
The Research And Application Of Intrusion Detection System Based On Snort

Posted on: 2012-04-28    Degree: Master    Type: Thesis
Country: China    Candidate: X D Wu    Full Text: PDF
GTID: 2178330332999624    Subject: Software engineering
Abstract/Summary:
The Internet has played a pivotal role in China's economic development and has become an indispensable tool in people's life, work and study. However, operating systems and applications contain a wide variety of vulnerabilities, and the security awareness of Internet users in China is weak, so these users are easily exploited by malicious attackers. Network security problems are therefore becoming increasingly urgent. An intrusion detection system (IDS) is an important component of network security, providing real-time monitoring of the network and a basis for prevention.

There are two main types of intrusion detection system: host-based and network-based. A network-based IDS has clear advantages: it runs on a single host yet monitors the whole network segment, which reduces cost and improves efficiency. Snort, the system analysed in this paper, is a network-based IDS.

Intrusion detection systems use three main detection methods: integrity detection, anomaly detection and signature (feature) detection. Integrity detection computes a checksum for each system file and periodically re-checks it; the system alerts when a file has changed. Anomaly detection compares observed behaviour with a baseline and alerts when the two differ. Signature detection looks for the characteristic features of known intrusion behaviour; it is the most accurate method for known attacks, although it cannot detect an attack for which no signature exists. Snort uses signature detection: it stores a set of rules and raises an alert when the features of observed traffic match a rule.

Snort is an open-source, lightweight intrusion detection system. This paper uses Snort 2.9.0.2. Snort is cross-platform and runs on Unix and Unix-like operating systems as well as on Windows, and its plug-in mechanism gives it strong extensibility.

The core technology of signature detection is the pattern matching algorithm. With the rapid growth of high-speed networks, network traffic keeps increasing, so an IDS faces a serious real-time requirement and an efficient pattern matching algorithm is especially important. In this paper I analyse the Snort 2.9.0.2 source code, the pattern matching algorithm Snort uses, and the function of the sp_pattern_match detection-engine plug-in. This plug-in matches the content and uricontent rule options using the BM (Boyer-Moore) algorithm.

The main contents are as follows:

1) This paper introduces the concept, principles and classification of intrusion detection systems and the methods of intrusion detection.

2) This paper analyses the structure and work flow of Snort, introduces its major modules, and analyses the detection engine and Snort rules. The rule tree data structure is the core of the detection engine, and signature detection is a traversal of that rule tree.

3) This paper analyses several classic single-pattern matching algorithms, including the BM, BMH and Sunday algorithms, weighs their advantages and disadvantages, and finds that the original BM algorithm used in Snort has a clear drawback. On this basis a new single-pattern matching algorithm, Im_Sunday, is proposed. It abandons the good-suffix shift table of BM, whose preprocessing cost is relatively high and whose benefit is limited, and retains the bad-character heuristic of the skip table. Following the Sunday heuristic, it examines the character S[next] immediately after the current text window aligned with the pattern. To further increase the jump distance, reduce the number of comparisons and speed up matching, I also examine S[nnext], the character one pattern length beyond S[next]. I then implement the BM, Sunday and Im_Sunday algorithms and run matching tests on two randomly chosen strings of different lengths. Both tests show that Im_Sunday increases the jump distance of the text pointer and thus greatly reduces the number of window shifts and character comparisons.

4) Using the new algorithm I optimise Snort 2.9.0.2 and test it with the Defcon8 29163144 data set as the data source. Snort is installed on Red Hat Enterprise Linux Workstation Release 6.0. Snort with Im_Sunday is compared against Snort with BM over five rule sets of different sizes, measuring runtime and memory consumption, two key performance figures of a running system. The experiments confirm the efficiency and practicality of the Im_Sunday algorithm.
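The abstract describes the Im_Sunday heuristic in words only. The following C program is an added example, not code from the thesis or from Snort: it implements plain Sunday and my reading of Im_Sunday (when S[next] is absent from the pattern, also inspect S[nnext] = S[next + m] and jump to the alignment that places the rightmost occurrence of S[nnext] under that position) and counts comparisons and window shifts so the two can be compared on the same input. The payload, pattern, function names and the stats_t counters are constructed for illustration and are not from the thesis's Defcon8 experiments.

```c
/* Added example (not from the thesis or Snort): Sunday and an Im_Sunday variant
 * as described in the abstract, instrumented to count comparisons and shifts. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ALPHABET 256

/* Counters so the two heuristics can be compared on the same input. */
typedef struct {
    long comparisons;   /* character comparisons inside windows */
    long shifts;        /* number of times the window was moved */
    long matches;       /* occurrences of the pattern found */
    long first;         /* offset of the first occurrence, -1 if none */
} stats_t;

/* Sunday bad-character table: d[c] = m - rightmost index of c in pat, m+1 if absent.
 * Shifting by d[S[next]] aligns the rightmost c in the pattern with S[next]. */
static void build_sunday_table(const unsigned char *pat, size_t m, size_t d[ALPHABET])
{
    for (int c = 0; c < ALPHABET; c++) d[c] = m + 1;
    for (size_t k = 0; k < m; k++) d[pat[k]] = m - k;
}

/* Left-to-right comparison of the window txt[i..i+m-1] against pat. */
static int window_matches(const unsigned char *txt, size_t i,
                          const unsigned char *pat, size_t m, stats_t *st)
{
    for (size_t k = 0; k < m; k++) {
        st->comparisons++;
        if (txt[i + k] != pat[k]) return 0;
    }
    return 1;
}

/* im == 0: plain Sunday.  im == 1: Im_Sunday as I read the abstract: when S[next]
 * is absent from the pattern (shift m+1), also inspect S[nnext] = S[next+m].
 * Every candidate start j >= next+1 covers position nnext, so the window can jump
 * straight to the alignment that puts the rightmost occurrence of S[nnext] under it. */
static stats_t search(const unsigned char *txt, size_t n,
                      const unsigned char *pat, size_t m, int im)
{
    stats_t st = {0, 0, 0, -1};
    size_t d[ALPHABET];
    if (m == 0 || m > n) return st;
    build_sunday_table(pat, m, d);
    for (size_t i = 0; i + m <= n; ) {
        if (window_matches(txt, i, pat, m, &st)) {
            st.matches++;
            if (st.first < 0) st.first = (long)i;
        }
        size_t next = i + m;
        if (next >= n) break;                 /* no character after the window */
        size_t shift = d[txt[next]];
        if (im && shift == m + 1) {
            size_t nnext = next + m;
            if (nnext >= n) break;            /* no full window fits beyond next */
            shift = m + d[txt[nnext]];        /* == nnext - rightmost(S[nnext]) - i */
        }
        i += shift;
        st.shifts++;
    }
    return st;
}

/* Convenience wrappers over C strings. */
stats_t run_sunday(const char *text, const char *pat)
{
    return search((const unsigned char *)text, strlen(text),
                  (const unsigned char *)pat, strlen(pat), 0);
}
stats_t run_im_sunday(const char *text, const char *pat)
{
    return search((const unsigned char *)text, strlen(text),
                  (const unsigned char *)pat, strlen(pat), 1);
}

/* Constructed sample input (not from the thesis's data set): a request payload and
 * a content string of the kind a Snort rule would carry. */
const char *const SAMPLE_PAYLOAD =
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n";
const char *const SAMPLE_PATTERN = "/etc/passwd";

int main(void)
{
    stats_t s = run_sunday(SAMPLE_PAYLOAD, SAMPLE_PATTERN);
    stats_t t = run_im_sunday(SAMPLE_PAYLOAD, SAMPLE_PATTERN);
    printf("Sunday:    first=%ld matches=%ld comparisons=%ld shifts=%ld\n",
           s.first, s.matches, s.comparisons, s.shifts);
    printf("Im_Sunday: first=%ld matches=%ld comparisons=%ld shifts=%ld\n",
           t.first, t.matches, t.comparisons, t.shifts);
    return 0;
}
```

The second look-ahead is only sound when the first one already proved that no match can start before next + 1; if S[next] does occur in the pattern, the smaller Sunday shift is kept, since windows starting before next + 1 do not contain S[nnext] and cannot be excluded by it. On the text "xxxxxxabc" with pattern "abc" plain Sunday needs 5 comparisons and 2 shifts, while the variant above needs 4 comparisons and 1 shift, which is the kind of reduction the abstract reports.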
Keywords/Search Tags: Intrusion detection, pattern matching, Snort, Sunday algorithm