
Design And Implementation Of Distributed Intrusion Detection System Based On Snort

Posted on: 2010-08-23
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhu
Full Text: PDF
GTID: 2178360272988145
Subject: Computer application technology
Abstract/Summary:
With the rapid development of information technology, the Internet and information sharing have become the main trend of the information society. As current information systems depend more and more on the Internet, network security issues are increasingly prominent. Intrusion detection, as a form of active defense, is a focal point of network security.

This paper introduces intrusion detection technology and studies the open source Snort network intrusion detection system, with an in-depth analysis of its preprocessing, rule processing, detection theory, and the workflow of its main program. Finally, to address the problems of the current Snort, a new distributed IDS is proposed. The new system involves the following research and improvements.

First, the parsing of Snort's rules was improved. We performed a statistical analysis of Snort's rule set and, based on testing and on the operating systems, software and databases the rules target, sorted the rules into corresponding templates. A "rule template" layer was added to the Snort rule tree, and the detection engine dispatches each packet, according to the user's configuration, to the appropriate template for matching. This significantly reduces Snort's invalid rule-matching operations and effectively improves its detection performance, which makes the detection agent better suited to distributed network environments.

Second, a SOAP-based firewall interface is proposed. Because current firewall interfaces are not unified, linking them to the IDS is inconvenient; this paper proposes and designs a SOAP-based firewall interface that makes the linkage between IDS and firewall more convenient and flexible and allows it to cross network segments easily.

Finally, considering that Snort's alert response is too simple, we designed an independent alarm module that reads the alert file and responds according to the user's profile. The responses are more flexible and varied, including blocking the connection, firewall linkage, e-mail alarm, switch linkage, SNMP trap, and source address scanning; at the same time the system provides real-time alarms, alarm merging, querying, alert analysis and statistics, all of which improve the network administrator's ability to analyze alarm logs and monitor the network.

Actual testing shows that, at full load in a fast, stable network environment, the system achieves more than 98% throughput with false alarm and miss rates below 1%, which meets the security needs of a fast network environment.
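The rule template layer described under the first improvement and the alarm module described under the third can be illustrated with a small model. The Python below is an added example written for this page, not code from the thesis or from Snort: the rules, host configuration, packets and response profile are constructed, the "template" rule option is an assumed extension rather than real Snort syntax, and response actions are returned as records instead of being executed. The SOAP firewall interface is not modelled.

```python
"""Toy model of a 'rule template' layer that sends a packet only to the rule
subset relevant to its destination host, plus an alarm module that merges alerts
and responds per a user profile. All data below is constructed for the example."""
import re
from collections import Counter, namedtuple
from dataclasses import dataclass

# Header: action proto src_ip src_port -> dst_ip dst_port (options)
RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

@dataclass(frozen=True)
class Rule:
    proto: str
    dst_port: str   # 'any' or a port number kept as text
    msg: str
    content: str    # substring the payload must contain
    template: str   # OS/service template; 'generic' applies to every host

def parse_rule(line: str) -> Rule:
    """Parse one simplified Snort-style rule line into a Rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    _, proto, _, _, _, dst_port, opts = m.groups()
    kv = {}
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        kv[key.strip()] = val.strip().strip('"')
    return Rule(proto, dst_port, kv['msg'], kv['content'],
                kv.get('template', 'generic'))

# Constructed rule set; the 'template' option is an assumed extension, not Snort syntax.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"IIS-specific probe"; content:"iis-marker"; template:iis;)',
    'alert tcp any any -> any 80 (msg:"Apache-specific probe"; content:"apache-marker"; template:apache;)',
    'alert tcp any any -> any 80 (msg:"nginx-specific probe"; content:"nginx-marker"; template:nginx;)',
    'alert tcp any any -> any 80 (msg:"Tomcat-specific probe"; content:"tomcat-marker"; template:tomcat;)',
    'alert tcp any any -> any 3306 (msg:"MySQL handshake anomaly"; content:"mysql-marker"; template:mysql;)',
    'alert tcp any any -> any 1433 (msg:"MSSQL handshake anomaly"; content:"mssql-marker"; template:mssql;)',
    'alert tcp any any -> any any (msg:"Known C2 beacon string"; content:"beacon-marker";)',
]]

# User configuration (constructed): templates that apply to each monitored host.
HOST_TEMPLATES = {'10.0.0.5': {'iis', 'mssql'}, '10.0.0.6': {'apache', 'mysql'}}

# Response profile (constructed): actions triggered per rule template.
RESPONSE_PROFILE = {'generic': ['firewall_block', 'email'], 'iis': ['email'],
                    'apache': ['email'], 'mysql': ['log'], 'mssql': ['log']}

Packet = namedtuple('Packet', 'proto src dst dst_port payload')   # constructed traffic unit
Alert = namedtuple('Alert', 'msg template src dst')                # one raised alert

def candidate_rules(pkt, rules, host_templates=None):
    """Rule-template layer: with host_templates, only rules in the destination
    host's templates (plus 'generic') are kept; None means no template filter."""
    allowed = None if host_templates is None else \
        host_templates.get(pkt.dst, set()) | {'generic'}
    return [r for r in rules
            if (allowed is None or r.template in allowed)
            and r.proto == pkt.proto
            and r.dst_port in ('any', str(pkt.dst_port))]

def match(pkt, rules, host_templates=None):
    """Return (alerts raised, number of content comparisons performed)."""
    alerts, comparisons = [], 0
    for r in candidate_rules(pkt, rules, host_templates):
        comparisons += 1
        if r.content in pkt.payload:
            alerts.append(Alert(r.msg, r.template, pkt.src, pkt.dst))
    return alerts, comparisons

def merge_alerts(alerts):
    """Alarm merge: identical (msg, template, src, dst) alerts collapse into one with a count."""
    return Counter(alerts)

def respond(alerts, profile):
    """Map merged alerts to (action, source, message, count) records; nothing is executed."""
    return [(action, a.src, a.msg, n)
            for a, n in merge_alerts(alerts).items()
            for action in profile.get(a.template, ['log'])]

def demo():
    """Run constructed traffic through the templated and the unfiltered engine."""
    packets = [
        Packet('tcp', '203.0.113.9', '10.0.0.5', 80, 'GET /iis-marker'),
        Packet('tcp', '203.0.113.9', '10.0.0.5', 80, 'GET /apache-marker'),  # Apache probe at an IIS host: not matched
        Packet('tcp', '203.0.113.9', '10.0.0.6', 3306, 'mysql-marker'),
        Packet('tcp', '203.0.113.9', '10.0.0.6', 3306, 'mysql-marker'),      # repeat: merged by the alarm module
        Packet('tcp', '198.51.100.7', '10.0.0.6', 4444, 'beacon-marker'),
    ]
    alerts, templated, unfiltered = [], 0, 0
    for p in packets:
        hits, n = match(p, RULES, HOST_TEMPLATES)
        alerts.extend(hits)
        templated += n
        unfiltered += match(p, RULES)[1]
    return alerts, templated, unfiltered, respond(alerts, RESPONSE_PROFILE)
```

Running demo() on the constructed traffic shows the templated engine performing 9 content comparisons against 15 for the unfiltered engine, skipping the Apache-only rule for a packet aimed at the IIS host, and the alarm module collapsing the two identical MySQL alerts into one record with a count of 2 before choosing actions from the profile.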
Keywords/Search Tags: IDS, Snort, Distributed Intrusion Detection, Agent