
The Improvement And Implementation Of Snort Detection Engine

Posted on: 2006-03-12
Degree: Master
Type: Thesis
Country: China
Candidate: D H Hu
GTID: 2168360155958044
Subject: Computer application technology
Abstract/Summary:
Intrusion detection is a network security technology that actively protects a system from attack; it is a new generation of security technology that follows traditional protective measures such as firewalls and data encryption. The Detection Engine, the core module of an Intrusion Detection System (IDS), primarily uses detection methods based on pattern matching, so selecting or designing a good pattern matching method is important for IDS performance.

Snort is a powerful, lightweight network IDS. It can analyze traffic and log IP network packets in real time, and it can perform protocol analysis and content searching and matching. Snort can also detect many different kinds of attack and raise real-time alarms. Furthermore, Snort has good extensibility and portability.

In this paper, I first describe Snort's architecture, workflow and three-dimensional linked list, and then analyze in particular Snort's Detection Engine and its pattern matching algorithms. Because of the shortcomings of the original pattern matching algorithms that Snort uses, I choose a new improved algorithm and apply it to Snort's Detection Engine. Through the results of several experiments, I prove that the new improved algorithm is efficient and that the improved Detection Engine is faster than the original system's. Finally, the advantages and disadvantages of the newly implemented system are given, along with a suggestion for further improvement.
Keywords/Search Tags: Detection Engine, Pattern Matching, hashing, Snort, IDS