS_MET(pkt_conds,SETUPRESP_CONDS))
+            ADD_TO_CONDS(pkt_conds,SETUPRESP);
+    }
+
+    
+    if (SOME_CONDS_MET(self->conds_to_calc,CONDS_PLUS_CONDS(DIP_IN_HOMENET,DIP_NOT_IN_HOMENET))) {
+        PKT_IP_IN_HOMENET_LIST(pkt,orig_dip,self->homelist_head,ip_in_homenet);
+        ADD_TO_CONDS(pkt_conds,(ip_in_homenet ? DIP_IN_HOMENET : DIP_NOT_IN_HOMENET));
+    }
+    if (SOME_CONDS_MET(self->conds_to_calc,CONDS_PLUS_CONDS(SIP_IN_HOMENET,SIP_NOT_IN_HOMENET))) {
+        PKT_IP_IN_HOMENET_LIST(pkt,orig_sip,self->homelist_head,ip_in_homenet);
+        ADD_TO_CONDS(pkt_conds,(ip_in_homenet ? SIP_IN_HOMENET : SIP_NOT_IN_HOMENET));
+    }
+    
+    if (SOME_CONDS_MET(pkt_conds,self->nonstore_conds)) { /* might match something to calculate or cancel */
+        /* check for scoring and cancelling in each detector */
+        int portless= (pkt->fldval[IPPROTO] != IPPROTO_TCP) && (pkt->fldval[IPPROTO] != IPPROTO_UDP);
+        for (detector= self->detectors; detector != NULL; detector=detector->next) {
+            if (ALL_CONDS_MET(pkt_conds,detector->scorecalc_conds) && (!detector->exclude_broadcast_dip || ((pkt->fldval[DIP] & 0xFF) != 0xFF))) {
+                score_info score;
+                int enoughobs;
+                score_info *res= score_calculator_calc_event_score(&detector->calculator,pkt,&score,&enoughobs);
+                if (!enoughobs || res != NULL) { // ignore events we decided not to apply this detector to */
+                    detector->enviro.pkt_stats.scored++;
+                    if (enoughobs) { // res != NULL
+                        score_mgr_new_event(&detector->mgr,&score,pkt);
+                    } else {  // !enoughobs
+                        detector->enviro.pkt_stats.insuffobsed++;
+                    }
+                }
+            }
+            if (ALL_CONDS_MET(pkt_conds,detector->cancel_open_conds)) {
+                detector->enviro.pkt_stats.respchecked++;
+                packet_resp_canceller_note_response(detector->canceller,PORT_OPEN,
+                    pkt->fldval[orig_dip],pkt->fldval[orig_dport],
+                    pkt->fldval[orig_sip],pkt->fldval[orig_sport],portless);
+            }
+            if (ALL_CONDS_MET(pkt_conds,detector->cancel_closed_conds)) {
+                detector->enviro.pkt_stats.respchecked++;
+                packet_resp_canceller_note_response(detector->canceller,PORT_CLOSED,
+                    pkt->fldval[orig_dip],pkt->fldval[orig_dport],
+                    pkt->fldval[orig_sip],pkt->fldval[orig_sport],portless);
+            }
+        }
+    }
+    if (SOME_CONDS_MET(pkt_conds,self->recorder_needed_conds)) { /* might match something to record */
+        self->records_since_checkpoint+=
+            event_recorder_new_event(&self->recorder,pkt,pkt_conds);
+    }
+    
+    if (write_log) { /* time to write the log */
+        netspade_write_log(self);
+    }
+    if ((self->checkpoint_freq > 0) && (self->records_since_checkpoint >= self->checkpoint_freq)) { // see if its time to checkpoint
+        do_checkpointing(self); // should report err if returns 0
+        self->records_since_checkpoint= 0;
+    }
+}
+
+
+void netspade_dump(netspade *self) 
+{
+    netspade_detector *detector;
+    netspade_write_log(self);
+    for (detector= self->detectors; detector != NULL; detector=detector->next) {
+        netspade_detector_dump(detector);
+    }
+    if (self->checkpoint_file != NULL) do_checkpointing(self);
+}
+
+void netspade_cleanup(netspade *self) 
+{
+    netspade_detector *detector;
+    netspade_write_log(self);
+    for (detector= self->detectors; detector != NULL; detector=detector->next) {
+        netspade_detector_cleanup(detector);
+    }
+    if (self->checkpoint_file != NULL) do_checkpointing(self);
+}
+
+char *netspade_detector_scope_str(netspade *self,char *id) {
+    int i;
+    char *str,*tail;
+    int numconds= 0;
+    netspade_detector *d= detector_for_id(self,id);
+    if (d == NULL) return NULL;
+    if (d->report_scope_str != NULL) return d->report_scope_str;
+    
+    for (i=0; i < 31; i++)
+        if (SOME_CONDS_MET(d->scorecalc_conds,EVENT_CONDITION_NUM(i))) numconds++;
+    
+    str= (char *)malloc(sizeof(char)*(numconds*(15+2)+1));
+    if (str == NULL) return NULL;
+    
+    tail= str;
+    for (i=31; i >= 0; i--)
+        if (SOME_CONDS_MET(d->scorecalc_conds,EVENT_CONDITION_NUM(i))) {
+            char* new= scope_str_for_cond(EVENT_CONDITION_NUM(i));
+            if (new == NULL) continue; /* nothing to add */
+            if (tail != str) {
+                *tail= ',';
+                *(tail+1)= ' ';
+                tail+= 2;
+            }
+            strcpy(tail,new);
+            tail+= strlen(new);
+        }
+
+   d->report_scope_str= str;
+   return str;         
+}
+
+static void condprinter(FILE *file,event_condition_set conds) {
+    int i,first=1;
+    for (i=31; i >= 0; i--)
+        if (SOME_CONDS_MET(conds,EVENT_CONDITION_NUM(i))) {
+            if (first) {
+                first= 0;
+            } else {
+                fprintf(file,", ");
+            }
+            fprintf(file,"%s",scope_str_for_cond(EVENT_CONDITION_NUM(i)));
+        }
+}
+
+static char *scope_str_for_cond(event_condition_set cond) {
+    switch (cond) {
+        case IS_TCP: return "tcp";
+        case IS_UDP: return "udp";
+        case IS_ICMP: return "icmp";
+        case ICMPNOTERR: return "non-err icmp";
+        case ICMPERR: return "error icmp";
+        case IS_UNRCHTCP: return "returned tcp";
+        case IS_UNRCHUDP: return "returned udp";
+        case IS_UNRCHICMP: return "returned icmp";
+        case SYNONLY: return "syn";
+        case NORMAL_RST: return "rst";
+        case SYNACK: return "synack";
+        case WEIRDFLAGS: return "weird flags";
+        case SETUPFLAGS: return "setup flags";
+        case ESTFLAGS: return "est. flags";
+        case TEARDOWNFLAGS: return "teardown flags";
+        case SIP_IN_HOMENET: return "local source";
+        case SIP_NOT_IN_HOMENET: return "nonlocal source";
+        case DIP_IN_HOMENET: return "local dest";
+        case DIP_NOT_IN_HOMENET: return "nonlocal dest";
+        case UDPRESP: return "udp response";
+        case ICMPRESP: return "icmp response";
+        case SYNRESP: return "syn response";
+        case ESTRESP: return "est. response";
+        case TEARDOWNRESP: return "teardown response";
+        case SETUPRESP: return "setup response";
+        case REPR_PKT: return "representative";
+        default: return NULL;
+    }
+}
+
+static netspade_detector *acquire_detector_for_id(netspade *self,char *id) {
+    netspade_detector *detector;
+    if (id == NULL) {
+        if (self->detectors == NULL) netspade_new_detector(self,"id=default");
+        return self->detectors_tail; /* return most recent detector */
+    }
+    detector= detector_for_id(self,id);
+    if (detector == NULL) {
+        char detect_str[45];
+        sprintf(detect_str,"id=%s",id);
+        netspade_new_detector(self,detect_str);
+        detector= detector_for_id(self,id);
+    }
+    return detector;
+}
+
+static netspade_detector *detector_for_id(netspade *self,char *id) {
+    netspade_detector *detector;
+    for (detector= self->detectors; detector != NULL; detector=detector->next) {
+        if (!strcmp(detector->id,id)) {
+            return detector;
+        }
+    }
+    return NULL;
+}
+
+static void netspade_detector_dump(netspade_detector *detector) {
+    score_mgr_dump(&detector->mgr);
+}
+static void netspade_detector_cleanup(netspade_detector *detector) {
+    score_mgr_cleanup(&detector->mgr);
+}
+
+static void netspade_update_conds_to_calc(netspade *self) {
+    if (!self->recorder_needed_conds)
+        self->recorder_needed_conds= event_recorder_needed_conds(&self->recorder);
+    if (!self->nonstore_conds)
+        self->nonstore_conds= netspade_nonstore_conds(self);
+        
+    self->conds_to_calc= CONDS_PLUS_CONDS(self->recorder_needed_conds,self->nonstore_conds);
+}
+
+static event_condition_set netspade_nonstore_conds(netspade *self) {
+    netspade_detector *detector;
+    event_condition_set nonstore_conds= 0;
+    for (detector= self->detectors; detector != NULL; detector=detector->next) {
+        ADD_TO_CONDS(nonstore_conds,CONDS_PLUS_2CONDS(detector->scorecalc_conds,detector->cancel_open_conds,detector->cancel_closed_conds));
+    }
+    return nonstore_conds;
+}
+
+static event_condition_set flipped_homenet_conds(event_condition_set orig) {
+    event_condition_set flipped=0;
+    if (SOME_CONDS_MET(orig,SIP_IN_HOMENET)) {
+        ADD_TO_CONDS(flipped,DIP_IN_HOMENET);
+    }
+    if (SOME_CONDS_MET(orig,SIP_NOT_IN_HOMENET)) {
+        ADD_TO_CONDS(flipped,DIP_NOT_IN_HOMENET);
+    }
+    if (SOME_CONDS_MET(orig,DIP_IN_HOMENET)) {
+        ADD_TO_CONDS(flipped,SIP_IN_HOMENET);
+    }
+    if (SOME_CONDS_MET(orig,DIP_NOT_IN_HOMENET)) {
+        ADD_TO_CONDS(flipped,SIP_NOT_IN_HOMENET);
+    }
+    return flipped;
+}
+
+
+static int do_checkpointing(netspade *self) {
+    statefile_ref *ref= spade_state_begin_checkpointing(self->checkpoint_file,"netspade",2);
+    if (ref == NULL) return 0;
+    
+    return event_recorder_checkpoint(&self->recorder,ref)
+        /* could checkpoint detectors in here */
+        && spade_state_end_checkpointing(ref);
+}
+
+static int do_recovery(netspade *self,char *statefile) {
+    char *appname;
+    u8 file_app_fvers;
+    
+    statefile_ref *ref= spade_state_begin_recovery(statefile,2,&appname,&file_app_fvers);
+    if (ref == NULL) return 0;
+    if (strcmp(appname,"netspade")) return 0;
+    
+    return event_recorder_merge_recover(&self->recorder,ref)
+        /* would checkpoint detectors in here; if we checkpointed that */
+        && spade_state_end_recovery(ref);
+}
+
+static void threshold_was_exceeded(void *context,void *mgrref,spade_event *pkt,score_info *score) {
+    netspade *self= (netspade *)context;
+    netspade_detector *detector= (netspade_detector *)mgrref;
+    char *id= detector->id;
+    port_status_t port_status= detector->thresh_exc_port_impl;
+    
+    /* first check if this report should be excluded */
+    if (pkt_is_excluded(self->rpt_exclude_list,pkt) ||
+            pkt_is_excluded(detector->rpt_exclude_list,pkt)) {
+        detector->enviro.pkt_stats.excluded++;
+        return;
+    } else {
+        detector->enviro.pkt_stats.nonexcluded++;
+    }
+    
+    if (PS_IN_SET(detector->port_report_criterea,port_status)) {
+        spade_report *rpt= new_spade_report(pkt,score,detector->detect_type,id,SPADE_DN_TYPE_MEDDESCR4NUM(detector->report_detection_type),netspade_detector_scope_str(self,id),&detector->enviro.pkt_stats,port_status);
+        (*(self->exc_callback))(self->callback_context,rpt);
+        free_spade_report(rpt);
+        detector->enviro.pkt_stats.reported++;
+    } else if (detector->canceller != NULL) {
+        /* we didn't meet criterea for reporting yet, and we have a canceller avail, so use it */
+        spade_event *newpkt= spade_event_clone(pkt,self->pkt_native_copier_callback,self->pkt_native_freer_callback);
+        score_info *newscore= score_info_clone(score);
+        spade_report *rpt= new_spade_report(newpkt,newscore,detector->detect_type,id,SPADE_DN_TYPE_MEDDESCR4NUM(detector->report_detection_type),netspade_detector_scope_str(self,id),&detector->enviro.pkt_stats,port_status);
+        packet_resp_canceller_add_report(detector->canceller,rpt);
+        detector->enviro.pkt_stats.waited++;
+    } else {
+        /* drop the report since no canceller available to strengthen it; that was silly */
+    }
+}
+
+static void canceller_status_report(void *context,spade_report *rpt,port_status_t status) {
+    netspade_detector *d= (netspade_detector *)context;
+    netspade *self= d->parent;
+    if (self->debug_level > 1) formatted_spade_msg_send(SPADE_MSG_TYPE_DEBUG,self->msg_callback,"canceller_status_report(%p,%p %8x:%d %8x:%d,%s)\n",d,rpt,rpt->pkt->fldval[SIP],rpt->pkt->fldval[SPORT],rpt->pkt->fldval[DIP],rpt->pkt->fldval[DPORT],PORT_STATUS_AS_STR(status));
+    if (PS_IN_SET(d->port_report_criterea,status)) {
+        /* met one of the critea so report it */
+        rpt->port_status= status;
+        (*(self->exc_callback))(self->callback_context,rpt);
+        if (rpt->stream_stats) {
+            rpt->stream_stats->reported++;
+        }
+    }
+    /* free report and pkt */
+    free_score_info(rpt->score);
+    free_spade_event(rpt->pkt);
+    free_spade_report(rpt);
+}
+
+static void threshold_was_adjusted(void *context,void *mgrref) {
+    char message[85];
+    spade_pkt_stats adj_period_stats;
+    netspade *self= (netspade *)context;
+    netspade_detector *detector= (netspade_detector *)mgrref;
+    int using_corrscore;
+    
+    adj_period_stats.scored= detector->enviro.pkt_stats.scored - detector->last_adj_stats.scored;
+    adj_period_stats.reported= detector->enviro.pkt_stats.reported - detector->last_adj_stats.reported;
+    detector->last_adj_stats= detector->enviro.pkt_stats; // copy over current stats for reference on next call
+    
+    sprintf(message,"Threshold adjusted to %.4f after %d alerts (of %d)",detector->enviro.thresh,adj_period_stats.reported,adj_period_stats.scored);
+
+    using_corrscore= score_calculator_using_corrscore(&detector->calculator);
+    (*(self->adj_callback))(self->callback_context,detector->id,message,using_corrscore);
+}
+
+
+static void netspade_add_net_to_homenet(netspade *self,char *net_str) {
+    ll_net *cur=NULL;
+
+    cur= (ll_net *)malloc(sizeof(ll_net));
+    cur->next= NULL;
+    if (self->homelist_head == NULL) {
+        self->homelist_head= cur;
+    } else {
+        self->homelist_tail->next= cur;
+    }
+    self->homelist_tail= cur;
+    
+    if (!cidr_to_netmask(net_str,&cur->netaddr,&cur->netmask)) {
+        formatted_spade_msg_send(SPADE_MSG_TYPE_FATAL,self->msg_callback,"Could not interpret homenet network: %s",net_str);
+    }
+}
+
+
+
+void netspade_write_log(netspade *self) {
+    FILE *file;
+    netspade_detector *detector;
+
+    if (!strcmp(self->outfile,"-")) {
+        file= stdout;
+    } else {
+        file = fopen(self->outfile, "w");
+        if (!file) formatted_spade_msg_send(SPADE_MSG_TYPE_FATAL,self->msg_callback,"netspade: unable to open %s",self->outfile);
+    }
+
+    fprintf(file,"%ld total packets were processed by spade in this run\n\n",self->total_pkts);
+    for (detector= self->detectors; detector != NULL; detector=detector->next) {
+        spade_pkt_stats *stats= &detector->enviro.pkt_stats;
+        int scored= stats->scored;
+        int was_anom= stats->nonexcluded + stats->excluded;
+        fprintf(file,"** %s: %s (id=%s) **\n",SPADE_DN_TYPE_MEDDESCR4NUM(detector->report_detection_type),detector->report_scope_str,detector->id);
+        fprintf(file,"%d packets were evaluated\n",stats->scored);
+        fprintf(file,"  %d (%.2f%%) packets were considered anomalous\n",was_anom,((was_anom/(float)scored)*100));
+        if (stats->excluded > 0) 
+            fprintf(file,"    %d (%.2f%%) packets were dropped due to configured exclusion\n",stats->excluded,((stats->excluded/(float)scored)*100));
+        if (stats->waited > 0) 
+            fprintf(file,"    %d (%.2f%%) packets were inserted in the wait queue\n",stats->waited,((stats->waited/(float)scored)*100));
+        fprintf(file,"    %d (%.2f%%) packets were reported as alerts\n",stats->reported,((stats->reported/(float)scored)*100));
+        if (stats->insuffobsed > 0) 
+            fprintf(file,"  %d (%.2f%%) packets did not have enough observations\n",stats->insuffobsed,((stats->insuffobsed/(float)scored)*100));
+        if (stats->respchecked > 0) 
+            fprintf(file,"  %d packets were checked against the wait queue\n",stats->respchecked);
+        fprintf(file,"%d observations were stored\n",score_calculator_get_store_count(&detector->calculator));
+        fprintf(file,"%.4f observations are remembered\n",score_calculator_get_obs_count(&detector->calculator));
+        score_mgr_file_print_log(&detector->mgr,file);
+        fprintf(file,"\n");
+    }
+    fflush(file);
+    
+    if (self->stats_to_print != STATS_NONE)
+        event_recorder_write_stats(&self->recorder,file,self->stats_to_print,condprinter);
+        
+    if (file != stdout) {
+        fclose(file);
+    }
+}
+
+void print_conds_line(event_condition_set conds) {
+    file_print_conds(stdout,conds);
+    printf("\n");
+}
+
+void print_conds(event_condition_set conds) {
+    file_print_conds(stdout,conds);
+}
+
+static void file_print_conds(FILE *f,event_condition_set conds) {
+    int first= 1;
+    if (SOME_CONDS_MET(conds,EVENT_CONDITION_FALSE)) {
+        fprintf(f,"FALSE");
+        return;
+    }
+    fprintf(f,"{");
+    if (SOME_CONDS_MET(conds,IS_TCP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"TCP");
+    }
+    if (SOME_CONDS_MET(conds,IS_UDP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"UDP");
+    }
+    if (SOME_CONDS_MET(conds,IS_ICMP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"ICMP");
+    }
+    if (SOME_CONDS_MET(conds,ICMPNOTERR)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"ICMPNOTERR");
+    }
+    if (SOME_CONDS_MET(conds,ICMPERR)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"ICMPERR");
+    }
+    if (SOME_CONDS_MET(conds,IS_UNRCHTCP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"IS_UNRCHTCP");
+    }
+    if (SOME_CONDS_MET(conds,IS_UNRCHUDP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"IS_UNRCHUDP");
+    }
+    if (SOME_CONDS_MET(conds,IS_UNRCHICMP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"IS_UNRCHICMP");
+    }
+    if (SOME_CONDS_MET(conds,NORMAL_RST)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"NORMAL_RST");
+    }
+    if (SOME_CONDS_MET(conds,SYNACK)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"SYNACK");
+    }
+    if (SOME_CONDS_MET(conds,WEIRDFLAGS)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"WEIRDFLAGS");
+    }
+    if (SOME_CONDS_MET(conds,SETUPFLAGS)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"SETUP");
+    }
+    if (SOME_CONDS_MET(conds,ESTFLAGS)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"EST");
+    }
+    if (SOME_CONDS_MET(conds,TEARDOWNFLAGS)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"TEARDOWN");
+    }
+    if (SOME_CONDS_MET(conds,SIP_IN_HOMENET)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"SIP_IS_HOME");
+    }
+    if (SOME_CONDS_MET(conds,SIP_NOT_IN_HOMENET)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"!SIP_IS_HOME");
+    }
+    if (SOME_CONDS_MET(conds,DIP_IN_HOMENET)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"DIP_IS_HOME");
+    }
+    if (SOME_CONDS_MET(conds,DIP_NOT_IN_HOMENET)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"!DIP_IS_HOME");
+    }
+    if (SOME_CONDS_MET(conds,REPR_PKT)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"REPR_PKT");
+    }
+    if (SOME_CONDS_MET(conds,UDPRESP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"UDPRESP");
+    }
+    if (SOME_CONDS_MET(conds,ICMPRESP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"ICMPRESP");
+    }
+    if (SOME_CONDS_MET(conds,SYNRESP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"SYNRESP");
+    }
+    if (SOME_CONDS_MET(conds,ESTRESP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"ESTRESP");
+    }
+    if (SOME_CONDS_MET(conds,TEARDOWNRESP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"TEARDOWNRESP");
+    }
+    if (SOME_CONDS_MET(conds,SETUPRESP)) {
+        if (!first) { fprintf(f,","); } first=0;
+        fprintf(f,"SETUPRESP");
+    }
+    fprintf(f,"}");
+}
+
+int netspade_print_detector_config_details(netspade *self,FILE *f,char *id) {
+    netspade_detector *d= detector_for_id(self,id);
+    if (d == NULL) return 0;
+    
+    fprintf(f,"id=%s; detect_type=%s\n",d->id,SPADE_DR_TYPE_SHORT4NUM(d->detect_type));
+    fprintf(f,"scorecalc_conds= ");
+    file_print_conds(f,d->scorecalc_conds);
+    fprintf(f,"; store_conds= ");
+    file_print_conds(f,d->store_conds);
+    fprintf(f,"\n");
+
+    fprintf(f,"calculator=\n");
+    score_calculator_print_config_details(&d->calculator,f,"  ");
+    fprintf(f,"mgr=\n");
+    score_mgr_print_config_details(&d->mgr,f,"  ");
+    
+    fprintf(f,"port_report_criterea=");
+    port_status_set_file_print(d->port_report_criterea,f);
+    fprintf(f,"\n");
+    if (d->canceller != NULL) {
+        fprintf(f,"canceller=\n");
+        packet_resp_canceller_print_config_details(d->canceller,f,"  ");
+        fprintf(f,"cancel_open_conds= ");
+        file_print_conds(f,d->cancel_open_conds);
+        fprintf(f,"; cancel_closed_conds= ");
+        file_print_conds(f,d->cancel_closed_conds);
+        fprintf(f,"\n");
+    }
+    
+    fprintf(f,"report_detection_type=%d\n",d->report_detection_type);
+    return 1;
+}
+
+static void process_netspade_xarg(netspade *self,char *str,features feat,xarg_type_t type) {
+    xfeatval_link *list,*list_tail;
+
+    list= process_xarg(str,feat,type,self->msg_callback,&list_tail);
+    if (list == NULL) return;
+    
+    /* prepend this list onto the detector */
+    list_tail->next= self->rpt_exclude_list;
+    self->rpt_exclude_list= list;
+}
+
+static void process_detector_xargs(netspade_detector *d,char *xsips,char *xdips,char *xsports,char *xdports) {
+    d->rpt_exclude_list= NULL;
+    process_detector_xarg(d,xsports,SPORT,XARG_TYPE_UINT);
+    process_detector_xarg(d,xdips,DIP,XARG_TYPE_CIDR);
+    process_detector_xarg(d,xsips,SIP,XARG_TYPE_CIDR);
+    process_detector_xarg(d,xdports,DPORT,XARG_TYPE_UINT);
+}
+
+static void process_detector_xarg(netspade_detector *d,char *str,features feat,xarg_type_t type) {
+    xfeatval_link *list,*list_tail;
+
+    list= process_xarg(str,feat,type,d->parent->msg_callback,&list_tail);
+    if (list == NULL) return;
+    
+    /* prepend this list onto the detector */
+    list_tail->next= d->rpt_exclude_list;
+    d->rpt_exclude_list= list;
+}
+
+static xfeatval_link *process_xarg(char *str,features feat,xarg_type_t type,spade_msg_fn msg_callback,xfeatval_link **tail) {
+    xfeatval_link *list=NULL,*new;
+    char *val;
+    
+    *tail= NULL;
+
+    if (str == NULL || str[0] == '\0') return NULL;
+    val= strtok(str,",");
+    while (val != NULL) {
+        new= new_xfeatval_link(feat,type,val);
+        if (new == NULL) {
+            if (type == XARG_TYPE_CIDR)
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,msg_callback,"could not parse %s as a IP or network to exclude for detector %s; skipping it");
+            else
+                formatted_spade_msg_send(SPADE_MSG_TYPE_WARNING,msg_callback,"could not parse %s as an unsigned integer to exclude for detector %s; skipping it");
+            continue;
+        }
+        
+        /* append */
+        if (list == NULL) {
+            list= new;
+        } else {
+            (*tail)->next= new;
+        }
+        *tail= new;
+        
+        val= strtok(NULL,",");
+    }
+    return list;
+}
+
+static xfeatval_link *new_xfeatval_link(features feat,xarg_type_t type,char *val) {
+    xfeatval_link *new= (xfeatval_link *)malloc(sizeof(xfeatval_link));
+    if (new == NULL) return NULL;
+    
+    new->feat= feat;
+    new->type= type;
+    new->next= NULL;
+    
+    if (type == XARG_TYPE_CIDR) {
+        if (!cidr_to_netmask(val,&new->val.cidr.netip,&new->val.cidr.netmask)) {
+            free(new);
+            return NULL;
+        }
+    } else { // XARG_TYPE_UINT
+        if (val[0] < '0' || val[0] > '9') {
+            free(new);
+            return NULL;
+        }
+        new->val.i= atoi(val);
+    }
+    return new;
+}
+
+static int pkt_is_excluded(xfeatval_link *list,spade_event *pkt) {
+    xfeatval_link *x;
+    for (x= list; x != NULL; x= x->next) {
+        u32 pktval= pkt->fldval[x->feat];
+        if ((x->type == XARG_TYPE_UINT)
+            ? (x->val.i == pktval)
+            : ((pktval & x->val.cidr.netmask) == x->val.cidr.netip)) { /* found one to exclude */
+            return 1; 
+        }
+    }
+    return 0;
+}
+
+static int cidr_to_netmask(char *str,u32 *netip,u32 *netmask) {
+    char *sep;
+    int masklen;
+    struct in_addr net;
+    char *strcopy= strdup(str);
+    
+    if ((sep= strchr(strcopy,'/')) == NULL) {
+        masklen= 32;
+    } else { 
+        *sep= '\0'; // null terminate IP
+        masklen = atoi(sep+1);
+    }
+
+    if ((masklen >= 0) && (masklen <= 32)) {
+        *netmask = (~((u32)0))<<(32-masklen);
+    } else {
+        free(strcopy);
+        return 0;
+    }
+
+    /* convert the IP addr into its 32-bit value */
+    if ((net.s_addr = inet_addr(strcopy)) ==-1) {
+        if (!strcmp(strcopy,"any")) {
+            *netmask= 0;
+            *netip= 0;
+        } else {
+            free(strcopy);
+            return 0;
+        }
+    } else {
+        *netip = (ntohl((u_long)net.s_addr) & *netmask);
+    }
+    free(strcopy);
+    return 1;
+}
+
+/*@}*/
+
+/* Id: netspade.c,v 1.1 2004/10/11 14:35:54 jonkman Exp $ */
+/*********************************************************************
+packet_resp_canceller.c, distributed as part of Spade v030125.1
+Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
+copyright (c) 2002 by Silicon Defense (http://www.silicondefense.com/)
+Released under GNU General Public License, see the COPYING file included
+with the distribution or http://www.silicondefense.com/spice/ for details.
+
+packet_resp_canceller.c implements the "class" packet_resp_canceller which
+  buffers spade reports for a period of time, awaiting information that
+  the port is open
+
+Please send complaints, kudos, and especially improvements and bugfixes to
+hoagland@SiliconDefense.com.  As described in GNU General Public License, no
+warranty is expressed for this program.
+*********************************************************************/
+
+/*! \file packet_resp_canceller.c
+ * \ingroup netspade_layer
+ * \brief 
+ *  packet_resp_canceller.c implements the "class" packet_resp_canceller
+ *  which buffers spade reports for a period of time, awaiting information
+ *  that the port is open
+ */
+
+/*! \addtogroup netspade_layer
+    @{
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <netinet/in.h>
+
+//static void lt_extract(packet_resp_canceller *self, prc_link *todel, prc_link *prev, u16 hash1, u32 hash2);
+static void ltl_extract(prc_lookup_table *lt, prc_link *todel, prc_link *prev, u16 hash1, u32 hash2);
+static int lt_delete_report(prc_lookup_table *lt, spade_report *rpt);
+static prc_link *new_prc_link(spade_report *rpt);
+static void free_prc_ttl_list(prc_link *head);
+//static void free_prc_link(prc_link *l);
+static prc_lookup_table2 *new_prc_lookup_table2(void);
+static void init_prc_lookup_table2(prc_lookup_table2 *t);
+static void free_prc_lookup_table2(prc_lookup_table2 *t);
+static void free_prc_lookup_table2_clean(prc_lookup_table2 *t);
+
+#define u8_right_rotate(i,bits) ((i >> bits) | ((i & ((1 << bits)-1)) << (8-bits)))
+
+#define calc_hash1(sport,dport) ((sport ^ dport) & LOOKUP_TABLE1_MASK)
+#define calc_hash2(sip,dip,hash) { \
+    u32 _tmp= sip ^ dip; \
+    u8 _tmp1= _tmp & LOOKUP_TABLE2_MASK; \
+    u8 _tmp2= (_tmp & LOOKUP_TABLE2_MASK) >> 8; \
+    u8 _tmp3= (_tmp & LOOKUP_TABLE2_MASK) >> 16; \
+    u8 _tmp4= (_tmp & LOOKUP_TABLE2_MASK) >> 24; \
+    hash= _tmp1 \
+        ^  u8_right_rotate(_tmp2,2) \
+        ^  u8_right_rotate(_tmp3,4) \
+        ^  u8_right_rotate(_tmp4,6); \
+}
+
+/// free list of allocated prc_lookup_table2s
+prc_lookup_table2 *prc_lookup_table2_freelist= NULL;
+/// free list of allocated prc_links
+prc_link *prc_link_freelist= NULL;
+
+//int disp_hashinfo= 0;
+
+void init_packet_resp_canceller(packet_resp_canceller *self,int wait_secs,prc_report_status_fn status_callback,void *callback_context,port_status_t timeout_implication) {
+    int i;
+    
+    self->tt.num_buckets= wait_secs+1;
+    self->tt.last_timeout= (time_t)0;
+    self->tt.arr= (prc_list *)malloc(sizeof(prc_list)*self->tt.num_buckets);
+    for (i= 0; i <= wait_secs; i++) {
+        self->tt.arr[i].head= NULL;
+        self->tt.arr[i].tail= NULL;
+    }
+    
+    for (i= 0; i < LOOKUP_TABLE1_SIZE; i++) self->lt.arr[i]= NULL;
+    
+    self->status_callback= status_callback;
+    self->callback_context= callback_context;
+    self->timeout_implication= timeout_implication;
+}
+
+packet_resp_canceller *new_packet_resp_canceller(int wait_secs,prc_report_status_fn status_callback,void *callback_context,port_status_t timeout_implication) {
+    packet_resp_canceller *new= (packet_resp_canceller *)malloc(sizeof(packet_resp_canceller));
+    init_packet_resp_canceller(new,wait_secs,status_callback,callback_context,timeout_implication);
+    return new;
+}
+
+void free_packet_resp_canceller(packet_resp_canceller *self) {
+    int i;
+    /* free all the prc_link's */
+    for (i=0; i < self->tt.num_buckets; i++)
+        if (self->tt.arr[i].head != NULL)
+            free_prc_ttl_list(self->tt.arr[i].head);
+    
+    /* free the timeout table's array */
+    free(self->tt.arr);
+    
+    /* free all the prc_lookup_table2's */
+    for (i=0; i < LOOKUP_TABLE1_SIZE; i++)
+        if (self->lt.arr[i] != NULL)
+            free_prc_lookup_table2(self->lt.arr[i]);
+
+    /* free ourself */
+    free(self);
+}
+
+void packet_resp_canceller_new_time(packet_resp_canceller *self,time_t now) {
+    int i;
+    prc_link *l;
+    int count= now - self->tt.last_timeout;
+    //if (self->debug_level > 1) printf("packet_resp_canceller_new_time(%p,%d)\n",self,(int)now);
+    if (count > self->tt.num_buckets) count= self->tt.num_buckets;
+    for (i=1; i <= count; i++) {
+        int slot= (self->tt.last_timeout+i) % self->tt.num_buckets;
+        if (self->tt.arr[slot].head != NULL) {
+            for (l= self->tt.arr[slot].head; l != NULL; l= l->ttl_next) {
+                if (l->rpt != NULL) {
+                    /* send the report as closed and delete this from the lookup table */
+                    (*self->status_callback)(self->callback_context,l->rpt,self->timeout_implication);
+                    lt_delete_report(&self->lt,l->rpt);
+                }
+            }
+            free_prc_ttl_list(self->tt.arr[slot].head);
+            self->tt.arr[slot].head= NULL;
+            self->tt.arr[slot].tail= NULL;
+        }
+    }
+    self->tt.last_timeout= now;
+}
+
+void packet_resp_canceller_add_report(packet_resp_canceller *self,spade_report *rpt) {
+    spade_event *pkt= rpt->pkt;
+    u16 hash1;
+    u32 hash2;
+    prc_lookup_table2 *t2;
+    prc_link *new;
+    int slot;
+    /*if (self->debug_level) printf("packet_resp_canceller_add_report(%p,%p %.2f %8x:%d %8x:%d)\n",self,rpt,rpt->pkt->time,rpt->pkt->fldval[SIP],rpt->pkt->fldval[SPORT],rpt->pkt->fldval[DIP],rpt->pkt->fldval[DPORT]);*/
+    
+    if ((pkt->fldval[IPPROTO] == IPPROTO_TCP) || (pkt->fldval[IPPROTO] == IPPROTO_UDP))
+        hash1= calc_hash1(pkt->fldval[SPORT],pkt->fldval[DPORT]);
+    else
+        hash1= calc_hash1(pkt->fldval[SIP],pkt->fldval[DIP]);
+    //if (disp_hashinfo) printf(": addrep hash1(%d,%d) => %d\n",pkt->fldval[SPORT],pkt->fldval[DPORT],hash1);
+    if (self->lt.arr[hash1] == NULL) self->lt.arr[hash1]= new_prc_lookup_table2();
+    t2= self->lt.arr[hash1];
+    calc_hash2(pkt->fldval[SIP],pkt->fldval[DIP],hash2);
+    //if (disp_hashinfo) printf(": addrep hash2(%08x,%08x) => %d\n",pkt->fldval[SIP],pkt->fldval[DIP],hash2);
+    new= new_prc_link(rpt);
+    if (t2->arr[hash2] == NULL) { // first entry here
+        t2->num_used++;
+    } else {
+        new->ltl_next= t2->arr[hash2];
+    }
+    t2->arr[hash2]= new;
+    
+    // append in time table
+    slot= ((int)pkt->time) % self->tt.num_buckets;
+    if (self->tt.arr[slot].tail == NULL) {
+        self->tt.arr[slot].head= new;
+    } else {
+        self->tt.arr[slot].tail->ttl_next= new;
+    }
+    self->tt.arr[slot].tail= new;
+    //fflush(stdout);
+}
+
+void packet_resp_canceller_note_response(packet_resp_canceller *self,port_status_t implied_status,u32 sip,u16 sport,u32 dip,u16 dport,int portless) {
+    prc_link *l,*prev,*next,*newprev;
+    u32 hash2;
+    prc_lookup_table2 *t2;
+    u16 hash1= portless ? calc_hash1(sip,dip) : calc_hash1(sport,dport);
+    //if (disp_hashinfo) printf(": noteresp hash1(%d,%d) => %d\n",sport,dport,hash1);
+    /*if (self->debug_level) printf("packet_resp_canceller_note_response(%p,%s,%8x:%d %8x:%d,%d)\n",self,PORT_STATUS_AS_STR(implied_status),sip,sport,dip,dport,portless);*/
+    
+    if (self->lt.arr[hash1] == NULL) return;
+    t2= self->lt.arr[hash1];
+    calc_hash2(sip,dip,hash2);
+    //if (disp_hashinfo) printf(": noteresp hash2(%08x,%08x) => %d\n",sip,dip,hash2);
+    if (t2->arr[hash2] == NULL) return;
+    for (l= t2->arr[hash2], prev=NULL; l != NULL; prev=newprev,l=next) {
+        next= l->ltl_next; /* in case this link is removed */
+        newprev= l;
+        if (l->rpt == NULL) continue; /* shouldn't happen */
+        if (l->rpt->pkt->fldval[SIP] != sip) continue;
+        if (l->rpt->pkt->fldval[DIP] != dip) continue;
+        if (l->rpt->pkt->fldval[SPORT] != sport) continue;
+        if (l->rpt->pkt->fldval[DPORT] != dport) continue;
+        /* found a match */
+        ltl_extract(&self->lt,l,prev,hash1,hash2);
+        (*self->status_callback)(self->callback_context,l->rpt,implied_status);
+        l->rpt= NULL; /* mark as deleted from lookup table */
+        newprev= prev;
+        /* check for more matches */
+    }
+    //fflush(stdout);
+}
+
+#if 0 // not currently needed
+static void lt_extract(packet_resp_canceller *self,prc_link *todel,prc_link *prev,u16 hash1,u32 hash2) {
+    ltl_extract(&self->lt,todel,prev,hash1,hash2);
+}
+#endif
+
+static void ltl_extract(prc_lookup_table *lt,prc_link *todel,prc_link *prev,u16 hash1,u32 hash2) {
+    if (prev == NULL) {
+        if (todel->ltl_next == NULL) {
+            lt->arr[hash1]->arr[hash2]= NULL;
+            lt->arr[hash1]->num_used--;
+            if (lt->arr[hash1]->num_used == 0) {
+                free_prc_lookup_table2_clean(lt->arr[hash1]);
+                lt->arr[hash1]= NULL;
+            }
+        } else {
+            lt->arr[hash1]->arr[hash2]= todel->ltl_next;
+        }
+    } else {
+        prev->ltl_next= todel->ltl_next;
+    }
+}
+
+static int lt_delete_report(prc_lookup_table *lt,spade_report *rpt) {
+    prc_link *l,*prev;
+    u32 hash2;
+    prc_lookup_table2 *t2;
+    spade_event *pkt= rpt->pkt;
+    u16 hash1;
+    if ((pkt->fldval[IPPROTO] == IPPROTO_TCP) || (pkt->fldval[IPPROTO] == IPPROTO_UDP))
+        hash1= calc_hash1(pkt->fldval[SPORT],pkt->fldval[DPORT]);
+    else
+        hash1= calc_hash1(pkt->fldval[SIP],pkt->fldval[DIP]);
+    
+    if (lt->arr[hash1] == NULL) return 0;
+    t2= lt->arr[hash1];
+    calc_hash2(pkt->fldval[SIP],pkt->fldval[DIP],hash2);
+    if (t2->arr[hash2] == NULL) return 0;
+    for (l= t2->arr[hash2], prev=NULL; l != NULL && l->rpt != rpt; prev=l,l=l->ltl_next);
+    if (l == NULL) return 0; /* no match */
+    ltl_extract(lt,l,prev,hash1,hash2);
+    return 1;
+}
+
+static prc_link *new_prc_link(spade_report *rpt) {
+    prc_link *new;
+    if (prc_link_freelist == NULL) {
+        new= (prc_link *)malloc(sizeof(prc_l